ICICI Mobile security vulnerability with the iMobile application: activate mobile banking or lose your money..

Disclaimer: I don’t endorse any cracking or stealing activity. I had sent a message to ICICI regarding this issue on 9/8/2011 and got the reply below.

Dear Mr. Issac,

We value your relationship with ICICI Bank.

Thank you for your feedback. We appreciate the efforts you have taken in order to improve our service standards and processes.
Your suggestions will go a long way in helping us improve the features on our website and security measures.
We look forward to more opportunities to be of service to you.

Sincerely,
X XXXXXXX
Account Manager
ICICI Bank Limited

—–Original Message—–

Subject:  RE: Password Related Issues

OK, received and changed password.
It’s too bad that spaces are not allowed in passwords, as it’s easy to create tough passwords with spaces in between.

BTW, I have found a serious security flaw in your ICICI Bank mobile application for Android. Who should be contacted for security related issues?

Sunish

I tried to use the contact option on the ICICI website to report the issue, but could not find any link for it, nor did a site-wide search turn up anything related to reporting a security issue. The contact option forces the customer to use the internet banking messaging system whenever the option ‘Other’ is selected.


Now to the real issue:
You don’t need an ATM PIN or any external authentication token to activate the iMobile app, just the ICICI Bank debit card (PIN NOT REQUIRED). The danger is when you have an ICICI Bank account and have not started using iMobile.

It should work on all platforms, be it Android, iPhone, Windows Mobile or Symbian.

Scenario 1: Somebody steals your mobile and the wallet containing your ICICI Bank debit card

The thief can transfer money and perform all transactions possible within the iMobile application by following the process below.

Steps to activate iMobile and then do anything the app allows, including transferring funds using IMPS, shopping, mobile recharge and air ticketing:

  1. Install iMobile on the victim’s phone, or on another phone with the victim’s SIM.
  2. Run the application; it will ask for a 4 digit PIN for registration. (Yes, the thief can set whatever PIN he wants for iMobile.)
  3. It will go through the grid-based authentication, for which all you need is the debit card.

That’s it: the thief has full access to iMobile, with all transaction permissions up to the app’s daily limits.

The process of activation is explained here: http://www.icicibank.com/mobile-banking/download.html#down. Step 3, which does not ask for the ATM PIN, is the problem step.

Essentially the grid-based security is useless without also asking for the ATM PIN, and that flaw has been there ever since ICICI released the mobile apps.

If you are already using the iMobile app then there is nothing to fear, as you have to enter the application PIN to start the app. If you have registered your mobile number for mobile banking but not yet activated iMobile, and you lose that SIM together with the ICICI debit card, man, you can get into trouble if you have big balances.
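To make the flaw concrete, here is an added illustration (not ICICI’s code; the grid layout, card number and PIN are constructed) of the activation check with and without the ATM PIN as a second factor: someone holding only the card passes the grid check under the weak policy but not under the hardened one.

```python
import hashlib
import hmac
import random

# Constructed sample card: a grid of lettered cells with two-digit values is
# assumed to be printed on the back; the real ICICI layout may differ.
CARD = {
    "number": "CARD-NUMBER-PLACEHOLDER",
    "grid": {"A": "17", "B": "42", "C": "08", "D": "93", "E": "55", "F": "21",
             "G": "76", "H": "34", "I": "60", "J": "12", "K": "89", "L": "05"},
}
SALT = b"constructed-salt"

def pin_hash(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Bank-side record: the grid is known to the bank too, but the ATM PIN exists
# only as a salted hash and is never printed on the card.
BANK = {CARD["number"]: {"grid": dict(CARD["grid"]), "pin": pin_hash("7321")}}

def grid_challenge(rng=random.SystemRandom()):
    """Ask for three randomly chosen cells of the grid."""
    return rng.sample(sorted(CARD["grid"]), 3)

def check_grid(card, challenge, answers):
    """Possession factor: the answers can be read straight off the card."""
    expected = "".join(BANK[card]["grid"][cell] for cell in challenge)
    return hmac.compare_digest(expected, "".join(answers))

def check_atm_pin(card, pin):
    """Knowledge factor: not on the card (a real system also locks after a few wrong guesses)."""
    return hmac.compare_digest(BANK[card]["pin"], pin_hash(pin))

def activate_weak(card, challenge, answers, app_pin):
    """Activation as the post describes it: grid only; the app PIN is chosen by the caller."""
    return len(app_pin) == 4 and check_grid(card, challenge, answers)

def activate_hardened(card, challenge, answers, atm_pin, app_pin):
    """Grid (something you have) AND ATM PIN (something you know)."""
    return (activate_weak(card, challenge, answers, app_pin)
            and check_atm_pin(card, atm_pin))

def activation_outcomes(atm_pin_entered):
    """Both policies for someone holding the card; returns (weak_result, hardened_result)."""
    challenge = grid_challenge()
    answers = [CARD["grid"][cell] for cell in challenge]  # read off the card
    weak = activate_weak(CARD["number"], challenge, answers, "1234")
    hardened = activate_hardened(CARD["number"], challenge, answers, atm_pin_entered, "1234")
    return weak, hardened
```

`activation_outcomes("0000")` models a card holder who has to guess the PIN and returns (True, False); `activation_outcomes("7321")` models the genuine customer and returns (True, True).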

Search All Indian Electronics and Embedded Shopping Sites

Searching to find out whether a particular component, module or board is available in India can be daunting. I made a Google Custom Search Engine (CSE) covering all the main online embedded/electronics sites.


The URL for the search is
http://www.google.com/cse/publicurl?cx=001138685502448049082:odwaxexu1te

The sites currently included in the search are:

http://www.mgsuperlabs.co.in
http://www.ventor.co.in/
http://extremeelectronics.co.in
http://ventor.co.in
http://nex-robotics.com
http://sunrom.com
http://simplelabs.co.in
http://www.robokits.co.in
http://probots.co.in
http://onlinetps.com
http://embeddedmarket.com
http://tenettech.com
http://rhydolabz.com
http://bhashatech.com

Among these I have bought products from:
http://www.ventor.co.in/
http://probots.co.in
http://rhydolabz.com
http://nex-robotics.com

and I was satisfied with the overall experience.

BSNL postpaid GPRS, EDGE, 3G raw configuration for Bluetooth and serial modems


My post at https://sunish.net/2007/10/25/bsnl-gprs-configuration seems to be one of the most popular pages in spite of the fact that the site was not updated for a long long time.

The most important parameter to be set is the APN or Access Point Name.

The settings are as follows:
APN            : bsnlnet
Username       : Not required
Password       : Not required
Dial-up number : *99#

If you are using the software provided by the phone manufacturer, such as Nokia Suite, and it is up to date, it will automatically update the settings with the correct APN, which is now bsnlnet (earlier it was bsnlsouth for the southern states).

On Windows, to connect to the internet over Bluetooth or USB, the modem drivers have to be installed and configured. Once the drivers are installed, Device Manager (press Win+R, type devmgmt.msc at the Run prompt and click OK) will show the corresponding modem under Modems, similar to the Standard Modem over Bluetooth link shown in the screenshot below.

[Screenshot: Device Manager showing Standard Modem over Bluetooth link under Modems]

Open the modem’s Properties and click on the Advanced tab.

[Screenshot: modem Properties, Advanced tab]

Enter the extra initialization command as AT+CGDCONT=1,"IP","bsnlnet" (this tells the modem to use the bsnlnet APN for PDP context 1).

Click OK.

The above steps are required only if you get a PPP link error message with error code 734.

Now create a new dial-up connection. On Windows 7, open Network and Sharing Center:

  1. Click on Connect to the Internet and click Next.
  2. Select Dial-up under How do you want to connect and click Next.
  3. Enter *99# as the dial-up number and leave username and password blank.

Use this connection to connect to the internet.