HITB GSEC 2017: gsec.hitb.org/sg2017/

Looting Your Bank With the Help of the Government

Indrajeet Bhuyan

8th November 2016 was a great date for the entire world. On one hand, the US election results were announced; on the other, the Prime Minister of India, Shri Narendra Modi, announced the demonetization of India's rupee. From the 9th of November, Rs 500 and Rs 1000 notes would no longer be accepted as legal tender, and all citizens needed to deposit their currency to have it exchanged. The government also started focusing on a cashless economy, encouraged people to use various online platforms and e-wallets for transactions, and soon launched various banking apps to aid in its cashless mission.

The government also took various steps pre-demonetization. It made it mandatory that people have a bank account so that they could deposit their money, and it brought new technology to banks, such as 'self help passbook update machines', to cope with the increase in users.

This research is about how an attacker could exploit various technologies (both hardware and software) introduced by the Indian government pre- and post-demonetization to learn the bank balance of anyone and subsequently withdraw their funds.

This research is divided into two parts. In the first part (this flaw affects various national and international banks), I will demonstrate a hardware flaw that can be used to bypass the authentication used in passbook printing machines, revealing the entire transaction history of anyone, both credits and debits. In the second part I'll be demonstrating various flaws in the apps that were introduced by the Indian government to build a fully cashless economy. By leveraging these flaws, an attacker can get into anyone's account. Combining flaw 1 and flaw 2, an attacker can do the following:

1. See the bank balance of any user
2. See their entire transaction history
3. Get into anyone's account
4. Get their money

About Indrajeet Bhuyan

Indrajeet Bhuyan is a 19-year-old security researcher from India who previously created the smallest possible piece of code (2 KB) that could crash WhatsApp, which affected 500 million people, and also reported security holes in the WhatsApp web client that in some ways exposed its users' privacy.

In December 2015 he made WhatsApp Crash V2, which can crash the WhatsApp app, putting 1 billion+ users worldwide at risk.

He has been invited to various international security conferences such as Toorcon California and Andsec Argentina.

He has reported security issues to various companies and organizations, including HTC, Samsung, Photobucket, Reverbnation and TVF. He has been featured in various national and international news portals, including International Business Times, Russia Today, Times of India, Digit, Kaspersky, The Independent and India Today, for his work.