BNF Bank and The Gift of Phishing

Disclaimer

I have filed a case with the Office of the Arbiter for Financial Services. I am legally not allowed to comment on this case.

BNF Bank was responsibly alerted to the security points raised in this article 6 weeks prior to publication.

Not yet back to normal

In March, BNF Bank (Malta) upgraded their IT system and the process went completely wrong. Even though initially the Bank attempted to minimize how wrong the upgrade had gone, today it admits there are problems as evidenced by their customer support pre-recorded messaging (taken 22 July 2025).

 

Following the publication of my first story, I've been contacted by several people who described the chaotic period that ensued when everything began to go wrong. Internal communication was in meltdown, with customer-facing employees uncertain about how to handle a situation no one had anticipated.

Based on my understanding of events, I speculate that the bank lacked a proper fallback plan specifying the point at which the upgrade would be abandoned and the old system reactivated. It resembles a train heading toward the end of the tracks with no ability to reverse course and return to its starting point.

One can only hope that the complete silence from the Maltese Financial Services Authority (MFSA) stems from their ongoing investigation of the matter, and that they will make their findings public in due course.

Security misunderstood

Poor security poses a grave risk in today’s world, where every individual and device can be a hacker’s target. Financial institutions—because they hold vast sums of money—are especially attractive. Highly specialized groups, including state‑sponsored actors, constantly seek new victims and vulnerabilities. Although reprehensible, this illicit industry generates billions of dollars in annual profits. The examples below highlight flaws in BNF’s mobile app.

Recent cybersecurity studies reveal that over 90 percent of cyberthreats in 2024 stemmed from social engineering, rendering banks with flaws such as the ones described here particularly exposed to attacks.

False Upgrade Alert

Security researchers have documented how attackers create fake or cloned applications that mimic legitimate banking apps to steal user credentials, frequently tricking users through phishing schemes. BNF’s confusing upgrade prompts provide the perfect social engineering opportunity for such attacks.

This popup appeared when users logged into their mobile app, even when they were running the latest version. Since the majority of people use automatic app updates, this unnecessary warning would likely cause confusion. As the app owner, BNF Bank should only display such warnings when the version on the device is actually outdated. At the time of writing, subsequent versions of BNF’s mobile app still display similar text at the bottom of the login screen, again without verifying whether the app is the latest version.

A Hacker’s Perspective

A malicious actor would love institutions like BNF Bank because their actions make attacks easier and much more rewarding. It would be simple to socially engineer targets by exploiting the misleading prompts on the bank’s own app.

Cybersecurity experts warn that fake banking apps are commonly “distributed through unofficial app stores or phishing websites” to trick users into sharing their login credentials and sensitive financial information. The vulnerability BNF has created makes these attacks significantly easier to execute.

My attack script would play out along these lines:

“Good morning/afternoon. I’m calling about a security notice on your mobile app that you may have ignored.”

“I want to assure you that I will not be asking for any passwords or personal information.”

“Please open your app, and you will see that we have been showing you a notice to upgrade. Let me help you with that process.”

(The goal is to convince the victim to install a fake app. While “helping” them log in, the attacker steals their credentials, takes over their account, and transfers their funds).

Target hacked.

Incorrect Instructions

The image below shows a section of the letter accompanying a new credit card, which explains how to activate it.

However, the instructions for activating the card via the eBNF Mobile App are incorrect. At the time I activated my card, it was not possible to do so using the app. This was later confirmed by the bank’s personnel.

The attacker would contact a potential victim and they wouldn’t have to invent a story from scratch; they would simply refer to the real (but misleading) notification from the bank.

Conclusion

My first article prompted a number of people to get in touch, and I’m grateful to those who shared their thoughts. One reader shared an example of user-hostile design that is too perfect not to share.

On BNF’s mobile app, setting card limits cannot be done by typing a number. Users must tap a spinner button, which adjusts the limit by €50 with each tap. Holding the button doesn’t speed it up. The reader wanted to lower their purchase limit from €40,000 to €1,000, a task which required them to tap the button almost 800 times. This is the kind of design failure that needs to be seen to be believed.

If you’ve encountered something similar or have more to discuss on this topic, get in touch (and don’t use company equipment to do so!!).

 

 

Follow This, That and (Maybe), the Other:

 

 

Comments

Post a Comment

Popular posts from this blog

How to clone and synchronise a GitHub repository on Android

Image
Introduction This project describes how I synchronise my  LogSeq  folder on GitHub on Android devices. I wanted to be able to work on topics in LoqSeq on my Android devices besides my PCs. Most of the screen shots and references relate to LogSeq, but you can adjust them to your needs. The solution described here is one in which the synchonization with the repository will be manual. In this scenario, one would synchronise with the repo before opening the tool (LogSeq in my case) and update the repo again when you're done. The Steps ( skip if you want to jump directly to the actions ) This tutorial describes how to install  Termux  on an Android device.  Termux  is an open-source Android terminal emulator and Linux environment application. After Termux is updated and running, a folder on the Android device is mapped to Termux.  GitHub  is installed, and the repo is cloned to this folder. The Termux folder used for the repo has to be  refle...
Read more

HOWTO setup OpenVPN server and client configuration files using EasyRSA

Image
Introduction OpenVPN allows client computers to tunnel into a server over a single UDP or TCP port securely. This HOWTO article is a step-by-step guide that explains how to create the server and client OpenVPN configuration files that makes this possible. In the process this article explains how to create the public key infrastructure (PKI) so that a client can securely communicate with the server. OpenSSL is the foundation for the security functionality of OpenVPN. For this tutorial you will need the following software: OpenVPN. You can download the latest version of OpenVPN from https://openvpn.net/index.php/open-source/downloads.html EasyRSA is the tool people use to create the Public Key Infrastructure (PKI) for OpenVPN. Download the latest release of EasyRSA from https://github.com/OpenVPN/easy-rsa/releases . There is not installation required. Extract the contents of the archive into a folder. OpenVPN is available on various platforms. The generation of the...
Read more

The complete guide to installing, configuring, and managing Plex Media Server on an Ubuntu Server

Image
Introduction This guide covers how to install Plex Media Server (PMS) on a lower-powered Ubuntu Server. As a long-time Plex Pass user, I created a video titled HOWTO Setup a Plex Media Server (PMS) Appliance back in 2020. While that computer (a laptop, actually) had been running flawlessly, I decided to replace it with a virtualised setup. As part of the upgrade process, I chose to start from the very beginning and document each action I performed. I also wanted to make this tutorial beginner-friendly, allowing anyone to follow along and replicate the steps I describe here. 
Read more