Security Flaw in Bank Passbooks? Bug Hunter Discovers Data-Leak Vulnerability in Barcodes
The State Bank of India took the lead late last year in launching the barcode-based passbook printing kiosk named Swayam in an effort to use technology to enhance the customer experience.
The service was rolled out to more than 2,500 branches to enable customers to print their own passbooks for savings, recurring deposit and PPF accounts at the kiosks round the clock, even after branch hours. Essentially, the passbook is a printed record of the customer's account, containing the current balance and the transaction history.
Since the launch, more than 3,000 Indian bank branches, including Bank of Baroda, Union Bank, Bank of India, HDFC, Canara Bank, UCO, Central Bank of India and others, have rolled out their own versions of the Swayam service.
But now Indrajeet Bhuyan, a 17-year-old bug hunter, has discovered that the barcode-based service is vulnerable to information disclosure. Bhuyan maintains that a passbook's barcode can easily be spoofed by attackers to obtain the customer's account details.
ISMG reached out to banking/security leaders for their reactions and insight on how to mitigate this newly-discovered vulnerability.
The Security Flaw
The simplicity of Swayam-type services is that all a customer needs to do is place the passbook in the kiosk, which reads the attached barcode sticker and prints the account details into the passbook.
However, Bhuyan discovered that Swayam machines use the barcode attached to the passbook as the only method of validation before printing out the account details.
He argues that even though banks have added a level of security by making the barcode data different from the actual account number, anyone can obtain the data of an account using simple social engineering. Fraudsters can easily scan and read a barcode with a smartphone.
Banks should therefore add another level of authentication, such as passwords or biometrics, so that no one can spoof a customer's barcode and obtain their transaction history.
Dr Onkarnath, security consultant for banks and financial institutions, agrees the self-printing process is not secure in the present scenario. "Since it is a non-financial process, the challenge is associated with the privacy of customer information," he says. "As per my knowledge, apart from the physical passbook, no other security mechanism is in place in this process."
Dinesh Bareja, principal adviser-IS practice at Pyramid Cyber Security and Forensics Pvt. Ltd and Infosec Consortium, believes that organizations most often fail to include the endpoint in their risk assessment when rolling out such a service, which results in data leaks.
Risk assessment, he says, is an activity fundamental to any action an entity takes when considering the addition of external or internal devices to its network, and there is obviously a big gap in the practice at the concerned bank.
"The banks considered access control but did not anticipate that the barcode can be copied easily with the simple algorithm that has been defined to generate the barcode," says Bareja.
Security Experts' Recommendations
Hyderabad-based Milind Rajhans, CISO and AGM-IT, AP Mahesh Urban Co-operative Bank, is surprised to learn about the security flaw. He had not expected any security challenge or cloning with the service, since it is interfaced at the back end with the core banking platform.
So, how should banks address this security flaw?
Experts believe an additional authentication mechanism can be built around this service, but any such initiative will also involve a cost to the bank. Some suggest banks look for the least-expensive authentication mechanism that closes the gap.
Mumbai-based N D Kundu, head of security at Bank of Baroda, supports the use of magnetic stripes to identify customers and authenticate users. "However, having too many security controls deployed at the customer transaction level will be cumbersome and the service may lose its effectiveness," Kundu says.
He recommends a two-factor authentication process for the self-service printing process, similar to that followed in online transactions, i.e., the use of one-time passwords to make the process secure.
Bareja also supports the use of two-factor authentication, considering that all customers are already sensitized to the practice of requesting or receiving an OTP to authenticate transactions.
Other experts say banks could introduce biometric codes to authenticate the correct user as a future measure.
"Banks may issue or use some static code like the PIN of the debit/credit card, which is cost-efficient and an effective security mechanism," says Onkarnath. "In fact, some banks don't have a mechanism in place to force the change of PIN on first use."
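The two designs under discussion, the barcode as the only check and the barcode plus a one-time password, can be compared in a few lines. The following is an added illustration, not code from the banks, the kiosk vendor or anyone quoted in the article; the token format, the ledger entries, the OTP length, lifetime and attempt limit are all assumptions, and the barcode is treated as an opaque string because the article gives no detail of how banks derive it from the account number.

```python
"""Added example (not the banks' or kiosk vendor's code): a barcode sticker
alone is a bearer credential; a second factor closes the gap.

All data and parameters below are constructed assumptions for illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample ledger keyed by the opaque barcode token on the sticker.
# As the article notes, the token is not the account number itself.
TOKEN = "SWY-7Q2K-91XA"
LEDGER = {
    TOKEN: {
        "holder": "A. Customer",
        "mobile": "registered-mobile-1",          # OTP delivery channel (assumed)
        "txns": [("2015-03-01", "NEFT CR", 12000),
                 ("2015-03-04", "ATM WDL", -2000)],
    },
}

OTP_TTL = 180        # seconds an OTP stays valid (assumed)
MAX_ATTEMPTS = 3     # wrong guesses before the challenge is discarded (assumed)


def lookup_account(barcode_token):
    return LEDGER.get(barcode_token)


def print_passbook_v1(barcode_token):
    """Weak design described in the article: the barcode is the only check.
    Anyone who has photographed the sticker gets the transaction history."""
    acct = lookup_account(barcode_token)
    return None if acct is None else acct["txns"]


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


PENDING = {}   # barcode_token -> OtpChallenge


def start_passbook_print(barcode_token, now=None, deliver=lambda mobile, code: None):
    """Hardened step 1: scanning the barcode only triggers an OTP to the
    registered channel. The kiosk never learns the code from the sticker."""
    acct = lookup_account(barcode_token)
    if acct is None:
        return False
    if now is None:
        now = time.time()
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[barcode_token] = OtpChallenge(code, now)
    deliver(acct["mobile"], code)          # out-of-band delivery (simulated)
    return True


def print_passbook_v2(barcode_token, otp, now=None):
    """Hardened step 2: print only if a fresh, unused OTP matches.
    A cloned barcode without the OTP yields nothing; replays and brute
    force are cut off by single use, expiry and the attempt limit."""
    if now is None:
        now = time.time()
    ch = PENDING.get(barcode_token)
    if ch is None or ch.used or now - ch.issued_at > OTP_TTL:
        return None
    ch.attempts += 1
    if ch.attempts > MAX_ATTEMPTS:
        del PENDING[barcode_token]         # too many guesses: start over
        return None
    if not hmac.compare_digest(ch.code, otp):   # constant-time comparison
        return None
    ch.used = True                          # single use: no replay
    return lookup_account(barcode_token)["txns"]


if __name__ == "__main__":
    cloned = TOKEN                          # attacker photographed the sticker
    print("v1, cloned barcode only:", print_passbook_v1(cloned))
    sent = {}
    start_passbook_print(cloned, deliver=lambda m, c: sent.update(code=c))
    print("v2, attacker guess:", print_passbook_v2(cloned, "000000"))
    print("v2, genuine OTP:", print_passbook_v2(cloned, sent["code"]))
    print("v2, replayed OTP:", print_passbook_v2(cloned, sent["code"]))
```

The static PIN that Onkarnath suggests is the same pattern with a long-lived secret instead of `OtpChallenge`: the comparison and attempt limit stay, but the expiry and single-use checks fall away, which is why the PIN must be changed on first use and rate-limited at the kiosk.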
Proponents of the Swayam kiosks believe this off-the-counter, round-the-clock customer service is a good marketing initiative, but it does lead to a debate on the right to data privacy.
And now, with the discovery of this bug, it also leads to a necessary discussion about security, Onkarnath says.
"Service providers have to invest in innovation, for putting relevant and effective information security controls on IT to enable financial products and services to work efficiently," he says.