Quick summary of the article
1. Indian banks have started installing self-service passbook updating and printing kiosks across the country.
2. Unlike ATMs, these kiosks ask for no card or PIN. Just insert your passbook and it is updated.
3. The kiosk identifies the customer solely by a barcode sticker pasted in the passbook. There is no authentication.
4. The barcode is trivially replicated, because the method is naive: several banks encode the account number itself as the barcode data.
5. Indrajeet tested his theory on his father's account (with his consent) and easily got the complete transaction history and bank balance printed.
6. He reported the flaw to the banks; branch staff could not act on it, and the banks' IT teams have not replied.
7. He is therefore making the findings public so that customers, the banks (and perhaps the RBI) take notice.
How safe are your bank details? Even a 17-year-old can learn all about your transactions with a few easy tricks!
My name is Indrajeet Bhuyan and I am a 17-year-old technology blogger and cyber-security researcher.
After the State Bank of India installed its self-service passbook updating and printing machine, Swayam, in my city, I was, like everyone else, elated that the hassle of standing in a queue had come to an end.
'SWAYAM' – Our automated passbook printing facility enables hassle-free updating of your passbook and saves time. pic.twitter.com/U9OSpZ36s6
— State Bank of India (@TheOfficialSBI) November 27, 2014
However, while using the machine I discovered a security flaw that lets anyone see the bank balance and transaction history of any customer. Here's how:
Unlike an ATM, where one must insert a debit or credit card and enter a PIN issued by the bank in order to withdraw money, the automatic passbook printing machine requires no card and no password. The customer simply inserts the passbook and the entire transaction history is printed in it.
So how does the machine recognise whose passbook has been inserted?
The bank does something very simple: it pastes a barcode sticker in each passbook. When the passbook is inserted, the barcode scanner inside the machine reads the sticker, and the printer then prints the transaction details for the corresponding account.
This made me very curious: they use no cards or passwords and rely only on barcodes, which means there must be some kind of encryption applied to the data in the barcode.
So I went to different banks in my city to check which of them have actually implemented these automatic passbook printing machines, and to see whether they use the same barcode method or have added some other level of security. I went to the following banks:
– State Bank of India
– Union Bank
– Bank of India
– Indian Bank
– Bank of Baroda
– Canara Bank
– Central Bank of India
After visiting the above banks I learned that most of them had already installed the automatic passbook printing machine, while a few had not yet done so but planned to soon.
One thing common to all the banks' automatic passbook printing machines is that they rely on barcodes alone, with no other authentication.
I then started analysing the barcode data used by the various banks' machines.
I took the barcodes of the following banks: State Bank of India, UCO Bank and Canara Bank.
After scanning the State Bank of India barcode I found that they use some kind of encryption on the barcode data, in the widely used Code 128 format. But I soon realised that the bank actually receives pre-printed barcode stickers from a different location; when a customer asks for a barcode, the branch pastes one of those stickers in the passbook and links the data on that sticker to the customer's account number in its database.
For example: if the data in a sticker is '12345' and the customer's account number is '9768xxxxx', then when the customer asks for a barcode the bank pastes the sticker carrying '12345' in the passbook of account '9768xxxxx'. Whenever that passbook is inserted, the machine reads '12345' from the barcode, looks it up in the database to see which account it was assigned to, and prints the transaction details of account '9768xxxxx' in the passbook.
After State Bank of India I scanned the UCO Bank barcode to see what encryption or barcode type they use. I was shocked to find that they use the account number itself as the barcode data, again in Code 128. There was no encryption of the kind State Bank of India uses. On investigating I learned that, unlike State Bank of India, which gets its barcodes from elsewhere and assigns account numbers to their data, at UCO Bank the employees print the barcodes themselves.
After State Bank of India and UCO Bank I went to Canara Bank. Canara Bank does the same as UCO Bank: the account number itself is the barcode data, in Code 128.
After investigating the above banks and their automatic printing machines I realised the serious security risk they pose.
An account number is not a secret: we routinely give it to anyone who needs to pay us, and that is safe. But since these machines use the account number itself as the barcode data, anyone who knows a customer's account number can generate a matching barcode, paste it in his own passbook and print that customer's complete transaction history: every withdrawal and deposit with its date and time, and the current balance.
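As an added illustration of why an online barcode generator reproduces a bank's sticker exactly (this is example code written for this page, not the author's tool or any bank's software): Code 128, the symbology the banks use, carries the data verbatim plus a modulo-103 check symbol that anyone can compute. The functions below build the Code 128 symbol-value sequence for a digit-only account number and decode it again, the way a phone scanner app would. The account number used is made up.

```python
"""Code 128 symbol values for a digit-only account number.

Example code written for this page, not the author's tool or any bank's software.
Code 128 carries the data verbatim plus a public modulo-103 check symbol, so
building a sticker from an account number needs no secret.  Symbol values
follow the Code 128 specification: Start B = 104, Start C = 105, the CODE C
switch inside set B = 99, Stop = 106; set C holds one digit pair per symbol,
set B holds one ASCII character per symbol as (ord(ch) - 32).
"""

START_B, START_C, CODE_C, STOP = 104, 105, 99, 106


def _check_symbol(body: list) -> int:
    """Modulo-103 check: start value plus each data symbol weighted by its position."""
    return (body[0] + sum(i * v for i, v in enumerate(body[1:], start=1))) % 103


def code128_symbols(account_number: str) -> list:
    """Return [start, data..., check, stop] for a digit string.

    Even-length input is encoded entirely in set C.  For odd length the first
    digit is sent in set B, then the encoder switches to set C for the rest.
    """
    if not account_number.isdigit():
        raise ValueError("account numbers on these stickers are digit-only")
    if len(account_number) % 2:
        body = [START_B, ord(account_number[0]) - 32, CODE_C]
        account_number = account_number[1:]
    else:
        body = [START_C]
    body += [int(account_number[i:i + 2]) for i in range(0, len(account_number), 2)]
    return body + [_check_symbol(body), STOP]


def is_valid(symbols: list) -> bool:
    """True if the sequence ends in Stop and its check symbol is consistent."""
    return (len(symbols) >= 3 and symbols[-1] == STOP
            and symbols[-2] == _check_symbol(symbols[:-2]))


def decode_code128(symbols: list) -> str:
    """Recover the string a scanner app would display, or raise on a bad check."""
    if not is_valid(symbols):
        raise ValueError("not a well-formed Code 128 sequence")
    body = symbols[:-2]
    code_set = "B" if body[0] == START_B else "C"
    out = ""
    for v in body[1:]:
        if code_set == "B":
            if v == CODE_C:
                code_set = "C"          # switch; in set C the value 99 means "99"
            else:
                out += chr(v + 32)
        else:
            out += f"{v:02d}"
    return out


if __name__ == "__main__":
    # Constructed account number, not a real one.
    seq = code128_symbols("9768000001")
    print(seq)                       # [105, 97, 68, 0, 0, 1, 34, 106]
    print(decode_code128(seq))       # 9768000001
```

The only "integrity" in the symbol is the check value, and it is a public function of the data; a generator website, a label printer and a phone scanner all agree on it, so a forged sticker is indistinguishable from the bank's own.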
I was not fully sure my theory was correct, so I decided to test it in practice:
With my father's consent, I took his bank account number and generated a barcode online with the account number itself as the data. I removed the sticker the bank had provided, pasted the barcode I had generated in his passbook and inserted it into the machine. My theory was correct: the entire transaction history of my father's account was printed in his passbook.
Once again with my father's consent, I took his account number and generated the same barcode online, but this time I pasted it in my own passbook rather than his and inserted that into the machine. Once again it worked: the entire transaction history of my father's account was printed in my passbook.
This is a serious security flaw, because the bank balance, transaction history and so on are meant to be private, and if this information can be accessed by someone else the consequences can be very dangerous.
Is State Bank of India's approach good enough?
No. Although it adds a layer of security by making the barcode data different from the account number, the sticker itself is still the only credential. With smartphones today anyone can scan and read a barcode, so a brief look at a customer's passbook, which a little social engineering can arrange, is enough to copy the data and reproduce the sticker.
Banks should add another factor of authentication alongside the barcode, such as a PIN or biometrics, so that nobody can present a copy of another customer's barcode and obtain their transaction history.
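To make the difference between the three designs discussed on this page concrete (the UCO Bank and Canara Bank account-number barcode, the State Bank of India sticker-to-account mapping, and the barcode-plus-PIN scheme recommended above), here is an added simulation of the kiosk's decision logic. It is example code written for this page; the banks' real systems are not public, so the Kiosk class, the use of PBKDF2 for PIN storage, and every account number, token and PIN below are assumptions constructed for the example.

```python
"""Kiosk decision logic under three sticker designs.

Example code written for this page; the banks' real systems are not public, so
the Kiosk class, PBKDF2 for PIN storage, and every account number, token and
PIN below are constructed for the example.

  account_in_barcode : barcode data is the account number itself (UCO/Canara style)
  opaque_token       : a random sticker value is mapped to the account (SBI style)
  token_plus_pin     : the sticker value must be accompanied by a customer PIN
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
SCHEMES = ("account_in_barcode", "opaque_token", "token_plus_pin")


class Kiosk:
    def __init__(self, scheme: str):
        if scheme not in SCHEMES:
            raise ValueError(scheme)
        self.scheme = scheme
        self.token_to_account: Dict[str, str] = {}                 # barcode data -> account
        self.pin_records: Dict[str, Tuple[bytes, bytes]] = {}      # account -> (salt, hash)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def issue_sticker(self, account: str, pin: Optional[str] = None) -> str:
        """Branch-side enrolment: returns the data printed on the sticker."""
        if self.scheme == "account_in_barcode":
            token = account                   # nothing to look up, nothing to guess
        else:
            token = os.urandom(8).hex()       # unlinkable to the account number
        self.token_to_account[token] = account
        if self.scheme == "token_plus_pin":
            if pin is None:
                raise ValueError("this scheme needs a PIN at enrolment")
            salt = os.urandom(16)
            self.pin_records[account] = (salt, self._hash_pin(pin, salt))
        return token

    def statement_for(self, scanned: str, pin: Optional[str] = None) -> Optional[str]:
        """Kiosk-side check: the account whose statement gets printed, or None."""
        account = self.token_to_account.get(scanned)
        if account is None:
            return None
        if self.scheme == "token_plus_pin":
            if pin is None:
                return None
            salt, stored = self.pin_records[account]
            if not hmac.compare_digest(stored, self._hash_pin(pin, salt)):
                return None
        return account


def attack_outcomes(scheme: str) -> Tuple[bool, bool]:
    """Run the two attacks from the article against one scheme.

    forged: attacker knows only the victim's account number and prints it as a barcode
    copied: attacker scans the victim's real sticker and reprints its data
    Returns (forged_succeeds, copied_succeeds).
    """
    kiosk = Kiosk(scheme)
    victim = "9768000001"                                   # constructed
    real_sticker = kiosk.issue_sticker(victim, pin="4821")  # constructed PIN
    forged = kiosk.statement_for(victim) == victim
    copied = kiosk.statement_for(real_sticker) == victim
    return forged, copied


def pin_enforced() -> Tuple[bool, bool]:
    """(right PIN accepted, wrong PIN accepted) for the token_plus_pin scheme."""
    kiosk = Kiosk("token_plus_pin")
    sticker = kiosk.issue_sticker("1234567890", pin="0000")  # constructed
    return (kiosk.statement_for(sticker, "0000") == "1234567890",
            kiosk.statement_for(sticker, "9999") == "1234567890")


if __name__ == "__main__":
    for s in SCHEMES:
        forged, copied = attack_outcomes(s)
        print(f"{s:20s} forged={forged} copied={copied}")
```

The opaque token only changes what the attacker has to obtain: a glance at the victim's sticker instead of the account number. Only the third scheme, where the kiosk verifies something the passbook does not carry, stops a copied or forged sticker from printing someone else's statement.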
I went to various banks and informed them about the issue, but was told that the staff only know how to operate the machine and issue barcodes. So I e-mailed the IT teams of the banks that have implemented these machines, but it has been more than a week and I have not received any reply.
I am making this public so that people become aware of the problem, and so that the banks that have not yet installed the machines but plan to do so avoid making the same mistake and protect their customers.
So before you trust your bank to keep your account details secure, check twice whether it is really doing what it claims.