HDFC Bank website has a major flaw. They don't give a shit.

  • Thread starter: Sushubh
  • Replies: 13
  • Views: 14,135
http://www.readability.com/articles/oeckizoy
While speaking to “The Hacker News”, Mr. Jiten disclosed that he had shared the above vulnerability report with HDFC Bank in February itself, to provide them ample time to fix the above vulnerability. The report about lacking security on the HDFC online banking website is another blow to HDFC Bank, which is already facing flak for its shady deals and is currently under a Black Money investigation by the Indian Government.
 
Frankly speaking, I love the simplicity of the interface beyond login.
Good things are the 4 secret answers required to complete a transaction, etc.
But
The login page showing you your selected image and text is not an intelligent authentication method, for sure.
It's good that someone came forward and showed them what they need to work upon.

Also, any expert programmer can set up a fake website which can pull the shown image and then steal the innocent user's password,
but I hope they would come up with something more solid for their net banking.
I think if a user is supposed to remember 4 pass-phrases to complete a financial transaction, it would not be a surprise or technologically a bad idea
to remember one for your login too.
e.g.:
Enter customer ID
When input valid ---> Enter login page pass-phrase
When both match --> Input access-only password and enjoy your netbanking
Similarly, a very simple firewall can block a user IP upon 3 or 5 wrong inputs. This is one basic firewall I've lived with in the past;
it used to block users on my server for wrong email ID login attempts, wrong FTP access info, wrong cPanel access.
A simple ticket or a phone call always unblocked them within a minute or two, so why can't Indian banks have this feature?
Even Facebook sends you an email when you or a hacker tries multiple login attempts with the wrong password, so why can't Indian banks get on the front foot of security?
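The two points in this post, the login page acting as a lookup oracle for the security image and the lack of a block after a few wrong inputs, as an added Python example (not code from the thread or from HDFC): a vulnerable lookup beside a hardened one that reveals the image only to a browser carrying a device token issued after a previous full login, plus a counter that locks the ID after 5 wrong inputs and queues a customer alert. The customer ID, image name, message and server key are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not real bank records):
# customer ID -> (security image, personal message) shown on the login page.
PERSONALIZATION = {"12345678": ("lighthouse.png", "my blue bicycle")}
MAX_FAILED_ATTEMPTS = 5                 # the post suggests blocking after 3 or 5 wrong inputs
SERVER_KEY = b"constructed-demo-key"    # hypothetical; a real deployment uses a managed secret
GENERIC = ("generic.png", "Please continue")

def vulnerable_lookup(customer_id):
    """The flaw discussed in the thread: image and message are returned to
    anyone who submits a customer ID, so they can be harvested and the
    response also reveals which IDs exist."""
    return PERSONALIZATION.get(customer_id)

def issue_device_token(customer_id):
    """Token set in the browser (e.g. a cookie) only after a fully
    authenticated session; later the image is shown only to that browser."""
    return hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()

@dataclass
class LoginGate:
    failed: dict = field(default_factory=dict)   # customer_id -> wrong-input count
    alerts: list = field(default_factory=list)   # events for an email/SMS notifier

    def is_blocked(self, customer_id):
        return self.failed.get(customer_id, 0) >= MAX_FAILED_ATTEMPTS

    def personalization_for(self, customer_id, device_token):
        """Hardened lookup: the real image/message is revealed only with a
        valid device token. Unknown IDs and untrusted browsers get the same
        generic prompt, so the page no longer acts as a lookup oracle."""
        if self.is_blocked(customer_id):
            return ("blocked.png", "Account temporarily locked; contact phone banking")
        expected = issue_device_token(customer_id)
        if device_token and hmac.compare_digest(device_token, expected):
            return PERSONALIZATION.get(customer_id, GENERIC)
        return GENERIC

    def record_failure(self, customer_id):
        """Count a wrong input; at the threshold, block further attempts and
        queue a customer alert (the post's Facebook-style notification)."""
        self.failed[customer_id] = self.failed.get(customer_id, 0) + 1
        if self.failed[customer_id] == MAX_FAILED_ATTEMPTS:
            self.alerts.append(f"{customer_id}: locked after {MAX_FAILED_ATTEMPTS} failed attempts")
        return self.is_blocked(customer_id)
```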
 
Sending an online payment through ICICI requires me to do this:
1. Login with user ID and password.
2. Add the user and confirm it by a code sent to me by SMS.
3. Make a payment, which requires me to enter three different codes: transaction password, code sent through SMS and codes from blocks on the back of the debit card.
It gets annoying really, but I guess it works.
 
Yes, I agree ICICI is also good for fund transfer options.
Even HDFC has this: they want you to place a request for adding a beneficiary, and after notification to you on SMS and email the
beneficiary would be enabled after 12 hours only; this gives you enough time to report unauthorized usage to phone banking.
However, the issue Mr. Jiten posted in the above article is that HDFC has a flaw in the main login page; he's not talking about the inside options.
His primary concern was: why the heck do they show the customer a process which in actual fact is not a security enhancement? It's just retrieving information from the
DB after the input of the customer ID.
His concern was that if someone wants to put up a phishing site, he can easily collect all actual user images and users' messages from the official hdfcbank website, which is
wrong, and the phishing site would look more realistic.
Secondly, the bank servers are not blocking such notorious attempts, which certainly looks like they just leave you to your luck rather than security...
 
I would personally hate a bank if it requires me to wait for 12 hours before I can add a new payee to send him money.
 
Why shouldn't an OTP be just enough?
I used to highly recommend Standard Chartered a couple of years ago as they had implemented OTP even before it was mandatory, and I felt really safe with the concept of one-time passwords. Recently they have introduced a transaction password and have lost a customer.
 


v1rus said:
Why shouldn't an OTP be just enough?
OTP is a good option but HDFC doesn't use it; they make you wait instead. However, adding a beneficiary needs you to wait 12 hours.
 
chromaniac said:
I would personally hate a bank if it requires me to wait for 12 hours before I can add a new payee to send him money.

I have my company's account with HDFC. Not only do they make you wait for 12 hours before activating a new payee; once a new payee has been activated after the 12-hour wait, there are other limits imposed on the quantum of funds that can be transferred to new beneficiaries.
Following is what appears in my account after login:

  • Beneficiary activation takes 12 hours. Post activation of a beneficiary, you can transfer a maximum of Rs. 50,000/- to each beneficiary for the first 2 days.
  • The maximum number of beneficiaries which can be added in 24 hrs is 3.

It is very difficult to run a business when payments are to be made to outstation suppliers quickly. It is also not convenient to run to the bank and then wait in line to get a fund transfer done.
Next month, I'll open an account with another bank and get rid of this HDFC account. I have had enough of this BS.
 
ghpk said:
OTP is a good option but HDFC doesn't use it; they make you wait instead. However, adding a beneficiary needs you to wait 12 hours.
...and then let you send only Rs. 50,000 for the first two days. Quite annoying, I'd say.
 
I am surprised that no one has brought this up until now. HDFC has the weakest authentication system of all the netbanking websites I have used, but is the least troublesome. I normally use HDFC NB for railway and fast payments.
 
I love the way the SBI netbanking works. Major transactions require OTP and transaction password. Whenever anyone enters a correct or incorrect transaction password, an SMS informing the transaction reference no. is sent. Awesome for a PSU bank.
 
I've used Axis, ICICI, UBI, SBI, HDFC for netbanking.
ICICI bags the #1 position. UBI asks for a Rs. 150/- one-time charge to enable 2-factor authentication.
 
