Presentation Material
Abstract
8th November 2016 was a great date for the entire world. On the one hand, the US election results were announced, and on the other hand the Prime Minister of India, Shri Narendra Modi, announced demonetization in the country (India). Soon the government started focusing on a cashless economy and encouraged people to use various online platforms and e-wallets for transactions. For demonetization to be a successful one, the government took various steps pre-demonetization. The government ensured that most people had a bank account so that they could deposit their money, and it brought new technology to banks, like self-help passbook update machines, to cope with the increase in users.
In this paper I'll cover various flaws that were found in banking systems, apps, etc., exploiting which one can get:
Sensitive financial information of customers
Bypass security measures
Take out money from a customer's account
Invade their privacy, and many more
AI Generated Summary
This talk examined multiple security vulnerabilities in Indian banking and digital payment systems that emerged during the 2016 demonetization period, focusing on flawed authentication mechanisms and their potential for financial fraud.
The first vulnerability involved the passbook printing machines deployed widely after demonetization to cope with the surge in new accounts. These machines authenticated users solely via the barcode on the passbook, and that barcode typically encoded nothing more than the account number, a value that is printed on cheques and routinely shared to receive payments. An attacker could generate a valid barcode for any target account number, stick it on a blank passbook, and print the victim's full transaction history and balance. The barcode is an identifier, not a credential: nothing in the flow proved possession of the genuine passbook or the identity of the account holder.
The second category covered flaws in government-backed digital wallets and bank interfaces. One flaw in a state government wallet allowed direct fund transfer from any linked account because the authorization checks on the transfer request were inadequate. Another critical flaw, in State Bank of India's online transfer system, allowed the OTP to be bypassed by manipulating a single parameter (smartOTPFlag) in the payment request: the server let the client decide whether the second factor was enforced, so a request with the flag altered completed a transfer without the one-time password ever being checked.
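The smartOTPFlag bypass is an instance of a general bug: a server-side security decision (whether to demand a second factor) is taken from a field the client controls. The following Python sketch, added here as an illustration and not code from the talk or from any bank, puts a vulnerable transfer handler beside a hardened one. The request shape, the parameter name smartOTPFlag as used here, the session object and the OTP store are all assumptions made for the example; the hardened version also binds the OTP to the exact destination and amount it was issued for, which the summary does not describe but which is the standard fix for the same class of tampering.

```python
"""Toy fund-transfer handlers: a client-supplied flag must never decide
whether a second factor is enforced.

Added illustration of the smartOTPFlag pattern; not SBI's code. The request
format, session model and OTP store are assumptions for the example."""

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Constructed server-side state for one logged-in user."""
    user: str
    balance: int
    otp: Optional[str] = None          # OTP the server sent to the user's phone
    otp_for: Optional[dict] = None     # the exact transfer that OTP authorises


def issue_otp(session: Session, to_account: str, amount: int) -> str:
    """Server generates a 6-digit OTP and records which transfer it is for."""
    session.otp = f"{secrets.randbelow(10**6):06d}"
    session.otp_for = {"to": to_account, "amount": amount}
    return session.otp


def transfer_vulnerable(session: Session, params: dict) -> str:
    """VULNERABLE: the request itself says whether an OTP is required.
    Anyone who can edit the POST body sets the flag and skips the check."""
    if params.get("smartOTPFlag") == "Y":          # client-controlled decision
        supplied = params.get("otp", "")
        if session.otp is None or not hmac.compare_digest(supplied, session.otp):
            return "DENIED: bad OTP"
    session.balance -= int(params["amount"])
    return f"OK: sent {params['amount']} to {params['to']}"


def transfer_hardened(session: Session, params: dict) -> str:
    """HARDENED: server policy (here: always) decides that an OTP is needed,
    the flag in the request is ignored entirely, and the OTP only counts for
    the destination and amount it was issued for, so editing either after
    the OTP was sent is rejected as well."""
    supplied = params.get("otp", "")
    requested = {"to": params.get("to"), "amount": int(params.get("amount", 0))}
    if (session.otp is None
            or session.otp_for != requested
            or not hmac.compare_digest(supplied, session.otp)):
        return "DENIED: OTP missing, wrong, or issued for a different transfer"
    session.otp = session.otp_for = None            # single use
    session.balance -= requested["amount"]
    return f"OK: sent {requested['amount']} to {requested['to']}"


def demo() -> dict:
    """Replay a constructed, attacker-edited request against both handlers."""
    results = {}
    # The bank issued an OTP for a small legitimate transfer; the attacker has
    # the login (e.g. phished) but not the phone the OTP went to.
    v = Session("victim", balance=10000)
    issue_otp(v, "VICTIM-SAVINGS", 100)
    # Constructed tampered request: OTP field absent, flag flipped to "N".
    tampered = {"to": "ATTACKER-ACCT", "amount": "5000", "smartOTPFlag": "N"}
    results["vuln_tampered"] = transfer_vulnerable(v, tampered)
    results["vuln_balance"] = v.balance

    h = Session("victim", balance=10000)
    otp = issue_otp(h, "VICTIM-SAVINGS", 100)
    results["hard_tampered"] = transfer_hardened(h, tampered)
    # Correct OTP, but destination and amount changed after it was issued.
    results["hard_swapped"] = transfer_hardened(
        h, {"to": "ATTACKER-ACCT", "amount": "5000", "otp": otp})
    # Genuine request matching exactly what the OTP was issued for.
    results["hard_genuine"] = transfer_hardened(
        h, {"to": "VICTIM-SAVINGS", "amount": "100", "otp": otp})
    results["hard_balance"] = h.balance
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable handler drains 5000 from the victim with no OTP at all, while the hardened one refuses the same request, refuses a replay of a real OTP against a different destination or amount, and accepts only the transfer the OTP was bound to. The general rule the example shows is that every input deciding whether a control applies (a "skip OTP" flag, a "device trusted" cookie, a "step completed" parameter) must come from server-side state, never from the request.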
The third flaw exploited the National Securities Depository Limited's (NSDL) PAN card verification API, which services such as cryptocurrency exchanges use for KYC. The API lacked proper request origin validation, so anyone who knew a PAN number and a few basic details could query it directly and retrieve the holder's personal details (name, date of birth, father's name). Chained with the data exposed by the first flaw (account number, balance, email), this gave an attacker enough verified personal and financial detail for highly convincing social engineering or targeted fraud.
The speaker emphasized that these vulnerabilities stemmed from rushed deployment, over-reliance on a single check that the attacker controls (an identifier such as a barcode, or a client-supplied parameter such as a request flag), and inadequate API security. The practical implication is that weaknesses in foundational banking infrastructure can be combined to compromise an individual's finances and privacy even when each system appears to work correctly on its own. All discussed flaws were reported and patched.