Re: Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)

[Shreyas Zare <shreyas () secfence com>]

LOL. It must be quite convenient to use banking alongside FarmVille.

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com


On Mon, Oct 11, 2010 at 3:57 AM, Andriy Tereshchenko <tag () 24 odessa ua>wrote:

> 1) Affected Service
>
> * Privat24 application in Facebook created by PrivatBank, Ukraine
>
> 2) Severity
>
> Rating: Moderate (need user actions or access to mobile phone)
> Impact: Exposure of sensitive financial information
>           and unauthorized payment transactions
> Where: Remote (man in the middle), Local (removed authentication factor)
>
> 3) Vendor's Description of Service
>
> "Privat24 application in Facebook allows to view bank statement recent
> transactions on all your PrivatBank cards and account, refill mobile
> phones balance. More services to be added in future."
>
> Product Description Link:
> http://privatblog.com.ua/?p=269
>
> Actual Product Link:
> http://apps.facebook.com/pb_transactions/
>
> 4) Description of Vulnerability
>
> During registration process Facebook application ask for one-time-password
> from
> SMS message sent to mobile phone of registered Privat24 user.
>
> Once user name supplied proper OTP from SMS - his Facebook account ID is
> linked
> to ID of PrivatBank client.
>
> Vulnerabilities are:
> 1. SMS messages are not tagged in any way that they are from
>   Privat24 (Facebook) system and no risks are described to client on
>   disclosure of this OTP.
>
> 2. Secondary (mandatory) factor currently used on original
> non-Facebook Privat24
>   system ( http://privat24.ua ) is not used in this version of
> application.
>
> 3. Once linking/authorization process is done - no future SMS codes or
> passwords
>   are needed to access application others that Facebook account
> login/password.
>
> 4. Client has no control on which Facebook accounts are linked to his
>   financial information.
>
>
> Exploitation scenario:
>
> Attacker create fake Facebook accounts and link them to ID of Privat
> client.
> In order to link attacker need short-term access to the mobile phone
> (in order to receive SMS code)
> or setup fake website to ask for code from SMS  (ex. eurovoice.tv SMS
> best-song
> voting process).
>
> After linking - attacker can access balances and statement on last
> transactions
> from all accounts of PrivatBank client.
> As well attacker can make small (tested are ~10 UAH) payments without any
> SMS passwords.
>
> 5) Solution
>
> a) SMS messages from Privat24 (Facebook) system should be tagged properly
> in order to allow users clearly identify service and website URL of SMS
> origin.
>
> b) SMS codes should be requested on each login to Privat24 (Facebook)
>   application (at least once per day) or SMS notification be sent on login.
>
> c) Static (existing) password factor should be used in order to link
> Facebook
>   account to client ID or visit to ATM for extra password is
> acceptable solution.
>
>  Temporary solutions for current users offered by Rakaev Rostislav
>  from bank support:
>
> Option 1: Protect your mobile phone using PIN/password from usage by
>          wife/husband or co-workers.  Never give it to unknown people.
>
> Option 2: Blacklist own phone-number for usage in PrivatBank Facebook
>          applications by contacting 0 800 500 003 (for Ukraine)
>          or online-chat support.
>
> 6) Timeline
>
> Postal mail letter addressed to author by PrivatBank from 03.05.2010
> No. 30.1.0/2-100412/1849 describe intentions of PrivatBank to restore extra
> login factor (static password).
>
> Phone call from bank Security Department (Dnepropetrovsk) on 07.10.2010
> with apology on inability to address issues due to conflict of interests
> with
> Electronic Business Department.  Insecurity accepted as trade-off.
>
> 7)  Credits
>
> Discovered by client of PrivatBank.
>
> 8) About
>
> The Commercial bank PrivatBank (Ukraine) was founded in 1992. Its
> services are used by more than 23% population of Ukraine population.
> PrivatBank currently serves 420 thousand corporate clients and small
> businesses, and over 13 million individual accounts.
>
> Moscomprivatbank Joint Stock Co. is subsidiary of PrivatBank.
> It has about 1.5 million credit cards issued.
>
> Privat24 is online-banking system used by more 1 million clients in
> Ukraine,
> Russia and CIS.
>
> 9) Links
>
> Privat24 (Facebook version)
> http://apps.facebook.com/pb_transactions/
>
> Vendor announcement of service
> http://privatblog.com.ua/?p=269
>
> Existing Privat24 system
> http://privat24.ua
>
>
>
> --
> Andriy G. Tereshchenko
> Odessa, Ukraine
> +380683777768
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/