Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they identified a serious flaw in many banking apps, including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology used – so-called certificate pinning – which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking. The reason is that a pinned app rejects any certificate that does not chain to the pinned certificate, so a tester’s usual interception proxy, which presents its own certificate, is blocked; the app’s failure to check that the certificate it does accept actually names the bank’s host then goes unnoticed.
Dr Flavio Garcia, one of the researchers, explained: “Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” The security weak spot created a possible mechanism for an attacker – providing they are connected to the same network as the victim (eg, a Wi-Fi hotspot) – to perform a so-called “man in the middle attack” and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong ’un to do some in-app phishing in software offerings from Santander and Allied Irish Bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim’s login credentials.
All the fixings
The University of Birmingham researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.
“One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.”
For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices, he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting into services from ageing or not fully patched devices.
“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. “All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.”
“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
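The following Go program is an added illustration of the flaw Spinner looks for; it is not code from the Birmingham paper, from any bank’s app, or from Arxan. It builds a throwaway PKI in memory (a constructed “Example Bank Issuing CA”, a server certificate for the made-up host bank.example, a certificate for attacker.example issued by that same CA, and a bank.example certificate from an unrelated “Rogue CA”) and then runs the verification an app would do when it pins the CA certificate. With the hostname check left out, the pin alone correctly rejects the rogue-CA certificate but happily accepts the attacker’s certificate, because it chains to the pinned CA; adding the expected hostname to the verification is what closes the hole. All certificate names and hosts are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates (all names made up for this example):
// the bank's CA (the pin target), the bank's real server cert, a cert for an attacker's
// own domain issued by the SAME CA, and a bank.example cert from an unrelated CA.
type Scenario struct {
	BankCA, BankLeaf, AttackerLeaf, RogueCALeaf *x509.Certificate
}

// issue signs template with parent/parentKey, or self-signs it when parent is nil.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // hostname verification compares against the SAN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildScenario generates the constructed PKI entirely in memory (no network, no files).
func BuildScenario() (*Scenario, error) {
	bankCA, bankCAKey, err := issue(caTemplate(1, "Example Bank Issuing CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	bankLeaf, _, err := issue(leafTemplate(2, "bank.example"), bankCA, bankCAKey)
	if err != nil {
		return nil, err
	}
	// The attacker legitimately buys a certificate for their OWN domain from the same CA.
	attackerLeaf, _, err := issue(leafTemplate(3, "attacker.example"), bankCA, bankCAKey)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueCAKey, err := issue(caTemplate(4, "Rogue CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCALeaf, _, err := issue(leafTemplate(5, "bank.example"), rogueCA, rogueCAKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{bankCA, bankLeaf, attackerLeaf, rogueCALeaf}, nil
}

// PinnedVerify models an app that pins the CA certificate. With checkHostname=false it
// reproduces the flaw Spinner detects: the chain is checked against the pin, but the name
// in the certificate is never compared with the host the app meant to reach.
func PinnedVerify(presented, pinnedCA *x509.Certificate, expectedHost string, checkHostname bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA) // only the pinned CA is trusted; the device trust store is ignored
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if checkHostname {
		opts.DNSName = expectedHost // Verify now also runs VerifyHostname against the SAN
	}
	_, err := presented.Verify(opts)
	return err
}

// IsHostnameMismatch reports whether err is specifically a hostname verification failure.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	const host = "bank.example"
	fmt.Println("real cert, pin only:       ", PinnedVerify(s.BankLeaf, s.BankCA, host, false))
	fmt.Println("rogue-CA cert, pin only:   ", PinnedVerify(s.RogueCALeaf, s.BankCA, host, false))
	fmt.Println("same-CA attacker, pin only:", PinnedVerify(s.AttackerLeaf, s.BankCA, host, false))
	fmt.Println("same-CA attacker, pin+host:", PinnedVerify(s.AttackerLeaf, s.BankCA, host, true))
}
```

The third line of output is the vulnerability: a certificate that was honestly issued for attacker.example passes a pin-only check, so anyone on the victim’s Wi-Fi who can redirect traffic can terminate the TLS session with it. The fourth line shows the same certificate rejected once the app insists that the name in the certificate matches the host it dialled. Note that the pin by itself still defeats the rogue CA (second line), which is exactly why a tester’s interception proxy gets blocked and the missing hostname check stays hidden.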
It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules, which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”
Some initial results were given in the paper A Security Analysis of TLS in Leading UK Banking Apps, presented at the Conference on Financial Cryptography and Data Security in January.
The full results were given in the paper Spinner: Semi-Automatic Detection of Pinning without Hostname Verification which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida in the US.
We are looking for an additional officer to join a team at a private estate in Berkshire. This is a full-time role, with accommodation available on site whilst on shift. Duties include CCTV surveillance, foot and vehicle patrol, emergency response and possibly driving.
Applicants would be subject to an enhanced DBS check, financial check and should be able to provide a 5 year checkable work history. You should have a valid SIA license, Full Driving License and must be available to start in early January. Interviews will be held week commencing 11th Dec.
Preference will be given to those able to commute to site. Rate is 130 for a 12 hour shift, rotation is 7 on/ 4 off/ 7 on/5 off/7 on. Package includes 28 days holiday per year and on site gym membership.
For an application form please e-mail email@example.com
Read the original post: RST – Berkshire
Nadine Dorries’ password sharing among her staff is in violation of Parliament’s cyber security policy. The Conservative MP revealed she shares her Parliamentary digital log-ins with around four members of staff [1] in order to handle the high volume of virtual correspondence she receives every day.
“In common with other organisations, Parliament has a cyber security policy that applies to all users of its digital services, including Members, their staff and parliamentary staff,” a Parliamentary spokesperson told i. “In line with good practice, this policy includes a requirement not to share passwords.”
Cyber security: not a Parliamentary concern, it would seem | Photo: PA
Ms Dorries made the comments on Twitter as she defended Damian Green, who is currently facing calls to step down as the investigation into whether he viewed pornography on his work laptop [2] intensifies.
“My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes,” she said. “For the officer on BBC News just now to claim that the computer on Green’s desk was accessed, and therefore it was Green is utterly preposterous!” In response to an online backlash berating her for poor security practices, Ms Dorries attempted to downplay her importance in Westminster, adding: “You don’t have a team of four to six staff answering the 300 emails you receive every day.”
“Flattered by number of people on here who think I’m part of the Government and have access to government docs.”
“I’m a back bench MP, two Westminster-based computers in a shared office,” she later added.
“On my computer, there is a shared email account. That’s it. Nothing else. Sorry to disappoint! All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, what is the password?”
Amber Rudd: not a fan of encryption (Photo: Getty)
Fellow Tory MP Nick Boles weighed in to offer his support, adding: “I often forget my password and have to ask my staff what it is,” while James Clayton, a producer for the BBC’s Newsnight, claimed it is extremely common for MPs to share their parliamentary login details with their staff. The House of Commons was hit by a sustained cyber attack in June [3], targeting MP accounts with weak passwords and blocking their owners from accessing them.
A handbook for MPs and their staff [4] even explicitly states passwords should not be shared, a sentiment echoed by the House of Commons Staff Handbook on Information Security Responsibilities [5]. The same advice is recommended by cyber security experts: the fewer people in possession of a password, the more secure the account will be.
“The cyber security industry makes the point about human fallibility time and again for obvious reasons. Passwords tend to be one of the basics when training staff in cyber security and for good reason, as shared or re-used passwords create weaknesses in an organisation’s cyber defence,” said Tony Pepper, chief executive of data security company Egress.
“From there, a creative attacker can move sideways through a network, implement phishing attacks or undertake any number of malicious actions.
“An enterprise can deploy all the advanced tech it likes to track, stop and forensically analyse attacks but if people make mistakes, these are neutered.”
References
[1] shares her Parliamentary digital log-ins with around four members of staff (inews.co.uk)
[2] viewed pornography on his work laptop (inews.co.uk)
[3] sustained cyber attack in June (inews.co.uk)
[4] handbook for MPs and their staff (www.parliament.uk)
[5] House of Commons Staff Handbook on Information Security Responsibilities (www.parliament.uk)