Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they identified a serious flaw in many banking apps, including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology they used, so-called certificate pinning, which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.
Dr Flavio Garcia, one of the researchers, explained: “Certificate pinning is a good technique to improve the security of a connection, but in this case it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” Because a pinned app rejects the certificate presented by a tester’s interception proxy, the connection appears to be secure; but an app that pins a certificate authority and never checks the hostname will accept any certificate that authority has issued, for any site, so an attacker holding a legitimately issued certificate for an unrelated domain can still intercept the traffic. The weak spot gave an attacker who is on the same network as the victim (a Wi-Fi hotspot, for example) a way to perform a so-called man-in-the-middle attack and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong ’un to do some in-app phishing in software offerings from Santander and Allied Irish Bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim’s login credentials.
All the fixings
The University of Birmingham researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.
“One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.
“For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices,” he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting to services from ageing or not fully patched devices.
“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. “All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.
“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
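To make the flaw concrete, the following is an added example (not code from the Spinner paper, the banks, or Arxan) contrasting the two checks the researchers describe: a verifier that only confirms the pin, and one that also enforces hostname verification. The “certificates” are constructed dicts standing in for parsed X.509 leaf certificates, the SPKI hash is a made-up value, and the hostnames (`examplebank.test`, `attacker.test`) are hypothetical. The hostname matcher implements the RFC 6125 wildcard rules; the `make_context` helper shows how the same weakening looks in Python’s standard `ssl` module.

```python
"""Certificate pinning with and without hostname verification.

Added example, not the Spinner authors' code.  The certificates below are
constructed stand-ins for parsed X.509 leaf certificates; the SPKI hash and
hostnames are illustrative only.
"""
import hashlib
import ssl

# Pin to the bank's intermediate CA, as several of the affected apps did.
# Made-up value: a real pin would be sha256(DER of the CA's SubjectPublicKeyInfo).
BANK_CA_PIN = hashlib.sha256(b"bank-intermediate-ca-spki (illustrative)").hexdigest()

GENUINE_LEAF = {
    "san": ["mobile.examplebank.test", "*.api.examplebank.test"],  # dNSName entries
    "issuer_spki_sha256": BANK_CA_PIN,
}
# A certificate the attacker legitimately obtained from the same pinned CA for
# an unrelated host.  Chain validation succeeds and the pin matches, so only a
# hostname check can reject it.
ATTACKER_LEAF = {
    "san": ["shop.attacker.test"],
    "issuer_spki_sha256": BANK_CA_PIN,
}


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against the host the app dialled (RFC 6125 rules).

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the entire left-most label ("*.example.com")
    - the wildcard covers exactly one non-empty label, so "*.example.com"
      matches "a.example.com" but not "a.b.example.com" or "example.com"
    - "*.tld" style patterns are refused outright
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False  # partial ("f*o.example.com") or nested wildcards
    if len(plabels) < 3:
        return False  # "*.com" would match every domain
    if len(hlabels) != len(plabels):
        return False  # wildcard stands for exactly one label
    return hlabels[0] != "" and hlabels[1:] == plabels[1:]


def pinned_only(cert: dict, host: str, pin: str) -> bool:
    """The flawed check Spinner detects: trust anything the pinned CA signed."""
    return cert["issuer_spki_sha256"] == pin


def pinned_and_hostname(cert: dict, host: str, pin: str) -> bool:
    """Correct check: the pin must match AND the certificate must name our host."""
    if cert["issuer_spki_sha256"] != pin:
        return False
    return any(hostname_matches(name, host) for name in cert["san"])


def make_context(check_hostname: bool) -> ssl.SSLContext:
    """How the bug class looks in Python's ssl module.

    create_default_context() verifies the chain AND checks the hostname.  Code
    that pins by inspecting the peer certificate after the handshake sometimes
    switches check_hostname off, which is exactly the weakness described above.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_hostname
    return ctx


if __name__ == "__main__":
    target = "mobile.examplebank.test"
    for label, cert in (("genuine", GENUINE_LEAF), ("attacker", ATTACKER_LEAF)):
        print(f"{label:9s} pin-only={pinned_only(cert, target, BANK_CA_PIN)} "
              f"pin+hostname={pinned_and_hostname(cert, target, BANK_CA_PIN)}")
```

Run stand-alone, the pin-only verifier accepts the attacker’s certificate for `mobile.examplebank.test` while the combined check rejects it. A custom pin check performed after the handshake is an addition to hostname verification, never a replacement for it, so `check_hostname` should stay enabled when pinning with the `ssl` module.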
It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules, which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”
Some initial results were given in the paper “A Security Analysis of TLS in Leading UK Banking Apps”, presented at the Conference on Financial Cryptography and Data Security in January.
The full results were given in the paper “Spinner: Semi-Automatic Detection of Pinning without Hostname Verification”, which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida, in the US.
With more than 2,000 police officers cut since 2010, and further cuts ahead, police bosses believe that having them standing by sealed-off crime scenes for hours on end is a waste of resources. They are also looking to cut the amount of time constables spend guarding prisoners and suspects in hospital. Constables guard streets and locations where violent crimes and murders have taken place to prevent contamination or removal of evidence, or to prevent forensics teams being interrupted by passers-by.
Bosses say this is a job which could be done easily by cheaper security guards.
“A warranted officer guarding scenes for hours on end is not always a sensible use of resources, when more appropriate, cost-effective roles can carry out the task.
“I want there to be as many warranted officers out pro-actively tackling crime in the West Midlands as possible.
“Freeing up some warranted officers from scene-guarding duties is one way of doing that.”
The Police and Crime Commissioner’s Strategic Board was told by Chief Constable Dave Thompson that a pilot of private security guards would begin in February 2018. Mr Thompson said: “Our officer numbers are set to drop by about 200 over the next few years. We are looking to make the best use of the officers we have.”
He said that digital and mobile technology could improve the productivity of officers, and that an upgrade to the medical care available at the force’s custody blocks had already reduced the need to send suspects under guard to hospital, again saving valuable police officer time. The Board was supportive of measures to free up officers for crime-fighting duties.
A tourist visiting Newcastle was stopped before her flight home because of an illicit substance – pease pudding. Helen Hook had been visiting old friend Anne Watson in the North East over the weekend and had picked up two tubs of the Geordie delicacy to share with her friend and husband.
But just before boarding her plane from Newcastle to Bristol on Sunday evening, she was stopped and made to hand over the contraband from her hand luggage. Security officials said that the pease pudding, a traditional delicacy made using split peas which are turned into a sandy-coloured spread, was a liquid and therefore banned.
The tasty condiment, usually spread on top of ham inside a stottie, is rarely available outside of the North East.
Anne Watson of Backworth, North Tyneside, holds some pease pudding (Image: Newcastle Chronicle)
She said: “My friend Helen had come up from Bristol to spend the weekend up here.
“She was asked by a friend to take some pease pudding back, so she bought two tubs of pease pudding from the market in Tynemouth at the Priory.
“She had it in her hand luggage when she went to the airport on Sunday.
“They said it was a liquid and confiscated it.” Anne, a former teacher, added: “We were just flabbergasted. How can you describe pease pudding as a liquid?
“I know you have got to have the security, but we’re trying to sell the North East and it’s a local delicacy.”
Helen had been taking in the sights of the North East during the weekend break, following Anne’s recent move back to the region after 35 years in London.
During the trip, the friends of 25 years went to the Tynemouth Christmas Market, where Helen picked up a jar of original pease pudding for a friend and a beer-flavoured one for her husband. On her way to board an easyJet flight to Bristol, before travelling back to Dubai where she now lives, Helen’s haul was confiscated. Despite trying to give the tubs to a security officer to take home, the gifts were instead binned.
Anne, 52, said: “She said to one of the ladies, ‘I bought this from a farmers’ market, can you have it?’
“But they put it in the bin in front of her.”
Anne added Helen had been disappointed to leave the pease pudding behind. This is not the first time pease pudding has been flagged up by airport security. In 2015, a 58-year-old man was stopped on his way to fly from Newcastle to Gatwick during routine searches of his hand luggage.
He was allowed to take his pease pudding on the flight, though, after being warned to keep it in the hold next time. According to Newcastle Airport’s guidelines, only a limited quantity of liquid can be carried in hand luggage. Liquids, creams, gels, pastes and aerosols must be 100ml or less and need to be shown in a transparent plastic bag.
An airport spokesperson said: “In accordance with security regulations, we regrettably could not permit the customer’s item through the security search.
“The safety of our passengers and staff is of paramount importance and as such security is taken very seriously.”