I currently work on software for taxi services in Kiev (somehow life brought me into this field; before that I worked at Samsung and Viewdle). So here is the story. The task was to periodically check the balance of PrivatBank bank cards and, when necessary, transfer funds to another card. Why PrivatBank? Because they have one of the largest networks of self-service terminals (TSO). The scheme is as follows: a taxi driver walks up to a TSO, the taxi company's account top-up application asks for a card number, the system issues him a card number and waits for the funds to arrive. As soon as the funds land on the card, the system credits them to the driver's account in the taxi system.
While studying the communication protocol with the bank, I noticed a couple of errors in its security system and began digging deeper into them. It turned out that the bank also allowed transferring funds from card to card, even to another bank, even to another country (via Visa / Mastercard). This was in addition to access to a person's confidential data (balance, accounts, loans, deposits at the bank).
After examining it, I wrote about it on Twitter, contacting the PrivatBank account. In addition, I wrote to a PrivatBank employee in Dnepropetrovsk so that the bank's Security Service would get to me faster.
On the same day, in the evening, PrivatBank's headquarters in Dnipro sent an internal memo to the Kiev branch of Privat in Pechersk; the Security Service department was also written to directly. A Privat representative, V. Maksimenko, phoned me and offered to meet so that I could show and explain what was there and how it worked. I was impressed by an experienced specialist; nobody pressured me (they didn't even think of it).
Well, I arrived, showed and explained how Privat's programmers had made a security hole. I showed how to impersonate essentially any person, even the chairman of Privat's board. I also modified the bank's official application (added my own code to it) and showed what could be done with it. It is almost impossible to tell the official one from the modified one. They were in shock: a department of 8-10 people in one room, everyone working and listening with half an ear to my monologue about all these things.
Source: https://habr.com/ru/post/193204/