This Serious Flaw in Indian banks can be used to know the bank balance, transaction history of any customer

 

Passbooks with Barcodes for automatic passbook printing

With the advancement of technology, everything around us is getting digitized. There was a time when people had to go to a bank branch to withdraw or deposit money. Now we have ATMs, net banking and mobile banking, which make things much easier and faster. Banks use technology to reach a wider section of people and to make the whole process fast, accurate and secure.

 

Earlier, people had to consult a bank employee to get their passbook updated. Recently the State Bank of India installed an automatic passbook printer called ‘Swayam’, with which any customer can update their passbook just by inserting it into the machine.

 

‘SWAYAM’ – Our automated passbook printing facility enables hassle-free updating of your passbook and saves time. pic.twitter.com/U9OSpZ36s6

— State Bank of India (@TheOfficialSBI) November 27, 2014

 

Unlike ATMs, where one needs to insert a credit/debit card and enter the PIN issued by the bank in order to withdraw money, the automatic passbook printing machine does not require the customer to insert any card or enter any password. All they need to do is insert the passbook, and their entire transaction history is printed in it.

 

So how does the machine recognize the respective user’s passbook?

 

The bank does something simple: it pastes a barcode in each passbook. When the user inserts the passbook, the barcode scanner inside the machine reads the barcode, and the printer then prints the transaction details in the passbook.

 

This made me curious: they use no cards or passwords and rely only on barcodes, which I assumed meant that the data in the barcode was encrypted in some way.

 

So I went to different banks in my city to check which banks have actually implemented these automatic passbook printing machines, and to see whether they use the same barcode method or add some other level of security. I went to the following banks:

 

  • State Bank of India
  • Union Bank
  • Bank of India
  • Indian Bank
  • Bank of Baroda
  • HDFC
  • Canara Bank
  • UCO Bank
  • Central Bank of India

After visiting the above banks I learned that most of them have already implemented the automatic passbook printing machine, while a few have not yet done so but plan to soon.

 

One thing common to all the banks’ automatic passbook printing machines is that they all rely on barcodes and nothing else for authentication.

 

Next I started analyzing the barcode data of various banks’ automatic passbook printing machines.

 

I took the following banks’ barcodes:

 

  • State Bank of India
  • UCO Bank
  • Canara Bank

State Bank of India

 

After scanning the State Bank of India barcode I found that the barcode data was not the account number (at first I took this for some kind of encryption) and that the format was the common Code 128. I soon realized what actually happens: the branch gets pre-printed barcode stickers from another location, and when a customer asks for a barcode, staff paste one of those stickers in the passbook and assign the data on that sticker to the customer’s account number in their database.

 

For example: if the data on the sticker is ‘12345’ and the bank account number is ‘9768xxxxx’, then when the customer asks for a barcode sticker, the bank pastes the sticker carrying ‘12345’ into the passbook of account number ‘9768xxxxx’ and records that mapping. Whenever the customer inserts the passbook, the machine reads ‘12345’ from the barcode, looks it up in the database to see which account it was assigned to, and prints the transaction details of account ‘9768xxxxx’ in the passbook. The barcode is an opaque lookup key, not an encrypted account number.

 

Barcode data is different from the account number

 

UCO Bank

 

After State Bank of India I scanned the UCO Bank barcode to see what encryption or type of barcode they use. I was shocked to find that they use the account number itself as the barcode data, again in Code 128. There was no indirection as in the case of State Bank of India. On investigating I learned that, unlike State Bank of India, where the barcodes come from a different place with pre-assigned data and an account number is then assigned to that data, at UCO Bank the employees print the barcodes themselves.

 

Account number used as barcode data

 

Canara Bank

 

After State Bank of India and UCO Bank I went to Canara Bank. Canara Bank does the same as UCO Bank: they too use the account number itself as the barcode data, in Code 128.
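To show what such a Code 128 symbol actually contains, here is an added example (my own code, not from this post or from any bank) that encodes a string the way an online Code 128 generator does and validates it the way the kiosk’s scanner does. The account number is constructed. The only check built into the format is a modulo-103 checksum, which protects against misreads, not against forgery, so anyone who knows an account number can produce a symbol the scanner accepts.

```python
"""Code 128 symbol encoding and scanner-side validation.

Added example; not code from this post or any bank.  Code 128 carries
plain text (subset B) or digit pairs (subset C) plus a modulo-103
checksum.  There is no secret anywhere in the symbol, so anyone who
knows an account number can print a symbol the kiosk scanner accepts.
"""

START_B, START_C, STOP = 104, 105, 106


def code128_checksum(start: int, values: list[int]) -> int:
    """Start value plus each data value weighted by its 1-based position, mod 103."""
    return (start + sum(i * v for i, v in enumerate(values, start=1))) % 103


def encode_code128(data: str) -> list[int]:
    """Return the symbol values (start, data..., checksum, stop) for `data`.

    An even-length digit string uses subset C (two digits per symbol),
    which is what most generators choose for an account number; anything
    else uses subset B (one printable ASCII character per symbol).
    """
    if data.isascii() and data.isdigit() and len(data) % 2 == 0:
        start = START_C
        values = [int(data[i:i + 2]) for i in range(0, len(data), 2)]
    else:
        if not all(32 <= ord(c) <= 126 for c in data):
            raise ValueError("subset B carries only printable ASCII")
        start = START_B
        values = [ord(c) - 32 for c in data]
    return [start, *values, code128_checksum(start, values), STOP]


def decode_code128(symbols: list[int]) -> str:
    """Do what a scanner does: check framing and checksum, then return the data.

    Nothing here asks who printed the symbol; a valid checksum is all it takes.
    """
    if len(symbols) < 4 or symbols[-1] != STOP:
        raise ValueError("bad framing")
    start, values, checksum = symbols[0], symbols[1:-2], symbols[-2]
    if checksum != code128_checksum(start, values):
        raise ValueError("checksum mismatch (misread or damaged label)")
    if start == START_C:
        return "".join(f"{v:02d}" for v in values)
    if start == START_B:
        return "".join(chr(v + 32) for v in values)
    raise ValueError("unsupported start code")


if __name__ == "__main__":
    account = "9768000011"           # constructed account number, not a real one
    symbols = encode_code128(account)
    print(symbols)                   # [105, 97, 68, 0, 0, 11, 84, 106]
    print(decode_code128(symbols))   # the kiosk would now look up 9768000011
```

The symbol values are what the bar/space patterns encode; a renderer only maps each value to its fixed pattern. A single altered digit fails the checksum, which is why the checksum exists, but a symbol built correctly from someone else’s account number is indistinguishable from the one the bank printed.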

 

Account number used as barcode data

After investigating the above banks and their automatic printing machines, I realized the serious security risk they pose.

 

A person’s account number is effectively public: to receive money we give out our account number, and it is safe to do so. But as we have seen above, these automatic passbook printing machines use the account number itself as the barcode data. That means anyone who has a customer’s account number can generate a barcode from it, paste it in their own passbook and get that customer’s complete transaction history, including withdrawals, deposits and the current balance, with dates and times.

 

I was not fully sure that my theory was correct, so I decided to test it in practice.

Case 1

With my father’s consent, I took his bank account number and generated a barcode online with the account number itself as the barcode data. I removed the barcode sticker the bank had provided, pasted my generated barcode in its place and inserted the passbook into the machine. My theory was confirmed: I was able to get the entire transaction history of my father’s account printed in his passbook.

 

Case 2

Once again, with my father’s consent, I took his bank account number and generated a barcode online with the account number itself as the barcode data. This time I pasted the barcode in my own passbook, not his, and inserted it into the machine. Once again my theory was confirmed: I was able to get the entire transaction history of my father’s account printed in my passbook.

 

This is a serious security flaw: bank balance, transaction history and the like are meant to be private, and if this information can be accessed by someone else it can be very dangerous.

 

Is State Bank of India’s approach good enough?

 

No. Even though they have added a level of indirection by making the barcode data different from the actual account number, the sticker data is still the only thing the machine checks. With a little social engineering anyone can obtain a customer’s barcode data, since today any smartphone can scan and read a barcode.

 

Banks should add another level of authentication alongside the barcode, such as a PIN or biometrics, so that no one can fake another customer’s barcode and get their transaction history.
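To make the comparison concrete, here is an added example (my own model, not any bank’s software) of the three designs discussed on this page: the account number as barcode data (UCO Bank and Canara Bank), a random sticker token looked up in a database (State Bank of India), and a token combined with a customer PIN as recommended above. The account number, transaction history, sticker tokens and the PIN check are all constructed for the example. It replays Cases 1 and 2 against each design and also the smartphone-scan scenario from the previous section.

```python
"""Model of the passbook-printer designs discussed in this post.

Added example, not any bank's code.  The account number, transaction
history, sticker tokens and PIN handling are all constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class PassbookPrinter:
    """A kiosk that turns a scanned barcode payload into a ledger printout.

    mode="direct":   payload is the account number itself (UCO / Canara).
    mode="indirect": payload is a random sticker token that branch staff
                     bound to an account in the database (SBI).
    mode="pin":      indirect token plus a customer PIN; the PIN check is
                     this example's own design, not something any bank on
                     this page deploys.
    """

    def __init__(self, mode: str) -> None:
        self.mode = mode
        self.ledger: dict[str, list[str]] = {}       # account -> transactions
        self.token_to_account: dict[str, str] = {}   # sticker token -> account
        self.pin_hash: dict[str, bytes] = {}         # account -> hashed PIN

    @staticmethod
    def _hash_pin(account: str, pin: str) -> bytes:
        # Placeholder for a real PIN-verification path (HSM-backed, with
        # retry limits).  Mixing in the account number keeps equal PINs
        # from producing equal hashes.
        return hashlib.sha256(f"{account}:{pin}".encode()).digest()

    def open_account(self, account: str, history: list[str],
                     pin: Optional[str] = None) -> str:
        """Register an account; return the barcode payload printed on its passbook."""
        self.ledger[account] = list(history)
        if self.mode == "direct":
            return account                     # the sticker *is* the account number
        token = secrets.token_hex(8)           # opaque sticker data
        self.token_to_account[token] = account
        if self.mode == "pin":
            if pin is None:
                raise ValueError("pin mode needs a PIN at enrolment")
            self.pin_hash[account] = self._hash_pin(account, pin)
        return token

    def print_passbook(self, payload: str,
                       pin: Optional[str] = None) -> Optional[list[str]]:
        """Return what the kiosk would print for this barcode, or None if it refuses."""
        if self.mode == "direct":
            account = payload if payload in self.ledger else None
        else:
            account = self.token_to_account.get(payload)
        if account is None:
            return None
        if self.mode == "pin":
            if pin is None or not hmac.compare_digest(
                    self._hash_pin(account, pin), self.pin_hash[account]):
                return None
        return list(self.ledger[account])


def replay_experiments() -> dict[str, bool]:
    """Replay the post's Case 1/2 attack and the copied-sticker attack on each design.

    Each entry is True when the victim's history leaks to the attacker.
    """
    victim = "9768000011"                                     # constructed
    history = ["2015-01-05 DEP 5000", "2015-01-09 WDL 1200"]  # constructed
    out: dict[str, bool] = {}

    direct = PassbookPrinter("direct")
    direct.open_account(victim, history)
    # Cases 1 and 2: the attacker knows only the account number and prints
    # a fresh barcode from it, in his own passbook or the victim's.
    out["direct_forged_from_account_number"] = direct.print_passbook(victim) == history

    indirect = PassbookPrinter("indirect")
    sticker = indirect.open_account(victim, history)
    out["indirect_forged_from_account_number"] = indirect.print_passbook(victim) == history
    # A phone camera reads the sticker off the victim's passbook; the copied
    # token is a bearer credential and works pasted into any passbook.
    out["indirect_copied_sticker"] = indirect.print_passbook(sticker) == history

    hardened = PassbookPrinter("pin")
    sticker = hardened.open_account(victim, history, pin="4321")
    out["pin_copied_sticker_no_pin"] = hardened.print_passbook(sticker) == history
    out["pin_copied_sticker_wrong_pin"] = hardened.print_passbook(sticker, "0000") == history
    out["pin_owner_with_pin"] = hardened.print_passbook(sticker, "4321") == history
    return out


if __name__ == "__main__":
    for name, leaked in replay_experiments().items():
        print(f"{name:40s} {'LEAKED' if leaked else 'refused'}")
```

The indirect design only moves the problem: the forged-from-account-number attack fails, but the token printed on the passbook is itself the whole credential, so photographing it is as good as knowing it. Only the design that asks for something the attacker does not have (the PIN, verified in constant time here) refuses both the forged and the copied barcode while still serving the real customer.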

I went to various bank branches and told them about the issue, but I was told that they only know how to operate the machine and issue barcodes. So I emailed the IT teams of the respective banks that have implemented these machines, but it has been more than a week and I have not received any reply from them.

Email sent to IT team of different banks

 

I made this public so that people become aware of it, and so that the banks that have not yet implemented such machines but are planning to do so refrain from making the same mistake and secure their customers.