ICICI mobile security vulnerability in the iMobile application: activate mobile banking or lose your money

Disclaimer: I don’t endorse any cracking or stealing activity. I sent a message to ICICI regarding this issue on 9/8/2011 and got the reply below.

Dear Mr. Issac,

We value your relationship with ICICI Bank.

Thank you for your feedback. We appreciate the efforts you have taken in order to improve our service standards and processes.
Your suggestions will go a long way in helping us improve the features on our website and security measures.
We look forward to more opportunities to be of service to you.

Sincerely,
X XXXXXXX
Account Manager
ICICI Bank Limited

-----Original Message-----

Subject:  RE: Password Related Issues

Ok, received and changed the password.
It’s too bad that spaces are not allowed in passwords, as it’s easy to create tough passwords with spaces in between.

BTW, I have found a serious security flaw in your ICICI Bank mobile application for Android. Who should be contacted for security-related issues?

Sunish

I tried to use the contact option on the ICICI website to report the issue, but could not find any link, nor did a site-wide search turn up anything about reporting a security issue. The contact option forces the customer into the internet banking messaging system whenever the option ‘other’ is selected.


Now to the real issue:
You don’t need the ATM PIN or any external authentication tool to activate the iMobile app, just the ICICI Bank debit card itself (the PIN is not required). The danger is for anyone who has an ICICI Bank account but has not yet started using iMobile.

It should apply on all platforms, be it Android, iPhone, Windows Mobile or Symbian.

Scenario 1: Somebody steals your mobile and the wallet containing your ICICI Bank debit card

The thief can transfer money and perform every transaction the iMobile application allows by following the process below.

Steps to activate iMobile and then do anything the app permits, including transferring funds via IMPS, shopping, mobile recharges and air ticketing:

  1. Install iMobile on the victim’s phone, or on another phone with the victim’s SIM.
  2. Run the application; it asks for a 4-digit PIN for registration. (Yes, the thief can choose whatever PIN he wants to use with iMobile.)
  3. It goes through the grid-based authentication, for which all you need is the debit card.

That’s it: the thief now has full access to iMobile, with every transaction permission the app offers, up to the daily limits.

The activation process is explained at http://www.icicibank.com/mobile-banking/download.html#down. Step 3, which never asks for the ATM PIN, is the problem step.

Essentially the grid-based check is useless on its own: the grid challenge is answered from the card, so whoever holds the card passes it, and without the ATM PIN there is no factor the thief lacks. This flaw has been there ever since ICICI released the mobile apps.
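The activation flow above as a small Python model, added here for illustration; it is not ICICI’s code, and the bank back end, card grid layout, challenge size and lockout threshold are all assumptions. A thief holding the SIM and the card answers the grid challenge from the card itself, so the deployed flow enrols him; the hardened variant additionally requires the ATM PIN, which the card does not carry, and locks activation after repeated wrong PINs.

```python
"""Added example, not ICICI's code: a model of the activation weakness above.
HypotheticalBank stands in for the bank back end. The grid is modelled as
labelled cells printed on the card, so anyone holding the card can answer a
grid challenge; the ATM PIN is the one value the card does not carry."""
import secrets
from dataclasses import dataclass

GRID_CELLS = [f"{col}{row}" for col in "ABCDEFGH" for row in (1, 2, 3)]  # assumed layout
_rng = secrets.SystemRandom()

@dataclass(frozen=True)
class DebitCard:          # what sits in the stolen wallet
    number: str
    grid: dict            # cell label -> two-digit value printed on the card

@dataclass
class Account:
    mobile: str
    grid: dict
    atm_pin: str          # never printed; only the customer knows it
    pin_failures: int = 0
    locked: bool = False

class HypotheticalBank:
    MAX_PIN_FAILURES = 3  # assumption: lock activation after three bad PINs

    def __init__(self):
        self.accounts = {}  # card number -> Account
        self.pending = {}   # card number -> cells issued in the last challenge
        self.app_pins = {}  # mobile number -> app PIN chosen at activation

    def issue_card(self, mobile, atm_pin):
        number = "4" + "".join(_rng.choice("0123456789") for _ in range(15))
        grid = {c: f"{secrets.randbelow(100):02d}" for c in GRID_CELLS}
        self.accounts[number] = Account(mobile, grid, atm_pin)
        return DebitCard(number, grid)  # the card carries the grid but not the PIN

    def grid_challenge(self, card_number, k=3):
        cells = _rng.sample(GRID_CELLS, k)
        self.pending[card_number] = cells
        return cells

    def _grid_ok(self, card_number, answers):
        cells = self.pending.pop(card_number, None)  # one challenge, one answer
        if cells is None or len(answers) != len(cells):
            return False
        grid = self.accounts[card_number].grid
        ok = True
        for cell, answer in zip(cells, answers):  # no early exit on a wrong cell
            ok &= secrets.compare_digest(grid[cell], answer)
        return ok

    def activate_as_deployed(self, mobile, card_number, answers, app_pin):
        """The flow the post describes: SIM plus grid answers, caller picks the
        app PIN, and the ATM PIN is never requested."""
        acct = self.accounts.get(card_number)
        if acct is None or acct.mobile != mobile:
            return False
        if not self._grid_ok(card_number, answers):
            return False
        self.app_pins[mobile] = app_pin
        return True

    def activate_hardened(self, mobile, card_number, answers, atm_pin, app_pin):
        """Same flow plus the one factor a wallet thief does not hold."""
        acct = self.accounts.get(card_number)
        if acct is None or acct.mobile != mobile or acct.locked:
            return False
        if not self._grid_ok(card_number, answers):
            return False
        if not secrets.compare_digest(acct.atm_pin, atm_pin):
            acct.pin_failures += 1
            acct.locked = acct.pin_failures >= self.MAX_PIN_FAILURES
            return False
        acct.pin_failures = 0
        self.app_pins[mobile] = app_pin
        return True

def answer_from_card(card, cells):
    """Anyone holding the card can do this: read the challenged cells off it."""
    return [card.grid[c] for c in cells]

def stolen_wallet_scenario():
    """Scenario 1: the thief holds the victim's SIM and card, not the ATM PIN.
    Returns (deployed_ok, hardened_attempts, locked, owner_ok)."""
    bank, mobile = HypotheticalBank(), "9800000001"  # constructed victim
    card = bank.issue_card(mobile, atm_pin="4921")
    cells = bank.grid_challenge(card.number)
    deployed_ok = bank.activate_as_deployed(mobile, card.number, answer_from_card(card, cells), "1234")
    attempts = []
    for guess in ("0000", "1234", "1111", "2222"):  # thief guessing the ATM PIN
        cells = bank.grid_challenge(card.number)
        attempts.append(bank.activate_hardened(mobile, card.number, answer_from_card(card, cells), guess, "1234"))
    locked = bank.accounts[card.number].locked
    owner_card = bank.issue_card("9800000002", atm_pin="4921")  # a legitimate customer
    cells = bank.grid_challenge(owner_card.number)
    owner_ok = bank.activate_hardened("9800000002", owner_card.number, answer_from_card(owner_card, cells), "4921", "5678")
    return deployed_ok, attempts, locked, owner_ok
```

Running `stolen_wallet_scenario()` gives `(True, [False, False, False, False], True, True)`: the deployed flow enrols the thief, the hardened flow rejects each PIN guess and locks the account after the third, and the real customer still activates normally. The model also consumes each grid challenge on use, so an answer cannot be replayed against a second activation attempt.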

If you are already using the iMobile app there is nothing to fear, since the application PIN has to be entered to start the app. If you have registered your mobile number for mobile banking but have not yet activated iMobile, and you lose that SIM together with your ICICI debit card, you can get into real trouble if you hold a big balance.

Does the ATM/debit card expire?

Yesterday I got a new Visa ATM card for my Federal Bank account. The expiry date is in 2017. The previous card was valid for only 3 years and the new one has a validity period of 10 years. I was told the old one will keep working without any problems. I tested it and it indeed worked. I guess the bank auto-renewed the old one and associated it with my account. Since the new one has a different card number, there is no conflict of PINs. However, I just changed the new one’s PIN to match the old one. So if you have a Federal Bank account and thought that the card expired on its expiry date, don’t worry, you can continue to use it.

PayPal lets you accept money through Indian banks

Not news anymore, and I have not yet received any payments through PayPal, but I have a donation link at http://jal.sunish.net/donate.

I decided to go through the PayPal process to accept money through my ICICI Bank account in Calicut. After going to the profile option and ‘Add bank’ on the PayPal website, it asked for an IFSC code. A quick search revealed no result, but I accidentally stumbled upon

http://www.joycebabu.com/blog/paypal-supports-direct-withdrawal-to-bank-account.html, where he has listed the RBI link at http://www.idrbt.ac.in/index_fromsm.html?ifsc_directory.html?infinet

I finished the process and got this threat:

“Please make sure that the information you provided is complete and correct. Otherwise, the amount will be returned to your PayPal account (deducting any bank charges) and a return fee of 250.00 INR will be charged.”

and

“It can take 5-7 business days to complete this transfer, depending on your bank’s holiday schedule and payment policies.”

Still not bad for receiving money through the following banks: SBI, Bank of India, Canara Bank (no net banking in most places), Union Bank, HDFC, ICICI, Axis, Standard Chartered, HSBC and ING Vysya.