If you use the services of one of the banks that pays attention to its IT component, you have probably talked with a bot that helps resolve one issue or another. According to experts, these chat bots contain vulnerabilities that allow an attacker to steal money from a client of a credit institution.
Aleksandr Gerasimov, an information security specialist from Awillix, told Izvestia about the potential attack vector. Gerasimov's conclusions rely on the results of penetration tests (pentests), which showed that the bots of two different banks have similar vulnerabilities in their logic. In particular, the chat bots disclose confidential information about a client of the credit institution. An attacker who exploits these flaws can obtain the bank card details (number and expiration date), the account balance and the user's phone number.
As Gerasimov noted, these vulnerabilities not only create an excellent opportunity for preparing social engineering attacks, but also allow an attacker to get into the client's personal account and bypass the money transfer confirmation mechanism.
“During our penetration tests, the attackers were able to penetrate the test client's account and transfer money,” explains the Awillix specialist.