NIC-BANK’s improved Ebanking System subsequent to my Exposé

11 Nov

A couple on months ago (7 months actually) I wrote a post on the security flaws on the Ebanking portal that NIC bank uses,If you didn’t read it then feel free to click here>>. I had actually taken it down following issues it had raised. The blog got over 150K views (whey do you expect when Robert Alai gets their hand on it) and my phone went crazy for days after that.Needless to say there were accusations of hacking thrown my way, I was sternly  reminded of the new cyber  laws in Kenya had been amended and I was facing jail term if I was found guilty. Needless to say no one went to jail, and my exploit actually put them on the spot from concerned customers. Thats a synopsis basically and in no way what I wanted to talk about.


Lets talk 7 months later and what had changed. If you bank at NIC Bank ,and I encourage you to if you don’t, then you will have noticed they deactivated ALL old passwords they had issued or that had been generated by users. This was necessitated by the risk of someone else (key word someone else) having used the exploit to get usernames and passwords. NIC bank has now moved to a more secure username and OTP (one time password) combination. The vendor they chose was ActivID® an established IT solutions company. In a nut shell here is how their new security system works.

HID Global’s ActivID® soft tokens provide  strong authentication for remote users accessing corporate IT systems and consumers logging on to online services, without the need to distribute hardware tokens. You can use either the web,mobile or pc soft token generators. I will talk about the mobile one since I am a mobile guy after all. Mobile Soft Token – A user wishing to access the online banking portal, uses the Mobile Token App to generate a One-Time Password. The application can be PIN protected.

It is licensed per user, and licenses can be used across multiple personal mobile devices. Once you download the app on your phone customer service asks you for your licence that is generated the first time you launch the app and they use this to link to your account. Subsequently you simply launch the app, provide the pin you set to protect  the app and it immediately generates a One time Password, that expires in 60 seconds if not used or the lifetime of the login session to the online banking platform if used. The app works totally offline  and all the OTPs are internally generated so no fear of remote agents intercepting it.

2014-11-11 15.38.49


The Mobile Token App is available for all leading mobile devices including Apple® iPhone® and iPad®, Android™, BlackBerry®, and many other Java 2 Platform, Micro Edition (J2ME) -enabled devices.

That covers security on your end (username password combo), but what about the actual portal.Well that’s a tricky one. First because of the nature of a vended system. Patches are rarely awarded on need basis. Secondly the flaw I pointed out was a complete mis config that has since been corrected, thirdly the servlet is only as secure as you make it, if you get social engineered then too bad.

While this issues have been solved I still believe they would have listened to more of what I had to say. To begin with if indeed the data they served was compromised they they should have purged the entire username password combo provided, instead they only solved the issue of passwords. The problem with this is a keen to a naked woman only covering her boobies, the rest of her is available for your ocular pleasure. The same applies if I had a set of pswd and usernames and the pswds change without the usernames changing then am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the apps password and generating an OTP afterward, sitting on the data and joining all those IRC chats on the dark web and tor that list exploits on major brand software and the just cleverly generating the OTPs for your self etc

But I guess it works for now right, the system admins who caused the glich have since been fired maybe, Temenos has made their money on new modules T24 at NIC uses, muggles have a new app they can floss to their equity bank friends and feel all secure that they are savvy. I guess everyone is happy except me. I am not, I am still online daily looking at other poorly setup systems to advice. So in between grad school, code, subaru runs and this you know what i will be doing

Someone used to say: Wazi back to code, so I end it there.

Leave a comment

Posted by on November 11, 2014 in Uncategorized


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: