Getting bank transaction history and bank balance of anyone
Category: Penetration Testing
Summary: Recently the Indian government launched a mega scheme, 'Jan Dhan Yojana'. On the inaugural day, 15 million bank accounts were opened across the country. To cope with such an increasing number of customers, Indian banks have come up with a self-service passbook printing machine, which allows people to print their bank transaction details in their passbook using a single source of truth: a barcode sticker.
This talk covers how I found a security vulnerability involving a flaw in the barcode encryption used by these newly installed printing machines, which allows an attacker to see the bank balance of any customer along with their entire transaction history. More than 30,000 banks are affected by the flaw. It becomes a critical vulnerability as it cannot be patched just by a software update.