
Vulnerabilities in Oschadbank: getting a full name of a client by phone number, enumerating card numbers, problems in payment terminals

I have accumulated several problems found in various services of Oschadbank, one of the largest Ukrainian banks.

All information is provided for informational purposes only. I am not responsible for any possible harm caused by the materials of this article.


1. Getting the name of the client by phone number
Oschadbank added a new function to its online banking service Oschad 24/7: card-to-card transfer by phone number, where the sender does not need to know the recipient's card number.

Earlier, I looked at the problems in the implementation of this function in another Ukrainian bank: Vulnerability in Alfa-Bank Ukraine: obtaining the client's full name by phone number.

Here the vulnerability is smaller: in fact, you get not the full name but only the first name and the first letter of the last name. But this does not negate the fact that you can now find out the real (passport) name of a person hiding behind an anonymous phone number.

That is, if you are interested in, for example, the name of the person who called you, and a search in social networks gives no results, or you doubt their validity (people often give made-up names in social networks), then with the help of Oschadbank you can try to find out his real name.

What kind of search in social networks? It has been described many times already, but I think it will not be superfluous to recall the "feature": if you need to know a person's full name, you can try the account recovery function of a social network against their phone number.

For example, you can click "Forgot your account?" on Facebook, enter the phone number of interest and, if the person is registered with this phone, the following data will be shown:


- Masked mail address;
- User's avatar as a link www.facebook.com/profile/pic.php?cuid=XYZ&square_px=50 , which can be opened in higher resolution by increasing the square_px parameter;
- Name and surname under which the user is registered.

So, if the name and surname indicated in one of the social networks raise doubts about their authenticity, Oschadbank comes to the rescue with its almost 5.5 million active bank cards (this is the second bank by the number of active cards in Ukraine):

In Oschad 24/7 choose: Payments and transfers, Transfers between cards, By phone number:


If the client is found in the system, we see his first name, the first letter of the last name and the masked card number:



Or you can use the GET request at https://online.oschadbank.ua/wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380987654321

In response, we get:

[ {
"id" : "+380987654321",
"name" : "+380987654321",
"CONTRACT_ID" : "42577459",
"CLIENT_NAME" : " . ",
"PAN" : "5167********3489"
} ]
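The lookup above answers one phone number per request, so mass enumeration of it shows up as many distinct PHONE_NUMBER values from one source in a short time. The following is an added example, not code from the article or from the bank: detection logic run over constructed access-log lines in an assumed CLF-like layout, with an assumed window and threshold.

```python
# Added example (not from the original article): flag sources that enumerate
# the CONTRACT_BY_PHONE lookup. Log layout, window and threshold are assumptions;
# the IPs and phone numbers are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (assumed CLF-like layout, not real bank logs).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2017:10:00:01 +0300] "GET /wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380000000001 HTTP/1.1" 200 120
10.0.0.5 - - [12/Oct/2017:10:00:02 +0300] "GET /wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380000000002 HTTP/1.1" 200 4
10.0.0.5 - - [12/Oct/2017:10:00:03 +0300] "GET /wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380000000003 HTTP/1.1" 200 4
10.0.0.5 - - [12/Oct/2017:10:00:04 +0300] "GET /wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380000000004 HTTP/1.1" 200 120
10.0.0.9 - - [12/Oct/2017:10:00:05 +0300] "GET /wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380000000007 HTTP/1.1" 200 120
10.0.0.9 - - [12/Oct/2017:10:05:00 +0300] "GET /wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380000000007 HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d+)'
)
LOOKUP_PATH = "/wb/api/v2/catalogs/CONTRACT_BY_PHONE"


def parse_lookups(log_text):
    """Yield (ip, timestamp, phone) for every request to the phone lookup."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(LOOKUP_PATH):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        phone = parse_qs(urlparse(m.group("path")).query).get("PHONE_NUMBER", [None])[0]
        if phone:
            yield m.group("ip"), ts, phone


def find_enumerators(log_text, window_s=60, max_distinct=3):
    """Return {ip: distinct_count} for sources that queried more than
    max_distinct different phone numbers inside any window_s-second window.
    Repeated lookups of the same number (a normal user retrying) are not counted."""
    recent = defaultdict(deque)  # ip -> (ts, phone) pairs inside the window, oldest first
    flagged = {}
    for ip, ts, phone in parse_lookups(log_text):  # log assumed to be chronological
        q = recent[ip]
        q.append((ts, phone))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged
```

The same counter, keyed by authenticated session instead of IP, is the natural place to enforce a per-user rate limit on the lookup rather than only to alert on it.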


True, for some time now Oschadbank has been blocking the submission of non-existent phone numbers when an attempt to enumerate is detected.

However, this is not such a problem, considering the second vulnerability of Oschadbank.

2. Getting a new account in Oschad 24/7 using Visa prepaid cards

Visa Eurovision

A prepaid card (issued without presenting any documents) can be activated with any phone number: when issuing the card, Oschadbank does not tie the client's phone number to the card, so the client links it to any mobile number themselves.

So, in order to get an account in Oschad 24/7, you do not even have to buy such an Oschadbank payment card; it is enough to try to activate one in the automated call-center menu by brute-forcing a valid card number.

In the IVR menu there is no limit on the number of unsuccessful attempts at such guessing, and if the 16-digit card number is "free" (the card has not been activated by anyone), the bank:


All this without a plastic card in your hands.

Accordingly, it becomes possible to log in to Internet banking without ever having appeared at a branch.

Well, how then should a transfer by phone number be implemented so that it is both safe and convenient for customers? I will repeat what I said in the previous article, Vulnerability in Alfa-Bank Ukraine: getting the client's full name by phone number. I like the final implementation of the Alfa-Bank service: part of the last name is masked with asterisks, and the first and middle names are shown only by their first letters.
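One way to build the recipient confirmation record along the lines just described, as an added example that is not the code of Oschadbank or Alfa-Bank: the surname is partly masked, the first and middle names are reduced to initials, and the PAN keeps only the first and last four digits as in the response shown above. How many surname letters to keep is an assumption; the names and card number are constructed.

```python
# Added example (not the bank's code): a masked recipient view for a
# transfer-by-phone lookup. The number of surname letters kept (2) is an
# assumption; the PAN shape (4 digits + asterisks + 4 digits) follows the
# response shown in the article. Sample names and PAN are constructed.


def mask_pan(pan):
    """Keep the first 4 and last 4 digits of a 13-19 digit card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected PAN length")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def initial(name):
    """First letter plus a dot, or an empty string if the part is absent."""
    name = name.strip()
    return name[0].upper() + "." if name else ""


def mask_surname(surname, keep=2):
    """Keep the first `keep` letters of the surname and mask the rest.
    Very short surnames are masked completely so nothing leaks."""
    surname = surname.strip()
    if len(surname) <= keep:
        return "*" * len(surname)
    return surname[:keep] + "*" * (len(surname) - keep)


def recipient_view(surname, first_name, middle_name, pan):
    """Return the fields a sender is shown to confirm the recipient.
    Works on Cyrillic as well as Latin names (Python str is Unicode-aware)."""
    parts = [mask_surname(surname), initial(first_name), initial(middle_name)]
    return {"CLIENT_NAME": " ".join(p for p in parts if p), "PAN": mask_pan(pan)}
```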

3. Access to folders and files on the Oschadbank site

Another problem with the Visa cards; it is not mentioned in the title.

When Oschadbank launched the sale of Visa Prepaid cards on its website, it did not configure access control and directory listing.

For example, on one of the HTTPS pages it was possible to look up someone else's order through the form, and the client's e-mail address, order number and name appeared in the page source:



The rest of the pages were served over HTTP, not HTTPS, and on them, without any authorization, the folders, files and logs of clients' payments for the cards were accessible:



Payment logs:



There was no reply to my message about the vulnerability on this site, apart from the duty officer's "it will be passed on"; it was quietly fixed, without even a "thank you".

4. Access to customer transactions in payment terminals

Knowing the mobile phone number of an Oschadbank client, one can get access to the operations they performed in the payment terminals.

In the terminal menu (no photo here), to enter the personal account you need to enter a mobile phone number.

In PrivatBank terminals and those of other payment companies, after the phone number is entered a one-time code is sent to it, which must be entered for authorization, or authorization is done in some other way.

In Oschadbank there is no authorization at all: you simply enter a phone number and get access to the saved payments assigned to that client's phone number.

I have something else to say about the terminals. In principle, the next problem with the terminals is similar to the one I described in the article "5 clicks on the terminal screen - and any folder opens".

5. Full access to the management of the payment terminal

In one of Oschadbank's payment terminals I somehow got to the desktop.

Not only could one browse the folders of the system disk and change almost any Windows setting (which is, of course, a separate problem); in addition, a folder with the straightforward name "Customer" on drive C contained this terminal's transaction logs with the extension "jrn" (in fact, plain text).

Pictures in poor quality

Files are created every day and contain the following information: which operations were carried out on this terminal, how much money was deposited to top up a card, how much to top up a mobile phone (with the full phone number), how much cash was collected from the terminal and when, which banknotes, and so on.

By the way, the log files of client operations could be modified and deleted. I reported the problem in the terminal to the bank, but I don't know how it ended (as can be seen from the preceding sections, the bank does not consider it necessary to inform customers about the resolution of their requests).



Bug bounty, thanks, or at least some feedback? No, never heard of it.

So it goes.

Source: https://habr.com/ru/post/341252/
