
Logical security holes in Sberbank Online

Being often on the road and having a Sberbank salary card, I had to use various ATMs in various untrustworthy places, so the chance of running into a skimmer was high. (A skimmer is an illegal device that reads data from a plastic card in order to clone it.)

Without thinking twice, I settled on the following workaround: open a deposit at Sberbank where the money sits, and top up the card in small amounts as needed.

That way, even if the card is cloned, only the balance I had moved over from the deposit could be taken from it. Transfers between the card and the deposit account are free of charge, which made the idea even more attractive.

But it was not that simple.

First of all, I decided to set up Sberbank Online itself.
Connecting it is very simple: insert the card into an ATM, choose "Internet Service", then "Print ID and password".
The ATM prints out a login and password for Sberbank Online.
After that, every transaction is confirmed in one of two ways: by SMS to a linked phone, or by one-time passwords from a separate receipt. Since no phone was linked yet, I printed a receipt with one-time passwords.
With these receipts in hand, I logged into the online bank.
That is when the first alarm bell rang. It turns out that even if you have never heard of the online service, you already have it.

Okay, I look over the main page and fall into a mild stupor. It turns out that I have not only a Sberbank card but also a certain "Universal" deposit, which has had money in it for three years already. It took me a while to remember what it was: a passbook account I had opened long ago and forgotten about. The second alarm bell rang. It turns out that every deposit opened in your name is available online by default.

I tried transferring money from my deposit to the card account; it went through instantly. Moreover, without any confirmation by receipt or SMS!
Then I started digging through the interface. Clearly, this implementation of protection was not enough for my idea.
A fraudster who has cloned my card would print his own login and password straight from the ATM, calmly log into the online bank, sweep all the money from the deposits into the card account, and then cash out. That did not suit me at all.

After a short search I found, in the Security settings, a section on so-called product visibility. It lets you hide deposits and accounts from both the ATM screen and Sberbank Online. There was just one catch: access to this section was only by SMS; a one-time password from the receipt was not accepted here. Good already!

Rubbing my hands with satisfaction, I started reading the manual on how to enable SMS alerts. It turns out that this requires connecting the so-called "Mobile Bank", and this can be done through (guess what?) the same ATM!

So I go to the ATM, insert the card, enable Mobile Bank; it asks me to enter a phone number (?). I enter my number, and an SMS arrives saying that Mobile Bank is connected. Great!

I received the SMS code and configured product visibility in the security section, hiding the deposits and accounts. Now the surplus is visible neither at the ATM nor online. Everything seems fine! But something kept nagging at me. I go back to the ATM and open the "Mobile Bank" section. And what do I see? The option to add another number to Mobile Bank is still active!
Slightly bewildered, I call support, and a polite operator explains to me that yes, you can enter more numbers, and then the data will be sent to all of them in parallel! Curtain.

To make it clearer, I will lay out the protection as implemented at Sberbank and the attack that renders that protection useless once a copy of the card is in an attacker's hands.

Protection: Keep a minimum of funds on the card; keep large sums on deposits from which cash can be withdrawn as needed.
Attack: The attacker transfers all funds from the deposits to the card, then cashes out.

Protection: A complex user password for logging into the online bank, which can be set in the security settings.
Attack: The attacker prints a receipt with a new login and password at the ATM, and the user's password is blocked.

Protection: Hiding the user's deposits with large balances from the ATM and the online bank. Hiding and unhiding are done only with an SMS code.
Attack: The attacker registers his own phone through the ATM, immediately receives an SMS code to restore deposit visibility, and then promptly transfers all the money from the now-visible deposits to the card and cashes out.

That is the basics.
Another minor point: a standard, unchangeable interface template makes it easy to throw up a bunch of fake sites and deceive users.

And a few words on how all these troubles could be avoided.

1. Link mobile phones to Mobile Bank and online banking only with confirmation of the phone holder's identity, for example via a call to the call centre with a code word, or in person at a Sberbank branch with a passport. Automatically bind only the phone listed in the contract for receiving the card or opening the account.
2. More flexible authorization settings in the security section: give the user the option to disable the use of logins and passwords issued by the ATM.
3. Allow the user to set an IP address in the security settings so that access to the online bank is permitted only from personal IP addresses.
4. To fight phishing sites, let the user upload a unique picture to the main page of the online bank. If I do not see my picture, this is a fake site! Yahoo does this, for example.
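As an added illustration (not code from the original post or from the bank), the following Python models the protection/attack pairs above as capability rules and checks whether someone holding only a cloned card can reach the deposit funds, first under the controls as the post describes them and then with recommendation 1 applied (a phone is bound only after identity proof, and deposit transfers require SMS). The capability names are my own labels.

```python
# Capability model of the ATM / online-bank access chain described in the post
# (added illustration, not the bank's own logic). Each rule reads: holding every
# capability in `needs` grants `gain`. Names are my own labels for the model.

CARD = "cloned_card"   # starting point: a skimmed copy of the card plus its PIN

# Controls exactly as the post describes them.
AS_DESCRIBED = [
    ({CARD}, "atm_session"),
    ({"atm_session"}, "online_login"),        # ATM prints a fresh login/password
    ({"atm_session"}, "otp_receipt"),         # ATM prints one-time passwords
    ({"atm_session"}, "sms_channel"),         # ATM binds any extra phone to Mobile Bank
    ({"online_login", "sms_channel"}, "deposits_visible"),      # visibility: SMS only
    ({"online_login", "deposits_visible"}, "deposit_to_card"),  # no confirmation at all
    ({"deposit_to_card", CARD}, "cash_from_deposits"),
]

# Same chain with recommendation 1 applied: the SMS channel exists only after
# identity proof, and the deposit-to-card transfer itself demands SMS.
HARDENED = [
    ({CARD}, "atm_session"),
    ({"atm_session"}, "online_login"),
    ({"atm_session"}, "otp_receipt"),
    ({"identity_proof"}, "sms_channel"),
    ({"online_login", "sms_channel"}, "deposits_visible"),
    ({"online_login", "deposits_visible", "sms_channel"}, "deposit_to_card"),
    ({"deposit_to_card", CARD}, "cash_from_deposits"),
]

def attack_trace(start, rules, goal="cash_from_deposits"):
    """Forward-chain from `start`. Return the ordered list of capabilities
    gained on the way to `goal`, or None if the goal is unreachable."""
    have, gained = set(start), []
    progress = True
    while progress and goal not in have:
        progress = False
        for needs, gain in rules:
            if gain not in have and needs <= have:
                have.add(gain)
                gained.append(gain)
                progress = True
    return gained if goal in have else None

if __name__ == "__main__":
    print("as described:", attack_trace({CARD}, AS_DESCRIBED))
    print("hardened    :", attack_trace({CARD}, HARDENED))
    print("legit owner :", attack_trace({CARD, "identity_proof"}, HARDENED))
```

The first run lists the full chain ending in cash_from_deposits; the hardened run returns None because nothing the ATM hands out yields the SMS channel, while the legitimate owner with identity proof still reaches every step.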

Source: https://habr.com/ru/post/146284/

