updated on November 18, 2010

Here is a description of the vulnerability in an on-line banking system that I recently detected.
The on-line banking system of Polbank EFG, the Polish branch of Eurobank EFG, which is one of the largest banking groups in Greece, listed on the Athens Stock Exchange (EUROB), is vulnerable to a man-in-the-middle attack in the window before the one-time authorization code is entered by the end-user.
In Polbank EFG all on-line money transfer transactions are secured by a 6-digit code sent via SMS to the registered mobile phone of the bank account holder. The one-time password method (sent via SMS or generated by hardware tokens) is commonly used across on-line banking systems as an easy-to-use and reliable security provision.
Vulnerability description.
In Polbank EFG, after the transaction details have been entered by the account holder into the banking system, the account holder requests an authorization code to be sent to his/her mobile phone. As soon as the SMS is received, the account holder has a time slot of up to 2 minutes to enter the code (received on his/her mobile) into the browser to confirm the transaction and obtain authorization.
In the case of Polbank EFG, before the 6-digit code is entered, the transaction details can still be altered, including the Amount and Account Number fields.
In the possible man-in-the-middle attack, the attacker can alter the entered values, replacing the existing account number with one belonging to the attacker(s). Even though the transaction details have been changed, the previously generated 6-digit authorization code entered by the end-user into the browser confirms the altered transaction, because the code is tied only to the session and not to the specific amount and destination account it was issued for.
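The root cause described above is that the SMS code is not bound to the transaction it was issued for. The following is an added illustration, not Polbank EFG's code and not derived from any bank's implementation: a minimal server-side model with a weak issuer (code checked in isolation) beside a hardened one that stores a digest of the amount and destination account at issuance and rejects the confirmation if those fields differ when the code is submitted. Session handling, the in-memory code store and the account numbers are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration of OTP-to-transaction binding; the session model,
# the in-memory stores and the account numbers below are assumptions.

CODE_TTL_SECONDS = 120  # the 2-minute window described in the post


def canonical_transaction(amount: str, account_number: str) -> str:
    """Canonical string of the fields an authorization code must cover."""
    return f"amount={amount}|account={account_number}"


def transaction_digest(amount: str, account_number: str) -> str:
    return hashlib.sha256(canonical_transaction(amount, account_number).encode()).hexdigest()


class WeakOtpServer:
    """Issues a code bound only to the session, not to the transaction details."""

    def __init__(self):
        self.codes = {}  # session_id -> (code, issued_at)

    def request_code(self, session_id, amount, account_number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[session_id] = (code, time.time())
        return code  # would be delivered by SMS

    def confirm(self, session_id, amount, account_number, entered_code):
        code, issued_at = self.codes.get(session_id, (None, 0.0))
        if code is None or time.time() - issued_at > CODE_TTL_SECONDS:
            return False
        # Only the code is checked; whatever amount/account arrive with the
        # confirmation are accepted as-is. This is the flaw the post describes.
        return hmac.compare_digest(code, entered_code)


class BoundOtpServer:
    """Binds the code to a digest of the transaction details at issuance."""

    def __init__(self):
        self.codes = {}  # session_id -> (code, issued_at, tx_digest)

    def request_code(self, session_id, amount, account_number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[session_id] = (code, time.time(), transaction_digest(amount, account_number))
        return code

    def confirm(self, session_id, amount, account_number, entered_code):
        entry = self.codes.pop(session_id, None)  # single use: one attempt per code
        if entry is None:
            return False
        code, issued_at, issued_digest = entry
        if time.time() - issued_at > CODE_TTL_SECONDS:
            return False
        # The details submitted with the code must match the ones it was issued for.
        if not hmac.compare_digest(issued_digest, transaction_digest(amount, account_number)):
            return False
        return hmac.compare_digest(code, entered_code)


def demo(server_cls, altered: bool):
    """Request a code for one transfer, then confirm with the same or altered details."""
    srv = server_cls()
    code = srv.request_code("sess-1", "100.00", "PL00-ORIGINAL")
    destination = "PL00-ALTERED" if altered else "PL00-ORIGINAL"
    return srv.confirm("sess-1", "100.00", destination, code)


if __name__ == "__main__":
    print("weak server, details altered after issuance:", demo(WeakOtpServer, altered=True))
    print("bound server, details altered after issuance:", demo(BoundOtpServer, altered=True))
    print("bound server, details unchanged:", demo(BoundOtpServer, altered=False))
```

The digest check on the server is the half a bank can enforce on its own; the other half is putting the amount and destination account into the SMS text itself, so that the account holder can compare what the phone shows with what the browser shows before typing the code in.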
Updated November 18, 2010:
28 days after the problem was reported directly to EFG Bank, no action has been taken. The problem with SMS confirmation still exists.