An international commercial bank with total assets of USD 500 million engaged our team of cybersecurity experts. The bank offers a full range of banking services to private and corporate clients.
The team was tasked with assessing the current security level of the web and mobile banking applications of a commercial bank in Europe. Although the scope of work was limited to a black-box perspective and assumed an external attacker who knows only the customer's name, we were able to exploit flaws in the applications, gain access to critical data, obtain full access to the bank's customer accounts and, as the ultimate goal, withdraw money.
TESTING STAGES
Reconnaissance:
It took us a week to study the client's systems. We gathered information about the software, operating systems, browsers, antivirus products, email clients, etc. used by employees. We also focused on the email format and other elements of corporate identity, as well as company news and events: everything that could make a phishing email, a phishing site and a targeted attack credible.
STAGES OF THE TEST
To conduct high-quality comprehensive testing, we used both manual and automated testing tools and techniques.
OTP compromise:
The same OTP vulnerability was confirmed in the mobile application, even though its requests were processed by a different server and the web and mobile application APIs were supposed to function separately. The mobile application therefore contained the same flaw in its session management logic, and the security risk was correspondingly higher.
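The case study does not describe the OTP flaw itself, so the following is an added illustration rather than the bank's or the testing team's code: a single server-side OTP verification service that both the web and the mobile API front ends would call, so that a session-handling fix lands in one place instead of having to be repeated per channel. It binds each code to the session and to the exact operation it authorizes, stores only an HMAC of the code, enforces expiry and an attempt limit, and makes the code single-use. The class and method names, the policy constants and the HMAC-based storage are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example (not taken from the case study).
OTP_TTL_SECONDS = 120   # a code is valid for two minutes after issue
MAX_ATTEMPTS = 3        # wrong guesses allowed before the challenge is discarded


@dataclass
class OtpChallenge:
    """Server-side record of one pending OTP, bound to a session and an operation."""
    session_id: str
    operation: str      # what the code authorizes, e.g. "transfer:ACC-1:100.00"
    digest: bytes       # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """One verification service that every channel (web API, mobile API) calls.

    Keeping a single implementation avoids the situation described above, where
    two separately deployed APIs each carried the same session-handling flaw.
    """

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock                      # injectable so tests can control time
        self._challenges: dict[str, OtpChallenge] = {}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._secret, code.encode(), hashlib.sha256).digest()

    def issue(self, session_id: str, operation: str) -> str:
        """Create a fresh six-digit code for this session and operation.

        Any earlier pending challenge for the session is replaced, so a stale
        code cannot be replayed later. The code is returned here only so the
        example runs offline; a real deployment delivers it out of band.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[session_id] = OtpChallenge(
            session_id=session_id,
            operation=operation,
            digest=self._digest(code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, session_id: str, operation: str, code: str) -> tuple[bool, str]:
        """Return (accepted, reason). A plain wrong guess consumes one attempt;
        every other failure leaves no usable challenge behind."""
        ch = self._challenges.get(session_id)
        if ch is None:
            return False, "no-challenge"           # a code from another session is useless here
        if ch.consumed:
            return False, "already-used"           # single use
        if self._clock() > ch.expires_at:
            del self._challenges[session_id]
            return False, "expired"
        if not hmac.compare_digest(ch.operation.encode(), operation.encode()):
            return False, "operation-mismatch"     # code was issued for a different action
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[session_id]       # brute-force guard
            return False, "locked"
        if not hmac.compare_digest(self._digest(code), ch.digest):
            return False, "wrong-code"
        ch.consumed = True
        return True, "ok"


if __name__ == "__main__":
    svc = OtpService(secret=secrets.token_bytes(32))
    code = svc.issue("sess-web-1", "transfer:ACC-1:100.00")
    print(svc.verify("sess-web-1", "transfer:ACC-1:999.00", code))  # (False, 'operation-mismatch')
    print(svc.verify("sess-web-1", "transfer:ACC-1:100.00", code))  # (True, 'ok')
    print(svc.verify("sess-web-1", "transfer:ACC-1:100.00", code))  # (False, 'already-used')
```

The reason strings are returned to the caller so that a monitoring pipeline can count `wrong-code`, `locked` and `operation-mismatch` outcomes per session and per channel; a spike in any of them on one API surface but not the other is exactly the kind of divergence between web and mobile behaviour that the engagement above turned up.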
Authentication compromise:
Hacking scenario:
We conducted a series of tests to analyze the security of the bank's web and mobile applications. The tests revealed several types of vulnerabilities, classified according to the risk levels defined by the OWASP methodology. Combining two critical vulnerabilities allowed our team to conduct any transaction from the bank's customers' accounts without proper authentication.
To help the bank address the identified security gaps, we prepared a comprehensive report covering all the vulnerabilities identified and provided remediation recommendations that were implemented during the remediation phase.