
PrivatBank accuses Ukrainian programmer of hacking its Android application
KPI's Aleksey Mokhov, a former employee of Samsung in Ukraine and of Viewdle, found a vulnerability in the Privat24 Android application. PrivatBank responded unexpectedly, accusing the programmer of trying to steal funds from the accounts of bank customers.

As reported on the Ukrainian portal of the KPI student newspaper
According to Alexey:
I now work on software for taxi services in Kiev (somehow I ended up in this field; I used to work at Samsung and Viewdle). So. The task was to periodically check the balance of PrivatBank bank cards and, if necessary, transfer funds to another card. Why PrivatBank? Because they have one of the largest networks of TCO (self-service terminals). The scheme is as follows: a taxi driver approaches the TCO, the application for topping up a taxi account requests a card number, the system issues a card to him and awaits the receipt of funds. As soon as the funds arrive on the card, it credits them in the taxi system.
While studying the communication protocol with the bank, I noticed a couple of errors in the security system. I began to delve deeper into them. It turned out that the bank also allowed transferring funds from card to card, whether to another bank or to another country (via Visa / Mastercard). This is in addition to access to a person's confidential data (balance sheet, accounts, loans, bank deposits).
After the examination, I wrote about this on Twitter, contacting the PrivatBank account. In addition, I wrote to a PrivatBank employee in Dnepropetrovsk so that the Bank Security Service would come to me faster.
That same evening, PrivatBank headquarters in the Dnieper wrote a letter to the Kiev branch of Privat in Pechersk, and they, naturally, wrote to the SB department. The representative of Privat, V. Maksimenko, phoned me and offered to meet so I could show and tell what was there and how. I was impressed by an experienced specialist; no one pressured me (they didn't even think about it).
Well, I arrived, showed and told how the Privat programmers had made a security hole. I showed how you can, in principle, substitute any person, even the chairman of the Privat board. I also changed the official application of the bank (added my code to it) and showed what can be done with it. It is almost impossible to distinguish the official one from the modified one. They were shocked: a department of 8-10 people in the room, everyone working and listening with half an ear to my monologue about all these matters.
“You need to understand that he is a hacker. In civilized countries, this is a crime. The flaw in the system that he found is not terrible, it does not particularly threaten the bank's customers. As soon as Mokhov tried to transfer other people's money, our security system sounded the alarm. They would definitely find him,” says Oleg Serga, the head of the press service of PrivatBank.
As a result, PrivatBank launched an investigation into the attempt to hack its security system by programmer Aleksey Mokhov, who previously worked for Samsung and the Viewdle project. In the next two weeks, the bank's management will decide whether to initiate proceedings over this matter.