Western Union dismisses threat of data security breach at PrivatBank

A regional head of the U.S.-based financial services and communications company Western Union said he is not worried about recent security breaches at Ukraine’s largest bank, which allowed a hacker to obtain sensitive data of Western Union customers, potentially putting them at risk for fraud.

Ulugbek Umarov, Western Union country director for the CIS, Georgia and Israel, told the Kyiv Post that he believes PrivatBank’s banking system is secure and that “as a global money transfer company, we pay attention to customer security, and we do our best to protect our customers and to not let any third parties obtain information in such a way.”

But Western Union transactions sent through PrivatBank’s system that did include sensitive data, such as payer and payee names and personal identification numbers, their addresses and phone numbers, ended up in the hands of an Indonesian self-professed “ethical hacker” who was testing the system for security flaws in hopes of obtaining contract work with the bank.

Zul Amri became interested in PrivatBank in September after reading about 25-year-old Ukrainian programmer Aleksey Mokhov, who hacked into PrivatBank’s Privat24 mobile banking application on Sept. 3. While testing the Privat24 application to work with his online taxi service, Mokhov discovered a flaw that would allow anyone with access to the application and some technical know-how to withdraw and transfer funds from one PrivatBank account to another of any kind, anywhere in the world.

Oleg Serga, press officer for PrivatBank, told the Kyiv Post in September that the company has some 500 skilled security technologies employees who work around the clock to strengthen the bank’s anti-fraud security system that monitors transactions.

“PrivatBank has one of the most powerful systems for monitoring operations that identifies suspicious transactions at the time of their occurrence and blocks fraudulent transactions,” he said.

Amri himself was able to hack into the bank’s system through the Privat24 application weeks after Mokhov had, and after PrivatBank said it had fixed numerous vulnerabilities within its banking system. In late September, Amri turned over to the Kyiv Post documents that proved his ability to gain access to customer and bank administrator accounts. The documents included the sensitive data of numerous Western Union transactions.

Sabine Fischer, Western Union corporate communications manager for Europe and CIS, verified the Western Union transactions data processed through PrivatBank and obtained by Amri. She said that they occurred in 2011, and that “the data obtained in this attack did not enable the intruder to gain access to actual customer funds.”

“At no time during the incident Western Union internet money transfers or other electronic channels were affected,” she added.

The Privat24 app, through which these hackers were able to access PrivatBank’s system, allows customers to transfer money from card to card, pay for utility and mobile phone bills, and even transfer money around the world using Visa, Mastercard, LiqPay, PrivatMoney and Western Union services.

Shown the document obtained by Amri, Umarov and Denis Saganenko, a senior network development manager for Western Union in Ukraine, Israel and Armenia, admitted on Nov. 4 that the information included would be enough to potentially put the company’s customers at risk of fraud.

However, Western Union takes action in such situations only if a formal complaint outlining an instance of fraud is lodged with the bank or authorities, Umarov said. Otherwise, “something like this, it is not a problem,” he added.

“Until the written document notice is sent to at least our agent… we are unable to proceed,” Umarov said. “Someone needs to knock on our door and say, ‘Guys…’”

Umarov and Saganenko said they met with PrivatBank officials at the bank’s headquarters on Nov. 7 to discuss the issue. PrivatBank could not be reached for comment following the meeting.

“In any such cases there will be careful investigations,” Saganenko said. “The fact that some information that was confidential was disclosed, it should be investigated.”

PrivatBank, the largest bank in Ukraine with assets of $21.6 billion, or about 12 percent of Ukraine’s gross domestic product, according to investment bank Dragon Capital, serves 420,000 business clients and more than 13 million individual accounts.

PrivatBank is a direct agent of Western Union Financial Services Inc. Western Union entered into an agreement with PrivatBank in February of this year to provide customers with the option of using the money transfer services via their smartphones through the Privat24 application.

Dmytro Dubilet, chief technology officer for PrivatBank, downplayed the security breaches when he spoke to the Kyiv Post in September, saying that the bank experiences breaches in its banking system daily, and that it has “several clients who say they have been hacked.”

Kyiv Post editor Christopher J. Miller can be reached on Twitter at @ChristopherJM.