Bronzeye reported 22 vulnerabilities to the FCA, according to the report. One of the vulnerabilities flagged related to the payment verification system used by the unnamed bank, which requires customers to enter a code delivered to their mobile phone, in addition to their regular password details, to complete transactions, it said.
Bronzeye said the vulnerability, if exploited, would enable criminals to pose as bank customers and that the bank would find it "extremely difficult to identify", according to the Financial Times report.
"Once the attack begins, identification of those who have been targeted in it may be impossible until those customers come forward to report unknown transactions," Bronzeye told the FCA, according to the Financial Times. "The attack would circumvent the bank's security procedures. The customer would be completely oblivious … the bank, for its part, would see a perfectly normal transaction."
Bronzeye warned the FCA that other banks that have a similar authentication procedure could also be at risk, the report said.