Improve Bank cyber security

Financial services
Location: USA
Branch: Financial services
Technologies: PT Security Sniff
Solution: Testing
Terms: 3 months, full complete

Guardians of the digital world

An international commercial bank with total assets of USD 500 million engaged our team of cybersecurity experts. The bank offers a full range of banking services to private and corporate clients. The team was tasked with assessing the current level of security of the web and mobile banking applications of a commercial bank in Europe. Although the scope of work was limited to a black-box perspective and assumed an external attack scenario in which the attacker knows only the customer's name, we were able to exploit application flaws, gain access to critical data, obtain full access to the bank's customer accounts, and withdraw money as the ultimate goal.

WHAT WAS DONE

TESTING STAGES

Reconnaissance:

It took us a week to study the client’s systems. We gathered information about the software, OS, browsers, antiviruses, email clients, etc. used by employees. We also focused on the email format and other elements of corporate identity, news and events in the company – everything that could make the email, phishing site, and targeted attack credible.

STAGES OF THE TEST

To conduct high-quality comprehensive testing, we used both manual and automated testing tools and techniques.

OTP compromise:

  • During the testing, we found that access to the account via online banking is protected by two-factor authentication using an OTP code. We found a critical vulnerability in the OTP handling that allowed us to recover the code by brute force (repeated guessing of the code on the login page). In addition, OTP verification was also used to confirm financial and other asset transactions. Provided that the attacker knew the user’s credentials, they could access any bank account and make an unauthorized money transfer, which would completely compromise the security system.

The same OTP vulnerability was confirmed in the mobile application, even though a different server processed its requests and the web and mobile application APIs were supposed to function separately. The mobile application therefore contained the same flaw in its session management logic, and the overall security risk was correspondingly higher.
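As an added example (not the bank's code or the assessment team's), the control whose absence made the OTP brute-forceable: a verifier that expires the code, caps the number of guesses, compares in constant time, and destroys the code after one use. The digit count, lifetime and attempt limit are illustrative assumptions.

```python
import hmac
import secrets
import time

# Constructed example of an OTP verifier that cannot be brute-forced the way
# the one above was: a short lifetime, a hard cap on guesses, and a one-time
# code that is destroyed on success. Limits are illustrative assumptions.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OtpStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested offline
        self._pending = {}   # session_id -> [code, issued_at, attempts]

    def issue(self, session_id):
        """Issue a fresh code from a CSPRNG; re-issuing resets the counter."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = [code, self._clock(), 0]
        return code

    def verify(self, session_id, submitted):
        """Accept the correct code exactly once.

        A wrong guess counts against MAX_ATTEMPTS; reaching the cap or the
        TTL discards the code, so a second factor with 10**6 possibilities
        can be probed at most MAX_ATTEMPTS times per issued code.
        """
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._pending[session_id]
            return False
        entry[2] += 1
        # Constant-time comparison: response timing must not leak digits.
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[session_id]  # one-time use
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[session_id]  # lock out; a new code must be issued
        return False
```

The lockout is per issued code; in production the issue rate per account also needs a limit, otherwise re-requesting codes resets the counter.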

Authentication compromise:

  • Another critical vulnerability was discovered in the authorization of access to user data. After logging into the online banking system and changing the user’s identification token, an attacker could view the private data of other bank customers, including their transactions and account balances. It was therefore possible to select accounts with the desired balances and then – using an automatically generated script – obtain credentials, log in to the victims’ accounts, brute-force the OTPs, and withdraw money.
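As an added example (not the bank's code), the access-control defect described above reduced to its essence: a handler that authenticates the session but trusts a client-supplied identifier, beside a version that binds every lookup to the owner recorded in the server-side session. The session and account data are constructed.

```python
# Constructed example, not the bank's code: the account lookup behind the
# flaw above, shown beside a version that binds the lookup to the caller.
# Session and account data are made up.
SESSIONS = {"sess-A": "user-1", "sess-B": "user-2"}   # session token -> user
ACCOUNTS = {
    "acct-100": {"owner": "user-1", "balance": 2500},
    "acct-200": {"owner": "user-2", "balance": 87000},
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_token, account_id):
    """The flaw: the session is authenticated, but the account identifier
    is taken from the request and never checked against the session owner,
    so any logged-in user can read any account."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    return ACCOUNTS[account_id]


def get_account(session_token, account_id):
    """Fixed: the caller identity comes from the server-side session only,
    and the object is released only if that identity owns it."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not authenticated")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        # Same answer for "no such account" and "not yours", so the
        # endpoint cannot be used to enumerate valid account ids.
        raise Forbidden("account not found")
    return acct


def balance_visible(handler, session_token, account_id):
    """Helper for comparing the two handlers: the balance if the handler
    releases the account, None if it refuses."""
    try:
        return handler(session_token, account_id)["balance"]
    except (Forbidden, KeyError):
        return None
```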

Hacking scenario:

  • Gaining full access. The authorization flaw gave access to any user account in the system. The attacker could check account balances, select the desired accounts, collect the necessary data, and initiate unauthorized transactions by exploiting the OTP vulnerability.

RESULT

We conducted a series of tests to analyze the security of the bank’s web and mobile applications. The tests revealed several types of vulnerabilities, classified by the risk levels defined in the OWASP methodology. The combination of two critical vulnerabilities allowed our team to conduct any transaction from the accounts of the bank’s customers without proper authentication.

To help the bank address the identified security gaps, we prepared a comprehensive report covering all the vulnerabilities identified and provided remediation recommendations that were implemented during the remediation phase.
