
Flaws detected in bank passbook printing

By Staff Reporter

GUWAHATI, Aug 4 - Indrajeet Bhuyan, a city-based independent security researcher who previously identified two WhatsApp vulnerabilities that took the cyber world by storm, has now discovered a flaw in the design of the passbooks of several Indian banks that can be leveraged to obtain a client's account balance and transaction history.

Indrajeet, who is at present studying Computer Science at the Assam Don Bosco University, had previously written a 2 KB piece of code which could crash WhatsApp, and had also reported security loopholes in the WhatsApp web client that exposed a user's privacy.

"This serious flaw in Indian banks is that they use a simple barcode printed on the passbook as the sole method of authentication with their automatic passbook printing machines and an attacker can easily spoof a passbook barcode and obtain the account history and balance for other customers," divulged Indrajeet.

It needs to be mentioned here that most of the banks, including the State Bank of India, have installed automatic passbook printers, with which a customer can update his or her passbook simply by inserting it into the machine. Unlike at ATMs, where one needs to insert the credit/debit card and enter the password given by the bank in order to withdraw money, the customer does not have to insert any card or enter a password at the automatic passbook printing machine. All the customer needs to do is insert the passbook to get the entire transaction details printed on it.

"So how does the machine recognise the user's passbook? The banks do a simple thing: they paste a barcode in each of the passbooks, and when the user inserts the passbook, the scanner inside the machine scans the barcode and then the printer prints the entire transaction details in the passbook. The grave security flaw is that there is no other authentication apart from the barcode, which puts a client's private financial information at the risk of falling into the hands of any person curious enough to go searching for it," explained Indrajeet.

Indrajeet checked the functioning of the automatic passbook printing machines of several banks, including the SBI. "Most of the banks in the city have already installed the automatic passbook printing machine, while a few banks have not yet installed it but will soon do it. One thing that was common in all the banks' automatic passbook printing machines is that they all use barcodes and no other authentication is required, which is a serious security loophole," he stressed.

Upon investigating, Indrajeet got to know that, unlike the SBI, whose barcodes carry data other than the account number, some banks use the account number itself as the barcode data. "When banks use the account number itself as the barcode data, it means if a person has the account number of any customer, he can easily make the barcode out of it and paste it in his passbook and get the customer's complete transaction history which includes money withdrawal, money deposited, total bank balance, etc., with time and dates," said Indrajeet, who has practically proved the flaw.

With his father's consent, Indrajeet took his father's bank passbook and made a barcode online where he added his father's account number itself as the barcode data. Then he removed the barcode sticker provided by the bank from the passbook, pasted the barcode that was generated online, and inserted the passbook into the machine.

"My theory was successful. I was able to get the entire transaction history of my father's bank account printed on his passbook. Then I repeated the same thing with my passbook, but with a barcode generated online with my father's account number. Once again I was able to get the entire transaction history of my father's bank account printed on my passbook. This is a great security flaw because the bank balance, transaction history, etc., are meant to be private and if this information can be accessed by someone else, it can be very dangerous," said Indrajeet.

Is the SBI's approach good enough? According to Indrajeet, even though the SBI has added a level of security by making the barcode data different from the actual account number, anyone can still obtain the barcode data of an account through some social engineering, since smartphones can easily scan and read a barcode, and the barcode remains the only credential the machine checks.

"Banks should add some other level of authentication with barcodes, like a password/biometrics, so that no one can fake other customers' barcodes and get their transaction history. I went to various banks and informed them about the issue, but I was told that they only know how to operate the machine and issue barcodes. I also sent mails to the IT teams of the respective banks which have installed these machines, but it has been more than a week and I am yet to get any response from their end," said Indrajeet, calling upon the public to be alert in this regard.
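To make the design point concrete from the defender's side, here is an added Python model of the printer's authorization check (example code written for this page, not any bank's software): the weak design the article describes, where the barcode data is the account number and is the only credential checked, beside a hardened design that encodes an opaque random token in the barcode and also demands a PIN as the extra factor Indrajeet asks for. The ledger, account numbers, PIN and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample ledger (not real accounts): account number -> lines the
# machine would print.
LEDGER = {
    "ACC-1001": ["2015-08-01 DEP 5000.00", "2015-08-03 WDR 1200.00"],
    "ACC-1002": ["2015-08-02 DEP 300.00"],
}


class AuthorizationError(Exception):
    """Raised when the passbook printer refuses to print."""


# ---- Weak design, as described in the article -------------------------------
# Barcode data is the account number and it is the only credential checked, so
# any passbook whose barcode carries a valid account number gets the history.
def weak_printer(barcode_data: str) -> list[str]:
    if barcode_data not in LEDGER:
        raise AuthorizationError("unknown account")
    return LEDGER[barcode_data]


# ---- Hardened design (hypothetical; not any bank's real implementation) -----
# 1. The barcode carries an opaque random token with no relation to the
#    account number, so knowing the account number yields nothing.
# 2. The bank stores only a keyed hash of the token, so a copied registry
#    does not hand out usable barcode data.
# 3. A second factor (a PIN, standing in for the password/biometric the
#    article asks for) must be verified before anything is printed.
class PassbookRegistry:
    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        # Per-deployment secret; in practice kept in an HSM or key store.
        self._key = secrets.token_bytes(32)
        # keyed token hash -> (account number, PIN salt, PIN hash)
        self._passbooks: dict[str, tuple[str, bytes, bytes]] = {}

    def _token_id(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), "sha256").hexdigest()

    def _pin_hash(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)

    def issue(self, account: str, pin: str) -> str:
        """Register a new passbook and return the data to encode in its barcode."""
        token = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._passbooks[self._token_id(token)] = (account, salt, self._pin_hash(pin, salt))
        return token

    def revoke(self, token: str) -> bool:
        """Invalidate a lost or replaced passbook; returns True if it existed."""
        return self._passbooks.pop(self._token_id(token), None) is not None

    def print_passbook(self, barcode_data: str, pin: str) -> list[str]:
        entry = self._passbooks.get(self._token_id(barcode_data))
        if entry is None:
            raise AuthorizationError("unrecognised passbook")
        account, salt, stored = entry
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        if not hmac.compare_digest(stored, self._pin_hash(pin, salt)):
            raise AuthorizationError("second factor failed")
        return LEDGER[account]


def attempt(printer, *args) -> str:
    """Run one print attempt and report 'printed' or the refusal reason."""
    try:
        printer(*args)
        return "printed"
    except AuthorizationError as exc:
        return f"refused: {exc}"


def demo() -> dict[str, str]:
    """Compare both designs against a passbook whose barcode holds a bare account number."""
    registry = PassbookRegistry()
    token = registry.issue("ACC-1001", pin="4821")
    return {
        "weak, bare account number": attempt(weak_printer, "ACC-1001"),
        "hardened, bare account number": attempt(registry.print_passbook, "ACC-1001", "4821"),
        "hardened, token + wrong PIN": attempt(registry.print_passbook, token, "0000"),
        "hardened, token + correct PIN": attempt(registry.print_passbook, token, "4821"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The hardened registry also covers the SBI-style concern raised above: even if a phone photograph of the sticker reveals the token, the token alone is refused without the PIN, and a lost passbook can be revoked without changing the account number.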
