Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they were able to identify a serious flaw in many banking apps, including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology used – so-called certificate pinning – which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.
Dr Flavio Garcia, one of the researchers, explained: “Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” The security weak spot created a possible mechanism for an attacker – providing they are connected to the same network as the victim (eg, a Wi-Fi hotspot) – to perform a so-called “man in the middle attack” and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong ’un to do some in-app phishing in software offerings from Santander and Allied Irish Bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim’s login credentials.
All the fixings
The University of Birmingham researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.
“One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.
“For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices,” he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting into services from ageing or not fully patched devices.
“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. “All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.
“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules, which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”
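The defect Garcia describes is a client that treats a matching pin as sufficient and never asks whether the certificate was issued for the host it meant to reach. The Python below is an added illustration, not code from the Spinner paper or from any of the banks’ apps: it models the post-handshake decision a client makes, using constructed stand-in certificate bytes and SAN lists (so it runs offline), and shows the pinning-only check beside the pinned-and-verified check a tester would want to see. Names such as `api.bank.example` and the "issuing CA" blob are assumptions made up for the example.

```python
"""Certificate pinning with and without hostname verification.

Added example (not from the Birmingham paper or any bank's app): models the
check a TLS client performs after the handshake, using constructed stand-in
certificates rather than real DER so it runs offline.
"""
import base64
import hashlib
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCert:
    """Stand-in for one certificate in the server's chain (constructed data).

    der: certificate bytes, hashed for the pin exactly as a real client would.
    dns_names: DNS entries of subjectAltName (empty for a CA certificate).
    """
    der: bytes
    dns_names: tuple


def cert_pin(der: bytes) -> str:
    """Base64(SHA-256(DER)): the usual pin representation."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def hostname_matches(expected_host: str, dns_name: str) -> bool:
    """RFC 6125-style comparison of the requested host against one SAN entry.

    Case-insensitive; a leading '*' covers exactly one label and needs at
    least two fixed labels to its right, so '*.example' never matches.
    """
    want = expected_host.lower().rstrip(".").split(".")
    pat = dns_name.lower().rstrip(".").split(".")
    if len(want) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and want[1:] == pat[1:]
    return want == pat


def pin_found(chain, pins) -> bool:
    """True if any certificate in the presented chain matches a configured pin."""
    return any(cert_pin(c.der) in pins for c in chain)


def accept_pinning_only(chain, pins, expected_host) -> bool:
    """The flawed pattern: pinning replaces, rather than adds to, the hostname check.

    expected_host is deliberately ignored; that omission is the defect the text describes.
    """
    del expected_host
    return pin_found(chain, pins)


def accept_pinned_and_verified(chain, pins, expected_host) -> bool:
    """Hardened form: the pin must match AND the leaf must be issued for this host."""
    leaf = chain[0]
    return pin_found(chain, pins) and any(
        hostname_matches(expected_host, n) for n in leaf.dns_names
    )


def make_client_context() -> ssl.SSLContext:
    """Platform-level counterpart: never switch off check_hostname because you pin."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


# Constructed sample data: one pinned issuing CA and two leaves it signed.
BANK_HOST = "api.bank.example"
ISSUING_CA = PeerCert(b"constructed DER: issuing CA", ())
LEAF_FOR_BANK = PeerCert(b"constructed DER: leaf for bank.example",
                         ("bank.example", "*.bank.example"))
LEAF_FOR_OTHER = PeerCert(b"constructed DER: leaf for other.example",
                          ("other.example",))
PINS = {cert_pin(ISSUING_CA.der)}  # pinning the CA rather than the leaf, as many apps do

GENUINE_CHAIN = (LEAF_FOR_BANK, ISSUING_CA)
MISMATCHED_CHAIN = (LEAF_FOR_OTHER, ISSUING_CA)  # same CA, certificate for a different name


if __name__ == "__main__":
    for label, chain in (("genuine", GENUINE_CHAIN), ("mismatched", MISMATCHED_CHAIN)):
        print(f"{label}: pinning only -> {accept_pinning_only(chain, PINS, BANK_HOST)}, "
              f"pinned+verified -> {accept_pinned_and_verified(chain, PINS, BANK_HOST)}")
```

The mismatched chain is the case a pinning-only client gets wrong: it chains to the pinned CA, so the pin check passes, while the hostname check is the only thing that notices the leaf was never issued for the bank’s name. A test for an app should therefore present a validly signed certificate for some other name, not just a self-signed one, which is the blind spot the text says standard tests missed.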
Some initial results were given in the paper “A Security Analysis of TLS in Leading UK Banking Apps”, presented at the Conference on Financial Cryptography and Data Security in January.
The full results were given in the paper “Spinner: Semi-Automatic Detection of Pinning without Hostname Verification”, which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida in the US.
- Barclays’ security chief Troels Oerting takes leave of absence.
- Oerting involved in internal investigation over efforts to identify anonymous Barclays whistleblower.
- Leave of absence said to be unconnected with whistleblowing incident.
LONDON – Barclays’ security chief Troels Oerting took a leave of absence from the bank on Tuesday, according to two people familiar with the situation. Oerting joined the bank in 2015 from Europol, Europe’s law enforcement agency focusing on serious international crime and terrorism. As chief security officer and head of information security at Barclays, he is responsible for protecting the bank against everything from cyber threats to information leaks. A spokesman for Barclays declined to comment.
Oerting’s name turned up in an internal investigation over a whistleblowing case at Barclays. CEO Jes Staley asked Oerting to identify the writer of an anonymous letter sent to the board about a senior executive hired by Staley. Barclays said that Oerting’s group “received assistance” from US law enforcement officials in the attempt to find the whistleblower.[1]
His leave of absence is unconnected with the whistleblowing incident, one of the people said.
Both Jes Staley and Barclays have been the subject of investigations by the UK’s Financial Conduct Authority and Prudential Regulation Authority over the affair. After hearing about the incident earlier this year, the board appointed a law firm, Simmons & Simmons, to investigate. Staley said in a statement at the time: “I have apologised to the Barclays Board, and accepted its conclusion that my personal actions in this matter were errors on my part. I will also accept whatever sanction it deems appropriate.” The board issued a “formal written reprimand” to Staley and made “a very significant compensation adjustment” to his bonus. Oerting was due to appear on Thursday in a panel discussion at a Barclays conference along with Royce Curtin, Barclays head of intelligence and former deputy assistant director at the FBI, and Christopher Greany, Barclays head of investigations and insider threat.
It is unclear if he will still attend.
[1] “received assistance from US law enforcement officials in the attempt to find the whistleblower” (uk.businessinsider.com)
DUBAI (Reuters) – Three Saudi men on a list of 23 people wanted by the authorities over security offences have turned themselves in, the interior ministry said on Monday.
The report, carried by state news agency SPA, came as Saudi security forces pushed ahead with an operation in the eastern part of the kingdom to try to flush out armed men, including those on the list announced in January 2012. The area is home to many of the country’s minority Shi’ite Muslims.
The interior ministry identified the three as Mohammed Isa al-Lubbad, Ramzi Mohammed Jamal and Ali Hassan al-Zayed, and said their “initiative (to surrender voluntarily) will be taken into consideration”.
Many of those on the list have been either killed or captured in recent years. The Saudi Gazette newspaper said that only three of those on the original list remained at large, while eight have surrendered.
The rest were killed during clashes with the security forces, it said.
Saudi security forces have been trying for more than two months to defeat gunmen behind attacks on police in Awamiya, a Shi’ite town of around 30,000 in the eastern region that has been the centre of protests against the Sunni government.
Fighting has intensified over the past two weeks, when elite forces entered the town. In May the authorities began a campaign to tear down the old quarter to prevent gunmen using the narrow streets to evade capture.
Residents estimate that up to 20,000 people have fled to towns and villages nearby. Up to 12 people have been killed in the past week: three policemen and nine civilians, residents say.
The area, in oil-producing Qatif province, has seen unrest and occasional armed attacks on security forces since 2011 “Arab Spring”-style protests.
Residents complain of unfair treatment by the government, something Riyadh denies.
Reporting by Sami Aboudi; Editing by Andrew Bolton