(Update: corrected a few things. You can’t see the person’s bank account number. But you can see anyone’s phone bill, whether or not they’re a customer of that bank.)
Here’s a hole in Internet banking that allows anyone with an account at a bank to look up other people’s bills (tax, water, Internet, landline, cellphone) so long as they have that person’s account or phone number.
This means, for example, that I can enter a telephone number and, so long as that person has an unpaid bill at that bank, find out their name. Think of it as a reverse phone book.
It needn’t stop there. If I were the social engineering type, I could then call up the phone company, give them enough information (the name, phone number and bill amount) to sound like the customer, and persuade them to send me the itemised bill.
The same is true, I’m told, of all bills that can be paid at that bank.
In short, this kind of access gives me enough personal information to socially engineer all sorts of attacks. The mind boggles.
The bank is a well-known Indonesian one, which makes this sort of attack particularly dangerous, but it’s probably not alone in failing to check that the person looking up a bill is actually entitled to see it. I’ve not had the chance to explore it; most banks, I believe, would require not a phone number but a bill reference number to access this kind of information.
The problem here is that the people who set up the service didn’t imagine that someone might enter a telephone number or bill number that wasn’t their own: the lookup checks that the bill exists, not that it belongs to the person asking. Techies need to think like thieves and real people when they set these things up.
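The flaw described above, as an added example that is not the bank’s code: a bill-lookup handler that returns the holder’s name for any phone number, beside a hardened version that only reveals details to the customer who registered that number, or shows a masked name to someone who can supply the bill reference. All bills, customers and reference numbers are constructed sample data.

```python
# Added example (not the bank's code). Models the bill-payment lookup described
# on the page: the vulnerable handler trusts the phone number alone; the hardened
# one requires the requester to own the number or to know the bill reference.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bill:
    biller: str       # e.g. "phone"
    account_no: str   # the phone number printed on the bill (constructed)
    reference: str    # bill reference, known only to the bill's recipient
    holder_name: str
    amount: int       # constructed amounts, in rupiah


# Constructed sample: unpaid bills the biller has lodged with the bank.
BILLS = [
    Bill("phone", "0812000001", "REF-7Q2M9X", "Ani Susanti", 150000),
    Bill("phone", "0812000002", "REF-K4L8ZD", "Budi Hartono", 320000),
]
# Biller account numbers each bank customer has registered as their own.
REGISTERED = {"cust-100": {("phone", "0812000001")}}


class Forbidden(Exception):
    pass


def lookup_vulnerable(customer_id: str, biller: str, account_no: str) -> dict:
    """The page's flaw: any logged-in customer can query any phone number."""
    for b in BILLS:
        if b.biller == biller and b.account_no == account_no:
            return {"name": b.holder_name, "amount": b.amount}
    raise KeyError("no unpaid bill")


def mask_name(name: str) -> str:
    """'Ani Susanti' -> 'A** S******': enough to confirm, not to identify."""
    return " ".join(w[0] + "*" * (len(w) - 1) for w in name.split())


def lookup_hardened(customer_id: str, biller: str, account_no: str,
                    reference: Optional[str] = None) -> dict:
    """Reveal details only to the owner, or a masked name to a reference holder.
    An unknown number and a wrong reference both raise Forbidden, so the call
    cannot be used to confirm that a number has an unpaid bill at all."""
    for b in BILLS:
        if b.biller != biller or b.account_no != account_no:
            continue
        if (biller, account_no) in REGISTERED.get(customer_id, set()):
            return {"name": b.holder_name, "amount": b.amount}
        if reference is not None and hmac.compare_digest(reference, b.reference):
            return {"name": mask_name(b.holder_name), "amount": b.amount}
    raise Forbidden("not authorised")
```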
Us ordinary folk? We need to stay on our toes and yell at banks that compromise our personal data in this way. I believe the bank in question knows of this breach but as of the time of writing, it’s not yet fixed.