
SIM swap attack and comparison between security of various banking apps

src223

TF Select
A SIM swap attack is something out of nightmares, and I couldn't find details on how they work. So here I will be rating some banks' apps, considering the fact that an attacker has received a duplicate of my SIM and my original SIM is blocked.

Here is what the attackers might have access to.
1. SIM card and all SMS / calls coming to it (duplicate SIM)
2. PAN number (possible from bank or other app's database leak)
3. Bank account number
4. Customer ID of bank account (this may be difficult to find)
5. Debit card details (possible from bank or other app's data breach. No access to ATM PIN)
6. Date of birth (Pretty easy to find)

Here's what the attackers are NOT supposed to have
1. Internet banking password
2. mPIN of banking app
3. ATM / Debit card PIN
4. Access to email account
5. UPI PIN

Here are my ratings of bank apps on a fresh install.

I would personally not recommend keeping liquid cash in any bank rated lower than 3.0!

1. DBS: 4.0/5.0

App: Not only do you need the internet banking password, you also need an OTP from email. Previously they also used to restrict transactions for 24 hours; don't know about it now.
Internet banking: Forgot password option requires entering debit card PIN.

2. Axis Bank: 3.0/5.0

App: Only thing preventing login is mPIN. If that is secure, you should be good.
Internet banking: Forgot password requires OTP from email too.

3. Kotak bank: 3.0/5.0

App: Same as Axis bank
Internet banking: Required debit card PIN

4. RBL Bank: 1.5/5.0

App: I am really disappointed with this. If the attackers have Customer ID and PAN, they can easily login with duplicate SIM. To make matters worse, once logged in, the mPIN can easily be changed. Please keep your Customer ID in a safe place.
Internet banking: Didn't check because I was too disappointed by the app.

5. Federal Bank: 3.0/5.0

App: same as Axis Bank
Internet banking: Forgot password requires debit card PIN.


Feel free to chime in with your thoughts. I don't have access to some other popular banks like SBI and ICICI, so if someone can share information on them, it would be great.

Also feel free to share any tips to prevent these attacks. I heard attackers can simply swarm you with calls and once you pick up, all the money is gone; don't know how it works though.



Edit - adding some more banks:

6. Au bank: 1.0/5.0

App: Requires mPIN to login, which is fine, but...
Internet banking: Forgot password just needs account number and OTP from either SMS or mail. This is a major flaw, otherwise I would have rated it at an average 3.0. Rating it lower than RBL bank because account number is usually easier to find compared to customer ID. Very disappointed.

7. IDBI bank: 3.0/5.0

App: Requires mPIN to login
Internet banking: Forgot password needs debit card details and PIN.

8. HDFC bank: 3.0/5.0

App: Requires debit card PIN to login and setup. mPIN is not required, can be reset after login.
Internet banking: Initially it looks like only mobile OTP is required to change the password, but fortunately it asks for debit card details and PIN.
 
I like FI app.

1. They make you take a selfie video and use some sort of an algo to process it. Maybe it can be fooled, but I like the innovation.

2. They also need the debit card PIN.
 
11. ICICI Bank
App: mPin/Mobile Biometric
IB: Customer ID and Password, reset password requires OTP

12. Bank of Maharashtra
App: mPin for login, Tpin for Transaction.
IB: You need to install app in PC and then authenticate it using OTP and A/c details. Login using mPin and Login Password and transaction using transaction password.

13. Canara Bank
App: Mpin and Tpin respectively
IB: Customer ID and Password
 
> 12. Bank of Maharashtra
> App: mPin for login, Tpin for Transaction.
> IB: You need to install app in PC and then authenticate it using OTP and A/c details. Login using mPin and Login Password and transaction using transaction password.

So, for Bank of Maharashtra, I have no way to just use a web browser on a computer? If that's the case, then Linux people are screwed?
 
>SIM swap attack is something out of nightmares, and I couldn't find details on how they work.

SIM swap attacks happen when the attacker can get a replacement SIM for your phone number and use it to impersonate you. This is very easy in the US, and happens frequently there. It is quite difficult in India, because you need a valid ID to change your SIM, even if your SIM is damaged, and the new SIM is not active for a few hours after verification. Also, in India, when you change your SIM, you don't get SMS for 24 hours to avoid such attacks.
 
> So, for Bank of Maharashtra, I have no way to just use a web browser on a computer? If that's the case, then Linux people are screwed?

Linux people are screwed. For a while they supplied a binary for MahaSecure but it had old outdated libraries and was a big security vulnerability. Now their Windows MahaSecure kind of works with WINE but the whole thing is a giant piece of shit and looks a lot like security theater. I have a feeling one of the bank seniors may have had some vested interest in an IT / CyberSecurity company (https://www.uniken.com/) and so willingly adopted their shitty solution or got conned into adopting that solution. To me the whole thing just looks like HTTPS tunneled through some flavour of VPN and packaged as some high security solution.
 
> 1. They make you take a selfie video and use some sort of an algo to process it. Maybe it can be fooled, but I like the innovation.

What if their servers are hacked and the video gets into the wrong hands?

They can use your video for other eKYC verifications too... This is the only reason I didn't create an account in Snapay, as they too were requesting a video for eKYC where we had to shake our head and then blink 2-3 times.

The video can do wonders in the wrong hands.
 
ICICI 5/5
Can log in either with a user ID + password or a debit card. User ID can never be changed and password cannot be reset without user ID and mobile number.
Debit card login requires a code which is a grid so every login will be a different combination of code.
After login account is restricted to a 10,000rs transaction limit for 24 hrs.

HDFC 4/5
Requires customer ID or user ID and password.
Resetting requires a 6-digit OTP. Half of it comes to mobile and the other half on email.
There is a passphrase and image verification too on PC but their implementation is bad.

IDFC 1/5
Verifies mobile number with OTP.
Asks for customer ID or user ID and password.
Password can be easily recovered with the customer ID. Customer ID can be easily recovered from mobile OTP... 🤦‍♂️
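As an added illustration (not part of any post in this thread), the OP's list of what a SIM-swap attacker holds and the login/recovery flows reported above can be written as a small forward-chaining check: each step is a rule that turns factors the holder already has into a new capability, and a bank is exposed when the attacker's starting set reaches account access. The bank rules are transcribed from the OP (DBS, RBL, AU) and the IDFC reply above; the factor names and the model itself are this example's own labels.

```python
# Constructed from this thread: the OP's attacker factor set versus each
# bank's login/recovery steps as forward-chaining rules. Names are my own labels.
ATTACKER_HAS = frozenset({            # factors the OP assumes the attacker holds
    "sms_otp", "pan", "account_number", "customer_id",
    "debit_card_details", "date_of_birth",
})

# A rule pairs the factors a step demands with the capability it yields.
Rule = tuple[frozenset[str], str]

BANK_FLOWS: dict[str, list[Rule]] = {
    # OP: app needs IB password + email OTP; IB password reset needs card PIN.
    "DBS": [
        (frozenset({"ib_password", "email_otp"}), "app_access"),
        (frozenset({"debit_card_pin"}), "ib_password"),
    ],
    # OP: customer ID + PAN + SMS OTP logs in; mPIN can then be changed.
    "RBL": [
        (frozenset({"customer_id", "pan", "sms_otp"}), "app_access"),
        (frozenset({"app_access"}), "mpin"),
    ],
    # OP's edit: IB forgot-password needs only account number + SMS OTP.
    "AU": [
        (frozenset({"mpin"}), "app_access"),
        (frozenset({"account_number", "sms_otp"}), "ib_password"),
        (frozenset({"ib_password"}), "ib_access"),
    ],
    # Later reply: customer ID from mobile OTP, password from customer ID.
    "IDFC": [
        (frozenset({"sms_otp"}), "customer_id"),
        (frozenset({"customer_id"}), "ib_password"),
        (frozenset({"customer_id", "ib_password"}), "ib_access"),
    ],
}

def closure(start: frozenset[str], rules: list[Rule]) -> frozenset[str]:
    """Fire every rule whose requirements are held until nothing new appears."""
    held = set(start)
    changed = True
    while changed:
        changed = False
        for needs, grants in rules:
            if grants not in held and needs <= held:
                held.add(grants)
                changed = True
    return frozenset(held)

def exposed_access(bank: str, attacker: frozenset[str] = ATTACKER_HAS) -> set[str]:
    """Return the *_access capabilities the modelled attacker reaches at a bank."""
    return {c for c in closure(attacker, BANK_FLOWS[bank]) if c.endswith("_access")}
```

Adding a rule for a bank's recovery path and rerunning `exposed_access` shows whether the path is reachable from SMS-only possession, which is the question every rating in this thread is implicitly asking.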
 
> ICICI 5/5
> Can log in either with a user ID + password or a debit card. User ID can never be changed and password cannot be reset without user ID and mobile number.
> Debit card login requires a code which is a grid so every login will be a different combination of code.
> After login account is restricted to a 10,000rs transaction limit for 24 hrs.
>
> HDFC 4/5
> Requires customer ID or user ID and password.
> Resetting requires a 6-digit OTP. Half of it comes to mobile and the other half on email.
> There is a passphrase and image verification too on PC but their implementation is bad.
>
> IDFC 1/5
> Verifies mobile number with OTP.
> Asks for customer ID or user ID and password.
> Password can be easily recovered with the customer ID. Customer ID can be easily recovered from mobile OTP... 🤦‍♂️

But there is no 2FA in ICICI Internet banking login.
 
When you install the AXIS MOBILE app, it asks you to create an mPIN. Once you create the mPIN you can easily login on the AXIS website with customer ID and 6-digit mPIN.

It won't ask for an OTP or security questions, and they call it secure.
 
0/5 IndusInd is the worst: you don't need an OTP or device verification via SMS. Enter mobile number, then user ID, then app PIN, that's all; you'll get access to everything: debit card details, credit card details, IMPS/RTGS/NEFT, the list goes on and on.
 
PNB ONE 3.5/5. You need mobile number, account number, date of birth and login PIN to enter the app; after entering the app you need TPIN and OTP to do transactions. Same for net banking: you need user ID, net banking password, specific image selection, and transaction password to do anything.
 
Losing money via SIM swapping is difficult in India unless you're an ignorant person, because once a duplicate SIM is issued, you can't send or receive SMS for 24 hours. Normal people will realise something is wrong with their SIM and call customer care to sort it out within 24 hours (actually, the moment the SIM goes off, within minutes people will call customer care in India), so no problem at all. Unless you're daydreaming about why your SIM is suddenly turned off, there's nothing to lose.
 