
The Bank Job – breaking a mobile banking application - deproders
https://boris.in/blog/2016/the-bank-job/
======
jamies888888
It's actually quite heart-breaking to see the extent gone to to reveal the
bug, and then to disclose it in full, for zero reward.

Whether or not a bug bounty programme exists at a company, if a bug this
severe comes through the door, it should warrant a reward.

~~~
nbevans
Presumably any reward would need to be approved by an executive other than
just the IT director since clearly they have no policy in place. The IT
director would not want his department's incompetence to be known higher up
the board.

As an aside, the OP claims it took 12 days to resolve but it is possible they
took more immediate action by disabling the mobile app's ability to do
transfers until they had resolved all the issues.

~~~
0x424242
It took 12 days for them to reply back saying that "They're working on a fix".
The fix was not out at least until late December/early January. And they did not
block fund transfers during the intermediate period either.

------
franjkovic
The post is interesting, but I do not know why people assume they would get a
bounty for a security report if the company does not have responsible
disclosure / bounty program.

~~~
0x424242
OP here. I knew the bank wouldn't pay. But I wanted to initiate a discussion
with the bank so they know that paying bounty for disclosures is a thing.

~~~
saganus
Nice work OP.

You gave them a tech analysis that should be worth some money, for free, at
the same time (hopefully) bringing to their attention how bounty programs are
a helpful thing for everyone. They should be feeling very lucky about it.

However, the thing that worries me with these things is: what if some
"bad guys" already knew about this and were exploiting it, and now that the bank
is aware and might close the hole, it makes them angry and looking for
retaliation?

Hopefully you are taking precautions to be anonymous, but I know that where I
live if I were to pull a stunt like that I would seriously consider watching
my back for a while.

Sad world we live in :( so take care OP.

~~~
prab97
He is in Sweden. So definitely safer than being in India :-) Adding to that, I
don't think bad guys from the computer world would go to great lengths to harm
someone in the physical world.

~~~
saganus
I wouldn't be so sure of that.

Being in Switzerland definitely helps, but still, India being a very big
country it wouldn't surprise me if they had some really-bad-guys(TM) mafias
capable of hurting people in other countries.

Of course, a small thing like this wouldn't necessarily pop up on their radar,
but still...

I guess part of the reason I think this way is because I live in a country
where this is a real threat. Where posting things that real-bad-guys(TM) don't
like can literally get you tortured and killed.

~~~
teknologist
> Switzerland

I see what you did there.

~~~
saganus
Ahhh.... yes... damn. Didn't do it on purpose. Sorry about that 0x424242. I am
_always_ getting those two mixed up, even in my mother tongue.

:(

I guess the point still stands as I originally intended it though. Again..
sorry for the confusion. Even though I know my geography reasonably well, my
mind brings the word and my mouth or fingers say something else.

------
LukeB_UK
Cached copy because the site seems to be struggling:
[http://archive.is/2FN8G](http://archive.is/2FN8G)

------
jbaviat
Having done similar pentests on similar applications during my previous jobs,
you can imagine the level of security many editors have on the pair (client
app, server). And we are talking here about a banking application: banks have
always been more concerned by security than other software consumers.

------
forgingahead
It's actually important to name the vendor responsible for this mess so this
doesn't happen again.

~~~
sremani
I would not do it (if I were the guy). India is a litigious mess, and a motivated
financial strongman/entity can screw you for years without a verdict. If
they allege there is a hacking attack, the judiciary is in no position to
handle that kind of sophistication and has a more or less fire-first-and-ask-
questions-later way of doing things.

------
tener
Prediction: in the coming months we will hear about more issues of this kind.
This time though it will be mafia inspired by the story, stealing money for
real.

------
udkl
This is the result of hiring mediocre developers and not performing sufficient
security testing/analysis and threat modeling.

