Banking Hack Demonstration Using Aadhaar Card & SE Attack


A team of young cyber security awareness entrepreneurs, Shivam Goswami, Shivam Thakur, Bhairav Bose & Vipul Jadhav, from the firms Secret to Success & Ethical Hackers Club in India, has demonstrated a banking hack using the face of Digital India, the “Aadhaar Card”.

The Aadhaar card today needs no introduction, at least not in India, where the Government is making new decisions about it each day. The Aadhaar card seems to be the single identity, nationality & address proof for Indians, and it is soon becoming compulsory. India badly needed such a system, but was India really ready for it? The Aadhaar card contains each and every detail of an individual, from banking to personal and even biometrics. But what about privacy & security?
Yes, this is what cyber security researchers are worried about. But has anyone ever thought about the same? Surely researchers understand this, but did the government really take it seriously?
Well, surely unless people are aware of cyber security & data privacy, they are not ready for such a system.
While researchers were looking for something significant with respect to cyber security threats using the Aadhaar card, the team of young cyber security researchers from Secret to Success & EHC demonstrated a banking hack using the Aadhaar card & a social engineering attack. The demonstration made it very clear that users are not aware of their privacy, while customer care & security teams lack awareness of such attacks. Instead, they can easily be scammed by a simple social engineering trick.

In the complete demonstration Shivam Goswami says:
The Aadhaar card is always trending with something new and something extra each day with new initiatives by the Indian Government.
While there was a strong requirement for such a system in India, for numerous reasons specified by Ethical Hackers Club in its events, the lack of security & privacy awareness has made the most useful system a curse. While researchers have always been talking about privacy risks, Ethical Hackers Club’s team has for the first time demonstrated a threat using a social engineering attack for bank hacking using Aadhaar card details.
I will be listing below all the steps performed by me for demonstrating a banking hack using the Aadhaar card. Before I go ahead, I would make it very clear that all the information I publish here is completely for educational purposes and for the importance of cyber security awareness. I and my team will in no way be responsible if anyone uses the trick and gets caught. The hack was performed in the presence of bank officials to demonstrate the lack of awareness in their team and their users in India; the person whose account was tested was clearly informed, and no amount was ever transferred from his accounts. We just used the trick to get logged in to his online account.
Although the steps taken by our team have been very intense and can’t be in the reach of any newbie, a team of good scammers and aggressive attackers can surely try it or would already be trying it. We have demonstrated the threat with the same intention: to make the world aware of such scams.

In the complete post, the team describes each detail of the steps used, which were later disclosed to the bank & the victim too.
The demonstration contained the 4 most aggressive steps of ethical hacking, but no tough technical skills were involved. A complete social engineering process and basic internet skills easily gave them access to the victim’s online banking account.

In steps 1 & 2 the team carried out passive reconnaissance, where Bhairav Bose followed their victim’s schedule for 3 months; later he followed the victim to the bank and used shoulder surfing and a simple request trick to gain the victim’s account number. In step 2 of the same process, Shivam Thakur was involved in taking a copy of the Aadhaar card from the victim’s child. The Aadhaar card made it very simple to obtain original personal details, which further helped in finding out the PAN number of the victim.
In step 3 the team carried out a social engineering attack where they called the customer service executive and, pretending to be the victim, had them change the victim’s registered mobile number. It was very easy for them to portray the victim, as they had all the information asked for by customer care representatives. The complete details with proper demonstration can be found in the original post at Ethical Hackers Club, where you can find the complete steps performed by the team and how they finally received login details.
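The step 3 pattern above, seen from the bank's side, as an added example that is not part of the original article or the Ethical Hackers Club post: a check over constructed audit events that flags a registered-mobile change verified only by static identifiers (account number, Aadhaar, PAN) and followed by a credential reset. The event schema, field names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events; the schema is hypothetical, not a real bank's log format.
EVENTS = [
    {"ts": "2024-01-02T10:05:00", "account": "ACCT-A", "type": "mobile_change",
     "channel": "call_centre", "verified_by": ["account_no", "aadhaar", "pan"]},
    {"ts": "2024-01-02T10:40:00", "account": "ACCT-A", "type": "credential_reset"},
    {"ts": "2024-01-03T09:00:00", "account": "ACCT-B", "type": "mobile_change",
     "channel": "branch", "verified_by": ["photo_id_in_person", "otp_old_mobile"]},
    {"ts": "2024-01-03T09:30:00", "account": "ACCT-B", "type": "credential_reset"},
    {"ts": "2024-01-04T11:00:00", "account": "ACCT-C", "type": "mobile_change",
     "channel": "call_centre", "verified_by": ["account_no", "pan"]},
    {"ts": "2024-01-09T11:00:00", "account": "ACCT-C", "type": "credential_reset"},
]

# Identifiers that can be read off a document or observed, so knowing them
# proves nothing about who is calling (assumed factor names).
STATIC_FACTORS = {"account_no", "aadhaar", "pan"}


def static_only(event):
    """True when every factor used to verify the requester is a static identifier."""
    return set(event.get("verified_by", [])) <= STATIC_FACTORS


def flag_takeover_pattern(events, window_hours=24):
    """Accounts where a statically verified mobile change is followed by a
    credential reset within the window."""
    window = timedelta(hours=window_hours)
    pending = {}  # account -> time of the weakly verified mobile change
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mobile_change":
            if static_only(ev):
                pending[ev["account"]] = ts
            else:
                pending.pop(ev["account"], None)  # a strongly verified change clears it
        elif ev["type"] == "credential_reset":
            changed = pending.get(ev["account"])
            if changed is not None and ts - changed <= window and ev["account"] not in flagged:
                flagged.append(ev["account"])
    return flagged


if __name__ == "__main__":
    print(flag_takeover_pattern(EVENTS))
```

The same `static_only` test can gate the change itself: a request that passes only static checks is held until it is confirmed through the old registered number or in person.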
While it was a demonstration for security purposes, the team has left behind many questions for Indians:

  • Is it really OK to connect the Aadhaar card with every system?
  • If connected, do people understand the importance of the privacy of their documents?
  • Is India really ready to get completely digitized?
