I have a few bank accounts and there is this particular local bank called City Union Bank, that is more than a hundred years old.
I received an email from that bank which has a list of different new features that they have added for the benefit of the customers, using the latest technology that they could get their hands on – like self-service branches, mobile banking using Android apps, missed-call balance enquiry, and many more.
To enable our customers to have banking facilities from anywhere and anytime, our bank has implemented various e-initiatives. One such facility is E-Statement of account in HTML format. The HTML form of the E-Statement of your account for the month of April 2016 is enclosed for your use.
And, yes, their email was in blue, green and brown. And they had attached a plain HTML file to the email.
Before I could even finish reading the entire email, I opened the file by clicking it and letting Gmail open it in its attachment viewer. And it threw this error in my face:
Please download the statement and view it in browser
Ookkkayyy! So I go and download it and open it, only to see it asking me for a password.
I go back to the email and read the section which says what my password is.
Your Statement is password protected. Please enter your Customer ID as the password to open the Account Statement.
But there is one little problem. When I signed up for an online netbanking account with this bank, I was given the choice of either logging in with some weird 7- or 8-digit number that I won’t remember for the rest of my life or choosing my own personalised username. Naturally I chose my own username and conveniently forgot the customer ID.
So in order to log in I have to type my customer ID, and I am now lost without access to my own bank statements.
Or am I really?
Password Protected HTML??
If it were some password protected PDF file, I would have given up all hope and forgotten about it. But the bank had sent my statement in an HTML file with password protection.
So I quickly “View Source”-ed the page and saw gibberish. They had used some weird encryption for the raw HTML and had a small JavaScript snippet to decrypt it. Should I waste time reverse engineering the encryption to get back the actual source? But if the browser has loaded the page and shows a password screen, it means the browser has already decrypted it and I can look at the DOM and see what they do.
Those who know basic HTML/JavaScript can guess where I am going with this. All I had to do was
- go to View > Developer > Developer Tools
- Cmd + F and search for “password”
- ???
- Profit!!!
Hidden in Plain Sight
All that is left for me to do is use the super secret password and log in to see my account statement.
And since emails aren’t secure, anybody can get hold of my private information and I don’t even want to think about the various ways they can target me.
I want to meet the person who thought this was a great idea and get a list of other things he helped design, so that I can be careful. I thought banking software/servers were audited for security regularly. If this bank was also audited, I want to meet the person who signed off on this. Is our bank account really secure?
If this is how banks and financial institutions are going to protect our money, I don’t even want to know what other government departments are doing with our personal and private data (read Aadhaar).
The future looks rather bleak to me.
PS: The balance they showed in that statement was completely different from the balance I had in my account. Guess I should close this account and short this bank’s stock if I can.