Photo: Nikita Popov/RBC
A Tinkoff Bank customer found a way to learn the balance of another customer's card from its card number alone. The bank acknowledged a "technological error" and announced the launch of a reward program for those who hunt down such bugs. A necessary condition for such cooperation with the bank is confidentiality, Tinkoff stresses.
A Tinkoff Bank customer published a post on Habrahabr (a resource for IT professionals) about a technical error at the bank which, according to the author, made it possible to determine the balance of someone else's account.
The error concerned card-to-card transfers (card2card): when the requested amount exceeded the funds on the card, the service displayed a message stating that funds were insufficient. As the screenshot published by the author confirms, this message appeared before the CVC (the security code on a bank card required for online authentication and transaction confirmation) had been entered. The author also claims that by repeatedly trying different amounts it was possible to determine the upper limit of the amount available for transfer, and thus to learn the card's balance.
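As an added example that is not from the article or the bank, here is detection logic for the pattern described above, run over constructed card2card log lines (the log format, field names and sample values are assumptions): it flags a client that probes one card with many different amounts, collects "insufficient funds" answers and never completes a transfer.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (the format is an assumption, not the bank's real log format):
# time, client IP, masked card being debited, requested amount in rubles, outcome shown.
SAMPLE_LOG = """\
2016-05-13T10:00:01 203.0.113.7 card=****1234 amount=50000 result=insufficient_funds
2016-05-13T10:00:09 203.0.113.7 card=****1234 amount=25000 result=cvc_requested
2016-05-13T10:00:15 203.0.113.7 card=****1234 amount=37500 result=insufficient_funds
2016-05-13T10:00:22 203.0.113.7 card=****1234 amount=31250 result=cvc_requested
2016-05-13T10:00:30 203.0.113.7 card=****1234 amount=34375 result=insufficient_funds
2016-05-13T10:00:38 203.0.113.7 card=****1234 amount=32812 result=cvc_requested
2016-05-13T11:30:00 198.51.100.4 card=****9876 amount=1500 result=insufficient_funds
2016-05-13T11:31:10 198.51.100.4 card=****9876 amount=1000 result=completed
"""
LINE_RE = re.compile(r"^(\S+) (\S+) card=(\S+) amount=(\d+) result=(\S+)$")

def parse_log(text):
    """Parse matching lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, card, amount, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "card": card,
                           "amount": int(amount), "result": result})
    return events

def find_balance_probing(events, window=timedelta(minutes=10), min_amounts=4):
    """Flag (client IP, card) pairs that tried many distinct amounts against one card
    inside the window, collected 'insufficient funds' answers and never completed a
    transfer: the signature of using that message as a balance oracle."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["ip"], e["card"])].append(e)
    alerts = []
    for (ip, card), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window starting at each event
            run = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            amounts = {e["amount"] for e in run}
            rejected = sum(e["result"] == "insufficient_funds" for e in run)
            completed = any(e["result"] == "completed" for e in run)
            if len(amounts) >= min_amounts and rejected >= 2 and not completed:
                alerts.append({"ip": ip, "card": card, "distinct_amounts": len(amounts),
                               "rejected": rejected})
                break  # one alert per pair is enough
    return alerts
```

Calling `find_balance_probing(parse_log(SAMPLE_LOG))` returns one alert for 203.0.113.7 against card ****1234 and leaves the second client, who completed a normal transfer, unflagged.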
The bank's press service confirmed that for a few days there "was a technical error", stressing that it posed no risk to clients' funds. "By entering the card number, one could only learn, by trying different amounts, whether there were enough funds on it to make a transaction; learning the exact balance of the card was impossible," the press service of the credit institution told RBC, noting that the "error" was fixed on Friday.
The card number is also confidential information, although not as important as the PIN or CVC, says Andrey Bazhin, director for information security at VTB Capital. The client himself is liable if he passes the card number to third parties, so when funds are to be deposited it is safer to give the account number rather than the card number, he said.
The customer's comments, however, forced the bank into a response. The credit organization announced that within a month it will launch a program of financial incentives for customers who find bugs and report them directly to the company rather than disclosing them publicly. Such programs are traditionally called bug bounties; tech companies such as Qiwi, VK and Mail.Ru, for example, run them.
Rewards will range from several thousand to several hundred thousand rubles and will depend on the type of service in which the error is found and on the severity of the error. "We will offer the best 'bug hunters' a job with us, so it is also a potential HR channel," Tinkoff said.