Gone are the days when you had to wait in a queue to get your bank passbook updated. With the rollout of automated machines in banks, updating your passbook yourself is now a matter of seconds.
A bank passbook is a copy of the customer's account in the bank's books; it records the account's current balance and transaction details (deposits and withdrawals).
But are these automated machines keeping your financial information hack-proof?
Last year, major Indian banks rolled out barcode-based passbook printers called 'Swayam', which customers can operate themselves.
17-year-old Indian bug hunter, Indrajeet Bhuyan, found that the barcode technology used by more than 3000 Indian Banking Branches, including State Bank of India, UCO Bank and Canara Bank, is vulnerable to information disclosure.
To use Swayam, the self-service passbook printing machine, customers need only feed their passbook into the machine, which reads the barcode sticker attached to it and returns the passbook duly printed.
Indrajeet found that Swayam machines use only the barcode attached to the passbook as the sole method of authentication before printing the corresponding account details.
Indrajeet told The Hacker News that an attacker can easily spoof the barcode, which is the same as the customer's account number in the case of UCO Bank and Canara Bank.
With a spoofed barcode sticker (encoding the victim's account number) attached to his own passbook, an attacker can use the automatic printing machine to obtain the victim's account history and balance.
"I took my father's bank account number and made a barcode online, where I added the account number itself as the barcode data," Indrajeet says in a blog post.
“I removed the barcode sticker that the bank provided and pasted my barcode that I generated online and inserted the passbook into the machine. My theory was successful. I was able to get the entire transaction history of my father’s bank account printed on his passbook.”
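The weakness described above is that the kiosk treats a copyable sticker whose data is the account number itself as proof of identity. The following toy model, added here as an illustration and not code from the banks or from Swayam, contrasts that check with a hypothetical hardened design in which the sticker carries an opaque random token that maps to the account only on the server side and a second factor (a PIN, assumed here) is required. Account numbers, balances and PINs in the block are constructed sample data.

```python
"""Toy model of a self-service passbook printer (illustration only).

Not the banks' or Swayam's code. Compares a barcode-only check, where the
barcode data is the account number as the article describes, with an
assumed hardened design: opaque random token on the sticker plus a PIN.
"""
import hashlib
import hmac
import secrets

# Constructed sample accounts: account number -> holder, balance, history.
ACCOUNTS = {
    "100200300": {"holder": "A. Customer", "balance": 15000,
                  "history": ["+10000 salary", "-2000 rent"]},
    "100200301": {"holder": "B. Customer", "balance": 500,
                  "history": ["+500 deposit"]},
}


def statement(account_no: str) -> dict:
    """Build the printed statement for an account."""
    acct = ACCOUNTS[account_no]
    return {"holder": acct["holder"], "balance": acct["balance"],
            "history": list(acct["history"])}


def vulnerable_print(barcode_data: str):
    """Kiosk as described in the article: the barcode is the only check and
    its data is simply the account number, so a barcode generated from any
    known account number prints that account's statement."""
    if barcode_data not in ACCOUNTS:
        return None
    return statement(barcode_data)


# Hardened design (assumption, not the banks' design):
#  - the sticker encodes a random opaque token, so a barcode cannot be
#    derived from a known account number;
#  - the token -> account mapping lives only on the bank's side;
#  - a PIN (second factor) is verified with a salted, iterated hash.
TOKEN_TO_ACCOUNT: dict[str, str] = {}
PIN_RECORDS: dict[str, tuple[bytes, bytes]] = {}
PBKDF2_ITERATIONS = 100_000


def _pin_digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enrol(account_no: str, pin: str) -> str:
    """Issue a sticker token for an account and record the customer's PIN.
    Returns the token that would be printed as the barcode."""
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ACCOUNT[token] = account_no
    salt = secrets.token_bytes(16)
    PIN_RECORDS[account_no] = (salt, _pin_digest(pin, salt))
    return token


def hardened_print(barcode_data: str, pin: str):
    """Print only when the barcode is a known issued token AND the PIN
    matches. An account number pasted into a barcode is rejected because
    it is not a token; a copied token is rejected without the PIN."""
    account_no = TOKEN_TO_ACCOUNT.get(barcode_data)
    if account_no is None:
        return None
    salt, expected = PIN_RECORDS[account_no]
    if not hmac.compare_digest(_pin_digest(pin, salt), expected):
        return None
    return statement(account_no)


if __name__ == "__main__":
    spoofed = "100200300"  # barcode built from a known account number
    print("vulnerable kiosk:", vulnerable_print(spoofed))
    token = enrol("100200300", "4321")
    print("hardened, spoofed number:", hardened_print(spoofed, "4321"))
    print("hardened, token + wrong PIN:", hardened_print(token, "0000"))
    print("hardened, token + PIN:", hardened_print(token, "4321"))
```

The point of the contrast is that a sticker is a possession factor that anyone who can read or reproduce it also possesses, so it must neither be derivable from public data (the account number) nor stand alone; in a real deployment the PIN path would also need attempt limits and lockout, which the toy omits.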
Indrajeet has already informed the IT departments of several banks, but none of them has replied yet.