Disclaimer: I don't endorse any cracking or stealing activity. I had sent a message to ICICI regarding this issue on 9/8/2011 and got the reply below:
Dear Mr. Issac,
We value your relationship with ICICI Bank.
Thank you for your feedback. We appreciate the efforts you have taken in order to improve our service standards and processes.
Your suggestions will go a long way in helping us improve the features on our website and security measures.
We look forward to more opportunities to be of service to you.
Sincerely,
X XXXXXXX
Account Manager
ICICI Bank Limited
----- Original Message -----
Subject: RE: Password Related Issues
OK, received and changed password.
It's too bad that spaces are not allowed in passwords, as it's easy to create tough passwords with spaces in between. By the way, I have found a serious security flaw in your ICICI Bank mobile application for Android. Who should be contacted for security-related issues?
Sunish
I tried to use the contact option on the ICICI website to report the issue, but could not find any link, nor did a site-wide search turn up any link for reporting a security issue. The contact option forces the customer to use the messaging system of internet banking whenever the option 'Other' is selected.
Now to the real issue:
You don't need an ATM PIN or any other authentication device to activate the iMobile app, just the ICICI Bank debit card (PIN NOT REQUIRED). The danger is when you have an ICICI Bank account and have not yet started using iMobile.
This applies on all platforms, be it Android, iPhone, Windows Mobile or Symbian.
Scenario 1: Somebody steals your mobile and the wallet containing your ICICI Bank debit card.
The thief can transfer money and perform every transaction possible within the iMobile application by following the process below.
Steps to activate iMobile and do whatever the app allows, including transferring funds using IMPS, shopping, mobile recharge, air ticketing and so on:
- Install iMobile on the victim's phone, or on another phone with the victim's SIM.
- Run the application; it asks for a 4-digit PIN for registration. (Yes, the thief can set whatever PIN he wants to use iMobile with.)
- It then goes through the grid-based authentication, for which all you need is the debit card.
That's it: the thief has full access to iMobile with all transaction permissions, up to the daily limits of the app.
The activation process is explained at http://www.icicibank.com/mobile-banking/download.html#down. Step 3, which does not ask for the ATM PIN, is the problem step.
Essentially the grid-based security is useless without also asking for the ATM PIN: the grid is printed on the very card the thief is holding, so answering a grid challenge proves nothing beyond possession of the card. That flaw has been there ever since ICICI released the mobile apps.
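To make concrete why the grid alone proves nothing beyond possession of the card, here is a small simulation of the registration flow described in the steps above. This is an added example, not ICICI's code. It assumes a 16-cell grid (A to P) of two-digit values printed on the card, a challenge that names three cells, and a lockout after three failed attempts; the function names and the sample account are constructed for illustration. The weak flow enrols a device on grid answers alone; the hardened flow also requires the ATM PIN, so a thief holding the card and SIM passes the first and fails the second.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumed card layout: 16 grid cells labelled A..P, each holding a two-digit
# value printed on the back of the debit card. The bank stores the same grid.
GRID_CELLS = list(string.ascii_uppercase[:16])
CHALLENGE_SIZE = 3      # assumed: a challenge names three cells
MAX_FAILURES = 3        # assumed lockout threshold for the hardened flow


def make_grid():
    """Constructed sample grid: a random two-digit value per cell."""
    return {cell: f"{secrets.randbelow(100):02d}" for cell in GRID_CELLS}


def hash_pin(pin, salt):
    """Slow salted hash so a stolen database does not give up PINs cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """Bank-side record: the grid (possession factor) and ATM PIN (knowledge factor)."""

    def __init__(self, grid, atm_pin):
        self.grid = dict(grid)
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(atm_pin, self.salt)
        self.mobile_registered = False
        self.app_pin = None
        self.failures = 0


def grid_challenge():
    """The bank picks which cells the user must read off the card."""
    return secrets.SystemRandom().sample(GRID_CELLS, CHALLENGE_SIZE)


def grid_answers_ok(account, challenge, answers):
    expected = "".join(account.grid[cell] for cell in challenge)
    return hmac.compare_digest(expected, "".join(answers))


def register_weak(account, challenge, answers, app_pin):
    """Flow the post describes: grid answers alone enrol the device,
    and the registrant chooses the app PIN that guards it afterwards."""
    if not grid_answers_ok(account, challenge, answers):
        return False
    account.mobile_registered = True
    account.app_pin = app_pin
    return True


def register_hardened(account, challenge, answers, atm_pin, app_pin):
    """Same flow, but the ATM PIN must also be correct. Both checks are
    evaluated and one failure response is returned, so the caller cannot
    tell which factor was wrong; repeated failures lock enrolment."""
    if account.failures >= MAX_FAILURES:
        return False
    grid_ok = grid_answers_ok(account, challenge, answers)
    pin_ok = hmac.compare_digest(hash_pin(atm_pin, account.salt), account.pin_hash)
    if not (grid_ok and pin_ok):
        account.failures += 1
        return False
    account.failures = 0
    account.mobile_registered = True
    account.app_pin = app_pin
    return True


def read_card(card_grid, challenge):
    """Whoever physically holds the card can answer any grid challenge."""
    return [card_grid[cell] for cell in challenge]


def simulate_theft():
    """Thief has the victim's card (and SIM) but not the ATM PIN.
    Returns (enrolled_via_weak_flow, enrolled_via_hardened_flow)."""
    card = make_grid()                        # constructed sample card
    thief_pin_guess = "0000"

    victim = Account(card, atm_pin="4321")    # constructed sample account
    chal = grid_challenge()
    weak = register_weak(victim, chal, read_card(card, chal), app_pin="1111")

    victim = Account(card, atm_pin="4321")
    chal = grid_challenge()
    hardened = register_hardened(victim, chal, read_card(card, chal),
                                 atm_pin=thief_pin_guess, app_pin="1111")
    return weak, hardened


if __name__ == "__main__":
    print(simulate_theft())   # (True, False)
```

The point of the hardened flow is that the ATM PIN is the only factor in this process the card does not carry; the app PIN chosen at registration protects nothing, because the thief picks it.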
If you are already using the iMobile app then there is nothing to fear, as you have to enter the application PIN to start the app. If you have registered your mobile number for mobile banking but not yet activated iMobile, and you lose that SIM along with your ICICI Bank debit card, you can get into real trouble if you hold a large balance.
Very true, I just now activated iMobile on my phone and wondered if this is all you need to access your account. Surely the ATM PIN should have been included in this process.