Several large UK banks may be at risk because of a security hole in their two-factor authentication systems, and regulators aren’t acting to deal with the problem, a security research company has revealed.
To exploit the vulnerability in the banks’ online banking systems, cyberattackers could use phishing emails to plant malware on customers’ computers, then infiltrate the bank’s networks by piggybacking off legitimate activity, according to Andrew Taylor, CEO of Bronzeye, the security company that first uncovered the problem at one large UK bank.
He believes most other big UK banks that use a similar two-step authentication process, in which customers get an access code via mobile phone for each transaction, would also be vulnerable. Taylor told Computer Business Review that his firm met with the bank last year to explain 47 security vulnerabilities it found on the bank’s IT systems, including 22 that were critical. But the bank argued that the problems involved third-party vendors, that investigating them could disrupt normal service, or that the security holes didn’t exist.
“We were prepared to [hand] this to the bank, but they didn’t want to engage, and the FCA didn’t want to get in the middle of it,” Taylor said in a message. “I think the bank told the FCA that there was nothing [that needed] to be done, and that wasn’t true.” Bronzeye contacted the Financial Conduct Authority, the U.K.’s non-governmental financial regulator, in July about the problem, but the FCA declined to take action.
“Once the attack begins, identification of those who have been targeted in it may be impossible until those customers come forward to report unknown transactions,” Bronzeye wrote. “The attack would circumvent the bank’s security procedures. The customer would be completely oblivious. The bank, for its part, would see a perfectly normal transaction.”
Last year the Anunak hackers have snuck into a large number of banks this year and siphoned off as much as $18 million, or one billion roubles.