Header Ads

Banking Hack Demo Using Adhar Card & SE Attack

See How We Used Adhar Card as a Tool For Social-Engineering Attack For Online Banking Hack.

AdharCard Hacked
Creative Commons License
The Are is Created by Ethical Hackers Club and is in no way related to UIDAI accept for the logo which is downloaded from google image search licensed as free to modify & the Image is now  licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Adhar the word itself doesn't require any introduction at least for Indians. Since the time of the system's launch on 28 January 2009, It has always been a trending topic for debate. From Common people to researchers, from Government officials to journalists all have always been talking about adhar card.
Adhar card is always trending with something new and something extra each day with new initiatives by Indian Government.
While there was a strong requirement for such system in India with numerous reasons specified by Ethical Hackers Club in its Events, but the lack of security & privacy awareness has made the most useful system a course. While researchers have always been talking about privacy risks Ethical Hackers Club's Team has for the first time demonstrated a threat using Social Engineering Attack for bank Hacking using Adhar Card Details.

Let's Find Out How I Demonstrated A Banking Hack Using Adhar Card.

I will be listing below all the steps performed by me for demonstrating a banking hack using adhar card. Before I go Ahead I would make it very clear that all the information I publish here is completely for educational purpose and for the importance of cyber security awareness. I and my team in no way will be responsible if anyone uses the trick and gets caught. While the hack is been performed in the presence of Bank officials to demonstrate the lack of awareness in their team and their users in India and the person whose account was been tested was clearly informed and no amount was ever transferred from his accounts we just used the trick to get logged in to his online account.
Although the steps taken by our team has been very intense and can't by in the reach of any newbie but team of good scammers and aggressive attackers can surely try it or would be already trying it. We have demonstrated the threat with the same intention to make the world aware about such scams.

Lets Find Out Each Steps Performed by us:

Step 1:

Step one which has been the most important step which took about 5 months to complete. As we informed it's a complete aggressive attack and we had to get involved physically. Although the demonstration may seem to be like a complete James Bond movie but was created here in India and this is what being used in reality by Cyber Criminal teams. Bhairav From our Media partner supported us in the step.  
We had selected the best of bank in India with all perfect systems to perform the attack. Bhairav's act was really a tough one which was the most important step to perform SE attack. Bhairav was asked to follow the bank for a month to find out a regular customer. Bhairav started his journey by applying to be as a store keeper at the shop outside the Bank. While Bhairav started working as a store keeper he was very firm with his aim. All his attention was focused at people entering the bank. We fond a man who used to enter the bank on 15th of each month. We decided to target him for the hack.
Now it was the time to somehow gain his bank account number. Although having a bank account number cant provide you with access to accounts. 
Now from the 4th month when the person entered the bank to deposite money Bhairav entered behind him and used Shoulder Sniffing to gain account number of the user. 
Bhairav entered the bank behind our victim, took a deposite form, went near the place our victim was filling the form and asked "Sir Can I have your pen Please", It was very clear John wanted to be as close as possible to see the account number. John got the pen and wrote down victims account number using Shoulder Sniffinf method insted of his own number. 
He Brought the details to our team and thats when we started further steps.

Step 2:

Now we had to get details of ID proof submitted in the bank. Now that isn't a rocket science for anyone. The way Bhairav Started with the storekeeper near our victim's bank now we sent Shivam Thakur to the recharge store near the victim's house. All we wanted is the contact information of the person. It was ver easy to gain the number from recharge store and even easier for our team to get the most common adhar card. So what exactly we do?
Shivam Thakur was working at the recharge store for almost 6 days when our victim's child came for the recharge at the store. That's when we got our victims number. While the 17 years child would leave after recharge Shivam Thakur played it very clever which reduced our further planned more aggressive steps. She informed the boy that systems are getting changed and you need to submit your fathers Adhar card or the sim card will be blocked. While the step could have been really dangerous but as always lack of awareness made the child and his family be victimized to our SE Attack. Within hours the boy was there with his fathers Adhar Card. Now We had the print for adhar card which had all the details of our victims. All Genuine information:
  • His Name,
  • His Phone Number (We Already Had),
  • Most Important his Date of Birth,
  • His Adhar Card Number and 
  • The detailed Address.

Step 3:

All we had to do now is to get the mobile number of victims connected with the bank, changed to our own mobile number. It wasn't difficult for our expert Social Engineering team. Our Team had all the details now we called the bank customer care are asked them to do so impersonating our victim. Bhairav called the customer care told them he was Pratik ( Name Changed For Privacy ) and his previous phone number isn't working due to outstanding bills and the number is now been changed. Customer care experience was really so lovely and so helpful that it was actually amazing. He told ok sir we would surely help you. we need to confirm few details of yours. We really had all we needed to get confirmed so we were like ok.  And questions really went as we planned previously. The customer care executive requested us with the full name ( clearly we had it from Adhar Card) Date of Birth ( Even easy - Adhar Card Again) Previous Phone ( it was genuine we had it from recharge store). PAN card number that's what we didn't have. But Was never an Issue. When asked Bhairav informed the customer care executive that he was out and PAN card was at home. The executive refused to help as PAN number verification was important for him. Well, he told sir you can contact again when you have your PAN number handy and disconnected. Now that was the time to get PAN number now. And believe us this was really very very easy for us. All we had to do was to visit websites link NSDL's PanStatusTrack type in the details of our Victim which we had obtained from Adhar Card.
NSDL's Online Pan Checking System Used by Ethical Hackers Club to Gain Pan Details of Our Victim.

Pan Details were waiting at a single click of submit button.

Step 4: 

Now that we had PAN details it was the time to call back the customer care. Bhairav again followed the same procedure and finally the number was changed now we had to get login id and password for victims internet banking. 
We Had Bank Account Number.
We Had All Other Personal Details.
And Even Our Mobile number was linked to the account.
We just had to visit the login page the bank.
Get User Id

At the Login Page We Followed the steps to GetUserID: 

Banking Hack 2017

And We finally received the USER ID at our mobile number.
Banking Hack 2017-4Same Procedure was used to Get The Password and With the same general questions highlighted above proved us with password on our changed mobile number. While we carried out the complete procedure and was informed to the bank's team and to the victim himself who had been informed about the complete details and was asked to change his account details. It was really something new for the common user ( our victim ). The Demonstrations made it very clear that India wasn't yet ready for such privacy attacks due to lack of awareness while the customer executive plays a vital flaw in the banking systems of India which can easily be attacked by scammers using Social Engineering Attacks. There's a lot more for India to learn before it really gets completely digital. The Faster growing digital India can really be making many common user victimizing to such scams & attacks.

While our team was working for security such flaws really brings in questions like:

  • Is it really OK to connect Adhar Card with every system? 
  • If Connected Do People Understand about the importance of Privacy of their documents?
  • Is India Really Ready to get completely digitized?

And a lot more. 

let us know about your views on our 

Official Facebook page &
Our Twitter Account

No comments

Powered by Blogger.