Mobile banking customers are being advised to update their apps after experts discovered a security flaw that left millions vulnerable to hackers.
Researchers found that several apps, including those from HSBC, The Co-operative and NatWest banks, had a specific weakness that criminals could exploit to gain access to users’ details such as username, password and PIN.
The vulnerability, believed to have put 10 million users around the world at risk, has been fixed but the experts say it is not clear whether the flaw was exploited by attackers.
They recommend using the most recent version of the banking apps and installing updates as soon as they are offered.
The team from the University of Birmingham detected the weakness using a tool they developed to test 400 apps considered to be high-security.
Dr Tom Chothia, a senior lecturer in Cyber Security at the University of Birmingham, said: “In general the security of the apps we examined was very good; the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed.
“It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
They found that an attacker connected to the same network as the app user, such as a Wi-Fi or corporate network, could perform what they call a “man-in-the-middle attack” to trick the software into revealing personal details.
The apps with the security flaw had one particular technology – known as certificate pinning – in common. Certificate pinning is normally used to improve security in apps but contains vulnerabilities that remain undetected in standard checks.
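The following is an added illustration, not code from the researchers’ tool or any bank’s app: it shows the general pitfall of a pinning check that accepts any certificate chain containing the pinned key without also confirming that the leaf certificate was issued for the host the app is talking to. The certificate model, key bytes and host names are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for an X.509 certificate: only the fields the checks need.
@dataclass
class Cert:
    subject: str                  # common name
    spki: bytes                   # DER SubjectPublicKeyInfo (constructed bytes here)
    sans: list = field(default_factory=list)  # dNSName entries

def spki_pin(cert: Cert) -> str:
    """SHA-256 of the SubjectPublicKeyInfo, the usual form a pin takes."""
    return hashlib.sha256(cert.spki).hexdigest()

def pin_only_check(chain, pins) -> bool:
    """Weak: passes if any cert in the chain carries a pinned key, whoever the leaf names."""
    return any(spki_pin(c) in pins for c in chain)

def hostname_matches(cert: Cert, hostname: str) -> bool:
    """Leaf must name the host we dialled; supports a single left-most wildcard label."""
    names = cert.sans or [cert.subject]
    host = hostname.lower()
    for n in names:
        n = n.lower()
        if n.startswith("*."):
            if host.count(".") == n.count(".") and host.endswith(n[1:]):
                return True
        elif n == host:
            return True
    return False

def pinned_and_hostname_check(chain, hostname, pins) -> bool:
    """Hardened: pinned key present in the chain AND leaf issued for this host."""
    return pin_only_check(chain, pins) and hostname_matches(chain[0], hostname)

# Constructed sample data: an issuing CA the app pins, the bank's genuine leaf, and a
# leaf for an unrelated site that the same CA also legitimately issued.
CA = Cert("Example Issuing CA", b"ca-public-key-bytes")
BANK_LEAF = Cert("mobile.bank.example", b"bank-key-bytes", ["mobile.bank.example"])
OTHER_LEAF = Cert("shop.example", b"shop-key-bytes", ["shop.example"])
PINS = {spki_pin(CA)}

def demo():
    # A chain for the wrong host: the weak check accepts it, the hardened check rejects it.
    weak = pin_only_check([OTHER_LEAF, CA], PINS)
    strong = pinned_and_hostname_check([OTHER_LEAF, CA], "mobile.bank.example", PINS)
    genuine = pinned_and_hostname_check([BANK_LEAF, CA], "mobile.bank.example", PINS)
    return weak, strong, genuine
```

A static scanner that only confirms a pin is configured will not distinguish the two checks, which is why this class of weakness can pass standard review and still be exercisable by anyone sharing the user’s network.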
The team also uncovered the risk of other potential threats including “in-app phishing attacks” against Santander UK and Allied Irish (GB).
Such an in-app phishing attack would have let an attacker take over part of the screen while the app was running and use it to fraudulently ask the victim for their confidential information, in the same way phishing emails or messages pose as a legitimate organisation.
The team worked with the banks involved as well as the UK Government’s National Cyber Security Centre to fix the vulnerabilities.
The findings were presented at the 33rd Annual Computer Security Applications Conference in Orlando.