The Financial Times (FT) reports that the Financial Conduct Authority (FCA) was warned last July about a cyber security loophole that could give hackers access to the customer accounts of one of Britain’s biggest banks.
The loophole, which is similar to the flaw Kaspersky identified in over 100 bank security systems last month, involves a previously unidentified weakness in the two-step verification process, in which customers receive codes on their mobile phone to use alongside their password.
Cyber security firm Bronzeye said that it had found 22 critical vulnerabilities at a large British bank, but that the bank had refused to work with the firm to fix them. The firm told the FT that one of the vulnerabilities could stop the bank in its tracks if hackers managed to exploit it.
The loophole, which allows an attacker to steal a user’s identity and enter the institution through the front door, would be “extremely difficult to identify,” Bronzeye told the FT. “Once the attack begins, identification of those who have been targeted in it may be impossible until those customers come forward to report unknown transactions.”
The security firm also believes that other UK high street banks that use the same two-step verification software could be vulnerable. “The attack would circumvent the bank’s security procedures. The customer would be completely oblivious and the bank would see a perfectly normal transaction,” said Bronzeye.
According to the FT, copies of the document presented to the bank and the FCA were shown to the newspaper with the name of the bank removed. Bronzeye confirmed the authenticity of the letter but declined to comment on the case for legal reasons.
A spokesperson for the FCA told the FT that the regulator could not comment on specific whistleblowing cases, but said that the FCA is “focused on ensuring the right outcomes based on our three operational objectives. We expect firms to provide redress for consumers impacted by cyber crime; consumers should not lose out as a result of cyber crime. Management and oversight of the systemic cyber risks lie with the Bank of England and Prudential Regulation Authority supervision.”