Bruce Schneier reports: “New research found that many banks offer certificate pinning as a security feature, but fail to authenticate the hostname. This leaves the systems open to man-in-the-middle attacks.”
https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html
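
An added example (not from Schneier's post or the research it reports) showing why a pin check cannot stand in for hostname verification: a validator that only matches pins accepts any chain containing the pinned key, whatever name the leaf certificate was issued for. Assumptions: the TLS library has already validated the chain's signatures, the pin is on an issuing CA key (the page does not say which certificate is pinned), and every name, key and function here is constructed for illustration.

```python
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """SHA-256 pin over a certificate's SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName; '*' may only replace the whole left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    # Wildcard covers exactly one label and never a bare TLD such as "*.com".
    return bool(head) and tail == p[2:] and tail.count(".") >= 1

def hostname_ok(leaf: dict, hostname: str) -> bool:
    """True if any SAN entry of the leaf covers the host being contacted."""
    return any(name_matches(n, hostname) for n in leaf["san"])

def pin_ok(chain: list, pins: set) -> bool:
    """True if any certificate in the presented chain carries a pinned key."""
    return any(spki_pin(c["spki"]) in pins for c in chain)

def pin_only(chain: list, hostname: str, pins: set) -> bool:
    """Flawed check described above: the hostname is never consulted."""
    return pin_ok(chain, pins)

def pin_and_hostname(chain: list, hostname: str, pins: set) -> bool:
    """Hardened check: leaf must name the host AND the chain must hit a pin."""
    return hostname_ok(chain[0], hostname) and pin_ok(chain, pins)

# Constructed sample data: byte strings stand in for real SPKI DER encodings.
CA = {"san": [], "spki": b"constructed-ca-key"}
BANK_LEAF = {"san": ["api.bank.example", "*.cdn.bank.example"],
             "spki": b"constructed-bank-key"}
OTHER_LEAF = {"san": ["other.example"], "spki": b"constructed-other-key"}
PINS = {spki_pin(CA["spki"])}  # assumption: the app pins the issuing CA key

if __name__ == "__main__":
    host = "api.bank.example"
    for label, chain in (("genuine", [BANK_LEAF, CA]),
                         ("wrong-name", [OTHER_LEAF, CA])):
        print(label, "pin_only:", pin_only(chain, host, PINS),
              "pin_and_hostname:", pin_and_hostname(chain, host, PINS))
```

In a real client the same effect comes from leaving the TLS library's hostname verification enabled and adding the pin comparison on top of it, not in place of it.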