VTB24: passwords "flew away" in the bank-client system for legal entities

Below is a story that happened at around 16:40 today and that I lived through as a user of the VTB24 Bank online client system.

Today, at about 16:30, we were unable to log in to the online client system of VTB24 Bank, whose client is the company where I work. On entering the username and password, the system reported that an authorization error had occurred.

Naturally, we began calling the support service for this online system. The young man said that they had "lost the passwords". When asked whether restoring the system was possible, say, by tomorrow, we were told that this was hardly likely. At the same time, the young man rejected the suggestion that the passwords could have been stolen, repeating the same phrase about "passwords that had flown away".

And then the fun began. We asked what to do now. Suddenly it turned out that the system can be bypassed, i.e. in essence you can log in to your personal account without a password (it turned out to be very easy to do), and from there the password itself can be replaced; to replace it you need to know the code word. It also suddenly turned out that no code word was specified in our contract with the bank: this section appeared in the contract quite recently, and we signed our contract at the end of 2008. Naturally, nobody at the bank ever told us that it was necessary to sign an additional agreement and set up such a word. As a result, the tech support officer suggested (as if, of course, he did not know for sure) that we would have to go to the bank, write an application for a secret word to be issued and, of course, wait for it to be issued. All this time, access to the account will be closed to us. Meanwhile, the phone at our bank branch is not answering: they work until 17:00.

I am not an expert in the field of banking application security, but my dealings with this bank's online system have given me a lot to complain about. First, even when it was installed in 2008, it turned out that, despite the statements of the bank's specialists, the system can be installed on significantly more computers than stated in the contract: the program has no (stated) copy protection at all. Yet tech support insisted that you can install it on only one computer per client (two if there are two signatories), and if you need more you have to write a statement justifying the need and wait for it to be approved. Apparently they count on customers' honesty.

Next: somewhere in the middle of 2009, a new security measure was introduced: they began sending SMS messages to customers' phones. Again, one number per client. But during registration it was possible to fill in several fields with a telephone number; this was in no way controlled or limited. By the way, the existence of such a system raises another question: in the event of the problem described at the beginning of the post, is it really impossible to somehow inform clients about the difficulties through an SMS mailing? By the name of the paying company, or by the account number: only by date or document number.

In general, all this is beside the point; right now we are sitting together wondering what the coming day has in store for us and whether there will be anything to pay our employees with tomorrow...

P.S. At around 8 pm, a message appeared saying that working with the system was impossible due to technical problems. The estimated recovery time is one o'clock in the morning.

Source: https://habr.com/ru/post/101980/