Security vulnerability discovered in banking apps, leaving millions at risk


The flaw was discovered by security researchers at the University of Birmingham, who tested hundreds of banking applications and found that many of them shared a security flaw that left their users open to man-in-the-middle attacks.

Apps from major financial organizations, including NatWest, Bank of America Health and HSBC, all shared the same vulnerability.

The flaw allows an attacker on the same network as the victim (a shared public Wi-Fi network, for example) to mount a man-in-the-middle attack and capture credentials such as the username and PIN code.

The underlying problem was not certificate pinning itself but missing hostname verification. The apps checked that the server's certificate chained up to the pinned certificate authority, but never checked that the certificate had been issued for the bank's hostname. Any certificate issued by that same CA, for any domain at all, therefore passed the check. Pinning actually made the bug harder to find: a penetration tester's usual interception proxy presents a certificate from its own CA, which pinning rejects outright, so the tester never reaches the broken hostname check behind it. According to the researchers:

‘Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper host name verification.’

Many apps from some of the biggest banks were found to contain this issue, which lets an attacker decrypt, view and modify the traffic between the app and the bank.
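To make the mechanism concrete, here is an added example in Go; it is not code from the original article or from any of the banks' apps. It builds a throwaway CA and two leaf certificates entirely in memory (constructed test data, no network): one for the bank's host and one the attacker obtained from the same CA for a domain they control. `VerifyPinOnly` models the flawed check (the chain must end at the pinned CA, but the hostname is ignored) and `VerifyPinAndHost` the corrected one. The names bank.example and attacker.example, the function names and the assumption that the app pins the issuing CA rather than the bank's own leaf certificate are all illustrative assumptions, not details taken from the research.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates: a pinned CA, the bank's real
// leaf certificate, and a second leaf the attacker obtained from the same CA
// for a domain the attacker controls (assumed scenario, built in memory).
type Scenario struct {
	PinnedCA     *x509.Certificate
	BankLeaf     *x509.Certificate
	AttackerLeaf *x509.Certificate
}

// newTemplate builds a minimal certificate template. Leaf certificates get
// a single DNS name, which is the only host they are valid for.
func newTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildScenario constructs the CA and both leaves; nothing is fetched.
func BuildScenario() Scenario {
	ca, caKey := issue(newTemplate("Example Root CA", 1, true), nil, nil)
	bank, _ := issue(newTemplate("bank.example", 2, false), ca, caKey)
	attacker, _ := issue(newTemplate("attacker.example", 3, false), ca, caKey)
	return Scenario{PinnedCA: ca, BankLeaf: bank, AttackerLeaf: attacker}
}

// VerifyPinOnly is the flawed check: the chain must end at the pinned CA,
// but no DNSName is supplied, so Go never compares the certificate's names
// against the host the app meant to talk to.
func VerifyPinOnly(leaf, pinnedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// VerifyPinAndHost is the corrected check: the same pinned root, plus the
// hostname the app intended to reach.
func VerifyPinAndHost(leaf, pinnedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	s := BuildScenario()
	const host = "bank.example"
	fmt.Println("pin only, bank cert:    ", VerifyPinOnly(s.BankLeaf, s.PinnedCA))
	fmt.Println("pin only, attacker cert:", VerifyPinOnly(s.AttackerLeaf, s.PinnedCA)) // nil: the MITM certificate is accepted
	fmt.Println("pin+host, bank cert:    ", VerifyPinAndHost(s.BankLeaf, s.PinnedCA, host))
	fmt.Println("pin+host, attacker cert:", VerifyPinAndHost(s.AttackerLeaf, s.PinnedCA, host)) // hostname mismatch
}
```

With `go run`, the flawed check returns nil for the attacker's certificate while the corrected one fails with a hostname error. In a real client the equivalent mistake is disabling the TLS library's built-in verification and reimplementing only the pin comparison in a custom callback; whatever custom verification is added on top, the hostname comparison has to stay.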

The researchers worked with all of the affected banks and the UK National Cyber Security Centre to get the flaw fixed, and the affected apps have since been updated.

Eslam Medhat

is a professional pen-tester with over 9 years of IT experience bringing a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He reported various vulnerabilities for high profile companies and vendors and was successfully acknowledged by them.
