Your phone is the key to your money, or on the security of logging in to the Sberbank mobile application

    Imagine the situation: you leave your phone unattended for 5 minutes (for example, while it charges). You come back and see an SMS about the transfer of a large sum of money to a third party. Pictured it? This can easily become reality... The article discusses the not-so-secure login procedure of the Sberbank mobile application, in order to warn users about the possibility of financial losses.

    After my phone started misbehaving, I had to reset it to factory settings. Having installed the Sberbank Online application from the Play Store, and having waited a considerable time while the application scanned the phone for viruses, it seemed that everything was fine with security. But what was my surprise when, after entering the login and preparing to enter the password, I was asked instead to enter an SMS code, which immediately arrived on the same phone!

    At first I thought that perhaps some session identifier had been saved on the memory card, so that it was not necessary to go through the password entry procedure but only the simplified SMS confirmation. But that was not the case.

    Then my colleague and I decided to check on his phone whether I could get into his application. We take his phone, open the application, select "Change user" in the menu, and enter his login (which is not secret and is used by him on various services). And, bingo, again we enter the SMS code and find ourselves inside the application with full access to all his finances! The whole thing took a couple of minutes.

    But what about locking the phone with a password / pattern / fingerprint, you ask? Well, firstly, what matters here is not the device but the SIM card. And a full factory reset can also nullify all that protection; it will just take a little longer.

    In addition, the OS has plenty of applications that ask for permission to read SMS. I won't be surprised if a virus appears that can simulate logging in to the application by reading and then entering the code from the SMS.

    And what about Sberbank?


    Through the feedback form, I wrote twice about this problem to Sberbank and left a review on banki.ru. But Sberbank does not seem to consider this a problem. In addition, the following item was found in the terms of use:

    Do not combine devices for accessing the Sberbank Online system with devices for receiving SMS messages containing a one-time confirmation password (for example, a mobile phone, smartphone or tablet). For mobile devices, specialized versions of the system have been created.
    If you lose the mobile phone to which you receive messages with an SMS password, immediately contact your mobile operator and block the SIM card.

    That is, in fact, the application must not be installed on the same phone to which the SMS messages are sent.
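    To make the difference between the observed login flow and the one the terms of use imply concrete, here is an added example (my own code, not Sberbank's and not from the original article) modelling both in Python: a toy bank where an SMS one-time code alone grants access, beside a hardened variant that always demands the password as well, makes every code single-use and limits the number of guesses. The account name, the SIM number and the code length are constructed assumptions.

```python
"""Toy model of two login flows: SMS code alone vs. password + SMS code.

Constructed example; the bank, account and SIM number are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_DIGITS = 6          # assumed length of the SMS code
MAX_OTP_ATTEMPTS = 3    # guesses allowed per issued code


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    login: str
    password_hash: bytes
    salt: bytes
    sms_sim: str                       # SIM (number) that receives SMS codes
    pending_otp: Optional[str] = None  # currently valid code, if any
    otp_attempts: int = 0              # wrong guesses against pending_otp


class Bank:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sent_sms: list[tuple[str, str]] = []  # (sim, text): stands in for the SMS network

    def register(self, login: str, password: str, sms_sim: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[login] = Account(login, hash_password(password, salt), salt, sms_sim)

    def send_otp(self, login: str) -> None:
        """Issue a fresh random code and 'deliver' it to the account's SIM."""
        acct = self.accounts[login]
        acct.pending_otp = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        acct.otp_attempts = 0
        self.sent_sms.append((acct.sms_sim, acct.pending_otp))

    def check_password(self, login: str, password: str) -> bool:
        acct = self.accounts.get(login)
        if acct is None:
            return False
        return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)

    def check_otp(self, login: str, otp: str) -> bool:
        """Constant-time compare; a code is single-use and guess-limited."""
        acct = self.accounts.get(login)
        if acct is None or acct.pending_otp is None or acct.otp_attempts >= MAX_OTP_ATTEMPTS:
            return False
        acct.otp_attempts += 1
        if hmac.compare_digest(acct.pending_otp, otp):
            acct.pending_otp = None  # burn the code on success
            return True
        return False


def weak_login(bank: Bank, login: str, otp: str) -> bool:
    """The flow observed in the article: knowing the login and holding the
    phone that receives the SMS is enough. Possession is the only factor."""
    return bank.check_otp(login, otp)


def hardened_login(bank: Bank, login: str, password: str, otp: str) -> bool:
    """Knowledge factor (password) AND possession factor (SMS code).
    The password is checked first so a wrong password does not burn the code."""
    if not bank.check_password(login, password):
        return False
    return bank.check_otp(login, otp)


if __name__ == "__main__":
    bank = Bank()
    bank.register("ivan", "correct horse battery", "+7-900-000-0000")  # constructed
    bank.send_otp("ivan")
    code = bank.sent_sms[-1][1]  # whoever holds the phone sees this
    print("weak flow, login + code only:", weak_login(bank, "ivan", code))
    bank.send_otp("ivan")
    code = bank.sent_sms[-1][1]
    print("hardened, wrong password:", hardened_login(bank, "ivan", "guess", code))
    print("hardened, right password:", hardened_login(bank, "ivan", "correct horse battery", code))
```

    The point of the model is the last two lines: with the code in hand but without the password, the hardened flow refuses, and once a code has been used (or guessed at three times) it is dead, so an SMS read by another application on the same device buys the reader at most one short-lived attempt that still needs the password.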

    Conclusions


    Only these conclusions can be drawn: keep your phone with you at all times, even when you step out to the toilet for 5 minutes. Do not install applications with access to SMS. Better still, receive the SMS codes on a push-button phone without applications.


    Do you have a lock on the phone with the bank’s mobile application?

    • 56.8% yes 524
    • 12.7% no 118
    • 8.1% application and SMS on different devices 75
    • 22.2% I don't have a mobile bank / phone / etc. 205
