Vulnerabilities in Oschadbank: obtaining a client's name by phone number, enumerating card numbers, problems in payment terminals
I have accumulated several problems found in various services of Oschadbank, one of the largest Ukrainian banks.
All information is provided for informational purposes only. I am not responsible for any possible harm caused by the materials in this article.
1. Obtaining the client's name* by phone number
Oschadbank added a new function to its online banking “Oschad 24/7”: card-to-card transfer by phone number. To transfer funds, you no longer need to know the recipient's card number.
Earlier I examined the problems with implementing this function at another Ukrainian bank: Vulnerability in Alfa-Bank Ukraine: getting the name of the client by phone number.
Here the vulnerability is smaller: you get not the full name but only the first name and the first letter of the surname. That does not change the fact that you can now learn the real name of the person behind an anonymous phone number (in Ukraine SIM cards are sold without being tied to a passport).
That is, if you want to know, for example, the name of the person who called you, and a search on social networks gives no results, or you doubt their validity (fictitious names are often shown on social networks), then you can try to find out their real name through Oschadbank.
What kind of search on social networks? It has been described many times, but a reminder of one “feature” will not hurt: if you need to know a person's name, you can try to “recover” their credentials on social networks.
For example, you can click “Forgot your account?” on Facebook, enter the phone number of interest and, if a person registered with that phone, the following data becomes available:
- Masked e-mail address;
- The user's avatar as a link www.facebook.com/profile/pic.php?cuid=XYZ&square_px=50, which can be opened in higher resolution by increasing the square_px parameter;
- The first and last name under which the user registered.
So, if the name shown on a social network raises doubts about its authenticity, Oschadbank comes to the rescue with its almost 5.5 million active bank cards (the second bank in Ukraine by number of active cards):
In Oschad 24/7 we choose: Payments and transfers, Transfers between cards, By phone number:
If the system finds the client, we see his first name, the first letter of his surname and the masked card number:
Or you can use a GET request to https://online.oschadbank.ua/wb/api/v2/catalogs/CONTRACT_BY_PHONE?filterCode=BY_PHONE&PHONE_NUMBER=380987654321
In response we get:
[ {
"id" : "+380987654321",
"name" : "+380987654321",
"CONTRACT_ID" : "42577459",
"CLIENT_NAME" : "ИМЯ Ф.",
"PAN" : "5167********3489"
} ]
Yes, Oschadbank blocks the ability to transfer for some time when you try to search for non-existent phone numbers. However, this is not much of a problem, given the second Oschadbank vulnerability.
2. Obtaining a new account in Oschad 24/7 using a Visa prepaid card
A prepaid card (issued without any documents) is activated with any phone number: when issuing the card, Oschadbank does not match the client's phone number to the card; the client independently binds it to any mobile number.
Thus, to get an account in Oschad 24/7, you do not have to buy such an Oschadbank payment card at all: you can simply guess a valid card number and try to activate it in the automated call-center (IVR) menu.
There is no limit on the number of unsuccessful attempts at such guessing in the IVR menu, and if the 16-digit card number is “free” (no one has activated this card yet), then the bank:
- immediately activates the card,
- connects SMS notifications to this phone number,
- and automatically registers the card in Oschad 24/7.
All this without a plastic card in your hands.
Accordingly, you can log in to Internet banking without ever visiting a branch.
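The activation flow described above, as an added illustration (not Oschadbank's code): a simulated IVR that accepts unlimited guesses from any caller, beside a variant that locks a caller out after a few failures and only activates a card for the phone number fixed at issuance. The card registry, the owner and attacker numbers, the made-up BIN, the lockout threshold and the phone-to-card binding are all constructed assumptions; the Luhn check is the real ISO/IEC 7812 check digit, which is why only one in ten 16-digit strings is even worth an attempt.

```python
"""Prepaid-card activation over an IVR: the unlimited-guess flow the article
describes beside a hardened one. Added illustration, not Oschadbank code;
the card registry, the phone binding made at issuance and the lockout
threshold are constructed assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test for a 16-digit PAN (ISO/IEC 7812)."""
    if not (pan.isdigit() and len(pan) == 16):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_complete(prefix15: str) -> str:
    """Append the single check digit that makes a 15-digit prefix valid."""
    return next(prefix15 + d for d in "0123456789" if luhn_valid(prefix15 + d))


@dataclass
class PrepaidCard:
    pan: str
    bound_phone: Optional[str] = None  # set at issuance; used only by the hardened flow
    activated: bool = False
    sms_phone: Optional[str] = None


@dataclass
class IVR:
    cards: dict
    max_failures: int = 3  # assumption: failed attempts per caller before lockout
    failures: Counter = field(default_factory=Counter)

    def activate_unrestricted(self, caller: str, pan: str) -> str:
        """As described above: any caller, any phone, no attempt limit."""
        card = self.cards.get(pan)
        if card is None or card.activated:
            return "rejected"
        card.activated, card.sms_phone = True, caller
        return "activated"  # SMS-informing and Oschad 24/7 now follow the caller

    def activate_hardened(self, caller: str, pan: str) -> str:
        """Per-caller lockout plus a phone-to-card binding fixed at issuance."""
        if self.failures[caller] >= self.max_failures:
            return "locked"
        card = self.cards.get(pan)
        if card is None or card.activated or card.bound_phone != caller:
            self.failures[caller] += 1
            return "rejected"
        card.activated, card.sms_phone = True, caller
        return "activated"


def enumerate_pans(ivr: IVR, method: str, caller: str, bin8: str, tries: int):
    """Walk Luhn-valid PANs under an 8-digit prefix (the check digit cuts the
    search space tenfold for free). Returns the PANs won and a tally of replies."""
    won, tally = [], Counter()
    for n in range(tries):
        pan = luhn_complete(bin8 + f"{n:07d}")
        result = getattr(ivr, method)(caller, pan)
        tally[result] += 1
        if result == "activated":
            won.append(pan)
    return won, tally


def demo():
    """Constructed sample: four unactivated cards under a made-up BIN, all
    issued to one legitimate phone; an attacker calls from a different number."""
    bin8 = "44440000"
    owner, attacker = "+380501112233", "+380987654321"
    pans = [luhn_complete(bin8 + f"{n:07d}") for n in (5, 17, 42, 99)]

    def registry():
        return {p: PrepaidCard(p, bound_phone=owner) for p in pans}

    weak, _ = enumerate_pans(IVR(registry()), "activate_unrestricted", attacker, bin8, 100)
    strong, tally = enumerate_pans(IVR(registry()), "activate_hardened", attacker, bin8, 100)
    owner_result = IVR(registry()).activate_hardened(owner, pans[0])
    return len(weak), len(strong), dict(tally), owner_result
```

In the unrestricted flow the attacker walks away with all four cards after a hundred calls; in the hardened flow the same hundred calls yield three rejections and ninety-seven "locked" replies, while the legitimate owner still activates normally. Caller ID on a phone line can be spoofed, so the binding is a second hurdle for the attacker rather than a substitute for the attempt limit.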
Well, how then should transfer by phone number be implemented so that it is both safe and convenient for customers? I will repeat the previous article: Vulnerability in Alfa-Bank Ukraine: obtaining the name of the client by phone number. I like Alfa-Bank's final implementation of the service: part of the surname is masked with asterisks, and the first name and patronymic are shown only as initials.
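As an added example (not Oschadbank's or Alfa-Bank's code), the two response shapes side by side: a lookup that returns what the CONTRACT_BY_PHONE response above does, and one that reduces the name to a partly masked surname and initials, in the spirit of the implementation praised above. The exact masking rule (first two letters of the surname kept), the decision to drop the internal CONTRACT_ID from the client-facing reply, and the sample record are assumptions made for this illustration.

```python
"""Recipient lookup for transfer-by-phone: the response shape seen above
beside one that masks the surname and reduces the rest to initials. Added
example, not Oschadbank's or Alfa-Bank's code; the masking rule, the dropped
CONTRACT_ID and the sample record are assumptions."""
from typing import Optional

# Constructed sample of what a lookup backend might hold before masking.
# Names and numbers are placeholders, not real clients.
CLIENTS = {
    "+380987654321": {
        "contract_id": "10000001",
        "full_name": "Петренко Іван Олексійович",  # surname, first name, patronymic
        "pan": "5167123412343489",
    },
}


def mask_pan(pan: str) -> str:
    """First four and last four digits, as in the response above."""
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]


def name_and_initial(full_name: str) -> str:
    """'Surname Name Patronymic' -> 'Name S.': what the lookup returned."""
    parts = full_name.split()
    return f"{parts[1]} {parts[0][0]}." if len(parts) > 1 else parts[0]


def mask_name(full_name: str, keep: int = 2) -> str:
    """'Surname Name Patronymic' -> 'Su****** N. P.' (rule assumed here).
    Enough for the sender to confirm the recipient, not enough to de-anonymise."""
    parts = full_name.split()
    if not parts:
        return ""
    surname, rest = parts[0], parts[1:]
    masked = surname[:keep] + "*" * max(len(surname) - keep, 0)
    initials = " ".join(p[0] + "." for p in rest)
    return f"{masked} {initials}".strip()


def lookup_leaky(phone: str) -> Optional[dict]:
    """Mirrors the fields of the observed response: name, initial, internal id."""
    rec = CLIENTS.get(phone)
    if rec is None:
        return None
    return {
        "CONTRACT_ID": rec["contract_id"],
        "CLIENT_NAME": name_and_initial(rec["full_name"]),
        "PAN": mask_pan(rec["pan"]),
    }


def lookup_masked(phone: str) -> Optional[dict]:
    """Same lookup with minimal disclosure: no internal identifier, masked name."""
    rec = CLIENTS.get(phone)
    if rec is None:
        return None
    return {"CLIENT_NAME": mask_name(rec["full_name"]), "PAN": mask_pan(rec["pan"])}
```

Masking reduces what one lookup leaks; it does not remove the "this number is a client" signal, so the lookup still needs per-account throttling, and the temporary block the bank applies after misses is only useful if it cannot be sidestepped with a fresh account.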
3. Access to folders and files on an Oschadbank sub-site
Another problem with Visa cards; it is not mentioned in the title.
When Oschadbank launched sales of Visa Prepaid on its website, nobody cared about access settings or directory listing.
For example, on one of the https pages it was possible to view someone else's order form, where the client's e-mail, order number and name were present in the page source:
The remaining pages were served over http rather than https, and on them, without authorization, folders, files and logs of customers paying for cards were accessible: Payment logs:
There was no answer to my vulnerability report on this site, except from the duty officer; it was quietly fixed and they didn't even say “Thank you”.
4. Access to customer transactions in payment terminals
Knowing the mobile phone number of an Oschadbank client, you can get access to the transactions they performed in payment terminals.
In the terminal menu (there will be no photo), to enter your personal account you need to enter a mobile phone number.
In PrivatBank terminals and those of other payment companies, after the phone number is entered a one-time code is sent to it, which must be entered for authorization, or authorization is done some other way.
In Oschadbank there is no authorization: you simply enter the phone number and get access to the saved payments linked to that client's phone number.
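The two terminal login flows contrasted above, as an added example (not any bank's code): the phone number alone as the credential, beside a one-time SMS code step with an expiry, a guess limit and single use. The code length, lifetime, attempt limit, the in-memory list standing in for the SMS gateway and the sample payments are assumptions.

```python
"""Phone-number login at a payment terminal: the no-check flow the article
describes beside a one-time SMS code step. Added example, not any bank's
code; code length, lifetime, attempt limit and the in-memory stand-in for
the SMS gateway are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of saved payments per client phone number.
PAYMENTS = {
    "+380501112233": ["mobile top-up 100 UAH", "card top-up 500 UAH"],
}


def login_no_auth(phone: str) -> list:
    """What the terminal does today: the phone number alone is the credential."""
    return PAYMENTS.get(phone, [])


@dataclass
class OtpGate:
    ttl: float = 120.0       # assumption: code valid for two minutes
    max_attempts: int = 3    # assumption: wrong guesses before the code dies
    sent_sms: list = field(default_factory=list)  # stands in for the SMS gateway
    pending: dict = field(default_factory=dict)   # phone -> [code, expires, attempts]

    def request_code(self, phone: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, fixed width
        self.pending[phone] = [code, now + self.ttl, 0]
        self.sent_sms.append((phone, code))
        # Same reply whether or not the number belongs to a client, so the
        # gate itself does not reveal who banks here.
        return "code sent"

    def login(self, phone: str, code: str, now: Optional[float] = None):
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None:
            return None
        stored, expires, attempts = entry
        if now > expires or attempts >= self.max_attempts:
            del self.pending[phone]  # expired or exhausted: force a new code
            return None
        if not hmac.compare_digest(stored, code):
            entry[2] += 1            # count the miss, keep the code alive
            return None
        del self.pending[phone]      # one-time: consumed on success
        return PAYMENTS.get(phone, [])
```

A six-digit code with three guesses gives an attacker a 3-in-a-million chance per code, and the code dies on its own after two minutes; the weak point that remains is SMS itself (SIM swap, interception), which is why the text mentions that some operators authorize "in another way".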
I have something else to say about terminals. In principle, the following problem with the terminals is similar to the one I described in the article “5 taps on the terminal screen - and any folder opens”.
5. Full access to the management of the payment terminal
In one of Oschadbank's payment terminals, the desktop somehow opened for me.
Not only could you browse the folders of the system drive and change almost any Windows setting (that, of course, is a problem in itself), but in a folder with the straightforward name “Customer” on drive C: there are this terminal's operation logs with the extension “jrn” (in fact, plain text).
Files are created daily and contain the following information: which operations were carried out in this terminal, how much was paid to top up cards, how much to top up mobile phones (with the full phone number), how much cash was collected from the terminal and when, in which banknotes, etc.
By the way, the client operation log files could be modified and deleted. I reported the terminal problem to the bank, but I don't know how it ended (as can be seen from the previous paragraphs, the bank does not consider it necessary to inform customers about the resolution of their requests).
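The two properties of the terminal journal described above, full phone numbers in plain text and files anyone at the desktop can edit or delete, as an added example (not the terminal's real format): a naive plain-text line beside a hash-chained, HMAC-keyed record with the phone number masked, plus a verifier that detects edits, reordering and, given an off-device checkpoint, truncation. The field layout, the demo key, the sample records and the checkpoint mechanism are assumptions.

```python
"""Terminal operation journal: a plain-text `.jrn`-style line beside a
hash-chained, keyed record whose edit, reordering or deletion is detectable
when verified against a checkpoint. Added example, not the terminal's real
format; the field layout, the demo key and the sample records are assumptions."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # real deployment: per-terminal key in a TPM/HSM, never on C:
GENESIS = "0" * 64


def plain_line(record: dict) -> str:
    """The naive journal line: unmasked, unsigned, editable with Notepad."""
    return ";".join(f"{k}={v}" for k, v in record.items())


def mask_phone(phone: str) -> str:
    """+380501112233 -> +38050*****33: enough for support, not for profiling."""
    return phone[:6] + "*" * (len(phone) - 8) + phone[-2:]


def _mac(entry: dict, key: bytes) -> str:
    """Keyed digest over the canonical JSON of everything except the mac itself."""
    unsigned = {k: v for k, v in entry.items() if k != "mac"}
    payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(journal: list, record: dict, key: bytes = KEY) -> dict:
    """Add a record; the full phone number is masked before it is written."""
    body = dict(record)
    if "phone" in body:
        body["phone"] = mask_phone(body["phone"])
    entry = {
        "seq": len(journal),
        "prev": journal[-1]["mac"] if journal else GENESIS,
        "body": body,
    }
    entry["mac"] = _mac(entry, key)
    journal.append(entry)
    return entry


def checkpoint(journal: list) -> str:
    """Tail MAC to ship off the terminal (e.g. with the daily upload);
    without it, deleting the last entries leaves a chain that still verifies."""
    return journal[-1]["mac"] if journal else GENESIS


def verify(journal: list, key: bytes = KEY, expected_tail: str = None):
    """Return (ok, first_bad_index). Edits break the MAC, reordering or
    removal in the middle breaks seq/prev, truncation needs expected_tail."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_mac(entry, key), entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(journal)
    return True, None
```

The chain only helps if the key is not sitting in the same folder as the journal and the checkpoint leaves the terminal; with both in place, an operator who gets to the desktop can still delete the files, but the bank will know it happened, and the full phone numbers were never on disk to begin with.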
Bug bounty, thanks, or at least some feedback? No, never heard of it.
So it goes.