
Your phone is the key to your money, or how (in)secure it is to log in to the Sberbank mobile app.

Imagine the situation: you left your phone unattended for 5 minutes (on charge, for example). You come back and see an SMS about a transfer of a large sum to a third party. Can you picture it? This can easily become reality. This article looks at the not-very-secure login procedure of the Sberbank mobile application, in order to warn users about the possibility of financial loss.

After my phone glitched, I had to reset it to factory settings. I installed the Sberbank Online application from the Play Market and waited a considerable time while the application scanned the phone for viruses, which created the overall impression that everything was fine with security. Imagine my surprise when, after entering the login and getting ready to enter the password, I was asked instead for an SMS code, which promptly arrived on the same phone!

At first I thought that some session identifier might have survived somewhere on the memory card, so that the password step was skipped and only the simplified SMS confirmation was needed. But that was not the case.

Then a colleague and I decided to check on his phone whether I could get into his application. We take his phone, open the application, select "Change User" in the menu, and enter his login (which is not a secret, since he uses it on various services). And, bingo: we again enter the SMS code and find ourselves inside the application with full access to all his finances! The whole thing took a couple of minutes.
But what about locking the phone with a password, unlock key or fingerprint, you ask? Well, firstly, it's not about the device but about the SIM card. And a full reset to factory settings can also negate all that protection; it just takes a little longer.

In addition, the OS is full of applications that ask for permission to read SMS. I would not be surprised if a piece of malware appeared that could simulate logging in to the application, read the code from the SMS and enter it.

And what about Sberbank?

Through the feedback form, I wrote to Sberbank twice about this problem and left a review on banki.ru. But Sberbank apparently does not consider it a problem. Moreover, the following clause turned up in the terms of use:

Do not combine devices used to access the Sberbank Online system with devices that receive SMS messages containing the confirming one-time password (for example, a mobile phone, smartphone or tablet). Specialized versions of the system have been created for mobile devices.
If you lose the mobile phone on which you receive messages with the SMS password, immediately contact your mobile operator and block your SIM card.

That is, in effect, the application must not be installed on the same phone that receives the SMS messages.
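To make the point of the terms of use concrete, here is an added toy model of the login policy the article describes, placed beside a hardened variant. It is a constructed illustration, not Sberbank's code, and every name in it (Account, LoginAttempt, weak_policy, hardened_policy, the sample account and code) is invented. The weak policy lets a valid SMS code alone open the app; the hardened one always demands the password and counts the SMS code or an already-enrolled device only as the second factor, so holding the phone and its SIM is never sufficient on its own.

```python
# Toy model of the login policy described in the article. This is an added,
# constructed illustration, not Sberbank's code: every name here (Account,
# LoginAttempt, weak_policy, hardened_policy, the sample account) is invented.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the model never compares plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    login: str
    salt: bytes
    password_hash: bytes
    # Devices that previously completed a full login (password + OTP).
    enrolled_devices: Set[str] = field(default_factory=set)


@dataclass
class LoginAttempt:
    login: str
    device_id: str            # the device running the banking app
    sms_device_id: str        # the device holding the SIM that receives the OTP
    password: Optional[str] = None
    sms_code: Optional[str] = None


def factors_proven(acct: Account, attempt: LoginAttempt, expected_code: str) -> Set[str]:
    """Which independent factors does this attempt actually demonstrate?"""
    factors = set()
    if attempt.password is not None and hmac.compare_digest(
        hash_password(attempt.password, acct.salt), acct.password_hash
    ):
        factors.add("knowledge")           # something you know
    if attempt.sms_code is not None and hmac.compare_digest(attempt.sms_code, expected_code):
        factors.add("sim_possession")      # something you have (the SIM)
    if attempt.device_id in acct.enrolled_devices:
        factors.add("enrolled_device")     # a device the bank has seen before
    return factors


def otp_channel_is_independent(attempt: LoginAttempt) -> bool:
    """The terms of use quoted above want the OTP on a device other than the
    one running the app; if both are the same device, whoever holds that
    phone holds the OTP as well."""
    return attempt.sms_device_id != attempt.device_id


def weak_policy(acct: Account, attempt: LoginAttempt, expected_code: str) -> bool:
    """Behaviour the article observed: a valid SMS code alone opens the app,
    even on a freshly reset (unenrolled) device."""
    return "sim_possession" in factors_proven(acct, attempt, expected_code)


def hardened_policy(acct: Account, attempt: LoginAttempt, expected_code: str) -> bool:
    """Always demand the password, plus one second factor (SMS code or an
    already-enrolled device). Holding the phone is then never enough on its own."""
    f = factors_proven(acct, attempt, expected_code)
    if "knowledge" not in f:
        return False
    return "sim_possession" in f or "enrolled_device" in f


# Constructed sample account and OTP; in reality the code would come from
# the bank's SMS gateway.
SALT = b"constructed-salt"
ALICE = Account("alice", SALT, hash_password("correct horse battery", SALT))
EXPECTED_CODE = "48213"

# The article's scenario: someone holds the (reset) phone and its SIM,
# sees the SMS, and knows no password.
ATTACKER_HOLDS_PHONE = LoginAttempt(
    login="alice", device_id="phone-1", sms_device_id="phone-1", sms_code=EXPECTED_CODE
)
# The legitimate owner, who also knows the password.
OWNER_WITH_PASSWORD = LoginAttempt(
    login="alice", device_id="phone-1", sms_device_id="phone-1",
    password="correct horse battery", sms_code=EXPECTED_CODE,
)

if __name__ == "__main__":
    for name, attempt in [("attacker", ATTACKER_HOLDS_PHONE), ("owner", OWNER_WITH_PASSWORD)]:
        print(name, "weak:", weak_policy(ALICE, attempt, EXPECTED_CODE),
              "hardened:", hardened_policy(ALICE, attempt, EXPECTED_CODE),
              "independent OTP channel:", otp_channel_is_independent(attempt))
```

Run as a script, the model shows the attacker passing the weak policy and failing the hardened one, while the owner passes both; `otp_channel_is_independent` is false in both cases, which is exactly the configuration the terms of use tell customers to avoid.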

Findings

Only one set of conclusions can be drawn: keep your phone with you at all times, even when you step out to the toilet for 5 minutes. Do not install applications with access to SMS. Better still, receive the SMS codes on a basic push-button phone with no applications.

Source: https://habr.com/ru/post/357428/
