UK Banks Face Authentication Security Flaw

Several large U.K. banks may be at risk because of a security hole in their two-factor authentication systems, and regulators aren’t acting to deal with the problem, a security research company has revealed.

To exploit the vulnerability in the banks’ online banking systems, cyberattackers could use phishing emails to plant malware on customers’ computers, then infiltrate the bank’s networks by piggybacking off legitimate activity, according to Andrew Taylor, CEO of Bronzeye, the security company that first uncovered the problem at one large U.K. bank.

He believes most other big U.K. banks that use a similar two-step authentication process, in which customers get an access code via mobile phone for each transaction, would also be vulnerable.

Taylor told Computer Business Review that his firm met with the bank last year to explain 47 security vulnerabilities it found on the bank’s IT systems, including 22 that were critical. But the bank argued that the problems involved third-party vendors, that investigating them could disrupt normal service, or that the security holes didn’t exist.

“We were prepared to [hand] this to the bank, but they didn’t want to engage, and the FCA didn’t want to get in the middle of it,” Taylor told CBR. “I think the bank told the FCA that there was nothing [that needed] to be done, and that wasn’t true.” Bronzeye contacted the Financial Conduct Authority, the U.K.’s non-governmental financial regulator, in July about the problem, but the FCA declined to take action.

Taylor didn’t name the bank, explaining that his company was bound by a non-disclosure agreement.

The most dangerous security hole the company found was similar to the one used to loot 100 banks worldwide of as much as $900 million. The attackers could use phishing to hijack the identities of customers or bank employees, then use a cross-site request forgery to gain access to bank systems. The attack would be “extremely difficult to identify” by the bank, Bronzeye told the FCA in its July letter, according to the Financial Times.

“Once the attack begins, identification of those who have been targeted in it may be impossible until those customers come forward to report unknown transactions,” Bronzeye wrote. “The attack would circumvent the bank’s security procedures. The customer would be completely oblivious. The bank, for its part, would see a perfectly normal transaction.”