A logical bug in JUICE can make you lose all your money if you are not careful
Note: This article is not about blaming banks or people. We realize that both parties (hopefully) take measures to secure their infrastructure, but this case exposes an issue that is very much present in our society, one that banks can reduce by adding a human layer to the process, which I know some banks in Mauritius and elsewhere already do.
For a few months now we have been getting calls for help from victims of online scams. These days we usually try not to get too involved, mostly because of limited availability and other more urgent matters that tend to crop up, but after seeing so many victims of such scams we felt a moral obligation to at least write a few lines to warn people.
To understand what all this is about, we have to go back a few weeks. A man in his thirties from the South contacted us in a panic. He said that all his money had vanished from his bank account and he did not know what to do. He is an "Assistant builder" (manev mason); his account and his mother's were emptied overnight. They both live in a poor part of the country, and he and his mother had saved every single penny they could so that they could buy a new home and start a better life. They had saved enough to afford their house and were about to move when, sadly, the victim, Armo (a fictitious name), started receiving strange phone calls on his WhatsApp. Upon hearing what he had to say, I told him to go urgently to the Cybercrime Unit of the Police and report it. He eventually did, and the police guided him correctly and took his complaint. What I noted there was a long line of people who had gone through the same problem. I spent some time over the following weeks talking to many of these people, since some had asked me to secure their new phones. The matter was not clear at first, and I thought the victims were to blame, as many of them had provided their personal information to strangers, but then I realized there was something else going on here.
Armo is not well-versed in English or in the general ideas of information technology. Upon asking, I found out that Armo had gone to his bank some time ago and asked for a system on his phone where he could VIEW his balance and that of his mother (they hold a joint account). Mind you, he just wanted to view his balance in peace from home.
The Vulnerability
Unfortunately, Armo started receiving these fraudulent WhatsApp phone calls. The scammers knew what they were doing: they talked to him as if they were really from the bank and convinced him that his phone number had won a big sum of money. (Many readers will see this as obviously dubious, but remember that this person is an average person who does manual work and has no mobile or IT background. There are many people like this; they know something else far better than we do, just nothing about IT. Armo, for example, knows how to build houses, which most of us do not.) So I believe it is perfectly understandable that he fell for it. In any case, the scammer gradually kept up the conversation with Armo, and from merely asking Armo for personal information, the fraudster was eventually able to register an online banking profile at Armo's bank. Strangely, Armo says he has never in his life agreed to have online banking; again, remember that Armo just wanted a way to see his balance.
Eventually, Armo received an SMS containing a one-time password (OTP), and the scammer asked him for that code. Armo is not IT literate and has no idea what an OTP is, so he readily gave the code away, assuming it was the bank asking for it. Anyone who is not IT literate might well do the same.
Unfortunately for Armo, in just 24 or so hours, almost Rs.900,000 were stolen from his account through online banking.
Armo is neither the first nor the last. Over the past few weeks of investigation I have met other people who have been victims of similar scams; strangely, there has been no mention of it in the news, nor has the bank said anything about it publicly. I met a girl who lost Rs.5000 this way and possibly Rs.80,000 more in a fake investment scam. I know of another man who had Rs.1M stolen the same way but prefers to remain anonymous. A layman might argue that this is not a vulnerability but rather people being fooled into giving away their details. In that case, consider that the user never asked for any remote access that could move money out of his account. When building an application, deciding its boundaries, what should and should not be possible, is important. The whole process around your software is part of the software, in the sense of which users should be allowed to use it and for what; if you do not know your user base, your application is not going to make sense. In this case, the person never wanted to be able to make a monetary transfer at all, let alone give away his life savings! This is a tragedy not only because the person lost his money but also because the various custodians of his data acted without due care when they had the responsibility to safeguard someone else's asset. The pattern is like a user asking for read access and the administrator granting him full access: that would be a major permission violation in security terms, and likewise, asking for access to just view your balance cannot and should not translate into the ability to change that balance.
The vulnerability in this case is not necessarily technical; it is logical, and it includes flaws in the processes surrounding access to the technical infrastructure. It can be broken down as follows:
- How can someone have online banking access to his bank account if he never physically went to the bank to register for it?
- When someone registers for JUICE, does the bank official just make them blindly sign something that enables online banking? If that is the case (I am not a lawyer), do they not somehow violate the contract they have with the customer, i.e. exploiting the fact that he does not know better and getting him to sign for more than he asked for?
- Does JUICE use its own specific API, or does it use the same API as online banking?
- Is there no daily limit on what you can transfer? Hell, I earn decently, yet I cannot transfer that much money through my online banking without my bank calling me and saying "Sir, we noticed you were transferring X amount, are you sure?", so how come someone who earns so little faced no restriction and Rs.900k vanished in under 48 hours?
- Even if this had been an online purchase, should there not have been a limit?
The solution would have been very simple: to enable online banking you should have to be present in person at the bank, ask for it and sign for it, and there should also be daily limits on the number of transfers you can make with online banking. This was a lame and shameful bug, and these people would still have their money had the processes around the app been designed with very obvious aspects of cyber security in mind. It is not even the fault of the developers; it is the responsibility of whoever designed the product to ensure that such processes have proper boundaries when the hard-earned money of the customer is concerned.
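As an added illustration, not the bank's code or the author's, here is the boundary argued for above (a read-only balance request must never imply transfer rights) together with the two proposed fixes (in-person enrollment and a daily cap) expressed as a small policy model in Python. The scope names, the Rs.50,000 cap, the account figure and the timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Balance viewing and money movement are deliberately separate scopes (assumed names).
BALANCE_READ = "balance:read"
FUNDS_TRANSFER = "funds:transfer"
DAILY_TRANSFER_LIMIT = 50_000  # hypothetical per-account cap, in rupees
class PolicyError(Exception): pass  # request exceeds what the customer asked for

@dataclass
class Account:
    balance: int                                   # rupees
    scopes: set = field(default_factory=lambda: {BALANCE_READ})
    transfers: list = field(default_factory=list)  # (timestamp, amount) history

def enroll(account: Account, scope: str, channel: str) -> None:
    """Grant a scope; anything beyond read-only needs signed, in-branch enrollment."""
    if scope != BALANCE_READ and channel != "in_branch":
        raise PolicyError(f"{scope} cannot be enabled over {channel}; visit the branch")
    account.scopes.add(scope)

def transfer(account: Account, amount: int, now: datetime) -> int:
    """Move money out only if the scope allows it and the rolling 24h cap holds."""
    if FUNDS_TRANSFER not in account.scopes:
        raise PolicyError("session holds balance:read only; transfer denied")
    spent = sum(a for t, a in account.transfers if t > now - timedelta(hours=24))
    if spent + amount > DAILY_TRANSFER_LIMIT:
        raise PolicyError(f"24h limit of Rs.{DAILY_TRANSFER_LIMIT} exceeded")
    account.balance -= amount
    account.transfers.append((now, amount))
    return account.balance

def _run(step):
    try:
        return step()
    except PolicyError as e:
        return f"denied: {e}"

def scenario() -> dict:
    """Replay the article's situation against the policy; returns each step's outcome."""
    acct = Account(balance=900_000)  # constructed: the sum the article says was lost
    t0 = datetime(2023, 1, 1, 9, 0)  # constructed timestamp
    steps = [
        ("read_only_transfer", lambda: transfer(acct, 900_000, t0)),  # scammer holding the OTP
        ("remote_enroll", lambda: enroll(acct, FUNDS_TRANSFER, "phone")),  # over a call
        ("in_branch_enroll", lambda: enroll(acct, FUNDS_TRANSFER, "in_branch")),
        ("first", lambda: transfer(acct, 30_000, t0)),
        ("second", lambda: transfer(acct, 20_000, t0 + timedelta(hours=1))),
        ("over_limit", lambda: transfer(acct, 1, t0 + timedelta(hours=2))),
        ("next_day", lambda: transfer(acct, 10_000, t0 + timedelta(hours=25))),
    ]
    return {label: _run(step) for label, step in steps}
```

With only the read scope, the OTP-holding attacker's payout and the over-the-phone enrollment are both refused, and once the customer has signed in person the cap still stops the account from being drained in one day.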
All these points lead me to believe that it is a logical flaw in the processes around this app that caused this issue, together with a certain laxity in regard to API access.
This article was written by Pirabarlen on behalf of hackers.mu in the hope that it can prevent someone else from losing money to this particular kind of fraud. It really is painful to see someone lose his life savings to something as simple as bad security practice in a place where we all expect security to be present.