ICICI Mobile security vulnerability with the iMobile application: activate mobile banking or lose your money.

Disclaimer: I don’t endorse any cracking or stealing activity. I had sent a message to ICICI regarding this issue on 9/8/2011 and got the reply below.

Dear Mr. Issac,

We value your relationship with ICICI Bank.

Thank you for your feedback. We appreciate the efforts you have taken in order to improve our service standards and processes.
Your suggestions will go a long way in helping us improve the features on our website and security measures.
We look forward for more opportunities to be of service to you.

Sincerely,
X XXXXXXX
Account Manager
ICICI Bank Limited

—–Original Message—–

Subject:  RE: Password Related Issues

Ok received and changed password.
Its too bad that spaces are not allowed in passwords as its easy to create tough passwords with spaces in between.

BTW I have found a serious security flaw in your ICICI bank mobile application for android. Who should be contacted for security related issues ?

Sunish

I tried to use the contact option on the ICICI web site to report the issue, but could not find any link, nor did I find any link related to reporting a security issue on a site-wide search. The contact option forces the customer to use the messaging system of internet banking whenever the option ‘other’ is selected.

Now to the real issue:
You don’t need an ATM PIN or any external authentication tool to activate the iMobile app, just the ICICI bank debit card (PIN NOT REQUIRED). The danger is when you have an ICICI bank account and you have not started using iMobile.

It should work on all platforms, be it Android, iPhone, Windows Mobile or Symbian.

Scenario 1: Somebody steals your mobile and wallet containing ICICI bank debit card

The thief can transfer money and perform all transactions possible within the iMobile application by following the process below.

Steps to activate iMobile and do whatever, including transferring funds using IMPS, shopping, mobile recharge, air ticketing and so on:

  1. Install iMobile on the victim’s phone or on another phone with the victim’s SIM.
  2. Run the application and it will ask for a 4 digit PIN for registration. (Yes, the thief can put in whatever PIN he wants to use iMobile.)
  3. It will go through the grid based authentication, for which all you need is the debit card.

That’s it: the thief has full access to iMobile with all transaction permissions, up to the daily limits of the app.

The process of activation is explained here: http://www.icicibank.com/mobile-banking/download.html#down. Step 3 without the ATM PIN is the problem step.

Essentially the grid based security is useless without asking for the ATM PIN, and that’s the flaw which has been there ever since ICICI released the mobile apps.

If you are already using the iMobile app then there is nothing to fear, as you have to enter the application PIN to start the app. If you have registered your mobile number for mobile banking but not yet activated iMobile, then if you lose that SIM along with the ICICI debit card, man, you can get into trouble if you have big balances.

Fresh Engineering Graduate Training Topics

I was just thinking of starting a course for Computer Science and Electronics Engineers who have just passed out of College.

The topics that I thought of covering can be split into the following sections, covering what I call the basics.

Basic Networking / Internet

  • Protocols (TCP/IP, NWLink, NetBIOS)
  • Application protocols, ports, configuring POP, SMTP, IMAP, NNTP, FTP
  • Routers, ADSL, dynamic DNS, WiFi
  • Troubleshooting tips, techniques
  • Search techniques, newsgroup search, torrents
  • Web hosting, blogging, CMS, AdSense, search engine optimization, tools, tips and techniques
  • VPN, OpenVPN

PC Troubleshooting and Assembling

  • BIOS – what can be done, basic and advanced techniques.
  • ISA, PCI, PCI Express, AGP and newer bus topologies
  • PCMCIA, ExpressCard
  • Various boot CDs, booting from flash disk, CD-ROM
  • Drive imaging techniques, software, nLite, vLite
  • SysInternals

Telecom

  • Mobile – GSM, CDMA, EDGE, GPRS, EVDO, SMS – PDU/text formats
  • Land line – ISDN (BRI, PRI), PSTN, PABX, SMDR
  • IP telephony

Software

  • Various OSes, basic commands, shortcut keys etc., separating data from the OS, data recovery
  • OS differences, versioning
  • Useful freeware utilities, registry hacks
  • Programming – source control, UI design, registry, .NET, network programming tricks, techniques, tools (packet sniffers).
  • Virtual machine software – VMware (snapshots, serial ports on VMs), Virtual PC, live CDs
  • Sysinternals tools

Electronics

  • Basic electronic circuits
  • Batteries, chargers
  • Microcontrollers – PIC
  • Simulators, Emulators
  • Serial Port, USB, Bluetooth
  • PCB design with Eagle

Will add more as and when required or when I get new ideas. If you are in or around Calicut and need training on the above topics, please contact me using the contact form of this site.

How to show update availability for a Windows program on a PHP/Drupal site?

With the release of the new version of JALEdit, I thought of introducing a new feature to all my programs: the typical check for updates. I found that Opera does something similar, where, when the check for update menu option is clicked, a message is displayed if there are no updates. If there’s an update, the web page with the download link for the new version of Opera is displayed.

I didn’t want a fully automatic update where the update file is downloaded in the background, for selfish reasons (I want a page hit) 🙂
So here’s the base spec in my terms:

  1. Have a check for updates menu item in the main form and a button in the about box form of my Delphi program JALEdit.
  2. Once the user clicks the option, the JALEdit webpage is displayed.
  3. Display a message about the status of the update at the top of the page.

My PHP skills = 0, Delphi skills = Advanced

Digging a bit around the PHP documentation led to version_compare, generally used to check PHP versions, but it works quite well for program versions as well.

Here’s the code that does the job:

<?php
$latest = '0.5.6'; // define your latest version
$ver = isset($_GET['ver']) ? $_GET['ver'] : ''; // for me this is like a command line argument: get whatever is there after ?ver=
if ($ver) { // Do the check only if the version info is passed; if it's just http://jal.sunish.net/jaledit then nothing happens
  if (version_compare($latest, $ver) == 1) // there is an update available
    print("<hr/><strong>" . "An update to JALEdit is available. Latest version is :" . $latest . "</strong>"); // display in bold about update status in between 2 lines
  else
    print("<hr/><strong>" . "No update available. You are using the latest version." . "</strong>");
  print "<hr/>";
}
?>

What I learnt:

  1. The version_compare() function compares dotted version strings (“.”-separated).
  2. $_GET[‘variable’] – retrieves a query-string value, a bit like a command line argument.
  3. . is equivalent to + for string concatenation.
  4. A semicolon is required before the else clause (different from Pascal syntax).
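The query-string value arrives from an untrusted client, so a practitioner would validate it before it reaches version_compare() and escape anything echoed back. The following is an added example, not code from the original post: the same ?ver= check with the input restricted to a dotted version number and the output HTML-escaped. The helper names (sanitize_version, update_status) are my own.

```php
<?php
// Added example (not from the original post): hardened version of the
// update check. Same ?ver= parameter and same version_compare() logic.

$latest = '0.5.6'; // latest released version, maintained by hand

// Accept only something shaped like a dotted version number (e.g. 0.5.6),
// so an arbitrary query-string value is never passed around unchecked.
function sanitize_version($raw) {
    if (!is_string($raw) || !preg_match('/^\d{1,4}(\.\d{1,4}){0,3}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Returns 'update', 'current', or null when no usable version was supplied.
function update_status($latest, $ver) {
    $ver = sanitize_version($ver);
    if ($ver === null) {
        return null;
    }
    // version_compare() with the '>' operator returns a boolean.
    return version_compare($latest, $ver, '>') ? 'update' : 'current';
}

$status = update_status($latest, isset($_GET['ver']) ? $_GET['ver'] : null);

if ($status !== null) {
    echo '<hr/><strong>';
    if ($status === 'update') {
        // Escape the version string so the output stays HTML-safe even if
        // $latest is later read from a config file instead of a literal.
        echo 'An update to JALEdit is available. Latest version is: '
            . htmlspecialchars($latest, ENT_QUOTES, 'UTF-8');
    } else {
        echo 'No update available. You are using the latest version.';
    }
    echo '</strong><hr/>';
}
?>
```

A request such as http://jal.sunish.net/jaledit?ver=0.5.5 (hypothetical URL reusing the post's address) yields 'update'; ?ver=0.5.6 yields 'current'; a malformed or missing value yields null and prints nothing, which matches the original behaviour of staying silent when no version is passed.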

Delphi Code

procedure TfrmSecMain.acncheckUpdatesExecute(Sender: TObject);
var
  tempStr: string;
begin
  tempStr := 'http://jal.sunish.net/jaledit?ver=';

  // Read the file version resource of the running exe (JCL)
  with TJclFileVersionInfo.Create(Application.ExeName) do
  try
    tempStr := tempStr + Format('%s', [FileVersion]);
  finally
    Free;
  end;
  // Open the URL in the default browser
  ShellExecute(0, 'open', PChar(tempStr), nil, nil, SW_SHOW);
end;

The Delphi code is pretty straightforward: the JCL function retrieves the file version from the exe file and that’s passed to the ShellExecute function to open the default browser.

The PHP code, I guess, should work with WordPress and any CMS.

FCK Editor installation problems and other notes on Import HTML module of Drupal

FCKeditor 2.5 Beta does not work on Opera versions below 9.5 Beta.

  • Replacing an old version of the Drupal FCKeditor module results in an error (user warning: Table ‘user328_jal.fckeditor_settings’ doesn’t exist query: SELECT * FROM fckeditor_settings in D:\Projects\www\sites\jal.sunish.net\includes\database.mysql.inc on line 172.). The error occurs even if the upgrade script is run.
  • The right process is to uninstall; hopefully that will remove the tables from the db that can otherwise cause problems.
  • Import HTML requires the Tidy module. The exe version seems to work and is more reliable than the PHP module. The path has to be Windows style with the backslash if you are running on Windows.
  • Disable the Pathauto module or you will end up with totally screwed up links from the imported site.

How to write a product or service review?

I was just thinking of starting to write reviews about products and services. Naturally I intend to review only those products or services that I use. It has to be a true, unbiased opinion. So I first thought that if I make a general procedure on how to write a review it might be helpful for me and others on similar grounds. Well, I can also write reviews on movies and books, but maybe I’ll cover that in another posting.

It’s always easier to answer questions, even when you are in a stage fright session. So I think I’ll just list out questions and some tips, where the answers to the questions and the tips will help you to be more creative in writing a review.

Here are 11 tips for writing a product/service review:

  1. Be honest and truthful about the product or service that you review.
    You are writing the review so that it can be helpful to somebody else. Why cheat? You should not get somebody into the same trap that you fell into. There’s no problem in being opinionated, it’s your review, but be faithful to what you do.
  2. Make notes while using the product or service that you are going to review.
    It’s quite easy to forget, so while using the product just make a note. Use your PDA (I use my Treo 650 with Splash Notes) or any note taking software; if nothing’s available just use the classic pen and paper.
  3. State the antecedents.
    Your readers might be interested in knowing how you bought and got to know the product, and your background information. The context might be important, as the reader can skip the review altogether if it’s unimportant to them. It also gives a personal touch and adds genuineness to the review.
  4. General features and limitations.
    There are advertised features which you might easily find on the product website. Go deeper, make a difference by looking out for the not so obvious features. Something that you truly liked. Be critical, but not insulting, while stating the cons.
  5. Usability.
    I’m one of those guys who’s interested in usability. Almost anything that you use will have an interface that makes it more usable, or maybe something that irritates you by making you go all the way around your head to touch your nose. For software and hardware products, you can write about your installation and configuration experience.
  6. Aesthetics and durability.
    Yes, looks can be deceiving and beauty lies in the eyes of the beholder. My wife can better tell about the aesthetics of a product, about the color combination. The general saying is that beauty and brains don’t go together. But still there’s something that anybody can tell regarding the looks of a product, and it’s something that you can write about.
  7. Cost.
    For some, cost is not an issue, but for the majority it’s the price that counts in the ultimate decision making. I generally look out for the price vs. performance ratio: the maximum features that I can get for the given price. Stating the price in the review gives the reader more options. It will help him in knowing whether his deal is worth it.
  8. Benchmarking.
    This is the difficult part; you might have to do some research and testing. Some sites like notebookreview.com give guidelines on benchmarking tools and their download links. If the product or service doesn’t warrant benchmarking, or if you can’t, just don’t do it. Also note that it might be a violation of the license terms.
  9. Comparison with similar products.
    Anybody reading your review will definitely like to know about similar products that you considered while buying the product. So share the information that you got in doing the research. While comparing, be careful not to compare apples with oranges. If your comparison is generalized, like comparing fruits, yes, you can compare apples and oranges.
  10. Have screenshots or photos.
    Having photos of products or screenshots (if it’s software) would definitely enhance your review. Just ensure that your photos are not bandwidth hogging monsters. It can also give a hint on the aesthetics of the product.
  11. Conclude.
    Write a conclusion: whether it’s worth it, whether you like it, and for whom you can recommend the product or service.

Want to add more? Feel free to comment.

Working on a community site

For the past many days, I’ve been primarily working on nothing but Drupal and JAL. The site http://jal.sunish.net is the net result. Lots of work is still pending. I used many modules, and found that the backup module doesn’t work with my host. That reminds me, Manas Hosting seems to have many problems. Their support is lousy. Lots of database problems, and it looks like they are overselling. Still on PHP 4 and MySQL 4.
I used the PayPal and donation modules, and that required a couple of edits to change the donation request. Once everything’s over I think I’ll list all the modules that I used and their pros and cons. Discovered and reported a bug in the FAQ module where certain options in categories result in a sprintf bug.

I don’t know how many more days will be required before the whole site is complete.

The Birth of a New WordPress Blog and My First Thoughts on WordPress and Drupal

After hours, days, weeks and months of thinking, I finally installed WordPress for blogging and Drupal for the rest of it. I know it’s not an uncommon scenario, but everything with WordPress seems to be easier.

Let me list the already known facts of why WordPress is better for blogging with an out of the box WordPress install.

Yes, both Drupal and WordPress require you to create a new database and have its login information. So what’s the difference? Drupal, being a complicated monster, shows its complication and power with a long installation doc. Drupal supports databases other than MySQL, but MySQL seems to be the database that has the most support.

Why I chose to blog with WordPress instead of Drupal?

  1. No need to learn about taxonomy, categories and tags to use it from the beginning. With Drupal you have to learn and configure the taxonomy module to get started.
  2. Uploading images to blog posts is automatic and very easy with WordPress, whether you use an offline blog upload tool like WLW or even the built in TinyMCE web editor. Something that’s not possible with a default Drupal installation.
  3. Windows Live Writer (WLW), an offline blog publisher, works seamlessly with WordPress. No tweaking is necessary to get categories working with WordPress, but Drupal has lots of problems in getting categories and tags to work with WLW.
  4. WordPress import from other blogging tools works so well, and you have options to import from almost any platform. I was able to import easily from www.blogspot.com. The import options don’t require any plugins to be installed in WordPress. Drupal requires external modules to be installed and your options are limited for a direct import. You need to convert to a particular file format, export and then import.
  5. WordPress gets you going on a fast start with less power but more ease of use. Drupal, with more power and flexibility, is more complex, with a not so intuitive user interface.

This is my first blog post with WLW on to my WordPress blog and Drupal site.

Excel Rounding Bug and its Solution

For many days I was working on software for automating the daily accounts of our theatre. The software I developed generates a QIF file that can be imported into Microsoft Money. I used Excel automation within Delphi to do the printing of the DCR (Daily Collection Report). A copy of the DCR is provided to the film distributor. Since quite a lot of calculation is involved and the printing has to be formatted, I chose Excel. It was then that I found that the printed values after the decimal point were not tallying with the rep’s report: Excel sums the full-precision stored values while displaying rounded ones. I knew it’s a well known rounding error, but didn’t know its solution. After some googling I found this link, http://www.cpearson.com/excel/rounding.htm, where a detailed explanation is given. Even though the page is a bit dated, the solution still works. Just go to Tools, Options and in the Calculation tab check the option “Precision as displayed”. Problem solved. Looks like the setting is saved on the open workbook.
For many days I was working on a software for automating the daily accounts of our theatre. The software I developed will generate a QIF file that can be imported to Microsoft Money. I used excel automation within delphi to do the printing of DCR (Daily Collection Report). A copy of the DCR is provided to the film distributor. Since quite a lot calculation is involved and the printing has to be formatted I chose excel. It was then that I found that the printed values after the decimal point was not tallying with the Reps report. I knew its’s well known rounding error, but didn’t know its solution. After some googling I found this link http://www.cpearson.com/excel/rounding.htm where a detailed explanation is given. Eventhough the page is a bit dated the solution still works. Just go to Tools,Options and in the Calculation tab you got to check the option of Precision as displayed. Problem solved. Looks like the setting is saved on the open workbook.