By Maria LaMagna
Researchers found vulnerabilities in the apps of some of the largest banks
Your banking apps may not be as safe as you think they are.
Three researchers created a tool to check the security of 400 different apps that require high levels of security, including apps for banking, trading, accessing cryptocurrency and browsing the internet securely.
Nine apps showed the same type of vulnerability, including the apps for HSBC and Bank of America Health -- the health savings account website and app for Bank of America. The researchers, from the University of Birmingham in the U.K., revealed the results in a paper (https://www.cs.bham.ac.uk/garciaf/publications/spinner.pdf) at a security conference in Orlando, Fla., on Wednesday.
"The vulnerability identified in this report was resolved in Bank of America's health app in January 2016," a spokesman for Bank of America said. "The app is no longer available as of June 2017. At no time was customer information impacted."
The vulnerability became apparent during the app's verification process called "certificate pinning," said Chris McMahon Stone, one of the researchers. This flaw "was quite subtle and not easy to detect," he said.
The vulnerable apps were not secure enough and could potentially allow attackers to obtain the user's username and password during this certificate check. Many websites and apps use certificate services that help them identify their users, he said. The researchers alerted the banks to the flaw, and the banks have since repaired their apps, he said.
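Certificate pinning means the app ships with a fingerprint of the bank server's public key and refuses to talk to any server whose key does not match, even if a public certificate authority vouches for it. The following Go program is an added example written for this article, not the researchers' tool or any bank's code. It builds a constructed root and leaf certificate for the hypothetical hostname mobile.bank.example and shows a pin check done the defender's way: the pin is layered on top of the ordinary chain and hostname validation rather than replacing it, so a certificate that is valid for the wrong hostname, that is not trusted, or that carries an unpinned key is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value an app would ship as its pin for the bank's server key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinnedLeaf accepts a TLS leaf certificate only if it (1) chains to a
// trusted root, (2) is valid for the hostname the app intended to reach, and
// (3) carries a public key matching one of the pins. Steps 1 and 2 are the
// standard checks; pinning is an extra constraint, never a substitute.
func VerifyPinnedLeaf(leaf *x509.Certificate, roots *x509.CertPool, hostname string, pins []string) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: hostname}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain/hostname validation failed: %w", err)
	}
	got := spkiPin(leaf)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	return errors.New("certificate public key does not match any pin")
}

// newCert creates a certificate from tmpl signed by parent (self-signed when
// parent is nil). Helper for the constructed test PKI only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TestPKI is a constructed root plus leaf standing in for a bank's real chain.
type TestPKI struct {
	Roots *x509.CertPool
	Leaf  *x509.Certificate
	Pin   string
}

// BuildTestPKI issues a root CA and a server leaf for host, and records the
// leaf's pin as the app would have it baked in at build time.
func BuildTestPKI(host string) (*TestPKI, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname check uses the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &TestPKI{Roots: roots, Leaf: leaf, Pin: spkiPin(leaf)}, nil
}

func main() {
	pki, err := BuildTestPKI("mobile.bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("correct host, pinned key:", VerifyPinnedLeaf(pki.Leaf, pki.Roots, "mobile.bank.example", []string{pki.Pin}))
	fmt.Println("wrong host, pinned key:  ", VerifyPinnedLeaf(pki.Leaf, pki.Roots, "other.example", []string{pki.Pin}))
	fmt.Println("correct host, wrong pin: ", VerifyPinnedLeaf(pki.Leaf, pki.Roots, "mobile.bank.example", []string{"AAAA"}))
	fmt.Println("untrusted root:          ", VerifyPinnedLeaf(pki.Leaf, x509.NewCertPool(), "mobile.bank.example", []string{pki.Pin}))
}
```

The order of checks matters in practice: a pin match is meaningful only after the certificate has been tied to the expected hostname, because a pinned key presented under a certificate for some other name tells the app nothing about who is on the other end of the connection. In a real app the pin list would normally contain a backup pin as well, so that a key rotation does not lock customers out.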
"We thank the University of Birmingham for the opportunity to work together, and we have already taken steps to address this," said a spokesman for HSBC. "Our mobile banking app uses the highest level of encryption and security to protect our customers and their financial details, and we constantly review and improve our security measures to ensure we keep our customers' money and personal details as safe as possible."
The researchers also found a vulnerability for a "phishing" attack in the apps for banks including Santander, they said. That flaw would allow an attacker to take over part of the user's screen while they enter their credentials in the app, so they could try to find the credentials and take over the victim's account. They also worked with those banks to repair the issue, and the apps are now secure, Stone added.
Santander did not immediately return MarketWatch's request for comment.
Many apps are vulnerable to attacks, not just those used for banking, said Eric Cole, the former cybersecurity chief for President Barack Obama. Attackers can find sensitive information such as log-in credentials at any time if they are successful in taking over a device, he said. That's why consumers must be careful when clicking on links and opening attachments from anyone they don't know, which could be malicious.
One way to reduce the likelihood of hacking: Always have the latest version of a bank's mobile app with the most up-to-date security features. Consumers should never access their bank's app on public Wi-Fi networks, Stone added.
And don't download unfamiliar apps, which are likely even more vulnerable than those from reputable institutions like banks, said Adam Levin, the chairman and founder of security firm CyberScout and the author of "Swiped." Sign up for alerts on banking and credit accounts, he said, to keep track of any suspicious activity in real time.
-Maria LaMagna; 415-439-6400; AskNewswires@dowjones.com