Major Banking Apps Left Vulnerable to MiTM Attacks Over SSL
A team of security researchers have discovered a critical implementation flaw in major mobile banking applications that could leave banking credentials of millions of users vulnerable to hackers.
The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps—both iOS and Android—and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks.
The affected banking apps include HSBC, NatWest, Co-op, and Bank of America Health, Santander, and Allied Irish bank, which have now been updated after researchers reported them of the issue. Vulnerable applications could allow an attacker, connected to the same network as the victim, to intercept SSL connection and retrieve the user's banking credentials, like usernames and passwords/pincodes—even if the apps are using SSL pinning feature.
SSL pinning is a security feature that prevents man-in-the-middle (MITM) attacks by enabling an additional layer of trust between the listed hosts and devices.
When implemented, SSL pinning helps to neutralize network-based attacks wherein attackers could attempt to use valid certificates issued by rogue certification authorities. However, there are two key parts to verify an SSL connection—the first (authentication) is to verify whether the certificate is from a trusted source and the second (authorization) is to make sure the server you are connecting to presents the right certificate.
Researchers found that due to lack of hostname verification, several banking applications were not checking if they connected to a trusted source.