Author Topic: Hacker finds flaws that could let anyone steal $25 Billion from a Bank  (Read 603 times)

Offline jasonX

  • Most Valuable Member
  • Youngling
  • *
  • Posts: 38
    • View Profile
Hacker finds flaws that could let anyone steal $25 Billion from a Bank



A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application. Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.

Quote
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.

Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim's current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
"So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list," Prakash wrote in his blog post.
"It was a matter of 5 lines of code [exploit] to enumerate the bank's customer records (Current Account Balance, and Deposits)."



If this wasn't enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender's account.
This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else's account, reported by Motherboard.

Source HERE