The phone-based interactive voice response systems used by banks are vulnerable to data theft and manipulation of information, warn some cyber experts.
The vulnerabilities of Interactive Voice Response Systems (IVRS) were exposed at Nullcon, a cyber security conference held here and attended by ethical hackers, government officials, intelligence organisations and cyber security firms.
A leading cyber security expert explained today how IVRS can be a hacker's paradise for stealing anyone's personal information over the phone, as these systems remain mostly unaudited and lack key security features.
Rahul Sasi, a cyber security expert and a member of the global community garage4hackers.com, said one of the major gaps in IVRS is the absence of any check on whether input comes from a human or a machine, the role a captcha plays on the web.
Using a computer program, he showed how easy it was to obtain an account number and four-digit ATM PIN in a phone banking system, because the IVRS could not tell whether the data was being entered by a human user or by a computer.
“Since there is no captcha, a method in which simple questions are asked, like what 1+1 equals, which is common in computer-based systems to determine whether the user is a human or a machine, one can enter loads of permutations as account numbers and passwords to get a new password using software,” he said, and also gave a demonstration of how he managed to get into his own account using the method.
“The worst part is most of these phone banking methods are usually unaudited for security checks and the programs are also not up to the mark, making them vulnerable,” Mr. Sasi told PTI.
He said that although phone banking gives a hacker only the digits 0-9 plus the star and hash keys to work with, even that limited input set can be used to enter complex commands and infect the system with a virus.
The 23-year-old Mr. Sasi has been working in cyber security for the last six years and is a known name among ethical hackers who expose vulnerabilities in the computer systems used by various organisations, including government agencies.
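The two weaknesses described above, unlimited automated PIN guessing and raw DTMF input reaching the back end, are both controls a bank can put on the IVRS side. The following is an added illustration written for this page, not code from Mr. Sasi or from any bank: a small model of an IVR authenticator that locks an account after a few failed PIN entries, rejects any key outside the 0-9, star and hash set before it reaches downstream logic, and a log check that flags callers making many failed attempts in a short window. The account numbers, PINs, lockout thresholds and call records are all constructed sample values.

```python
"""Added example (not from the article or the speaker): a minimal model of
how a phone-banking IVR back end can refuse automated PIN guessing even
though callers can only send the digits 0-9, '*' and '#'.
All account numbers, PINs, thresholds and call records are constructed.
"""
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3        # failed PIN entries before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # how long a lock lasts (assumed policy)
ALLOWED_KEYS = set("0123456789*#")   # the only keys a DTMF keypad can send

# Constructed sample data: account number -> PIN.
# A real system would store a salted hash, never the PIN itself.
ACCOUNT_PINS = {"100200300": "4821", "100200301": "0937"}


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class IvrAuthenticator:
    pins: dict
    max_attempts: int = MAX_ATTEMPTS
    lockout_seconds: float = LOCKOUT_SECONDS
    state: dict = field(default_factory=dict)

    def verify(self, account: str, pin: str, now: float | None = None) -> str:
        """Return one of 'ok', 'denied', 'locked' or 'invalid_input'."""
        now = time.time() if now is None else now
        # Reject anything that is not a keypad digit or symbol: the IVR must
        # never hand raw caller input to downstream commands.
        if not account or not pin or not set(account + pin) <= ALLOWED_KEYS:
            return "invalid_input"
        st = self.state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"
        # Compare against a dummy PIN for unknown accounts so that timing and
        # the response do not reveal whether the account number exists.
        expected = self.pins.get(account, "0000")
        match = hmac.compare_digest(expected, pin)
        if account in self.pins and match:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "denied"


# Constructed call log: (seconds since start, caller id, account, result).
# Caller ...0001 walks through PIN guesses for one account; the others are normal.
SAMPLE_CALL_LOG = [
    (0, "+910000000001", "100200300", "denied"),
    (5, "+910000000001", "100200300", "denied"),
    (10, "+910000000001", "100200300", "denied"),
    (15, "+910000000001", "100200300", "denied"),
    (20, "+910000000001", "100200300", "denied"),
    (25, "+910000000001", "100200300", "denied"),
    (30, "+910000000002", "100200301", "ok"),
    (40, "+910000000003", "100200301", "denied"),
    (42, "+910000000003", "100200301", "denied"),
    (44, "+910000000003", "100200301", "ok"),
]


def flag_enumeration(records, window: float = 60.0, threshold: int = 5) -> list:
    """Return caller ids with more than `threshold` failed PIN attempts
    inside any `window`-second span (sliding window per caller)."""
    failed_by_caller: dict = {}
    for ts, caller, _account, result in records:
        if result == "denied":
            failed_by_caller.setdefault(caller, []).append(ts)
    flagged = []
    for caller, times in failed_by_caller.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(caller)
                break
    return sorted(flagged)


if __name__ == "__main__":
    auth = IvrAuthenticator(dict(ACCOUNT_PINS))
    for guess in ("1111", "2222", "3333", "4821"):
        print(guess, auth.verify("100200300", guess, now=0))
    print("flagged callers:", flag_enumeration(SAMPLE_CALL_LOG))
```

The lockout counter is what removes the "loads of permutations" approach: after the configured number of wrong entries the account stops answering until the lock expires, so the PIN space can no longer be walked by a script. The dummy-PIN comparison for unknown accounts keeps the system from confirming which account numbers are valid, and the log check gives the operations team a signal that an enumeration attempt is under way.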
“I found that no one was paying attention to the vulnerability of IVRS because it was considered safe. With some perseverance I was able to find the loopholes. It is important that security audits are done for the IVRS also, just like web-based applications.
“In the absence of these we could not know if such cases happened in banks. Our job is to expose vulnerability; now it is their job to pull up their socks and install security measures,” he said.
This article has been corrected for spelling errors.