Friday, 22 October 2010

Security Vulnerability @ Polbank EFG

updated on November 18, 2010
Here is the description of the vulnerability of the on-line banking system I've recently detected. 

On-line banking system of Polbank EFG, the Polish branch of the Eurobank EFG, which is one of the largest banking groups in Greece, listed on the Athens Stock Exchange (EUROB), is vulnerable to the man-in-the-middle attack before one-time authorization code is to be entered by the end-user.

Severity Medium
In Polbank EFG all on-line money transfer transactions are secured by 6 digit code send via SMS to the registered mobile phone of the bank account holder. One-time password method (send via SMS or generated by hardware tokens) is commonly used across on-line banking systems as easy to use and reliable security provision.

Vulnerability description.
In Polbank EFG, after transaction details are being entered by the account holder into the banking system, account holder requests authorization code to be send to his/her mobile phone. As soon as SMS is obtained, account holder has up-to 2 minutes time slot to enter the (received on his/her mobile) code into the browser to confirm transaction and obtain authorization.

In case of Polbank EFG, before the 6-digit code is to be entered, the transaction details can be altered including Amount and Account Number fields.

In the possible man-in-the-middle attack, attacker can alter the entered values replacing existing values with bank account number belonging to the hacker(s). Regardless of the fact that the transaction details has been changed, previously generated 6-digit auth-code entered by the end-user into the browser confirms the altered transaction.

Updated November 18, 2010:
28 days after the problem has been reported directly to EFG Bank, no actions have been taken. The problem with SMS confirmation still exists.


  1. Have you reported it to EFG/Eurobank? I'm curious if other than PL on-line banking systems have the same problem.


  2. Yes I informed them and got an e-mail from quite a strange source ("PhoneBanking") but anyway it's their problem with circulating the information among the right people.

    -------- Original Message --------
    Subject: FW: Security Vulnerability ( Dr. Andrzej Bartosiewicz )
    Date: Tue, 26 Oct 2010 13:33:06 +0300
    From: Eurobank

    Dear Mr Bartosiewicz,

    Thank you for contacting Eurobank .

    We would like to inform you that your request has been forwarded to the responsible department of our bank, and we will contact you as soon as possible.

    We remain at your service for any further information.

    Best regards,

    Eurobank Customer Service

    EuroPhone Banking

    210 - 9555000