Scientists discover a flaw in banking apps

If you bank with HSBC, NatWest, Co-op or Bank of America Health, you may have been at risk of a security flaw, according to a new study.

Researchers have tested a new tool on a sample of 400 apps, and found that several banking apps had a critical vulnerability that could have allowed hackers to access your username and password. 

Thankfully, the banks have been informed of the flaw, which has now been removed.


THE FLAW 

The researchers found a critical vulnerability in banking apps that allowed an attacker, who is connected to the same network as the victim, to perform a 'Man in the Middle Attack.'

This form of attack allows the hacker to retrieve the user's credentials such as username and password or pin code.

A technology called 'certificate pinning', which normally improves security in apps, had meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim's online banking.

Dr Flavio Garcia, co-author of the study, said: 'Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper host name verification.'

Apps from some of the world's largest banks were found to contain this flaw, which, if exploited, could have allowed an attacker to decrypt, view and modify network traffic from users of the app.

This means that an attacker could have performed any operation which is normally possible on the app.
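The flaw described above, as an added example (not the researchers' tool and not code from any bank's app): a pure-Python model of the two independent checks a TLS client has to make, run against constructed toy certificates. Everything here is invented for illustration, there is no network and no real X.509 parsing, and the hostname matching is a simplified version of the RFC 6125 rules.

```python
"""Why certificate pinning without hostname verification still allows a MITM.

Added example (not the researchers' tool and not code from any bank's app):
a pure-Python model of the two independent checks a TLS client must make,
run over constructed toy certificates. No network, no real X.509 parsing;
all names, keys and pins are invented.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject_cn: str
    sans: tuple          # dNSName entries from subjectAltName
    spki: bytes          # SubjectPublicKeyInfo of this certificate (toy bytes)
    issuer_spki: bytes   # SubjectPublicKeyInfo of the CA that signed it


def spki_pin(spki: bytes) -> str:
    """Public-key pin in the usual sha256(SPKI) form (hex here for readability)."""
    return hashlib.sha256(spki).hexdigest()


def pin_ok(cert: Cert, pins: set) -> bool:
    """Pinning check: pass if the leaf's SPKI or its issuer's SPKI is pinned.
    Pinning the issuing CA rather than the leaf is common because it survives
    certificate rotation, but it also means *any* cert from that CA passes."""
    return spki_pin(cert.spki) in pins or spki_pin(cert.issuer_spki) in pins


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: case-insensitive; a wildcard is allowed
    only as the entire left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_ok(cert: Cert, hostname: str) -> bool:
    """Hostname verification: the name the app dialled must be in the SANs
    (falling back to the CN only when the cert carries no SANs)."""
    names = cert.sans if cert.sans else (cert.subject_cn,)
    return any(hostname_matches(n, hostname) for n in names)


def verify_vulnerable(cert: Cert, hostname: str, pins: set) -> bool:
    """The flawed client: pinning only, hostname never checked."""
    return pin_ok(cert, pins)


def verify_hardened(cert: Cert, hostname: str, pins: set) -> bool:
    """The corrected client: pinning AND hostname verification, both required."""
    return pin_ok(cert, pins) and hostname_ok(cert, hostname)


# --- constructed scenario (all values invented) -----------------------------
BANK_HOST = "api.examplebank.test"
PUBLIC_CA = b"toy-spki-of-the-public-CA"      # CA the bank's certificate chains to
PROXY_CA = b"toy-spki-of-a-pentest-proxy-CA"  # CA of an interception proxy
PINS = {spki_pin(PUBLIC_CA)}                  # the app pins the issuing CA

# The bank's real certificate.
bank_cert = Cert(BANK_HOST, (BANK_HOST,), b"bank-leaf-key", PUBLIC_CA)
# An attacker's certificate for a domain they own, bought from the same CA.
mitm_cert = Cert("evil.example.test", ("evil.example.test",), b"attacker-leaf-key", PUBLIC_CA)
# A pentester's proxy certificate: right name, but signed by the proxy's own CA.
proxy_cert = Cert(BANK_HOST, (BANK_HOST,), b"proxy-leaf-key", PROXY_CA)


def run_scenarios() -> dict:
    """Outcome of each client against each certificate when dialling BANK_HOST."""
    return {
        "bank/vulnerable": verify_vulnerable(bank_cert, BANK_HOST, PINS),
        "bank/hardened": verify_hardened(bank_cert, BANK_HOST, PINS),
        "mitm/vulnerable": verify_vulnerable(mitm_cert, BANK_HOST, PINS),
        "mitm/hardened": verify_hardened(mitm_cert, BANK_HOST, PINS),
        "proxy/vulnerable": verify_vulnerable(proxy_cert, BANK_HOST, PINS),
        "proxy/hardened": verify_hardened(proxy_cert, BANK_HOST, PINS),
    }


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:18s} {'ACCEPTED' if accepted else 'rejected'}")
```

The "mitm/vulnerable" row is the flaw: a certificate from the pinned CA issued for a completely different hostname is accepted, so whoever holds it can sit on the victim's network and decrypt, view and modify the traffic. The "proxy" rows are why a standard test misses it: an interception proxy's own CA fails the pin, the app rejects the connection, and the tester concludes the app is secure without ever exercising the hostname check. In real client code the equivalent switch is the hostname-verification option of the TLS library (for instance `SSLContext.check_hostname = True` in Python's `ssl` module); pinning is a second, additional check, never a replacement for it.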

Researchers from the University of Birmingham developed a tool to perform semi-automated security testing of mobile phone apps.


Dr Tom Chothia, co-author of the study, said: 'In general the security of the apps we examined was very good; the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed.

'It's impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.'


WHICH APPS WERE AFFECTED? 

Apps in which at least one flaw was found were:

- NatWest

- HSBC

- RBS

- Co-op

- Smile Bank

- Santander

- First Trust Bank

- Allied Irish Bank

- Bank of America Health 


The tool also revealed other attacks, including an 'in-app phishing attack' against Santander and Allied Irish Bank.

These attacks would have let a hacker take over part of the screen while the app was running and phish the victim's login credentials.

The researchers worked with the banks involved, as well as the UK government's National Cyber Security Centre to fix the vulnerabilities.

Current versions of all the apps are now secure.

To make sure your online banking is secure, the researchers recommend that you should always ensure that you're using the most recent version of the app.