of some of the UK's leading banks, including NatWest, HSBC and RBS, have been using phone and tablet apps that hackers could have infiltrated to steal login details.
Researchers at Birmingham University's School of Computer Science ran a tool to test the security of 400 Android and iOS apps, including many from banks that customers use to check their accounts and transfer money.
They found that several banking apps contained a critical flaw that would let an attacker connected to the same network as the user mount a man-in-the-middle (MITM) attack, intercepting (and potentially altering) the traffic between the app and the bank, and so capturing login details. Around 10 million users are thought to have been at risk.
The flaw lay in how the apps used certificate pinning, a technique in which an app is configured to trust only a specific certificate or certificate authority for its server, rather than any authority installed on the device. Done correctly, pinning stops an attacker who has obtained a fraudulent certificate from impersonating the bank; done incorrectly (for example, checking the pin but not that the certificate was actually issued for the bank's hostname), it still leaves the app open to impersonation.
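As an added illustration (not code from the article, the affected banks, or the Birmingham researchers' tool), the Go program below builds a throwaway certificate authority in memory, issues one certificate for bank.example and one for evil.example from that same CA, and compares two client-side verifiers: one that checks the chain and the pin but not the hostname, and one that checks all three. The CA, the hostnames and the pin-to-CA design are assumptions made for the demonstration; the article does not say exactly how pinning was misused in the affected apps, and this is only one common way a pinning check can fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixtures is a throwaway PKI constructed for this example: one root CA the app
// pins to, a genuine leaf for bank.example and an attacker's leaf for evil.example
// issued by the same CA. All names are hypothetical.
type Fixtures struct {
	Roots        *x509.CertPool
	Pin          [32]byte // SHA-256 of the pinned CA's SubjectPublicKeyInfo
	BankLeaf     *x509.Certificate
	AttackerLeaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues a certificate from tmpl, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildFixtures generates the CA and both leaf certificates in memory.
func BuildFixtures() *Fixtures {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	issue := func(serial int64, host string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return sign(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}, ca, &key.PublicKey, caKey)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Fixtures{Roots: roots, Pin: sha256.Sum256(ca.RawSubjectPublicKeyInfo),
		BankLeaf: issue(2, "bank.example"), AttackerLeaf: issue(3, "evil.example")}
}

// verifyPinned validates the chain with opts, then requires that some certificate
// in an accepted chain carries the pinned public key.
func verifyPinned(f *Fixtures, leaf *x509.Certificate, opts x509.VerifyOptions) error {
	opts.Roots = f.Roots
	chains, err := leaf.Verify(opts)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if sha256.Sum256(c.RawSubjectPublicKeyInfo) == f.Pin {
				return nil
			}
		}
	}
	return errors.New("certificate pin mismatch")
}

// VulnerableVerify checks the chain and the pin but never the hostname, so any
// certificate the pinned CA has issued, for any domain, is accepted.
func VulnerableVerify(f *Fixtures, leaf *x509.Certificate) error {
	return verifyPinned(f, leaf, x509.VerifyOptions{}) // DNSName left empty
}

// HardenedVerify applies the same pin and also requires the leaf to be valid for
// the host the app intended to reach.
func HardenedVerify(f *Fixtures, leaf *x509.Certificate, host string) error {
	return verifyPinned(f, leaf, x509.VerifyOptions{DNSName: host})
}

func main() {
	f := BuildFixtures()
	fmt.Println("vulnerable, attacker cert:", VulnerableVerify(f, f.AttackerLeaf))
	fmt.Println("hardened, attacker cert:  ", HardenedVerify(f, f.AttackerLeaf, "bank.example"))
	fmt.Println("hardened, bank cert:      ", HardenedVerify(f, f.BankLeaf, "bank.example"))
}
```

The point of the comparison is that a pin alone only proves the certificate descends from the expected CA; an attacker who can get any certificate from that CA (for a domain they genuinely own) passes the vulnerable check, and on a shared network can then sit between the app and the bank. Binding the check to the intended hostname closes that gap, and a certificate from a CA that is not pinned at all fails both verifiers, which is what pinning is meant to add on top of ordinary chain validation.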
The researchers told the banks affected, and worked with the Government's National Cyber Security Centre (NCSC) to fix the vulnerabilities. In total, the apps of nine banks contained flaws (see box below). All have since been updated to remove the flaw, except the Bank of America Health app, which has not been available since June 2017.
A spokesperson for HSBC thanked the University of Birmingham “for the opportunity to work together”, adding “we have already taken steps to address this”.
Dr Tom Chothia, who led the research, said it was impossible to know whether hackers exploited the flaw. He added: “In general the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed”.