Security bug that let hackers steal banking passwords put 10 million app users at risk

A critical security bug was discovered in major banking apps used by HSBC, NatWest and Co-op which could let hackers steal usernames and passwords, new research has revealed.

Researchers from the University of Birmingham said this week (6 December) that they had worked alongside the UK's National Cyber Security Centre (NCSC) – a fork of intelligence agency GCHQ – to fix the vulnerabilities and ensure patches were pushed to users.

The team found the bugs after developing a tool called "Spinner", which was able to perform "semi-automated security testing" of mobile apps. It was used to analyse cybersecurity against a sample of 400 services.

Spinner found that nine apps had a major flaw, including those operated by two of the largest banks in the world, Bank of America and HSBC. TunnelBear, one of the most popular VPN apps, was also vulnerable.

These apps, which are now fixed, had a joint user base of "tens of millions of users," the research said.

Both iPhone and Android software were tested.

The vulnerability, if exploited, could have let hackers connect to the same network as the victim – such as a public Wi-Fi network in a workplace or coffee shop - to perform a so-called Man in the Middle (MitM) attack and retrieve usernames, passwords or pin codes.

The issue was with a technology known as "certificate pinning" which meant standard tests failed to detect a serious vulnerability that could let attackers take control of a victim's online banking.

The team said the flaw could let hackers decrypt, view and modify network traffic from users of the app. An attacker with this capability could perform any operation possible on the app.

Experts found "in-app phishing attacks" in apps offered by Santander and the Allied Irish bank.

These would have let an attacker "take over part of the screen while the app is running and use this to phish for the victim's login credentials".

A Bank of America statement sent to IBTimes UK via email read: "The vulnerability identified was resolved in Bank of America's Health app nearly two years ago in January 2016. The app is no longer available as of June 2017. At no time was customer information impacted."

BankBot

This technique is commonly used in Android-based hacks and is known as an overlay attack. Trojans frequently slip past Google on to the official app store - one the most notorious is known as BankBot.

The banks were involved in the patching process and all users of online banking are urged to ensure the most recent updates have been installed. Anyone who fails to do so will be at risk.

"In general the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed," said Dr Tom Chothia, a University of Birmingham researcher at its Security and Privacy Group.

"It's impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network," he added.

A second researcher on the team, Dr Flavio Garcia, added: "Certificate pinning is a good technique to improve the security of a connection but in this case it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."

The findings were published in the journal ACSAC 2017 and presented at a meeting during the 33rd Annual Computer Security Applications Conference.

This article was updated to add additional clarification from Bank of America, saying its impacted app - Bank of America Health - was no longer available and no user data was lost.