Recently I posted about security flaws in our banks. Unfortunately, one of my friends has also been affected by these security flaws, but in a different way. He is a technology-aware person and has been using computers (and related technology) for the last 10 years. The incident itself is a series of events, and I would like to describe it step by step:
- He activated his e-banking account 6 months ago and didn't use it a single time. So all his credentials were the defaults set by the bank.
- A few days ago he received an SMS informing him that around Rs.100/- had been transferred from his account to a Ufone number.
- He contacted the call center to talk to a customer representative, but surprisingly they responded that "you are not registered with our call center. Kindly visit your branch and fill the form to register with our call center" (:D can you imagine? Damn!)
- On such a response, he decided to contact that person (the Ufone number) directly to find out who he is. (The bad luck starts from here.)
- He called, but when he told the person that some amount had been transferred from his account to that number, the person dropped the call.
- Over the next few days, he checked his account and found his balance was zero.

I don't know many details, but in my opinion those guys used a simple technique. They discovered the bank's service for accessing accounts and used a brute-force algorithm to crack passwords. First, they transferred small amounts into their mobile accounts etc. so they could find out which accounts they had cracked and could later empty those accounts. Well, I don't know the status of his inquiry, but IMHO the authorities can easily reach them through their cell number or the account into which the money was transferred.
But once again, it is clearly shown that banks are not deploying proper security policies, and this can lead to some disastrous situations.