Sunday, January 03, 2010

HDFC's Insecure Ways and More...

I was using the HDFC Netbanking service the other day and came across a page which could be a serious security hole. If a person gets hold of a valid HDFC Customer ID, they could use it to get the name and account numbers attached to it from this particular page. The worst part is, they don't even have to be logged in to get this information. Getting hold of a customer ID is pretty easy - I have one, and changing one or two digits in it yields someone else's. Thankfully though, it's not a series (eg: 12345678 is a valid ID but 12345679 and 12345680 aren't).

I've checked this with IDs of people I know and asked a few others to check on their own - most of the time it worked, except in 2 cases (so far). I'm not sure how this information can be used to compromise secure access to one's account, but I think such information can make phishing attacks seem more authentic. Here's the link: https://leads.hdfcbank.com/applications/webforms/apply/RDBooking.asp?custid=XYZ&campid=DecRD Just replace the XYZ (in the link) with your HDFC customer ID (or someone else's) and check if your account information is visible through this page. Mine is. And I am a bit worried.

In case you aren't able to make it work, here's a screenshot to show you how it is. Note that this is not someone I know - just an ID one digit different from mine.

I've already sent HDFC an email about this. Hope they take action.
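To make the flaw concrete, here is an added example in Python (my own code, not HDFC's and not the actual RDBooking.asp page): a lookup handler that, like the page described above, returns a customer's name and accounts to anyone who names a valid custid in the query string, beside a hardened handler that requires a login session and checks that the session owns the requested custid. The customer records, IDs, and session token are constructed for the example; the only thing taken from the post is the shape of the problem.

```python
"""Added example, not HDFC's code: an unauthenticated custid lookup (the
flaw described in the post) beside a session-bound, ownership-checked one.
Customer records, IDs and session tokens below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    custid: str
    name: str
    accounts: tuple


# Constructed records. The IDs are deliberately not contiguous, matching the
# post's observation that 12345678 can be valid while 12345679 is not.
CUSTOMERS = {
    "12345678": Customer("12345678", "A. Sharma", ("00011122233", "00011122244")),
    "12345681": Customer("12345681", "B. Rao", ("00099988877",)),
    "12345690": Customer("12345690", "C. Iyer", ("00055566677",)),
}

# Constructed session store: session cookie value -> custid that logged in.
SESSIONS = {"sess-abc": "12345678"}


def vulnerable_lookup(query):
    """The behaviour the post describes for ...?custid=XYZ: any caller naming
    a valid custid gets that customer's name and accounts, no login needed.
    Returns an (http_status, body) pair like a request handler would."""
    c = CUSTOMERS.get(query.get("custid", ""))
    if c is None:
        return 404, None
    return 200, {"name": c.name, "accounts": list(c.accounts)}


def hardened_lookup(query, cookies):
    """Same lookup with the two missing checks: the caller must hold a valid
    session (else 401), and the custid in the URL must be the one that session
    authenticated as (else 403). A mismatched custid gets 403 whether or not
    that ID exists, so the response is not an oracle for valid IDs."""
    owner = SESSIONS.get(cookies.get("session", ""))
    if owner is None:
        return 401, None
    if query.get("custid") != owner:
        return 403, None
    c = CUSTOMERS[owner]
    return 200, {"name": c.name, "accounts": list(c.accounts)}


def enumerate_neighbours(known_id, radius=20):
    """What someone holding one valid ID can do against the unprotected
    endpoint: walk the nearby numbers and keep those the server answers for.
    Returns the valid IDs found, in ascending order."""
    base = int(known_id)
    width = len(known_id)
    hits = []
    for n in range(base - radius, base + radius + 1):
        candidate = str(n).zfill(width)
        status, _ = vulnerable_lookup({"custid": candidate})
        if status == 200:
            hits.append(candidate)
    return hits
```

The point of the hardened version is that the custid in the URL carries no authority at all: the server already knows who is logged in from the session, and at most compares the URL value against that. On the server side, a burst of 404s from one client for consecutive custid values is also exactly the pattern a detection rule for this kind of enumeration should alert on.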

This is the second time I'm notifying the bank about how an online service of theirs can be compromised. I'll mention the first here just so you know.

If you've used the bank's Net Banking service, you'd have noticed how you have to enter your customer ID first to get an image and text you had previously agreed with the bank. This is to make sure that you are indeed using the HDFC site, which is the only other party supposed to know the image and text you chose. Right? Well, not exactly.

Have a look at the screen on the left. Initially only the field for the customer ID is shown; when you submit it, you get this screen.

Now you feel sure that you are indeed logging in to the HDFC site. But imagine this. A phisher sends you an email with a link to a page designed exactly like the original one. You enter your customer ID; the phisher's server passes the ID you entered to the HDFC site in real time, lets HDFC show the text and image, fetches them, and displays them on the phishing site - to you. And you'd think it is the HDFC site! The image and text prove that whoever is talking to the bank knows your customer ID, which is all the phisher needed from you to begin with.
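The exchange described above, as an added example written for this post (not HDFC's code, and not a claim about how HDFC's login is built): the bank, the victim's browser with its per-origin cookie jar, and a phishing site that relays the customer ID. The first scenario shows the relay succeeding against the scheme as described. The second and third show one standard countermeasure, binding the image/phrase reveal to a cookie the bank set on an enrolled browser; the phisher's relay request cannot carry that cookie because the browser only sends it to the bank's origin. That the bank would use such a device cookie is an assumption of the example, as are all the IDs, secrets and origins.

```python
"""Added example, not HDFC's code: the customer-ID-then-image step simulated
as message exchanges, with a relaying phishing site, and a device-cookie
binding (assumed, not something the post says the bank does) that stops the
relay. IDs, image names, phrases and origins are constructed."""

import secrets


class Bank:
    """The genuine site. Holds the image/phrase each customer registered."""

    def __init__(self):
        # Constructed profile; in reality the customer chose these.
        self.profiles = {
            "12345678": {"image": "sailboat.png", "phrase": "blue mountains"},
        }
        # device cookie value -> custid it was enrolled for (hardened variant)
        self.device_cookies = {}

    def step1_as_described(self, custid, cookies=None):
        """The check the post describes: anyone who submits a valid customer ID
        is shown that customer's image and phrase."""
        p = self.profiles.get(custid)
        if p is None:
            return {"image": None, "phrase": None}
        return {"image": p["image"], "phrase": p["phrase"]}

    def enroll_device(self, custid):
        """One-time enrollment of a browser, assumed to happen after a stronger
        check (say an OTP) that is outside this example. Returns the cookie
        value the bank sets for its own origin."""
        token = secrets.token_hex(16)
        self.device_cookies[token] = custid
        return token

    def step1_device_bound(self, custid, cookies):
        """Hardened variant: reveal the secret only if the request carries a
        device cookie enrolled for this custid; otherwise fall back to a
        challenge that reveals nothing. The fallback is the same whether or
        not custid exists, so it does not confirm valid IDs either."""
        if self.device_cookies.get(cookies.get("device", "")) != custid:
            return {"image": None, "phrase": None,
                    "next": "unrecognised device: answer security question"}
        return self.step1_as_described(custid)


class Browser:
    """Minimal cookie jar keyed by origin: a site only receives its own cookies."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, origin, name, value):
        self.jar.setdefault(origin, {})[name] = value

    def cookies_for(self, origin):
        return dict(self.jar.get(origin, {}))


class PhishingSite:
    """A look-alike page that relays the victim's customer ID to the real bank
    and echoes back whatever the bank shows."""

    def __init__(self, bank_step1):
        self.bank_step1 = bank_step1   # which bank endpoint is relayed to
        self.captured_ids = []

    def handle_step1(self, custid, cookies_from_victim):
        self.captured_ids.append(custid)
        # The relay is a fresh request from the phisher's server. It has only
        # what the victim sent to the phisher's origin, which never includes
        # cookies scoped to the bank's origin.
        assert "device" not in cookies_from_victim
        return self.bank_step1(custid, {})


def run_scenarios():
    bank = Bank()
    victim = Browser()
    custid = "12345678"
    # The victim enrolled this browser with the genuine bank earlier.
    victim.set_cookie("bank.example", "device", bank.enroll_device(custid))

    # 1. Scheme as described: the relay succeeds, phisher shows the real secret.
    phisher = PhishingSite(bank.step1_as_described)
    relay_as_described = phisher.handle_step1(custid, victim.cookies_for("phish.example"))

    # 2. Device-bound variant at the genuine site: the victim sees the secret.
    genuine_bound = bank.step1_device_bound(custid, victim.cookies_for("bank.example"))

    # 3. Device-bound variant relayed by the phisher: nothing to show.
    phisher2 = PhishingSite(bank.step1_device_bound)
    relay_bound = phisher2.handle_step1(custid, victim.cookies_for("phish.example"))

    return {"relay_as_described": relay_as_described,
            "genuine_bound": genuine_bound,
            "relay_bound": relay_bound}
```

Two caveats worth keeping in mind. The binding only helps if the victim actually stops when the familiar image is missing; a phisher who relays the password typed on the next page still wins against a victim who shrugs and continues. And it protects against a relay from another origin, not against an attacker who can read the bank cookie itself (malware on the machine, or a broken TLS connection to the bank).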

Hope the bank is listening this time. Here's a tip for folks who are scared of being phished - it doesn't happen if you are not careless. Just apply common sense whenever you get a mail that claims to be from the bank. Read notices from your bank. Discuss with your friends when you are in doubt. Bookmark your bank's website, net banking page etc. and always use only that.

OK, that's more than a tip. Bye!

Update: Here's another such peek-able link! https://leads.hdfcbank.com/applications/webforms/apply/net_limit.asp?custid=XYZ&campname=Nov-09

This one works for fewer IDs (as far as I've tested), and the form it leads to can set a cap on the online transaction limit of your credit card.
~LVS

PS: Don't submit this form, you might end up creating an RD account without intending to :P (thanks Barath)