Customers Financial Details Leaked By Self-Service Passbook Printing Machine
Bar Code Attached To The Bank Passbook Can Be Easily Spoofed By The Attackers To Get Customers Account Details
Forget the days when one had to wait in a queue, be it railway station, banks, movie theatre, etc. With advances in technology and introduction of automated machines, now you can get your work done in a jiffy without having to stand in long queues.
Similarly, you can get your bank passbook updated yourself in just a few with the help of automated machines in banks.
Bank Passbook is a copy of the customer’s account in the books of the bank, which has details of the client’s current account balance and transaction (deposits and withdrawals).
But, Do you think your financial information in these automated machines are safe and hack-proof?
‘Swayam’, a barcode based passbook printers that can be self-operated by customers was launched by major Indian banks last year.
However, Indrajeet Bhuyan, a 17-year-old Indian bug hunter, discovered that the barcode technology is susceptible to information disclosure and is currently being used by more than 3000 branches of Indian Banks, which includes State Bank of India, Canara Bank and UCO Bank.
For the customers to use Swayam, the self-service passbook printing machine, all they need to do is just put their passbook into the machine, which would then read the attached barcode sticker and deliver the passbook with the customer account details on it.
However, Indrajeet discovered that Swayam machines are using only ‘Bar Code’ (attached to Passbook) as the only method of validation to print out the respective account details.
In case of Canara Bank and UCO Bank, wherein the customer’s account number is the same as the barcode can be easily spoof by the attacker, Indrajeet told The Hacker News.
An attacker can use the automatic printing machine by using spoofed barcode (with victim’s account number) to obtain the victim’s account balance and history.
“I took my father’s bank account number and made a barcode online, where I added the account number itself as the barcode data”, Indrajeet says in a blog post.
“I removed the barcode sticker that the bank provided and pasted my barcode that I generated online and inserted the passbook into the machine. My theory was successful. I was able to get the entire transaction history of my father’s bank account printed on his passbook.”
IT Departments of many of the banks have been notified by Indrajeet; however, no response has been received by any of them.