Researchers uncover banking app security flaw

A study undertaken by the University of Birmingham has discovered security flaws in the mobile banking apps of nine banks, including HSBC, NatWest and Co-op Bank, which could enable hackers to reveal personal information.

Researchers found that a hacker connected to the same network as an app user – such as Wi-Fi or a corporate network – could perform a ‘man-in-the-middle’ attack, meaning that they could decrypt, view and modify network traffic from the app.

Tom Chothia, a senior lecturer in cyber security at the University of Birmingham, said: “In general, the security of the apps we examined was very good; the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed.

“It is impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”

The nine affected apps were: Bank of America Health, TunnelBear VPN, Meezan Bank and Smile Bank for Android, and HSBC, HSBC Business, HSBC Identity, HSBCnet and HSBC Private for iOS. All of the companies were notified by the university, which worked with them and with the government’s National Cyber Security Centre to fix all of the vulnerabilities.

The research also uncovered the risk of other potential threats including ‘in-app phishing attacks’ affecting Santander UK and Allied Irish Banks. This scam would see criminals take over part of the user’s screen and use this to phish for login credentials.
