
Vulnerability in Alfa-Bank Ukraine: getting the full name of the client by phone number

Alfa-Bank Ukraine is in the top 5 Ukrainian banks by number of active cards and has a fairly good Internet banking service, My Alfa-Bank.

They offer transfers to another client by phone number: to send money it is enough to enter the recipient's phone number; no card number is needed.

For a long time, p2p transfers by phone number worked only under certain conditions: the recipient had to have a confirmed phone number and a payroll card issued by Alfa-Bank Ukraine.

Not long ago, at the end of March of this year, the bank enabled p2p transfers by phone number in My Alfa-Bank Internet banking for all bank customers, not just payroll-card holders.

I decided to test whether this function could be used to obtain customer data by phone number.

I enter the amount and the phone number of a relative who has an account with Alfa-Bank, click "Next."


On the next page, so that the user can make sure the money will go to the right person, the bank shows the client's full name in masked form: part of the surname is replaced with asterisks, and the first and middle names are shown only as initials, which is correct (hereinafter the phone numbers and the sender's and recipient's full names are fictitious):


Of course, if the funds are transferred, I will see the recipient's full name. But the recipient will also see mine, so at this stage the check is complete.

I go to recent transactions to look at the details of this test transfer:



Nothing interesting: when you hover the mouse cursor over this operation, there is no data of interest to me.



Later, in May, the transfer function between Alfa-Bank customers by mobile phone number appeared in the mobile application.

Knowing that mobile applications can be implemented differently, I decide to check it on Android.

I enter the data (amount and phone number), enter the code from the SMS and see the same picture: the name is masked.



Good for customers, but unfortunate for me. I cancel the operation.

However, I decide to check this transfer in recent transactions in the web version, and yes: in the details of the payment that I started in the mobile application, the fields "Payment sender" and "Payment recipient" are displayed in full!



Yes, the vulnerability is found.

So the problem lies precisely in how operations created in the mobile application are displayed: by phone number you can obtain the real names of clients without even sending them money. There can be up to 1.15 million such clients (the number of active cards according to the NBU), although the client must be registered in the system.

I write to the bank at the addresses found on the site that they should restrict the fields passed on for an operation performed in the mobile application (or mask the data there, as is done at the other stages of such an operation), and the problem will be solved.
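The root cause described above is a masking rule that is applied in the confirmation screen but not in the transaction-details view, so an operation that was never completed still exposes the counterparty's full name. The example below is added here and is not the bank's code: it models a transfer record with a status, implements a masking rule that approximates the one described (part of the surname replaced by asterisks, first and middle names reduced to initials; the exact number of visible surname letters is an assumption), and shows a vulnerable details view next to a fixed one that reveals the counterparty's full name only once the transfer has actually completed. The record fields, status values and names are constructed for the example.

```python
"""Consistent masking of counterparty names across views (added example).

Assumptions (not from the original post): a transfer record with a status
field, names written as "Surname Firstname Patronymic", and a masking rule
that keeps the first two letters of the surname.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    sender_name: str
    recipient_name: str
    status: str  # constructed values: "pending", "cancelled", "completed"


def mask_full_name(full_name: str, visible_surname_chars: int = 2) -> str:
    """Mask a full name the way the confirmation screen in the post does.

    The surname keeps its first few letters and the rest becomes asterisks;
    every following name part is reduced to an initial.
    """
    parts = full_name.split()
    if not parts:
        return ""
    surname, given_names = parts[0], parts[1:]
    kept = surname[:visible_surname_chars]
    masked_surname = kept + "*" * max(len(surname) - len(kept), 0)
    initials = [name[0] + "." for name in given_names]
    return " ".join([masked_surname, *initials])


def details_vulnerable(transfer: Transfer, viewer_is_sender: bool) -> dict:
    """Reproduces the flaw from the post: the details view serializes the raw
    record, so a cancelled or pending operation still shows both full names."""
    return {
        "id": transfer.transfer_id,
        "sender": transfer.sender_name,
        "recipient": transfer.recipient_name,
    }


def details_fixed(transfer: Transfer, viewer_is_sender: bool) -> dict:
    """Fixed details view: the viewer always sees their own name, but the
    counterparty's full name is revealed only for a completed transfer, which
    matches the rule the post describes for the confirmation step."""
    completed = transfer.status == "completed"
    if viewer_is_sender:
        sender = transfer.sender_name
        recipient = (transfer.recipient_name if completed
                     else mask_full_name(transfer.recipient_name))
    else:
        sender = (transfer.sender_name if completed
                  else mask_full_name(transfer.sender_name))
        recipient = transfer.recipient_name
    return {"id": transfer.transfer_id, "sender": sender, "recipient": recipient}


def leaks_counterparty_name(view: dict, transfer: Transfer,
                            viewer_is_sender: bool) -> bool:
    """Detection helper: True if a non-completed transfer's view exposes the
    counterparty's unmasked name. Useful as a regression test on the API."""
    if transfer.status == "completed":
        return False
    field = "recipient" if viewer_is_sender else "sender"
    real = transfer.recipient_name if viewer_is_sender else transfer.sender_name
    return view[field] == real


if __name__ == "__main__":
    # Constructed sample: a transfer started in the app and then cancelled.
    cancelled = Transfer("t-1", "Kovalenko Oksana Ivanivna",
                         "Shevchenko Taras Hryhorovych", "cancelled")
    print("vulnerable:", details_vulnerable(cancelled, True))
    print("fixed:     ", details_fixed(cancelled, True))
```

Running the block shows the cancelled transfer revealing "Shevchenko Taras Hryhorovych" in the vulnerable view and "Sh******** T. H." in the fixed one. The `leaks_counterparty_name` check is the kind of assertion worth keeping in the API test suite for every endpoint that renders a transfer, since the post shows the leak moving between the mobile and web views over time.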

Chronology of events:

May 30 - the first letter, in which I give a link to a password-protected document with screenshots and a detailed description of the problem;

June 7 - a second letter asking for a reaction; I get the answer "Describe the problem in text format (add a screenshot if necessary) so that the issue can be resolved" and send a reply;

June 26 - my repeated letter asking whether the situation will be corrected or not, and when. I get the following answer: "The recorded proposal is forwarded to the relevant department for consideration and inclusion in the plan of further action. Implementation of the recorded proposal depends on various factors: resources, complexity of implementation, projects already in progress. No feedback is provided on proposals received by the bank." Proposals? I clearly described what the problem was, attached screenshots and suggested a solution;

July 7 - of course, no movement; I tried to clarify the issue through friends. The check shows that the error now no longer depends on the platform and is also reproduced in the web version: you no longer need to use the application and the site together to get the owner's full name by phone number, you can simply look up the client's full name in Internet banking;

August 8 - I write to the bank that I want to publish information about how the error I found was not corrected by the bank for several months; I get the answer "The information you provided was forwarded to the appropriate department of the Bank, and the answer received was that it will be added to the backlog, but at the moment no changes will be made" and "the Development Department does not consider that the information you provided affects the vulnerability of the Internet service, but has taken it into account. Thank you for helping us to become better. Sincerely, Alfa-Bank!"



Bottom line: from the end of May up to the present, the vulnerability has not been fixed; you can get a client's full name by phone number without making a transfer (by looking at the details of the incomplete operation in Internet banking).

Source: https://habr.com/ru/post/334700/