A report by the British consumer organization Which? found that several banks are making basic security mistakes in their mobile apps and online banking platforms, mistakes that could expose millions of customers. Although the banks insist their systems are secure, bank fraud in the United Kingdom rose by almost 97% over the last year, causing losses running into millions of pounds.
While the online banking apps and websites analyzed in the research are secure in their overall design, some of them rely on security mechanisms that are now considered obsolete, or accept very weak passwords, creating security weaknesses that could easily be avoided.
For security reasons Which? could not examine the entire infrastructure behind each mobile app. Instead it assessed some of the most popular online banking platforms against a fixed set of criteria, including encryption, login, account management and navigation, which yielded some interesting findings.
According to the report, HSBC's apps scored highest in the security tests, performing particularly well in encryption and account management. Correctly implemented encryption means that an attacker who intercepts traffic or obtains stored data cannot read it without the keys. An HSBC UK spokesperson said: "We deploy advanced cybersecurity controls and identify and respond to threats in a timely manner to ensure a seamless customer experience. We take all feedback into account to improve our security measures."
First Direct, a subsidiary of HSBC, has similar security standards, but the researchers found a subdomain associated with the bank that was exposed to brute-force attacks, which lowered its security score.
The subsidiary was also alerted to account management issues: its systems allowed a customer to log in on a second platform while the first session remained active, rather than ending the earlier session. First Direct fixed these flaws after receiving the report.
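As an added example, not code from the Which? report or from any of the banks named, the following Python model shows the two controls that the First Direct findings point to: locking an account after repeated failed logins so a login endpoint cannot be brute-forced indefinitely, and revoking a customer's existing session when a new login succeeds so that only one session stays active. The class name, thresholds, in-memory storage and injectable clock are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory model of a login service (not any bank's real code).
# Thresholds below are assumed values, not figures from the report.
MAX_FAILURES = 5        # wrong guesses allowed before the account is locked
LOCKOUT_SECONDS = 900   # 15-minute lockout once the threshold is reached


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen database cannot be cracked at wire speed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    """Login with per-account lockout and optional single-session enforcement."""

    def __init__(self, single_session: bool = True, clock=time.monotonic):
        self.single_session = single_session
        self.clock = clock          # injectable so tests can advance time
        self.users = {}             # username -> salt, hash, failures, locked_until
        self.sessions = {}          # session token -> username

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str):
        """Return a session token on success, None on any failure."""
        user = self.users.get(username)
        if user is None:
            # Spend the same hashing cost as a real check so response time
            # does not reveal whether the username exists.
            _hash_password(password, b"\x00" * 16)
            return None
        now = self.clock()
        if now < user["locked_until"]:
            # Locked accounts reject even the correct password until the
            # lockout expires; this is what blunts online brute force.
            return None
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return None
        user["failures"] = 0
        if self.single_session:
            # A fresh login revokes every other session for this account,
            # so an older session on another platform cannot stay alive.
            for token, owner in list(self.sessions.items()):
                if owner == username:
                    del self.sessions[token]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_active(self, token: str) -> bool:
        return token in self.sessions

    def active_sessions(self, username: str) -> int:
        return sum(1 for owner in self.sessions.values() if owner == username)
```

With `single_session=False` the class reproduces the weakness the report describes, where a second login leaves the first session valid; with the default `single_session=True` the earlier token stops working the moment a new login succeeds. A production deployment would persist the lockout state server-side and rate-limit by source address as well, so that an attacker cannot simply rotate usernames.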
On the security of mobile banking apps more generally, the experts note that exposed subdomains are a problem shared by several banks, including Metro Bank and Lloyds. Although the security teams of these banks said the subdomains identified are inactive, the recommendation is to decommission them permanently, because a dormant subdomain that still resolves remains reachable by attackers.
As the findings show, the main issues stem from the management of legacy online platforms which, while they do not store sensitive financial information, are highly exposed to malicious activity. The full report is available on the official Which?
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.