How to empty your bank’s vault with a few clicks and lines of code

A security researcher has demonstrated how he could have theoretically emptied an Indian bank’s coffers with no more than a few clicks and lines of code.

Earlier this week, researcher Sathya Prakash revealed the discovery of multiple, critical vulnerabilities and poor coding in an unnamed government-run Indian bank.

In a blog post, Prakash said in late 2015, his bank released a mobile banking app for Android and iOS which was riddled with security holes related to certificate pinning, enabling the researcher to install a self-signed certificate.

Certificate pinning is a security process which stops HTTPS websites from being impersonated through fake certificates. Without this, cyberattackers may be able to perform man-in-the-middle (MITM) attacks, spy and steal data by pretending to be a legitimate domain.

Prakash deemed the lack of this feature an “epic failure” by the banking app’s development team.

The banking app also contained a number of other security issues. When the banking app was opened, the first request made — before a user logged into their account — is a check to see if updates are available.

The check yields a session ID which can then be noted down and used to make legitimate requests such as checking an account balance, which “essentially bypasses the login password,” according to the researcher.

Many online and mobile bank applications will include a time-out feature to keep idle accounts secure. Prakash found that the mobile app did so, but after poking around, realized the timer was nothing more than a farce — as there were no actual session timers in the backend system.

“My instinct was right,” Prakash noted. “There were no session invalidation controls on the backend. So, unless the App manually invoked the session destroy API, your session IDs live forever.”

The researcher realized that critical issues also existed in the Indian bank’s account validation controls which would allow cyberattackers to bypass checks to transfer money from accounts which did not belong to them.

Prakash used no more than “thirteen lines of code” to tamper with bank customer records and found that there were no checks to see if a given customer ID or authorisation code for a money transfer actually belonged to the sender.

mobile-bank-security-flaw.jpg Sathya Prakash

Prakash commented:

“I was able to transfer money from any source account to any destination account, using my own valid CID (customer ID), and MTPIN (transaction authorisation PIN).

I tested with a bunch of accounts belonging to my family. Few of those accounts don’t even have net banking or mobile backing activated. And it all worked like a charm.”

More security news

Prakash demonstrated the security flaws with a proof-of-concept (PoC) attack using a sender account which did not belong to him.

The range of vulnerabilities and overall lax security could have given cyberattackers free reign and a key to the bank’s vault, which in 2015 contained approximately $25 billion in deposits.

Despite the danger the app’s problems highlighted, it took the bank 12 days to get back to Prakash after he privately disclosed his findings.

The mobile application was patched up based on the researcher’s recommendations, but no financial reward or credit was forthcoming as the bank did not host a bug bounty program.

Read on: Top picks