Your banking app may not be as safe as you think it is.
Three researchers created a tool to check the security of 400 different apps that require high levels of security, including apps for banking, trading, accessing cryptocurrency and browsing the internet securely.
Nine apps showed the same type of vulnerability, including the apps for HSBC and Bank of America Health — the health savings account website and app for Bank of America. The researchers, from the University of Birmingham in the U.K., revealed the results in a paper at a security conference in Orlando, Fla., on Wednesday.
That vulnerability became apparent during the app’s verification process called “certificate pinning,” said Chris McMahon Stone, one of the researchers. This flaw “was quite subtle and not easy to detect,” he said.
The vulnerable apps did not verify certificates properly, which could allow attackers to capture the user’s username and password during this certificate verification process. Many websites and apps rely on certificates to prove their identity to users’ devices, he said. The researchers alerted the banks to the flaw, and the banks have since repaired their apps, he said.
“We thank the University of Birmingham for the opportunity to work together, and we have already taken steps to address this,” said a spokesman for HSBC. “Our mobile banking app uses the highest level of encryption and security to protect our customers and their financial details, and we constantly review and improve our security measures to ensure we keep our customers’ money and personal details as safe as possible.”
Bank of America did not immediately return MarketWatch’s request for comment.
The researchers also found a vulnerability enabling a “phishing” attack in the apps of banks including Santander, they said. That flaw would allow an attacker to take over part of the user’s screen while they enter their credentials in the app, so the attacker could capture the credentials and take over the victim’s account. The researchers also worked with those banks to repair the issue, and the apps are now secure, Stone added.
Santander did not immediately return MarketWatch’s request for comment.
Many apps are vulnerable to attacks, not just those used for banking, said Eric Cole, the former cybersecurity chief for President Barack Obama. Attackers can find sensitive information such as log-in credentials at any time if they succeed in taking over a device, he said. That’s why consumers must be careful when clicking on links and opening attachments from anyone they don’t know, since those could be malicious.
One way to reduce the likelihood of hacking: Always have the latest version of a bank’s mobile app with the most up-to-date security features. Consumers should never access their bank’s app on public Wi-Fi networks, Stone added.
And don’t download unfamiliar apps, which are likely even more vulnerable than those from reputable institutions like banks, said Adam Levin, the chairman and founder of security firm CyberScout and the author of “Swiped.” Sign up for alerts on banking and credit accounts, he said, to keep track of any suspicious activity in real time.