Are you at risk? This security flaw in banking apps left millions vulnerable to hacking attack

Mobile banking customers are being advised to update their apps after experts discovered a security flaw that left millions vulnerable to hackers.

Researchers found that several apps, including those from HSBC, The Co-operative and NatWest banks, had a specific weakness that could be exploited by criminals to gain access to users’ details such as username, password and PIN code.

The vulnerability, believed to have put 10 million users around the world at risk, has been fixed but the experts say it is not clear whether the flaw was exploited by attackers.

They recommend using the most recent version of the banking apps and installing updates as soon as they are offered.

Researchers detected vulnerabilities in several banking apps, including HSBC and Santander (PA)

The team from the University of Birmingham detected the weakness using a tool they developed to test 400 apps considered to be high-security.

Dr Tom Chothia, a senior lecturer in Cyber Security at the University of Birmingham, said: “In general the security of the apps we examined was very good; the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed.

“It’s impossible to tell if these vulnerabilities were exploited but, if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”

They found that a hacker connected to the same network as the app user, such as a public Wi-Fi or corporate network, could perform what they call a “man-in-the-middle attack” to trick the software into revealing personal details.

The apps with the security flaw had one particular technology – known as certificate pinning – in common. Certificate pinning is normally used to improve security in apps, but the way it was implemented in these apps introduced weaknesses that standard security checks do not detect.

The researchers recommend using the most recent version of the banking app (Lauren Hurley/PA)

The team also uncovered the risk of other potential threats including “in-app phishing attacks” against Santander UK and Allied Irish (GB).

Such an attack would have let a hacker take over part of the screen while the app was running and use it to fraudulently ask the victim for confidential information, in the same way that phishing emails or messages pose as coming from a legitimate organisation.

The team worked with the banks involved as well as the UK Government’s National Cyber Security Centre to fix the vulnerabilities.

The findings were presented at the 33rd Annual Computer Security Applications Conference in Orlando.
