Improve Bank cyber security
Guardians of the digital world
An international commercial bank with total assets of USD 500 million engaged our team of cybersecurity experts. The bank offers a full range of banking services to private and corporate clients. The team was tasked with assessing the current security level of the web and mobile banking applications of a commercial bank in Europe. Although the scope of work was limited to a black-box perspective and assumed an external attack scenario in which the attacker knows only the customer's name, we were able to exploit flaws in the applications, gain access to critical data, obtain full access to the bank's customer accounts, and, as the ultimate goal, withdraw money.
WHAT WAS DONE
TESTING STAGES
Reconnaissance:
It took us a week to study the client's systems. We gathered information about the software, operating systems, browsers, antivirus products, email clients, etc. used by employees. We also focused on the email format and other elements of corporate identity, as well as news and events in the company: everything that could make an email, a phishing site, or a targeted attack credible.
STAGES OF THE TEST
To conduct high-quality comprehensive testing, we used both manual and automated testing tools and techniques.
OTP compromise:
- During the testing, we found that access to the account via online banking is protected by two-factor authentication using an OTP code. We found a critical vulnerability in the OTP check that allowed us to obtain the code by brute force (repeatedly guessing it on the login page). In addition, the same OTP verification was used for financial and other asset transactions. Provided that the attacker knew the user's credentials, they could access any bank account and make an unauthorized money transfer, completely compromising the security system.
The same OTP vulnerability was confirmed in the mobile application, although a different server was used to process requests, and the web and mobile application APIs were supposed to function separately. Thus, the mobile application contained the same flaw in the session management logic, and the security risk was correspondingly higher.
Authentication compromise:
- Another critical vulnerability was discovered in the authorization of access to user data. By logging into the online banking system and changing the user's identification token, an attacker could view the private data of other bank customers, including their transactions and account balances. It was therefore possible to select accounts with the desired balances and then, using an automatically generated script, obtain credentials, log in to the victims' accounts, guess their OTPs, and withdraw money.
Hacking scenario:
- Gaining full access. A vulnerability in the authentication process allowed access to any user account in the system. The attacker could easily check account balances, select the desired accounts, collect the necessary data, and initiate unauthorized transactions by exploiting the OTP vulnerability.
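The two findings above combine an account-identifier substitution with a guessable OTP. The following is an added illustration of the corresponding server-side controls, not code from the assessment or from the bank: a transfer-authorization check that takes the account from the server-side session (so a substituted identifier is refused) and treats the OTP as single-use with a bounded number of guesses and a lifetime. The policy values, class and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_OTP_ATTEMPTS = 5      # assumed policy: invalidate the code after 5 wrong guesses
OTP_TTL_SECONDS = 120     # assumed policy: a code is valid for two minutes

@dataclass
class OtpChallenge:
    account_id: str      # account the code was issued for
    code: str
    issued_at: float
    attempts: int = 0
    spent: bool = False  # consumed, locked out or expired

@dataclass
class Session:
    account_id: str      # fixed server-side at login; never read from the request

def issue_otp(account_id: str, now: float) -> OtpChallenge:
    """Create a fresh 6-digit code bound to one account (hypothetical helper)."""
    return OtpChallenge(account_id, f"{secrets.randbelow(10**6):06d}", now)

def authorize_transfer(session, requested_account, challenge, submitted_code, now):
    """Decide whether a transfer may proceed; returns a short status string."""
    # 1. Object-level authorization: the account named in the request must be the
    #    session's own account, so substituting another identifier yields nothing.
    if requested_account != session.account_id or challenge.account_id != session.account_id:
        return "forbidden"
    # 2. The code is single-use and bounded both in time and in number of guesses.
    if challenge.spent:
        return "otp_locked"
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        challenge.spent = True
        return "otp_expired"
    challenge.attempts += 1
    if hmac.compare_digest(challenge.code, submitted_code):
        challenge.spent = True       # a used code cannot be replayed
        return "approved"
    if challenge.attempts >= MAX_OTP_ATTEMPTS:
        challenge.spent = True       # budget exhausted: a new code must be issued
        return "otp_locked"
    return "otp_wrong"

if __name__ == "__main__":
    # Constructed demo: a session for ACC-A and a challenge with a known code.
    sess, ch = Session("ACC-A"), OtpChallenge("ACC-A", "123456", issued_at=1000.0)
    print(authorize_transfer(sess, "ACC-B", ch, "123456", now=1001.0))   # forbidden
    print([authorize_transfer(sess, "ACC-A", ch, "000000", now=1002.0) for _ in range(5)])
    print(authorize_transfer(sess, "ACC-A", ch, "123456", now=1003.0))   # otp_locked
```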
RESULT
We conducted a series of tests to analyze the security of the bank's web and mobile applications. The tests revealed several types of vulnerabilities, classified according to the risk levels defined by the OWASP methodology. The combination of two critical vulnerabilities allowed our team to conduct any transaction from the bank's customers' accounts without proper authentication.
To help the bank address the identified security gaps, we prepared a comprehensive report covering all the vulnerabilities identified and provided remediation recommendations that were implemented during the remediation phase.