Security flaw leaves ‘tens of millions’ vulnerable to banking app hackers

A team of academics have discovered a critical flaw in some of the most popular mobile banking apps that could potentially leave tens of millions of customers vulnerable to hackers.

Researchers from the University of Birmingham have developed a tool to perform semi-automated security testing of banking apps.

In particular, the tool can identify critical vulnerabilities in banking apps – the researchers identified issues in the HSBC, NatWest, Co-op and Bank of America Health apps.

These flaws allowed an attacker connected to the same network as the victim (for example on public WiFi or a corporate network) to perform a so-called “Man in the Middle Attack” and retrieve credentials such as usernames, passwords and PIN codes.

Although the banks had put a great deal of effort into stringent security, the way some apps used a technology called certificate pinning left them open to attack. Pinning normally improves security, but an app that pins a certificate without also verifying its hostname will accept any certificate that satisfies the pin, including one issued to a completely different site.

The university team has been working on a new semi-automated security tool, known as ‘Spinner’, that detects this lack of certificate hostname verification in security-sensitive applications. The pinning itself made the missing check harder to spot through routine testing, because a pinned app rejects the test certificates that ordinary interception checks rely on.
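The following is an added, constructed model of the check described above; it is not the Spinner tool and not code from any of the banks named in this article. It assumes the app pins the public key of the issuing certificate authority (a common choice, so that routine certificate renewals do not break the app), expresses pins as a SHA-256 hash of the public key, and uses made-up names and keys in place of a real X.509 chain. The point it demonstrates is that a pin check which ignores the hostname accepts an attacker’s certificate issued by the same pinned CA, while the hardened check rejects it.

```python
"""
Certificate pinning with and without hostname verification, modelled in plain
Python.  Added, constructed example: not the Spinner tool and not any bank's
app code.  Certificates are simple records standing in for the X.509 chain a
TLS server presents; the names, keys and pins are made up.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate."""
    subject_cn: str
    san_dns: tuple          # dNSName entries of subjectAltName
    issuer_cn: str
    public_key: bytes       # would be the DER SubjectPublicKeyInfo in reality


def spki_pin(cert: Cert) -> str:
    """SHA-256 over the certificate's public key, the usual pin format."""
    return hashlib.sha256(cert.public_key).hexdigest()


# Constructed PKI: one CA issues certificates to the bank and to an attacker.
CA = Cert("Example Trust CA", (), "Example Trust CA", b"constructed-ca-key")
BANK = Cert("bank.example", ("bank.example", "*.bank.example"), CA.subject_cn, b"constructed-bank-key")
ATTACKER = Cert("attacker.example", ("attacker.example",), CA.subject_cn, b"constructed-attacker-key")
OTHER_CA = Cert("Unrelated CA", (), "Unrelated CA", b"constructed-other-ca-key")
FORGED = Cert("bank.example", ("bank.example",), OTHER_CA.subject_cn, b"constructed-forged-key")

# Chains as presented in the handshake: leaf first, issuing CA last.
BANK_CHAIN = (BANK, CA)
ATTACKER_CHAIN = (ATTACKER, CA)      # same pinned CA, different hostname
FORGED_CHAIN = (FORGED, OTHER_CA)    # right hostname, CA not pinned

# Assumption: the app pins the issuing CA's key rather than the leaf, so that
# routine certificate renewals do not break the app.
PINNED_SPKI = frozenset({spki_pin(CA)})


def pin_matches(chain, pins=PINNED_SPKI) -> bool:
    """Pin check in the style of HPKP / OkHttp CertificatePinner: the chain is
    accepted if any certificate in it carries a pinned public key."""
    return any(spki_pin(c) in pins for c in chain)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive, and a wildcard only
    covers a single left-most label (so *.bank.example matches
    www.bank.example but neither bank.example nor a.b.bank.example)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # ".bank.example"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def hostname_verified(leaf: Cert, expected_host: str) -> bool:
    """Only subjectAltName dNSNames are consulted; no fallback to the CN."""
    return any(hostname_matches(p, expected_host) for p in leaf.san_dns)


def verify_pin_only(chain, expected_host: str) -> bool:
    """The vulnerable pattern: the pin check replaces, rather than adds to,
    hostname verification, so expected_host is never consulted."""
    return pin_matches(chain)


def verify(chain, expected_host: str) -> bool:
    """The hardened check: the chain must satisfy the pin AND the leaf must
    be issued for the host the app meant to talk to."""
    return pin_matches(chain) and hostname_verified(chain[0], expected_host)


if __name__ == "__main__":
    host = "bank.example"
    for name, chain in (("bank", BANK_CHAIN), ("attacker", ATTACKER_CHAIN), ("forged", FORGED_CHAIN)):
        print(f"{name:9} pin-only={verify_pin_only(chain, host)!s:5} pin+hostname={verify(chain, host)}")
```

Run stand-alone, the script shows the bank’s own chain passing both checks, the attacker’s chain passing the pin-only check but failing once the hostname is verified, and the forged chain failing both. In a real app the hostname check is normally done by the platform’s TLS library; the practical lesson is that a custom pinning callback must be added on top of that check, never used in place of it.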

The flaw was serious: an attacker exploiting it could decrypt, view and modify all traffic between the app and the bank, and so perform any action that is normally possible within the app.

The Birmingham tests found this flaw in apps from major global banks.

This wasn’t the only vulnerability identified.

The researchers also found in-app phishing vulnerabilities in the Santander and Allied Irish Bank apps.

These would have let an attacker take over part of the screen to phish for the victim’s login credentials.

The researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure.

The research was carried out by Dr Tom Chothia, Dr Flavio Garcia and PhD candidate Chris McMahon Stone, all members of the Security and Privacy Group at the University of Birmingham.

Dr Tom Chothia said: “In general, the security of the apps we examined was very good; the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed.” He added: “It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
