PrivatBank’s security lapse

Customers might want to consider the risks if they choose to stash their cash with PrivatBank.

The ease with which two programmers were able to hack into the bank’s online system this month and collect sensitive information highlights security failures that put at least some of its 13 million clients at risk of fraud and theft.

Dmytro Dubilet, chief technology officer for PrivatBank, downplayed the security breaches, saying that the bank experiences breaches in its banking system daily, and that it has “several clients who say they have been hacked.”

“Of course this is not good that someone got information about our clients,” he said. “But this doesn’t allow someone to steal their money. This is not something extraordinary. This is life.”

PrivatBank is the largest bank in Ukraine with assets of $21.6 billion, equivalent to 12 percent of Ukraine’s gross domestic product, according to investment bank Dragon Capital. The bank’s website says it currently serves 420,000 business clients and more than 13 million individual accounts.

PrivatBank press officer Oleg Serga told the Kyiv Post that the company has some 500 skilled security technology employees working around the clock to strengthen its anti-fraud security system, which monitors transactions.

“PrivatBank has one of the most powerful systems for monitoring operations that identifies suspicious transactions at the time of their occurrence and blocks fraudulent transactions,” he said.

But the Sept. 3 hacking of its Privat24 mobile banking application by 25-year-old programmer Aleksey Mokhov proves otherwise. Mokhov discovered a flaw that would allow anyone with access to the application and some technical know-how to withdraw and transfer funds from one PrivatBank account to another of any kind, anywhere in the world.

As if that wasn’t enough proof, an Indonesian self-professed “ethical hacker” named Zul Amri, who tests companies’ security systems for vulnerabilities, gave the Kyiv Post this week instructions on how to enter the bank’s system and turned over documents proving he could also enter it through its mobile banking application.

By accessing PrivatBank’s support system through a security loophole, Amri was able to access account holders’ phone and card numbers. Using those, he began the registration process to open a Privat24 account online. To do so requires the last four digits of a card as well as a phone number.

The next step requires the user to enter a password sent to their mobile phone. To get past this, Amri used a Firefox add-on called Tamper Data, which can be downloaded for free online and lets a user edit a web request before it reaches the server, to make the system accept his Indonesian +62 phone number.

With the password sent via SMS to his mobile phone, he was able to access the personal banking account of one woman. Amri was able to do all this after acquiring sensitive documents containing information from PrivatBank’s employee database, its email system and its user system, obtained over the bank’s Hypertext Transfer Protocol Secure (HTTPS) connections, the encrypted channel used to send and receive sensitive information.
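The registration flaw described above, modelled as a server-side check: the vulnerable version delivers the one-time code to whatever phone number the request carries, while the corrected version only ever addresses the SMS to the number the bank already holds and logs any mismatch. This is an added example, not PrivatBank’s or Privat24’s code; the account store, request fields and function names are assumptions for illustration.

```python
import secrets

# Constructed sample record (not real PrivatBank data): the card tail a customer
# types at registration and the phone number the bank already holds for them.
ACCOUNTS_BY_CARD_TAIL = {
    "5167": {"owner": "customer-A", "phone_on_file": "+380501112233"},
}

def issue_otp() -> str:
    """Six-digit one-time code from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"

def register_vulnerable(request: dict, send_sms):
    """Flawed model: the OTP goes to whatever phone number the request carries.

    Because the phone field is never checked against the bank's own record,
    a request edited in transit redirects the code to the editor's own phone.
    """
    acct = ACCOUNTS_BY_CARD_TAIL.get(request["card_last4"])
    if acct is None:
        return None
    otp = issue_otp()
    send_sms(request["phone"], otp)          # client-controlled destination
    return {"owner": acct["owner"], "sent_to": request["phone"], "otp": otp}

def register_hardened(request: dict, send_sms, audit: list):
    """Corrected model: the submitted phone is only a claim to be verified.

    The account is located by card tail, the claimed phone must equal the
    number on file, and the SMS is addressed from the record, never from the
    request. A mismatch is recorded so repeated probing shows up in monitoring.
    """
    acct = ACCOUNTS_BY_CARD_TAIL.get(request["card_last4"])
    if acct is None or request["phone"] != acct["phone_on_file"]:
        audit.append({"event": "otp_phone_mismatch",
                      "card_last4": request["card_last4"],
                      "claimed_phone": request["phone"]})
        return None
    otp = issue_otp()
    send_sms(acct["phone_on_file"], otp)     # destination bound to the record
    return {"owner": acct["owner"], "sent_to": acct["phone_on_file"], "otp": otp}

if __name__ == "__main__":
    outbox = []
    # Constructed request with the phone field rewritten to a +62 number.
    tampered = {"card_last4": "5167", "phone": "+62812000000"}
    print(register_vulnerable(tampered, lambda p, c: outbox.append(p)))
    print(register_hardened(tampered, lambda p, c: outbox.append(p), audit=[]))
```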

Another bank document shows Western Union transactions that were sent through the bank, including their time, date, pay operator IDs, control numbers and amounts, as well as payer and payee names, addresses and phone numbers – showing that even non-PrivatBank accountholders may be at risk. Several attempts by the Kyiv Post to contact Western Union for comment were unsuccessful.

Dubilet said that PrivatBank’s security team and hackers from all over the world discover breaches in PrivatBank’s system on an almost daily basis. “Hackers know that we pay a lot of money for this type of information,” he said.

PrivatBank has set up a direct channel to its security team through which hackers can communicate information regarding system breaches, Dubilet said. Often, the bank rewards these hackers with up to Hr 10,000 and then works to fix the problem.

In the Mokhov case, the bank considered pressing criminal charges because he didn’t go through this channel, Dubilet explained.

Yegor Anchishkin, an entrepreneur and founder of Viewdle and Zakaz.ua, said people hack security systems to create money or steal money, or to steal identities. PrivatBank’s Dubilet acknowledged that holes in the bank’s online security allow outsiders to access personal data.

Kyiv Post editor Christopher J. Miller can be reached at [email protected].