Sunday, January 03, 2010

HDFC's Insecure Ways and More...

I was using the HDFC Netbanking service the other day and came across a page which could be a serious security hole. If a person gets hold of a valid HDFC Customer ID, they could use it to get the name and account numbers attached to it from this particular page. The worst part is, they don't even have to be logged to get this information. Getting hold customer ID is pretty easy - I have one and changing one or two digits in it yields someone else's. Thankfully though, its not in a series (eg: 12345678 is a valid ID but 12345679 and 12345680 aren't)

I've checked this with IDs of people I know and asked a few others to check on their own - most of the time it worked except in 2 cases (so far). Am not sure how this information can be used to compromise secure access to one's account but I think such information can make Phishing attacks seem more authentic. Here's the link: https://leads.hdfcbank.com/applications/webforms/apply/RDBooking.asp?custid=XYZ&campid=DecRD Just replace the XYZ (in the link) with your HDFC customer ID (or someone else's) and check if your account information is visible through this page. Mine is. And am a bit worried.





In case you aren't able to work it, here's a screenshot to show you how it is. Note that this is not someone I know - just an ID one digit different from mine.

I've already sent HDFC an email about this. Hope they take action.

This is the second time I'm notifying the bank about how an online service of theirs can be compromised. I'll mention the first here just so you know.

If you've used the bank's Net Banking service, you'd have noticed how you have to enter your customer ID first to get an image and text you had previously agreed with the bank. This is to make sure that you are indeed using the HDFC site who is the only other party who is supposed to know the image-text you'd chosen. Right? Well not exactly.



Have a look at the screen on the left. Initially, only the field for ID is available, which when you submit, gets you this screen.

Now you feel sure that you have indeed logging in to the HDFC site. But imagine this. A phisher sends you an email with a link to page designed exactly like the original one - you enter your customer ID, now the phisher can pass the info you entered to the HDFC site, let HDFC show the text and image, fetch that and show it on the phishing site - to you. And you'd think it is the HDFC site!

Hope the bank is listening this time. Here's a tip for folks who are scared of being phished - it doesn't happen if you are not stupid. Just apply common sense whenever you get a mail that claims to be from the bank. Read notices from your Bank. Discuss with your friends when you are in doubt. Bookmark your bank's website, net banking page etc and always use only that.

OK, that's more than a tip. Bye!

Update: Here's another such peek-able link! https://leads.hdfcbank.com/applications/webforms/apply/net_limit.asp?custid=XYZ&campname=Nov-09


This one works for lesser IDs (as far as I've tested) and can set a cap on the limit for online transactions of your credit card.


~LVS

PS: Don't submit this form, you might end up creating an RD account without intending too :P (thanks Barath)

12 comments:

barath said...

Caution:
I submitted the RD request(using the URL specified by LVS), Oops!.. It submitted successfully with "Your RD account will be activated within 5 days....". Hope HDFC will conform once again(through netbanking or phone) before opening RD account.

@LVS
You should specify your Cust ID instead of XYZ, just for testing! :)

Kannan said...

Good alert! Keep it up!

Kunal Janu said...

Okay, so the phisher has your Account number.. not much he can do with that except for go to the bank and get your balance.. Both Cust ID and Account Number are used for verification by the bank! So a person with just the customer ID and the account number can't possibly do anything! Unless he has the password of course :P

The image is just another security tag and that is all! No matter how secure your site is, hackers/ phishers do find a way to con people, and it is only common sense (A physical verification of the URL in this case) that can save them!

Kunal Janu

Kunal Janu said...

And we are of a habit to follow the link without actually looking if everything is genuine which is what barath did! The header reads "Recurring Deposit Booking!" :) All phishers/hackers/conner actually rely on Human psychology to pull off the scam!

Kunal Janu
PS: Blogger does not give me an option of "Email follow up comments" on an Name/URL comment posting! :(

barath said...

@Kunal
1) I totally accept with you regarding the phishers/hackers

2) But with the link provided, I can book a RD for you. Believe me!... This is really a big issue.

You can try, just subtract 2 number from your cust ID and try to submit a RD, it will successfully gets submitted. Wow!.. You opened a RD account for some unknown.

Hope you can understand my 2nd point.
If not I will make you understand by opening a RD of Rs5000 per month, Shall I?

~Barath

Kunal Janu said...

Barath: Now i realise what you are talking about! This seriously is an issue.. I'm reporting the same to HDFC too :)

Kunal Janu

TD5M4PP3R said...

WTF man! Are they kidding? This seems to be a gaping hole!

LVS said...

@barath and @kunal
thanks for the little chat. your comments talk for yourself :P

@tdsmapper i know!

@world
i just went to the bank to lodge this as a complaint - had to show this blog to the guy to make him believe! :) Thanks HDFC, hope you will fix it soon!

seetharaman said...

@LVS, Gr8 job!

The last comment of urs (@World) - too much of an hype though :P

Abhisek Sanyal said...

Hi,
I had stumbled across the same issue. After several email exchanges with HDFC, they claimed that they knew about this issue. A google search lead me to your blog.
Meanwhile, I have created a small write up on this.
HDFC has fixed this issue now. They have removed the vulnerable page from the server.

LVS said...

@seetha
it finally seems to have been addressed. now!

@abhishek
good post there. very detailed. and welcome to blogging :)

Anonymous said...

I've to confess that i typically get bored to learn the entire thing but i feel you'll be able to add some value. Bravo !