Posted on December 8, 2017 at 9:29 PM
Banking Login Credential Stealing Bug Exposes Over 10 Million Users to Risk
A newly discovered security flaw in several banking apps could expose the login credentials of over 10 million users to theft by hackers.
A new research report confirmed that several banking apps from institutions such as Co-Op, HSBC, and NatWest carried a critical security flaw which could allow the login credentials of over 10 million users to be stolen.
The flaw was discovered by a team of researchers from the University of Birmingham. Earlier this week, this team confirmed their findings after collaborating with the UK-based agency, the National Cyber Security Centre (NCSC). Since its discovery, the two teams have been working to create a patch that could be made available to affected users.
The bug was discovered by a tool called “Spinner” which was created by the two teams for the purpose of this research endeavor. According to the researchers, Spinner functions as an automated tool used for detecting possible security threats and flaws in mobile-based applications. This tool was used to analyze the security status and possible flaws of over 400 different apps.
The tool identified nine different apps which carried critical security flaws. Two of the nine identified apps were from two of the largest banks in the United States: Bank of America and HSBC. Surprisingly, one of the most popular VPN services, TunnelBear, was also found to be carrying security vulnerabilities.
Since the security vulnerabilities were discovered, most app developers have made patches available to address the flaws. However, according to researchers, the nine apps had a total user base of over 10 million users.
The research team analyzed both Apple and Android-based apps.
Once the discovered vulnerabilities are exploited, hackers could target victims by connecting to the same network, something which is easy to orchestrate, especially on public Wi-Fi hotspots. After connecting, the hacker could conduct a man-in-the-middle (MitM) attack to steal the victim’s usernames, passwords, and PIN codes.
According to the researchers, most of the security flaws were caused by a specific piece of technology, known as “certificate pinning”. Essentially, this meant that the app’s standard security checks were unable to detect an attacker seeking to steal the user’s login credentials.
In addition, the security vulnerabilities would allow hackers to decrypt, view and manipulate the user’s network traffic passing through the app. This, in turn, would give hackers extensive control over most operations performed in the app.
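The defect class the Spinner researchers reported is an app that pins to its certificate authority but never checks that the leaf certificate was actually issued for the bank's hostname, so any certificate from the same CA passes. The following is an added illustration, not code from the article or the research team; the certificate structure, pin format, and host names are constructed stand-ins, and signature and chain validation are assumed to have already happened.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a parsed X.509 leaf certificate: only the fields
# this check needs. Signature/chain validation is assumed to be done elsewhere.
@dataclass
class Cert:
    issuer_spki: bytes                              # issuing CA's SubjectPublicKeyInfo (DER)
    dns_names: list = field(default_factory=list)   # subjectAltName dNSName entries

def spki_pin(spki: bytes) -> str:
    """SHA-256 over the issuer's SubjectPublicKeyInfo, the usual pin format."""
    return hashlib.sha256(spki).hexdigest()

def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, a wildcard may only be the
    whole leftmost label, and it never matches more than one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def pinning_only(cert: Cert, pinned: str, host: str) -> bool:
    """The flawed pattern: accept anything the pinned CA ever issued."""
    return spki_pin(cert.issuer_spki) == pinned

def pinning_with_hostname(cert: Cert, pinned: str, host: str) -> bool:
    """Correct pattern: pin check AND the leaf must name the host we dialed."""
    return (spki_pin(cert.issuer_spki) == pinned
            and any(hostname_matches(n, host) for n in cert.dns_names))

# Constructed sample data: no real keys, CAs or banks.
CA_SPKI = b"constructed-public-key-of-a-shared-commercial-CA"
PIN = spki_pin(CA_SPKI)
BANK_HOST = "mobile.examplebank.test"
GENUINE = Cert(CA_SPKI, ["mobile.examplebank.test"])
# Any other customer of the same CA holds a certificate that passes the pin alone.
OTHER_CUSTOMER = Cert(CA_SPKI, ["www.unrelated-site.test"])

def demo() -> dict:
    """Returns the verdict of each checker for each certificate."""
    return {
        "pin_only_genuine": pinning_only(GENUINE, PIN, BANK_HOST),
        "pin_only_other": pinning_only(OTHER_CUSTOMER, PIN, BANK_HOST),  # True: the flaw
        "full_genuine": pinning_with_hostname(GENUINE, PIN, BANK_HOST),
        "full_other": pinning_with_hostname(OTHER_CUSTOMER, PIN, BANK_HOST),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second result is the point: with pinning alone, a certificate the same CA issued to an unrelated site is accepted for the bank's host, which is exactly what a pinning-aware test tool has to look for.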
According to experts, apps from Santander and Allied Irish Bank also fell victim to in-app phishing attacks.
These phishing attacks would essentially enable the hacker to hijack a user’s screen while the app is in use, and then conduct a phishing attack to steal their login credentials.
Bank of America has responded to the security threats by stating that the discovered security flaw was identified in their Health app almost two years ago, in January 2016. The flaw has since been addressed, and no user information has been compromised at this time.
The above technique is well known amongst hackers and is frequently used in Android attacks. The attack, known as an overlay attack, refers to malicious Trojans bypassing Google’s threat detection software, which lets malicious apps become available on the Google Play Store. One of the most notorious Trojans to date is the damaging BankBot.
Since the discovery of the security flaws, the firms responsible for the affected apps have taken steps to rectify them by making security patches available. In addition, they have notified users to download the latest versions of the apps to ensure that no user is impacted by the security vulnerabilities.
According to one of the researchers, Dr. Tom Chothia, the majority of the analyzed apps demonstrated excellent security protocols. In addition, the flaws that were eventually detected were difficult to pick up on in the first place.
Dr. Chothia added that it’s impossible to confirm whether these vulnerabilities have been exploited; however, if they were, hackers likely did so by infiltrating a user’s app over a previously compromised public network.
Another researcher, Dr. Flavio Garcia, noted that, while certificate pinning is a good security protocol in general, it often makes it harder for security testers to detect possible threats and security flaws.
The teams’ findings were published in the ACSAC 2017 journal and have been presented at the 33rd Annual Computer Security Applications Conference.