Cashless disaster: Bhim App Released Without Basic Security Measures in Place

Written by Samir Kelekar | Published on: January 3, 2017

In a hurry to present one more sop before the crucial 2017 elections in five states, the Bhim app has been released without even basic functionality testing.

As a security professional, it is always a curiosity to test for security holes when something new and important has been released. 
 
With the big hype around cashless transactions, and the release of apps such as Bhim with a lot of media attention, it was natural that I downloaded Bhim to play around with it.
 
It took two days to get it working. First, it wouldn’t connect, and then it would give an error when generating an MPIN. But finally it worked. And since I have only one mobile number and all my accounts are linked to just one number, I tried to send money from my mobile number to itself.
 
This shouldn’t work, but imagine my surprise when I saw two different entries: a debit of Rs. 10/- and a credit of Rs. 10/- from and to the same account! This was incredible.
 
My hacker mind immediately thought of the next step.
 
What if I write an automated script (a computer program) that keeps deducting Rs. 1/- or even smaller amounts, if possible, and crediting them to the same account?
 
If one runs a few hundred such bots, one could keep the Bhim servers busy, or in fact bring them down (!), or make the app useless for others. In security terminology, this is called a DDoS attack.
 
Refusing to send money from an account to itself should be part of the basic functionality of any payments app.
 
This is not even security testing. How can an app be released without even this much basic functionality testing?
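As an added illustration of the server-side checks the article says were missing (this is example code written for this page, not BHIM's or NPCI's own logic), the guard below normalises the two virtual payment addresses before comparing them, rejects a transfer whose payer and payee are the same account, and throttles repeated transfers from one payer so a looping script cannot tie up the service. The VPA format, window size and limit are assumptions.

```python
"""Defensive transfer validation: reject self-transfers and throttle one payer.
Hypothetical example; not the BHIM app's own code."""
import time
from collections import defaultdict, deque
from typing import Optional


def normalize_vpa(vpa: str) -> str:
    """Canonicalise a UPI-style address such as 'name@bank' so that
    case or whitespace variants cannot slip past the same-account check."""
    return vpa.strip().lower()


class TransferGuard:
    """Checks to run before a transfer request is forwarded to the bank rails."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0):
        self.max_per_window = max_per_window  # assumed limit per payer
        self.window_seconds = window_seconds  # assumed sliding window
        # payer VPA -> timestamps of recently accepted requests
        self._recent = defaultdict(deque)

    def check(self, payer: str, payee: str, amount_paise: int,
              now: Optional[float] = None) -> Optional[str]:
        """Return None if the transfer may proceed, else the rejection reason."""
        now = time.monotonic() if now is None else now
        payer_n, payee_n = normalize_vpa(payer), normalize_vpa(payee)
        if amount_paise <= 0:
            return "amount must be positive"
        if payer_n == payee_n:
            # The basic functionality check the article found absent.
            return "payer and payee are the same account"
        q = self._recent[payer_n]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            return "too many transfers from this account; retry later"
        q.append(now)
        return None
```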
 
And here we are launching a thousand apps (a few every day!) and moving into a cashless economy.
 
Let us not get carried away unnecessarily; we need to pause all this and make sure the systems we put in place are secure and functionally sound before relying on them. Some sanity is needed here.
 
(The author is a security professional based out of Bangalore)