Faysal Bank Introduces Dangerously Insecure Internet Banking
July 23rd, 2013
Faysal Bank was probably the only private bank in Pakistan to not offer Internet banking. They were sitting on their hands all these years while their competitors leapt forward. But now they’ve introduced mobile phone compatible Internet banking under the mobit brand name. The problem is that it is badly designed and dangerously insecure.
To log in to a mobit Internet banking account you need the account holder’s mobile phone number and a 4 digit login PIN.
The phone number is not secret information so it is not a problem for any hacker. You can buy this data in bulk. For instance, telemarketers in Pakistan have no difficulty getting a bank’s customer details.
The 4 digit login PIN has an entropy of just 13.3 bits (only 10,000 possible values) and can easily be brute forced by a computer, even over the web. Even if an attacker were limited to just 1 attempt per second, all 10,000 PINs could be tried in under 3 hours.
To perform transactions you need a second 4 digit PIN called the mobile PIN. Again there are just 10,000 possibilities, so it can be brute forced with ease.
Of course it is possible that they’ve designed the system so that you are limited to a certain number of incorrect guesses before they lock the account and won’t allow anyone to log in. If that is the case then they’ve just created a way for a malicious person to deny his target access to their Internet banking account at no cost to the attacker! This could even be used against thousands of accounts en masse as a denial of service attack, creating a huge headache for Faysal Bank and its customers.
Insecure Domain and Servers
Another mistake is that Faysal Bank is using a .com.pk domain name for its Internet banking site. PKNIC, which is the registry for .pk and .com.pk domain names, has a history of getting hacked. It was hacked in 2008 and then twice (1, 2) in the last 12 months! Hackers changed the DNS settings of domain names and pointed them to servers they controlled. They could just as easily set up a phishing site in place of mobit.com.pk and harvest customer login information.
But wait, there is more! Faysal Bank is using Cloudflare as its CDN:
abdussamad@homebase:~> dig +short mobit.com.pk ns
gina.ns.cloudflare.com.
andy.ns.cloudflare.com.
abdussamad@homebase:~> dig +short www.mobit.com.pk a
mobit.com.pk.
18.104.22.168
22.214.171.124
Cloudflare is an American company and all data submitted to mobit.com.pk goes through its servers! The SSL certificate that Faysal Bank boasts about is worthless because the server you are actually connecting to is controlled by an untrusted third party (Cloudflare), which decrypts the traffic before passing it on to the bank. This is a huge privacy risk! Why is the data of a Pakistani bank’s customers being sent to a foreign company? Surely this goes against banking confidentiality rules?
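The two checks above can be scripted. The following is an added example, not code from the post: it parses `dig +short` output, reports which operator each nameserver belongs to, and flags whether the site’s addresses fall inside a reverse proxy’s ranges, in which case TLS terminates at the proxy rather than at the bank. The nameserver lines are the ones from the dig session above; the addresses, the `faysalbank.com` domain used for the self-hosted check and the `PLACEHOLDER_PROXY_RANGES` table are constructed for the example (real provider ranges come from the provider’s own published list).

```python
"""Added example: classify nameservers and addresses from `dig +short` output
to flag third-party DNS delegation and reverse-proxy TLS termination."""
import ipaddress

# Constructed samples shaped like the output of
#   dig +short mobit.com.pk ns   and   dig +short www.mobit.com.pk a
# The NS names are from the post; the addresses are TEST-NET placeholders.
SAMPLE_NS = "gina.ns.cloudflare.com.\nandy.ns.cloudflare.com.\n"
SAMPLE_A = "mobit.com.pk.\n192.0.2.10\n192.0.2.11\n"

# Nameserver suffixes of hosted-DNS/CDN operators. Deliberately tiny here;
# extend from the providers' documentation.
THIRD_PARTY_NS_SUFFIXES = {"ns.cloudflare.com": "Cloudflare"}

# PLACEHOLDER: substitute the proxy operator's published IP ranges.
PLACEHOLDER_PROXY_RANGES = {"Cloudflare": [ipaddress.ip_network("192.0.2.0/24")]}


def parse_short(text: str) -> list[str]:
    """Split `dig +short` output into one record per line, dropping blanks."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def ns_operator(ns_name: str, own_domains: list[str]) -> str:
    """Map a nameserver hostname to a known operator, 'self-hosted' or 'unknown'."""
    name = ns_name.rstrip(".").lower()
    for suffix, operator in THIRD_PARTY_NS_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return operator
    for own in own_domains:
        own = own.rstrip(".").lower()
        if name == own or name.endswith("." + own):
            return "self-hosted"
    return "unknown"


def audit_site(ns_output: str, a_output: str, own_domains: list[str],
               proxy_ranges: dict[str, list]) -> dict:
    """Summarise who controls the zone and who terminates the connection."""
    operators = {n: ns_operator(n, own_domains) for n in parse_short(ns_output)}
    a_records = parse_short(a_output)
    aliases = [t for t in a_records if not is_ip(t)]          # CNAME targets
    ips = [ipaddress.ip_address(t) for t in a_records if is_ip(t)]

    delegated_to = sorted({op for op in operators.values()
                           if op not in ("self-hosted", "unknown")})
    proxied_by = sorted({prov for ip in ips
                         for prov, nets in proxy_ranges.items()
                         if any(ip in net for net in nets)})

    if proxied_by:
        finding = (f"TLS terminates at {', '.join(proxied_by)}; the proxy "
                   "sees every request and response in plaintext")
    elif delegated_to:
        finding = (f"DNS is delegated to {', '.join(delegated_to)}; the zone "
                   "can be changed from that provider's account")
    else:
        finding = "no third-party DNS or proxy detected"

    return {"ns_operators": operators, "aliases": aliases,
            "addresses": [str(ip) for ip in ips],
            "delegated_to": delegated_to, "proxied_by": proxied_by,
            "finding": finding}


if __name__ == "__main__":
    report = audit_site(SAMPLE_NS, SAMPLE_A, ["faysalbank.com"], PLACEHOLDER_PROXY_RANGES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Delegation and proxying are separate findings: a zone hosted at a third-party DNS provider can still point at the bank’s own servers, so the proxy check against address ranges is what decides whether the certificate the browser sees actually belongs to a machine the bank controls.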
Needless to say, if you are a Faysal Bank customer do not sign up for their Internet banking. Avoid using it until Faysal Bank gets its act together and fixes all of these security issues.