Police say yes, and that they helped the bank close the breach, but Bank of Baroda says these are social engineering attacks and customers are responsible for the security breaches
Gunilal Bindeshwari Mandal, who was arrested from Bihar's Banka district
A major loophole in the mobile banking application of Bank of Baroda (BoB), through which cyber criminals attacked accounts across India and are believed to have siphoned off crores, was rectified after the Mumbai police pointed it out to one of their branch managers. The police learnt about the technical loophole while interrogating an accused, Gunilal Bindeshwari Mandal, who was arrested from Bihar when he was making phishing calls.
(From left) PSI Pradeep Patil, senior PI Suryakant Bangar and PSI Rakesh Shinde who arrested the main accused
Mandal was arrested within 24 hours after a 30-year-old complainant, Kaiwalya Modha, registered a First Information Report at DB Marg police station on November 2.
Modus operandi
Mandal told his interrogators that there is a loophole in the mobile banking application of BoB. "The conmen had installed the 'BoB MConnect+' app on their smartphones where they would randomly type a mobile number, and if it was registered with BoB, the application would generate a One Time Password (OTP). The OTP was a clear indication for the cyber criminals to target the mobile number," said a police officer.
The officer further told mid-day that the gang would work at night to sort out the registered mobile numbers, then approach those account holders the next day. Just before calling his target, Mandal would type the mobile number into the app again, and as soon as the OTP was generated he would call the number. "In a bid to win trust, Mandal would tell his target that he was calling from BoB and did not need an OTP or the CVV number written on the back side of plastic money, etc.," said the officer.
"During the conversation, Mandal would tell the target that his e-KYC needs to be updated and the details of his banking transactions are on his computer screen. He would ask the target to punch the OTP number in the application after which a four-digit M-PIN is generated. Here, too, Mandal would not ask the M-PIN from his target, instead he would give a random four-digit number and ask him to add the same to the M-PIN and then give that number to him," said the officer.
"To get the M-PIN, Mandal would then subtract the four-digit number which he had given to his target to add to the M-PIN. Once the M-PIN was typed on the mobile banking application, he would siphon off money from the account," the officer said.
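The behaviour described above, where the app's lookup reveals whether a number is registered by generating an OTP, is modelled below beside a hardened handler and a log check for enumeration bursts. This is an added Python example, not code from the article or from Bank of Baroda's app; the registered-number set, device ids, thresholds and log entries are all constructed for illustration.

```python
# Added example (constructed; not the bank's code). Models an OTP lookup endpoint
# that acts as a registration oracle, a hardened version, and a detection check.
from collections import defaultdict, deque

REGISTERED = {"9100000001", "9100000003"}   # constructed sample account numbers
OTP_LOG = []                                  # (ts, device_id, mobile) for every request

def request_otp_leaky(mobile: str, device_id: str, ts: int) -> dict:
    """Weak flow: the reply itself says whether the number is a customer,
    so anyone can enumerate registered numbers and trigger OTPs at will."""
    OTP_LOG.append((ts, device_id, mobile))
    if mobile in REGISTERED:
        return {"otp_sent": True}
    return {"otp_sent": False, "error": "mobile not registered"}

_recent = defaultdict(deque)                  # device_id -> timestamps of recent lookups

def request_otp_hardened(mobile: str, device_id: str, ts: int,
                         limit: int = 3, window: int = 3600) -> dict:
    """Uniform reply whether or not the number is registered, plus a per-device
    cap on how many numbers may be looked up per window. An SMS OTP would still
    go out of band to a REGISTERED number; the reply never reflects that."""
    OTP_LOG.append((ts, device_id, mobile))
    q = _recent[device_id]
    while q and ts - q[0] > window:           # drop lookups older than the window
        q.popleft()
    if len(q) >= limit:
        return {"status": "try_later"}        # throttled; still no registration signal
    q.append(ts)
    return {"status": "if_registered_otp_sent"}

def flag_enumeration(log, distinct: int = 3, window: int = 3600) -> set:
    """Detection: devices that request OTPs for `distinct` or more different
    numbers within `window` seconds (one device probing many customers)."""
    by_device = defaultdict(list)
    for ts, device_id, mobile in sorted(log):
        by_device[device_id].append((ts, mobile))
    flagged = set()
    for device_id, events in by_device.items():
        for t0, _ in events:
            numbers = {m for t, m in events if t0 <= t <= t0 + window}
            if len(numbers) >= distinct:
                flagged.add(device_id)
                break
    return flagged
```

Run `flag_enumeration(OTP_LOG)` after a batch of requests to see which devices would be reported for review; the hardened reply is identical for registered and unregistered numbers.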
'Phishing cases stop'
The officer further added, "Every day, we at DB Marg police station, used to get at least two phishing cases related to BoB. But now it has stopped as we apprised BoB officials about the loophole. Their IT cell team visited our police station and rectified the issue. Now there is no phishing case related to BoB."
Bank of Baroda in its statement to mid-day said, "Bank of Baroda's Mobile Banking Application is highly secured with zero reported incident of unauthorised access. Customers are falling prey to social engineering attacks of tricksters/fraudsters and sharing personal credentials like PIN, OTP, Passwords, Debit Card details etc., which are essential banking details to perform a transaction. Our bank is continuously running campaigns to create awareness among the customers about these social engineering attacks and not to share their personal banking details with anyone."
Inspector (crime) Raja Bidkar told mid-day, "Mandal was trained by a man from Kolkata who is yet to be arrested. We are trying to find how they came to know about the loophole in the banking application. Our team including sub-inspectors Pradeep Patil and Rakesh Shinde and constable Suraj Dhaygude arrested Mandal."
02: Day in November when the accused Gunilal Bindeshwari Mandal was arrested