Faysal Bank Introduces Dangerously Insecure Internet Banking

July 23rd, 2013

Faysal Bank was probably the only private bank in Pakistan to not offer Internet banking. They were sitting on their hands all these years while their competitors leapt forward. But now they’ve introduced mobile phone compatible Internet banking under the mobit brand name. The problem is that it is badly designed and dangerously insecure.

Insecure Passwords

To login to a mobit Internet banking account you need the account holder’s mobile phone number and 4 digit login PIN.

Mobit Login Screen

The phone number is not secret information, so it is no obstacle to an attacker. This data can be bought in bulk: telemarketers in Pakistan, for instance, have no difficulty obtaining a bank’s customer details.

The 4 digit login PIN has an entropy of just 13.3 bits (only 10,000 possible values) and can easily be brute forced by a computer, even over the web. Even if you were limited to just 1 attempt per second, you could exhaust every possible PIN in less than 3 hours.

To perform transactions you need a second 4 digit PIN, called the mobile PIN. Again there are just 10,000 possibilities, so it can be brute forced with ease.

Of course it is possible that they’ve designed the system such that you are limited to a certain number of incorrect guesses before they lock your account and won’t allow anyone to log in. If that is the case then they’ve just created a way for a malicious person to deny his target access to their Internet banking account at no cost to the attacker! This could even be used to target thousands of accounts en masse in a denial of service attack and create a huge headache for Faysal Bank and its customers.
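To make the trade-off in the paragraph above concrete, here is an added Python model (my own illustration, not Faysal Bank’s or mobit’s code) that compares a hard account lockout with a per-source throttle for a 4 digit PIN. The phone number, PIN and policy class names are constructed for the example.

```python
import math
from collections import defaultdict

PIN_SPACE = 10 ** 4  # every possible 4 digit login PIN
VICTIM, VICTIM_PIN = "03001234567", "4821"  # constructed sample data, not a real customer

def pin_entropy_bits(digits: int) -> float:  # bits of entropy in a uniform numeric PIN
    return math.log2(10 ** digits)

def worst_case_hours(digits: int, rate: float) -> float:  # hours to try every PIN at rate/s
    return 10 ** digits / rate / 3600

class AccountLockout:
    """Freeze the account after N consecutive wrong PINs (the scheme the commenter describes)."""
    def __init__(self, max_failures: int = 3):
        self.max_failures, self.failures, self.locked = max_failures, defaultdict(int), set()
    def attempt(self, account: str, pin: str, real_pin: str, source: str) -> str:
        if account in self.locked:
            return "locked"
        if pin == real_pin:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)
        return "fail"

class SourceThrottle:
    """Cap wrong PINs per (source, account) pair instead; the account itself never freezes."""
    def __init__(self, max_failures: int = 3):
        self.max_failures, self.failures = max_failures, defaultdict(int)
    def attempt(self, account: str, pin: str, real_pin: str, source: str) -> str:
        if self.failures[(source, account)] >= self.max_failures:
            return "throttled"
        if pin == real_pin:
            return "ok"
        self.failures[(source, account)] += 1
        return "fail"

def victim_status_after_attack(policy) -> str:
    """Three wrong PINs arrive from a stranger's source; what does the real customer see next?"""
    for wrong in ("0000", "1111", "2222"):
        policy.attempt(VICTIM, wrong, VICTIM_PIN, source="stranger")
    return policy.attempt(VICTIM, VICTIM_PIN, VICTIM_PIN, source="customer")

def guesses_evaluated(policy, sources: int) -> int:
    """How many of the 10,000 PINs the policy actually checks when all are tried, spread over `sources` sources."""
    return sum(policy.attempt(VICTIM, f"{i:04d}", VICTIM_PIN, source=f"src{i % sources}")
               in ("ok", "fail") for i in range(PIN_SPACE))
```

Lockout stops the brute force but lets anyone holding the phone number freeze the account, while per-source throttling protects the customer yet is defeated by spreading guesses across sources; neither fixes the 13.3 bit PIN space itself.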

Insecure Domain and Servers

Another mistake is that Faysal Bank is using a .com.pk domain name for its Internet banking site. PKNIC, the registry for .pk and .com.pk domain names, has a history of getting hacked. It was hacked in 2008 and then twice (1, 2) in the last 12 months! Hackers changed the DNS settings of domain names and pointed them at servers they controlled. They could just as easily set up a phishing site in place of mobit.com.pk and harvest customer login information.

But wait, there is more! Faysal Bank is using Cloudflare as its CDN:

abdussamad@homebase:~> dig +short mobit.com.pk ns
gina.ns.cloudflare.com.
andy.ns.cloudflare.com.
abdussamad@homebase:~> dig +short www.mobit.com.pk a
mobit.com.pk.
108.162.205.246
108.162.206.246

Cloudflare is an American company and all data submitted to mobit.com.pk goes through its servers! The SSL certificate that Faysal Bank boasts about is worthless because the server you are connecting to is controlled by an untrusted third party (Cloudflare): the encrypted connection terminates on Cloudflare’s servers, not the bank’s. This is a huge privacy risk! Why is the data of a Pakistani bank’s customers being sent to a foreign company? Surely this goes against banking confidentiality rules?

Conclusion

Needless to say, if you are a Faysal Bank customer, do not sign up for their Internet banking. Avoid using it until Faysal Bank gets its act together and fixes all these security issues.

4 Responses to “Faysal Bank Introduces Dangerously Insecure Internet Banking”

  1. Navaid Arif says:

    Dear writer,
    I have already been using Faysal Bank mobile banking since day one and I found it very secure. As far as “Insecure Passwords” are concerned, the mobile banking account gets inactive if anyone tries to perform three consecutive incorrect login attempts, so brute force is not possible; therefore kindly do not misguide innocent people. :)

    Regards,
    Navaid Arif

    Posted on 16 Aug 2013
    • Abdussamad says:

      You obviously did not read my article to completion. I am quoting the relevant paragraph below:

      Of course it is possible that they’ve designed the system such that you are limited to a certain number of incorrect guesses before they lock your account and won’t allow anyone to log in. If that is the case then they’ve just created a way for a malicious person to deny his target access to their Internet banking account at no cost to the attacker! This could even be used to target thousands of accounts en masse in a denial of service attack and create a huge headache for Faysal Bank and its customers.

      So, yes, brute force password cracking may not be possible but a denial of service attack is very much possible.

      The other problems are also still there. For example, they continue to use a .com.pk domain name even though PKNIC has a history of getting hacked. Why not make a subdomain under faysalbank.com?

      PS: Innocent people should not browse my site. I am not responsible for what effect reading my articles has on the minds of innocent people. And if you want guidance please hire a teacher.

      Posted on 16 Aug 2013
    • Ahsan says:

      I agree with the writer, because internet banking has some standards which are not being followed by Faysal Bank. It is just like you drop your ATM card somewhere and you believe it will be blocked without calling the authorities… I am sure you will block it in seconds… even if that is not a Visa card… Right?

      And for the Faysal Bank shahzadaaas, you should at least have generated a transaction PIN for doing a particular transaction like other banks do. That could make it a little bit useful and a little bit secure.

      Common Sense is not as common as it is common…

      Posted on 11 Dec 2013
  2. Liaquat Ali Almani says:

    kindly send me the way of using internet banking

    thanks

    Posted on 05 Feb 2014