Banking Apps Vulnerability: Man-In-The-Middle Flaw in Certificate Pinning
Man-in-the-middle attacks show the perils of certificate pinning.
A recently discovered vulnerability in the mobile apps of several major banks has exposed customers to potential data theft. That’s because a certificate pinning error left those customers susceptible to man-in-the-middle attacks which in turn put their credentials – usernames, passwords, personal information, banking info – at risk of theft.
A man-in-the-middle attack is precisely the kind of thing an SSL certificate is supposed to prevent in the first place. But when key pinning goes wrong, this is what can happen. Vince wrote a great piece on why Key Pinning is dangerous earlier this year. To summarize, pretty much everyone around the industry discourages pinning. For one, it can lock you out of your own site. And it can also expose your visitors to security risks. Even Google has deprecated support for it.
Certificate pinning usually improves security. But a tool the researchers built to perform semi-automated security testing of mobile apps found that, in the affected apps, pinning masked a more basic flaw: standard tests failed to detect an attacker trying to take control of a victim's online banking session. In other words, certificate pinning can hide the lack of proper hostname verification, and that missing check is what enables the man-in-the-middle attacks.
A man-in-the-middle attack lets an attacker position themselves between a client and a server. The client and server both believe they have a direct connection, but everything they exchange passes through the attacker. You can imagine the possibilities this arrangement creates: stealing credentials, spoofing the website the visitor is headed to and phishing them, or impersonating the user and causing problems on the server.
The point is, this shouldn’t happen. The pinning error effectively lets an attacker hide behind the very encryption that is supposed to protect the user: the connection still looks secure, so the malicious behavior goes unnoticed. It also prevented penetration testing from finding the vulnerabilities sooner. In fact, the Security and Privacy Group actually had to develop a special tool to test for it.
“As this flaw is generally difficult to detect from normal analysis techniques, we have developed a detection tool that is semi-automated and easy to operate. This will help developers and penetration testers ensure their apps are secure against this attack.”
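To show why a standard test misses this flaw and what the corrected check looks like, here is an added Go example (not code from this article or from the researchers' tool) that builds a throwaway pinned CA and certificates in memory; the host names and the assumption that the flawed app verified only the CA pin are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for name; with parent == nil it is self-signed (used for the constructed pinned CA and for a tester's throwaway cert).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the SAN a hostname check must match
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key
	if parent != nil { signer, signKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// verify trusts only the pinned CA. expectedHost == "" reproduces the flawed app (no hostname
// check at all); passing the real host is the corrected check.
func verify(leaf, pinnedCA *x509.Certificate, expectedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err
}
func main() {
	ca, caKey := mkCert("pinned-ca.example", true, nil, nil) // constructed pinned CA
	tester, _ := mkCert("bank.example", false, nil, nil)   // self-signed, as a standard test presents
	other, _ := mkCert("other.example", false, ca, caKey)  // genuine cert from the pinned CA, wrong host
	fmt.Println("test cert rejected even by flawed check:", verify(tester, ca, "") != nil)
	fmt.Println("wrong-host cert accepted by flawed check:", verify(other, ca, "") == nil)
	fmt.Println("wrong-host cert accepted by corrected check:", verify(other, ca, "bank.example") == nil)
}
```

The pin rejects the tester's self-signed certificate before any hostname check would run, so a conventional test reports the app as secure even though a certificate from the pinned CA for the wrong host sails through.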
While it’s not known if the vulnerability had been exploited or not, its existence should cause anyone that uses a banking app to pause.
In fact, at the risk of sounding like a borderline technophobe, it’s probably better if you avoid mobile banking apps altogether. Between the issues with public WiFi and some of the other vulnerabilities facing mobile devices, you’re probably better off using a desktop computer where you can verify security certificates and ensure an encrypted connection.
Or you could actually get up and go to the bank. Like, in person.
Does anyone still do that?