- Joined
- Dec 3, 2020
- Messages
- 2,271
An attacker exploited a vulnerability in one of the banking systems to gain access to customer account data.
Specialists of the Central Bank of the Russian Federation warned about a new method of stealing funds from clients' accounts using the Fast Payment System (FPS). As the source of the Kommersant newspaper explained, the attacker, by exploiting a vulnerability in the banking system of one of the credit institutions, was able to gain access to the data of customer accounts.
The criminal launched the mobile application in debug mode, logged in as a real client, sent a request to transfer funds to another bank, but before making a transaction, instead of his account of the sender of funds, he indicated the account number of another client of the same bank. The Remote Banking System (RBS) did not verify the ownership of the specified account to the sender and sent a command to the SBP to transfer funds. Thus, the criminals sent themselves money from other people's accounts.
“The problem was identified in the software of one bank (mobile application and remote banking system) and was of a short-term nature. It was promptly eliminated, ”the Central Bank confirmed the fact of the incident.
According to the source, the vulnerability itself was very specific and only someone familiar with the architecture of the mobile bank could know about it - either a bank employee, or a software developer, or a tester.
Specialists of the Central Bank of the Russian Federation warned about a new method of stealing funds from clients' accounts using the Fast Payment System (FPS). As the source of the Kommersant newspaper explained, the attacker, by exploiting a vulnerability in the banking system of one of the credit institutions, was able to gain access to the data of customer accounts.
The criminal launched the mobile application in debug mode, logged in as a real client, sent a request to transfer funds to another bank, but before making a transaction, instead of his account of the sender of funds, he indicated the account number of another client of the same bank. The Remote Banking System (RBS) did not verify the ownership of the specified account to the sender and sent a command to the SBP to transfer funds. Thus, the criminals sent themselves money from other people's accounts.
“The problem was identified in the software of one bank (mobile application and remote banking system) and was of a short-term nature. It was promptly eliminated, ”the Central Bank confirmed the fact of the incident.
According to the source, the vulnerability itself was very specific and only someone familiar with the architecture of the mobile bank could know about it - either a bank employee, or a software developer, or a tester.
Last edited:
