Getting bank transaction history and bank balance of anyone

Author(s): Indrajeet Bhuyan
Category: Penetration Testing
Duration: 45
Summary: Recently the Indian government launched a mega scheme, 'Jan Dhan Yojana'. On the inaugural day, 15 million bank accounts were opened across the country. To cope with such an increasing number of customers, Indian banks have come up with a self-service passbook printing machine which allows people to print their bank transaction details in their passbook using a single source of truth - a barcode sticker.

This talk covers how I found a security vulnerability involving a flaw in the barcode encryption used by these newly installed printing machines, which allows an attacker to see the bank balance of any customer along with their entire transaction history. More than 30,000 banks are affected by the flaw. It becomes a critical vulnerability as it cannot be patched just by a software update.

Comments

arnab

nice work, keep it up.


ranok

Who'd have thought there'd be security vulns in terribly designed SW?! *YAWN*


spongepat

"allows people to print their bank transaction details in their passbook using a single source of truth - a barcode sticker." What could possibly go wrong? This talk does not deserve to be accepted, as the initial conditions are way too dumb.


citizenx

I don't think this is a generic subject to do a talk on.