AOH :: HP Unsorted I :: BU-2082.HTM

Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)



Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)
Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)



1) Affected Service

* LiqPAY micro-payment system from PrivatBank, Ukraine

2) Severity

Rating: Moderate (need user actions)
Impact: Exposure of sensitive financial information and unauthorized
access to system
Where:  Remote (man-in-the-middle)

3) Vendor's Description of Service

"LiqPAY is global open high-secure payment system that lets anyone
easily send money using mobile phones, Internet and payment cards
worldwide.
...
LiqPAY Benefits: Strong security. Strong identification and
verification using the OTP technology."

Product Link:
https://www.liqpay.com/?do=pages&p=productliqpay 


4) Description of Vulnerability

LiqPAY one-time-password technology is based on SMS messages sent to
mobile phone of registered user. In order to login user has to submit
his mobile phone number on web-form and will be prompted for 8-digits
password from SMS message sent by system to his mobile.

Vulnerability is that SMS messages are not tagged in any way that they
are from LiqPAY system.
SMS message text is like "Parol: 12345678 --Do not pass your password
to third party.".

Exploitation is following - attacker can setup web-site (or any other
service) that will ask user for their mobile phone numbers first, then
for password they has received. In fact, attacker is not sending SMS
on his own, but request LiqPAY system to send one to user.  After user
will type in password he has received in SMS message on attacker
website - attacker can use this password to login into LiqPAY system.

After login to LiqPAY - all services of system are available to
attacker - history of previous payments and sending of digital money.

5) Solution

SMS messages from LiqPAY system should be tagged properly in order to
allow users clearly identify service and website URL of SMS origin.

Temporary solution for current users - do not answer on all SMS
messages similar in format to LiqPAY one's (there 8-digit password is
used).

6) Time Table

18:16 EET 22 March 2010 - Issue reported in public to vendor
(Alexander Vityaz blog, Head of Center E-business at Privatbank)
18:22 - Vendor denial as non-issue

7) Credits

Discovered by client of PrivatBank.

8) About LiqPay and PrivatBank

The Commercial bank PrivatBank (Ukraine) was founded in 1992. Its
services are used by more than 23% population of Ukraine population.
PrivatBank currently serves 420 thousand corporate clients and small
businesses, and over 13 million individual accounts.

LiqPAY is system invented by PrivatBank company for micropayments. It
is actively pushed to clients of PrivatBank.
All ~3000 branches of bank issue micropayments vouchers or open
accounts of LiqPAY system instead of giving change in coins to most of
it's clients then bank services or wire payments are requested. Number
of LiqPAY users as result of this effort claimed to be over 120
thousands.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.