A Student Hacks a Remote Banking System at PHDays

5/24/2013

The security of banking systems became one of the key topics at Positive Hack Days III. Discussions, contests and hands-on labs on banking systems were held during the forum.

Anatoly "heartless" Katyushin, a student from the Samara State Aerospace University (Samara, Russia), hacked a remote banking system during the $natch competition and "stole" 4,995 rubles. The contest consisted of two rounds. In the first, participants were given virtual machine copies with vulnerable web services of the remote banking system (an analog of a real I-banking system). In the second round, the hackers needed to exploit the discovered vulnerabilities and steal as much money as possible.

Positive Technologies developed a test remote banking system, PHDays I-Bank, for the contest and included typical vulnerabilities in it.

The participants had one hour to exploit the security problems that were discovered during the first round of the contest and to transfer the money to their account. The system contained 20,000 rubles. The winner managed to "steal" only 4,995.

Asteros, the forum's partner, doubled the sum.

"It took about 4 hours to detect security problems in the system's image. Then we just needed to write a script to automate the vulnerability exploitation," Anatoly Katyushin said at the end of the contest.

Omar Ganiev (beched), a student of the Department of Mathematics at the Higher School of Economics, took second place, "stealing" 3,277 rubles.

"I didn't win last year because of a script error. But this time I managed to take second place," said Omar Ganiev.

Other participants didn't get a ruble from the PHDays iBank.