British banks could be facing a critical security flaw in their online banking systems after researchers claimed hackers could bypass two-factor authentication at one of the country’s biggest banks.
Using the vulnerability, attackers would allegedly be able to access user accounts by targeting customers and workers at financial groups with phishing emails, which would deliver malware that lets attackers infiltrate the bank's networks by piggybacking on legitimate activity.
Andrew Taylor, chief executive of security firm Bronzeye, which discovered the problem, told CBR that despite his company’s efforts to report the problem to the unnamed bank and the Financial Conduct Authority, a regulator, neither group was interested in pursuing the matter.
In a letter sent to the FCA back in July, and seen by CBR, the company detailed its meeting with the bank, in which it described 47 vulnerabilities found in the bank's IT systems, 22 of them critical.
However, the bank was not happy for the problems to be demonstrated, arguing that they were out of scope because they were linked to third-party vendors, that investigating them could disrupt normal service, or that the bugs did not exist.
Bronzeye also claimed that the bank believes third-party vendors had no access to client account transactional areas, a view the company disputes.
"We were prepared to [hand] this to the bank, but they didn’t want to engage, and the FCA didn’t want to get in the middle of it," Taylor said. "I think the bank told the FCA that there was nothing [that needed] to be done, and that wasn’t true."
His concern is that the hacker can exploit a system without being detected by "masquerading as the account holder or the employee", in a manner similar to the campaign waged by the Carbanak hacking group against banks around the globe.
To do this, the attackers would profile someone through social media, building up a picture of a person's habits and interests in order to craft phishing emails they would be interested in reading.
Most worryingly, the attack would work despite the use of two-factor authentication, which requires users to enter a code sent to their mobile phone before they can access their account – a process thought more secure than passwords alone.
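The attack the article describes rides an already-authenticated session, so a one-time code checked only at login never sees it. The following illustration is added here and is not code from CBR, Bronzeye or any bank; it models, under assumptions of its own, the difference between login-time 2FA and two server-side controls that narrow the gap: binding a session to the client context seen when the code was accepted (which catches a stolen session token replayed from another machine), and requiring a fresh code bound to the amount and payee for large transfers (which matters when the attacker is on the customer's own device, because the code the customer receives out of band only authorises the payment they can see). All names, the threshold and the sample events are constructed for the example.

```python
"""Added illustration (not from the CBR article or Bronzeye): login-time 2FA
versus session binding and transaction-bound codes.

Assumptions, constructed for this example:
  * a session is created when the user passes the SMS code at login;
  * the session is bound to the client context (IP, user agent) seen then;
  * every later request is checked against that binding;
  * transfers above STEP_UP_THRESHOLD need a fresh code tied to the exact
    amount and payee, so a login-time code alone never authorises them.
"""
from dataclasses import dataclass, field
import hmac
import secrets

STEP_UP_THRESHOLD = 1000  # constructed value: above this a transaction code is required


@dataclass
class Session:
    user: str
    bound_ip: str
    bound_ua: str
    tx_codes: dict = field(default_factory=dict)  # code -> (amount, payee), single use


def login_with_sms_code(user, ip, ua, expected_code, submitted_code):
    """Login-time 2FA: on success return a session bound to the client context."""
    if not hmac.compare_digest(expected_code, submitted_code):
        return None
    return Session(user=user, bound_ip=ip, bound_ua=ua)


def check_request(session, ip, ua):
    """Per-request check: a session replayed from a different context is refused."""
    return ip == session.bound_ip and ua == session.bound_ua


def issue_tx_code(session, amount, payee):
    """Transaction-level code tied to amount and payee (would be sent out of band)."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.tx_codes[code] = (amount, payee)
    return code


def authorise_transfer(session, ip, ua, amount, payee, tx_code=None):
    """Return 'ok', 'rejected_context', 'needs_tx_code' or 'rejected_tx_code'."""
    if not check_request(session, ip, ua):
        return "rejected_context"
    if amount <= STEP_UP_THRESHOLD:
        return "ok"
    if tx_code is None:
        return "needs_tx_code"
    # Codes are single use: a wrong or reused code is consumed and refused.
    expected = session.tx_codes.pop(tx_code, None)
    if expected != (amount, payee):
        return "rejected_tx_code"
    return "ok"


def demo():
    """Constructed scenario: the customer logs in legitimately with the SMS code."""
    s = login_with_sms_code("alice", "203.0.113.10", "Firefox/118", "482913", "482913")
    results = {}
    # Same device, small payment: no extra check needed.
    results["victim_small"] = authorise_transfer(s, "203.0.113.10", "Firefox/118", 200, "grocer")
    # Same session reused from a different client context: refused.
    results["other_context"] = authorise_transfer(s, "198.51.100.7", "curl/8.4", 200, "grocer")
    # Large transfer from the bound device with only the login code: step-up required.
    results["large_no_code"] = authorise_transfer(s, "203.0.113.10", "Firefox/118", 5000, "payee-x")
    # A code issued for one payee does not authorise a different one.
    code = issue_tx_code(s, 5000, "landlord")
    results["code_mismatch"] = authorise_transfer(s, "203.0.113.10", "Firefox/118", 5000, "payee-x", code)
    # The same code cannot be replayed after being consumed.
    results["code_replay"] = authorise_transfer(s, "203.0.113.10", "Firefox/118", 5000, "landlord", code)
    # A fresh code for the amount and payee the customer actually sees: accepted.
    code = issue_tx_code(s, 5000, "landlord")
    results["code_match"] = authorise_transfer(s, "203.0.113.10", "Firefox/118", 5000, "landlord", code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the second factor protects only the moment it is checked: binding it to the transaction rather than the login is what makes a hijacked session useless for moving money.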
"It means that two-factor is potentially vulnerable," Taylor said, adding that many banks might be at risk because they use similar software and hardware to secure their systems.
Contacted for comment by CBR, the FCA declined to make any statement on the matter. RBS, HSBC and Barclays also refused to comment.