PrivatBank threatens hacker for finding security flaw in payment system

When Twitter user @vertuozzo informed PrivatBank that its mobile application's security was a gift for hackers, he did so hoping the company would correct the error. He also expected its management might thank him for alerting it to the security hole in Privat24, the bank's popular payment application.

After all, the vulnerability in the mobile application for Android users meant the personal data and funds of more than 600,000 PrivatBank customers who had downloaded the application were at great risk.

Instead, "vertuozzo," better known as Alexey Mokhov, was accused by the bank of hacking its system and attempting to steal money from personal banking accounts – at least initially.

PrivatBank's Privat24 app allows customers to transfer money securely from card to card, pay utility bills and mobile phone bills, and even transfer money around the world using Visa, Mastercard, LiqPay, Western Union and PrivatMoney services.

PrivatBank, the largest bank in Ukraine with assets of $21.6 billion, equivalent to 12 percent of Ukrainian GDP, according to investment bank Dragon Capital, has more than 20 applications used by more than 1 million customers. It is unclear if similar vulnerabilities exist in the other applications, but PrivatBank press officer Oleg Serga told the Kyiv Post that all applications are secure and that, prior to Mokhov hacking into the Privat24 application, there had been no complaints from customers of fraud via the company's mobile applications.

But Mokhov said that three days after his discovery, the flaw was still there. He also questioned the professionalism of the bank's online security and programming teams.

Mokhov, a former Samsung Electronics employee and developer at Viewdle, a Kyiv-based imaging and gesture recognition company bought in October 2012 by Google's Motorola Mobility, was testing the Privat24 app for use with his latest project, Taxi.tm, an online taxi ordering service of which he is the chief technology officer and co-founder. That is when he discovered a loophole that allowed him to move money from the account of one stranger to another.

In addition, he discovered that he had the ability to access confidential personal data, including balance sheets and account, loan and deposit information, he told the Kyiv Post. Most strikingly, he discovered that it was extremely easy.

After making the discoveries, Mokhov tested the vulnerability. He transferred Hr 400 ($50) from the bank account of one stranger to another, and then back. He then let the bank know what he had done via Twitter on Sept. 3.

A friendly exchange between the two ensued, eventually leading to an invitation for Mokhov to showcase his findings in person at the PrivatBank office in Kyiv on Sept. 5. There, in front of a group of almost a dozen high-ranking executives, he hacked the account of Alexander Dubilet, chairman of the board of PrivatBank.

According to Mokhov, the bank's management was shocked. "Everyone thought Dubilet's account could not be hacked," he said.

But company officials were not necessarily pleased. Following the demonstration, they threatened to go to the police with evidence of fraud and attempts to steal the funds of several PrivatBank customers.

"The situation was due to the fact that his actions were automatically blocked by our security system, and in this case, the bank is obliged to investigate," Serga said. "Upon investigating, we have no claims against Mokhov. But it is a pity that he did not apply directly to us."

In the end, Serga said PrivatBank had no hard feelings toward the programmer and even offered him a "high-paying job" on Sept. 12.

In addition, he said, "if Mokhov discovers vulnerabilities in services in the future and reports them officially through the website of (PrivatBank)… we will with pleasure pay him a bonus in the amount of Hr 10,000."

Mokhov said that he had politely declined the offers. His focus now will be on developing his online taxi-ordering service. But if that should not work out, he's confident his new infamy will help him land a good programming gig.

"As my friends rightly pointed out, now my resume can be compressed to one sentence – type into Google/Yandex search 'Mokhov Privat24,'" Mokhov tweeted on Sept. 6.

Kyiv Post editor Christopher J. Miller can be reached at [email protected].