Vulnerabilities to cyber attacks found in bank chat bots

Bank chatbots in instant messengers that are used to carry out account transactions can be vulnerable to cyber attacks. As a result, attackers could transfer money without the customer's knowledge.

Alexander Gerasimov, Information Security Director of Awillix, told Izvestia about this. The risks were confirmed by Positive Technologies.

Awillix specialists discovered such vulnerabilities at two Russian banks while checking the security of their chat bots in instant messengers. The flaws make it possible to obtain card numbers and expiration dates, and to find out the account balance and the client's mobile phone number.

In addition, the vulnerabilities allow an attacker to get into the client's personal account in the chatbot and to bypass the transaction confirmation mechanism, for example during a money transfer.

According to Alexander Gerasimov, the accounts in the messenger and on the bank’s main website are not linked. A fraudster can access a client’s chatbot account, but cannot get to the main personal account.

The specific vulnerabilities of a chatbot depend on its functionality. Security flaws can, for example, expose customer data, give access to a customer's personal account in the chatbot, or reveal the card balance.


According to Positive Technologies, the most common deception scenarios are: modifying a chat bot's functionality to collect information about the person using it, sending malicious software on behalf of a bank, replacing the robot with a fraudster during a conversation, and creating fake bank chat bots.

Users of bank chat bots can protect their funds by using two-factor authentication to log into the application, Jet Infosystems emphasized. The company added that the threat also exists in cases where a fraudster has gained direct access to the victim's device, either physically or as a result of a malicious attack.

Raiffeisenbank, Otkritie, Absolute, Rosbank, Unicredit and VTB told the newspaper that they limit the functionality of their chat bots in messengers. They added that the popularity of this channel of customer interaction is growing rapidly.