Gone are the days when you had to wait in a queue to get your bank passbook updated. With automated machines installed in banks, updating your passbook yourself is now a matter of seconds. A bank passbook is a copy of the customer's account in the books of the bank: it records the client's current account balance and transaction details (deposits and withdrawals).
But are these automated machines keeping your financial information hack-proof? Last year, major Indian banks rolled out a barcode-based passbook printer called 'Swayam' which customers can operate themselves.
17-year-old Indian bug hunter, Indrajeet Bhuyan, found that the barcode technology used by more than 3000 Indian Banking Branches, including State Bank of India, UCO Bank and Canara Bank, is vulnerable to information disclosure.
So how does the machine recognize the respective user's passbook?
To use Swayam, the self-service passbook printing machine, customers simply feed their passbook into the machine, which reads the barcode sticker attached to it and returns the passbook duly printed.
Indrajeet found that Swayam machines use only the barcode attached to the passbook as the sole method of authentication before printing the corresponding account details.
Indrajeet said that an attacker can easily spoof the barcode, whose data is simply the customer's account number in the case of UCO Bank and Canara Bank. With a spoofed barcode sticker (carrying the victim's account number) attached to his own passbook, an attacker can use the automatic printing machine to obtain the victim's account history and balance.
No biometric authentication, no passwords, no encryption! All was done without proper authentication, putting a client’s private financial information into the hands of any person curious enough to go searching for it.
Indrajeet analyzed the barcode data used by the automatic passbook printing machines of various banks:
State Bank of India:
After scanning the barcode of State Bank of India I got to know that they use some kind of encryption on the barcode data and use the most popular 'Code_128' format of barcode. But I soon realized that they actually get the barcode stickers from a different location, and when a customer asks for barcodes, they paste those barcode stickers and assign the data present in that sticker to the account number of the customer in their database.
For example: if the barcode data in the sticker is '12345' and the bank account number is '9768xxxxx', then when the customer asks for a barcode sticker, the bank pastes the barcode sticker with the data '12345' to the passbook of account no. '9768xxxxx'. So whenever the customer inserts his passbook into the machine, the machine will read the data '12345' from the barcode, check the database and see which bank account it was assigned to. And after verifying, the machine will print the transaction details of account no. '9768xxxxx' in the passbook.
After State Bank of India I scanned the barcode of UCO Bank to see what encryption or type of barcode they use. I was shocked to learn that they use the account number itself as the barcode data, and it was of 'Code_128'. There was no encryption done like in the case of State Bank of India. Upon investigating I got to know that, unlike State Bank of India, where they get the barcodes from a different place with barcode data and assign account numbers to that data, at UCO Bank the employees themselves print the barcodes.
After going to State Bank of India and UCO Bank I went to Canara Bank. Canara Bank does the same as UCO Bank. They too use the account number itself as the barcode data, and it was of 'Code_128'.
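The three designs above differ only in what the machine trusts. The following is an added example, not code from the banks or from Indrajeet: a lookup that trusts the account number printed in the barcode (the UCO Bank and Canara Bank design as described), beside a hardened version that uses an opaque random sticker token mapped to the account (the indirection described for State Bank of India) plus a customer PIN, since a token on a sticker is still a bearer credential visible to anyone holding the passbook. Account numbers, histories and PINs below are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real accounts): account number -> transaction lines.
ACCOUNTS = {
    "9768000001": ["2024-01-02 deposit 5000", "2024-01-05 withdrawal 1200"],
}

# --- Vulnerable design: the barcode payload *is* the account number.
# Whoever knows a victim's account number can print a matching sticker and
# the machine will happily hand over the full history.
def print_history_vulnerable(barcode_payload: str):
    return ACCOUNTS.get(barcode_payload)

# --- Hardened design: sticker carries an opaque random token that only the
# bank's database can map to an account, and a PIN is required before printing.
TOKEN_TO_ACCOUNT = {}   # token -> account number (server-side only)
PIN_RECORDS = {}        # account number -> (salt, pbkdf2 hash of PIN)
PBKDF2_ROUNDS = 100_000

def enrol(account_no: str, pin: str) -> str:
    """Issue a sticker token for an account and store a salted PIN hash."""
    token = secrets.token_urlsafe(16)      # unguessable, unrelated to account_no
    TOKEN_TO_ACCOUNT[token] = account_no
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    PIN_RECORDS[account_no] = (salt, digest)
    return token

def print_history_hardened(barcode_payload: str, pin: str):
    """Return history only if the token is known AND the PIN matches."""
    account_no = TOKEN_TO_ACCOUNT.get(barcode_payload)
    if account_no is None:
        return None                         # unknown or forged sticker
    salt, expected = PIN_RECORDS[account_no]
    got = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(got, expected):
        return None                         # wrong PIN: print nothing
    return ACCOUNTS.get(account_no)
```

With the hardened version, presenting the bare account number as barcode data no longer returns anything, and a genuine token without the PIN is equally useless.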
Indrajeet then put his theory into practice with his father's bank account:
“I took my father’s bank account number and made a barcode online, where I added the account number itself as the barcode data”, Indrajeet says in a blog post.
“I removed the barcode sticker that the bank provided and pasted my barcode that I generated online and inserted the passbook into the machine. My theory was successful. I was able to get the entire transaction history of my father’s bank account printed on his passbook,” he added.
“I made this public so that people become aware of it and also, since a few banks have not yet implemented it and are planning to do it, they refrain from making the same mistake and secure their customers. So before you trust your bank about keeping your account details secure, check twice if they’re really doing what they’re saying,” he added.
This is a serious security flaw: bank balances, transaction history and similar records are meant to be private, and if this information can be accessed by someone else the consequences can be very damaging.
This was revealed by Indrajeet Bhuyan, via Storypick.