Scientists from the University of Birmingham found that cyber criminals could hack banking app users if they were connected to the same network and trick the software into revealing customers' personal details.
"It's impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network," said Dr. Tom Chothia, the lead researcher.
Dr. Chothia's team found cyber criminals could have used wifi to perform a "Janus attack", sometimes known as a "man-in-the-middle attack", to find the customer's username, password and PIN code.
The apps' use of a technique known as "certificate pinning" masked the underlying flaw from routine checks.
"Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification," said Dr. Flavio Garcia, co-author of the report.
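The failure Dr. Garcia describes is easy to reproduce in miniature: a client that checks the server's certificate chain against a pinned CA key but never compares the certificate's names with the hostname it meant to reach will accept any certificate that CA issued, including one for an unrelated domain presented by someone on the same network. The following is an added illustration, not code from the researchers or from any banking app; it models certificates as plain Python objects with constructed stand-in keys, so it runs offline and the "signature" check is reduced to comparing issuer keys. It shows the pin-only verifier beside the corrected one, plus the RFC 6125-style hostname matcher the corrected version relies on.

```python
"""Certificate pinning without hostname verification: a toy model of both checks.
All keys, names and certificates below are constructed for the example."""
import hashlib
from dataclasses import dataclass
from typing import Set


@dataclass(frozen=True)
class Cert:
    """Simplified X.509 certificate: the DNS names it covers, its public key,
    and the public key that signed it. Keys are stand-in byte strings."""
    sans: tuple            # subjectAltName dNSName entries
    spki: bytes            # subjectPublicKeyInfo (stand-in)
    issuer_spki: bytes     # SPKI of the CA that issued this cert (stand-in)


def spki_pin(spki: bytes) -> str:
    """SPKI pin in the usual HPKP style: SHA-256 over the public key info."""
    return hashlib.sha256(spki).hexdigest()


def chain_to_pinned_ca(leaf: Cert, ca: Cert, pins: Set[str]) -> bool:
    """Structural part of pin validation: the CA's key matches a configured pin
    and the leaf was issued by that CA. Signature maths is abstracted away."""
    return spki_pin(ca.spki) in pins and leaf.issuer_spki == ca.spki


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive; a wildcard is allowed
    only as the whole leftmost label and only in patterns of three or more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] == "*":
        if len(p_labels) < 3 or len(h_labels) != len(p_labels):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_pinned_only(leaf: Cert, ca: Cert, pins: Set[str], host: str) -> bool:
    """The flawed check: trusts any certificate chaining to the pinned CA,
    regardless of which hostname that certificate was issued for."""
    return chain_to_pinned_ca(leaf, ca, pins)


def verify_pinned_and_hostname(leaf: Cert, ca: Cert, pins: Set[str], host: str) -> bool:
    """The corrected check: pin validation AND hostname verification."""
    if not chain_to_pinned_ca(leaf, ca, pins):
        return False
    return any(hostname_matches(san, host) for san in leaf.sans)


# Constructed fixtures: a public CA, the bank's certificate, a certificate for an
# unrelated domain from the same CA, and a certificate from a CA that is not pinned.
PUBLIC_CA = Cert(sans=(), spki=b"public-ca-key", issuer_spki=b"public-ca-key")
OTHER_CA = Cert(sans=(), spki=b"other-ca-key", issuer_spki=b"other-ca-key")
BANK_CERT = Cert(sans=("api.bank.example",), spki=b"bank-key", issuer_spki=PUBLIC_CA.spki)
OTHER_HOST_CERT = Cert(sans=("shop.example",), spki=b"shop-key", issuer_spki=PUBLIC_CA.spki)
WRONG_CA_CERT = Cert(sans=("api.bank.example",), spki=b"fake-key", issuer_spki=OTHER_CA.spki)
PINS = {spki_pin(PUBLIC_CA.spki)}
HOST = "api.bank.example"


def demo() -> dict:
    """Return (pinned-only verdict, pinned-and-hostname verdict) for each fixture."""
    cases = {
        "legit": (BANK_CERT, PUBLIC_CA),
        "same_ca_other_host": (OTHER_HOST_CERT, PUBLIC_CA),
        "wrong_ca": (WRONG_CA_CERT, OTHER_CA),
    }
    return {
        name: (verify_pinned_only(leaf, ca, PINS, HOST),
               verify_pinned_and_hostname(leaf, ca, PINS, HOST))
        for name, (leaf, ca) in cases.items()
    }


if __name__ == "__main__":
    for name, (pinned_only, full) in demo().items():
        print(f"{name:20s} pinned-only={pinned_only!s:5s} pinned+hostname={full}")
```

The "same_ca_other_host" row is the one that matters: a pin-only client reports success because the chain is fine, while the corrected client rejects the certificate because none of its names match the host the app was talking to. A scanner that only checks whether the app trusts an arbitrary CA will not notice this either, which is why pinning hid the problem from routine testing. In a real client the hostname check is whatever the TLS library does by default (for example `ssl.SSLContext.check_hostname = True` in Python); the bug is disabling or bypassing that default while adding pinning on top.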
'In-App Phishing Attacks'
The team also found apps were prone to "in-app phishing attacks."
"The security and safety of our customers' accounts is of the utmost importance to us. We thank the University of Birmingham for the opportunity to work together, and we have already taken steps to address this. Our mobile banking app uses the highest level of encryption and security to protect our customers and their financial details, and we constantly review and improve our security measures to ensure we keep our customers' money and personal details as safe as possible," an HSBC spokesperson has reportedly commented.