A critical flaw has been uncovered in several leading mobile banking applications, posing significant risks to the financial credentials of millions of users. This vulnerability, identified by researchers from the University of Birmingham’s Security and Privacy Group, affects numerous banking apps on both iOS and Android platforms, and leaves users susceptible to man-in-the-middle (MITM) attacks.
Banks impacted by this security breach include major institutions such as HSBC, NatWest, Co-op, Santander, and Allied Irish Bank. Following the researchers’ alert, affected app developers have since issued updates to address this serious flaw. The findings were detailed in a research paper published by the team, revealing that the security issue allows attackers on the same network as the victim to intercept SSL connections and retrieve sensitive information, including usernames and passwords, despite the presence of SSL pinning.
SSL pinning is intended to shield apps from MITM attacks by establishing a trusted relationship between specified hosts and devices. When correctly implemented, it combats network-based attacks where malicious actors exploit valid certificates from compromised certification authorities. However, the researchers pointed out that some banking applications failed to properly verify hostnames, a critical step in establishing secure connections.
Hostname verification assures that the URL the banking app connects to matches the hostname presented in the server’s digital certificate. The researchers noted that many apps neglected this security check, making them further vulnerable to potential exploitation. Their study emphasizes ongoing misconfigurations in Transport Layer Security (TLS) measures, with existing frameworks incapable of detecting when a client pins certificates but fails to check hostname authenticity.
Additionally, the research illuminated another concern: in-app phishing attacks that could compromise Santander and Allied Irish Bank users by hijacking sections of the app’s display. Such vectors could be used to trick users into providing login credentials while the app was operational.
To assess these vulnerabilities systematically across various banking apps, the researchers developed an automated tool named Spinner, which leverages the Censys IoT search engine to identify certificate chains for alternative hosts that differ only in the terminal certificate. By directing traffic from the tested app to a website with a matched CA-signed certificate but a different hostname, the tool determines whether the application correctly identifies the host.
The trio of researchers—Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia—collaborated with the National Cyber Security Centre (NCSC) to notify the affected financial institutions, prompting them to rectify these vulnerabilities before the public disclosure of their research.
In summary, the implications of this security flaw are vast, not only highlighting a failure in SSL implementation among trusted banking applications but also raising questions about ongoing cybersecurity practices in the financial sector. As financial institutions continue to adapt to evolving threats, this incident serves as a critical reminder of the systemic vulnerabilities that can compromise user security and trust.
The attack can be analyzed through the MITRE ATT&CK framework, where techniques such as Initial Access may have been utilized, alongside Authentication Bypass to manipulate SSL connections. This incident underscores the importance of robust security measures to ensure the integrity and confidentiality of user information within increasingly digital banking environments.