The flaw was discovered by security researchers from the University of Birmingham, who tested hundreds of banking applications and found that many of them were affected by a security flaw that left their clients vulnerable to man-in-the-middle attacks.
Apps from major financial organizations, including NatWest, Bank of America Health and HSBC, all shared the same vulnerability.
The flaw enables an attacker connected to the same network as the victim to mount a man-in-the-middle attack and obtain credentials such as a username and a PIN code.
The flaw lay in the use of one particular technique known as ‘certificate pinning’. According to the researchers:
‘Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper host name verification.’
Many apps from some of the biggest banks were found to contain this issue, which enables an attacker to decrypt, view and modify network traffic from users of the app.
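To make the researchers' point concrete, here is an added example (not the researchers' or any bank's code) written in Go against the standard crypto/x509 package, with every certificate constructed in memory: pinning the issuing CA still accepts any certificate that CA has signed, for any host, unless the expected host name is verified as well.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // unique serial numbers for the constructed certificates
// makeCert issues a self-signed CA when parent is nil, otherwise a server certificate
// for dnsName signed by parent. All certificates here are constructed test data.
func makeCert(dnsName string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // the CA the app pins
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // the host a leaf is valid for lives in its SAN extension
		tmpl.DNSNames, tmpl.KeyUsage = []string{dnsName}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verify chains leaf to the pinned CA. An empty expectedHost reproduces the flawed apps'
// check (pin only, no host name verification); a host name gives the corrected check.
func verify(leaf, pinnedCA *x509.Certificate, expectedHost string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err == nil
}
// scenario: the pinned CA issues a certificate for the bank and, as a public CA would,
// one for an unrelated host. Returns (pinOnlyBank, pinOnlyOther, fullBank, fullOther).
func scenario() (bool, bool, bool, bool) {
	ca, caKey := makeCert("Pinned Test CA", nil, nil)
	bank, _ := makeCert("bank.example", ca, caKey)
	other, _ := makeCert("other-host.example", ca, caKey)
	return verify(bank, ca, ""), verify(other, ca, ""),
		verify(bank, ca, "bank.example"), verify(other, ca, "bank.example")
}
```

The pin-only check returns true for both leaves, which is exactly why a certificate issued for another host could be presented to these apps; the corrected check rejects the second one.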
The researchers worked with all affected banks and the UK National Cyber Security Centre to patch the flaw. All the apps are secure now.