Computer Active (UK)


of some of the UK's leading banks, including Natwest, HSBC and RBS, have been using phone and tablet apps that hackers could have infiltrated to steal log-in details.

Researchers at Birmingham University's School of Computer Science ran a tool to test the security of 400 Android and iOS apps, including many from banks that customers use to check their account and transfer money.

They found that several banking apps contained a critical flaw that would let an attacker connected to the same network perform a man-in-the-middle (MITM) attack, intercepting what's being sent from the user to the bank. Around 10 million users are thought to have been at risk.

The flaw was identified in the use of certificate pinning, a technique that gives apps and websites a guarantee they are using a safe connection. Hackers can use fake certificates to impersonate genuine sites and apps.

The researchers told the banks affected, and worked with the Government's National Cyber Security Centre to fix the vulnerabilities. In total, the apps of nine banks contained flaws (see box below). They have all been updated to eradicate the flaw except the Bank of America Health app, which hasn't been available since June 2017.

A spokesperson for HSBC thanked the University of Birmingham "for the opportunity to work together", adding "we have already taken steps to address this".

Dr Tom Chothia, who led the research, said it was impossible to know whether hackers exploited the flaw. He added: "In general the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed".
