
UK banks face potential crisis over two-factor insecurity

FCA and unnamed bank reportedly unconcerned about critical security fears.

By Jimmy Nicholls

British banks could be facing a critical security flaw in their online banking systems after researchers claimed hackers could bypass two-factor authentication at one of the country’s biggest banks.

Using the vulnerability, attackers would allegedly be able to access user accounts by targeting customers and workers at financial groups through phishing emails, which would deliver malware allowing attackers to infiltrate the bank’s networks by piggybacking off legitimate activity.

Andrew Taylor, chief executive of security firm Bronzeye, which discovered the problem, told CBR that despite his company’s efforts to report the problem to the unnamed bank and the Financial Conduct Authority, a regulator, neither group was interested in pursuing the matter.

In a letter sent to the FCA back in July, and seen by CBR, the company detailed its meeting with the bank, in which it explained 47 vulnerabilities found on the bank’s IT systems, 22 of which were critical.

However, the bank was not happy to have the problems demonstrated, explaining that the problems were out of bounds because they were linked to third party vendors, that investigating them could disrupt normal service, or that the bugs did not exist.

Bronzeye also claimed that the bank believes third party vendors had no access to client account transactional areas, a view the company disputes.

"We were prepared to [hand] this to the bank, but they didn’t want to engage, and the FCA didn’t want to get in the middle of it," Taylor said. "I think the bank told the FCA that there was nothing [that needed] to be done, and that wasn’t true."

His concern is that the hacker can exploit a system without being detected by "masquerading as the account holder or the employee", in a manner similar to the campaign waged by the Carbanak hacking group against banks around the globe.

To do this, the attackers would profile someone through social media, building up a picture of a person’s habits and interests in order to craft phishing emails they would be interested in reading.

Most worryingly, the attack would work despite the use of two-factor authentication, which requires users to enter a code sent to their mobile phone before they can access their account – a process thought more secure than passwords.

"It means that two-factor is potentially vulnerable," Taylor said, adding that many banks might be at risk because they use similar software and hardware to secure their systems.

Contacted for comment by CBR, the FCA declined to make any statement on the matter. RBS, HSBC and Barclays also refused to comment.
