Widespread mobile banking outages affecting a number of high street lenders this morning may have been caused by a recent update to Apple’s iOS operating system.
Customers of a number of high street lenders, including Barclays, RBS, Santander and Clydesdale Bank, complained that they were unable to access mobile banking systems. The claims were subsequently confirmed by banks, which stated that other banking systems, including online banking and ATMs, remained unaffected.
Banks have given a variety of reasons for the problems, including an unexpected rise in traffic on their servers at the end of the month, when many check their accounts after being paid. Whether it is possible that so many banks would simultaneously have been unprepared for the level of traffic and overwhelmed at the same time is unclear. RBS claimed that it was receiving 5,500 customer log-ins every minute, but was unable to provide comparative stats for previous months.
While some of the banks affected, including Santander and Clydesdale Bank, share a common mobile payments platform supplied by software provider Monitise, others such as Barclays have built their mobile platforms in-house. This makes it unlikely that the outages are the result of problems at the vendor.
The common factor across all mobile banking applications is the underlying operating system. While RBS claims to be the only bank to have a Windows Phone app, most banks have both an iOS and Android version.
Last Friday Apple issued updates for iOS 6 and iOS 7 aimed at plugging a security hole which was left wide open in the implementation of basic Internet encryption.
This centred around a bug in Mavericks' handling of SSL (secure socket layer) and TLS (transport layer security), which create an encrypted connection between a personal computer or mobile device and a server – such as a retailer like Amazon, or a bank’s systems.
With bank customers reporting that iOS banking apps were unable to connect to servers, a problem with SSL certification following the release of the patch could be the cause of the problems.
"It is certainly possible," said Jason Steer, director of technology strategy at security firm FireEye. "This is the challenge with testing software - you fix the problem with your devices but you don’t know how the systems interact with the SSL/TLS channel. You can only do so much testing and quality assurance as you roll out these things, and you can’t replicate every environment. There is always the risk that things do go wrong.
"Typically it is a combination of manufacturers creating and fixing software, and sometimes by fixing these features and gaps there are unintended consequences, which means that it breaks other things that they may not have tested. That is why testing is not just the responsibility of the vendor – in this case the provider of OS – but other people who are using the platform."
He added: "Organisations do regular testing, but how extensive and how quickly they can do that testing when the patches come out is always a race. Everyone is responsible, and everyone has something to lose by not testing it fully. The bank does, the provider does, as does the consumer."