Research conducted at the University of Birmingham has pointed out a security flaw that potentially puts around 10 million users of banking apps at risk. While performing security testing on samples of 400 mobile phone apps used in banking, researchers found a vulnerability that allows hackers to perform Man-In-the-Middle (MiTM) attacks.
An attacker connected to the same network as the victim, such as a public or corporate wifi, was able to carry out a MiTM attack, allowing them to see users’ sensitive data, like usernames and passwords or PIN codes.
This discovery will certainly be cause for alarm for many banks whose customers rely on these apps for safe and secure banking on the go.
Banks have a number of responsibilities to ensure that their customers are secure when using the bank’s mobile app:
Regular updates and testing
The bank has to ensure that its app security stack is up to date and aligned with the latest industry standards, typically by ensuring that it complies with the guidelines provided by industry best practice frameworks such as OWASP; and regularly update and test its security stack against this. Another approach is to disallow older applications from connecting to their systems.
Security testing
Banks should always aim to use external penetration testing (White-hat hackers) to externally validate applications have the correct security posture. Internal development teams are often under a lot of pressure to deliver before adequate quality assurance has been done, and they do not always have the latest skills or knowledge of new hacker exploits. Not only should the mobile be secured but also the API that it uses.
Communications to customers about updates
Banks should regularly release app updates to users via the relevant app stores and use their websites and other channels to educate users on the importance of always using the latest version of the app.
Strategic partnerships to prioritise security
In addition, banks can partner with vendors whose core business it is to look at security trends and work with them to ensure that the business unit responsible for security remains up-to-date with trends and has access to the latest digital fraud mitigation technologies.
From a user’s perspective, the top ways to minimise vulnerabilities include:
* Always make sure to use the latest version of banking apps available.
* Always aim to update mobile phones to the latest versions of the mobile operating system.
* Avoid banking on public networks; this is usually a bad idea. If banking must be done in a public place, use the mobile data rather than public wifi network.
* Be aware that several usernames and passwords have probably already been stolen in one or more mass data breaches. Aside from changing login credentials, press service providers to offer decent two-factor authentication (strong authentication) and use it as a second line of defence.
Certificate pinning
The University of Birmingham researchers pointed out that in the current case, certificate pinning – technology that would normally improve security – allowed standard security tests to fail in detecting a serious flaw that could let attackers decrypt, view and modify network traffic and take control of a victim’s online or mobile banking.
Certificate pinning is a technique used to ensure the identity of the website you are talking to by comparing the digital certificate presented against a set list of trusted certificates. Most browsers indicate that users are connecting to a legitimate website by showing a lock icon. This identification is provided by third-party authorities using digital certificates.
While the approach is generally sound, there have been cases where attackers were able to issue fake certificates and thus set up counterfeit bank websites that still register as legitimate in the browser.
Certificate pinning addresses this problem by disallowing the acceptance of any certificate that isn’t specifically listed by the bank as theirs.
Apps using certificate pinning do not allow a connection to be made to the ‘bank’ if it isn’t validated by a set list of trusted certificates. One could, of course, go further and create a certificate on the mobile side too, meaning that the bank will not connect to the app if it cannot recognise the certificate it presents. Connection between the client and the server is now mutually validated, meaning that both parties know exactly who they are talking to.
If a connection is validated and legitimated in this way, and it has been ensured that the integrity of the app is sound, the attack described by the researchers would not be feasible.
Gerhard Oosthuizen is CIO at Entersekt