Gone are the days of queuing up at the bank all day to get things done, because we have apps to do most of that stuff for us. When it comes to the bank, security is everything - regardless of whether we're talking about a vault or the electronic systems. The bad news is that no electronic system is 100 per cent secure, but the good news is that researchers have a semi-autonomous tool that can help identify them.
Researchers from the University of Birmingham developed the tool, which went onto discover flaws in the Natwest, HSBC, Co-op, and Bank of America Health apps. Which is fantastic news, because I bank with one of those companies.
The flaws allowed would-be hackers to perform what's called a 'man-in-the-middle attack', connecting to the same Wi-Fi network as the victim to intercept the communication between the customer's phone and the bank. Researchers noted that this could let attackers decrypt, view, and modify user network traffic - essentially letting them perform actions people would need to be logged into the app for. While banks themselves have done a lot to ensure their apps are secure, technology called certificate pinning was the root cause of the vulnerability.
Researchers also found other flaws, including phishing attacks in the Santander and Allied Irish Banks, which would let hackers take over part of the login screen to pinch login credentials. Luckily the researchers have been working with the banks in question and the National Cyber Security Centre to fix these flaws, which means the current versions of the apps are nice and secure.
Dr Tom Chothia from the University of Birmingham said:
“In general the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed. It’s impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network”.
It's good to know that the fancy tool was needed to find the holes in the first place, which I hope means hackers couldn't get round to exploiting them (Update: Bank of America has confirmed no customer information was compromised by these security holes). In any case the fact that the tool can find difficult-to-spot flaws like this is a good thing. Just remember that no security is perfect, and since being on a shared Wi-Fi network is part of the problem always make sure you're protected. So make sure your home network is secure, or just do all your banking on 4G. [TechRadar]