Critical vulnerability exposed in EBL's online banking platform: Customer data at risk

Staff Reporter

Publish: 27 Jun 2024, 10:53 AM

A major vulnerability has been found in the online banking system of Eastern Bank Limited (EBL), one of the country's leading banks.

This flaw could enable malicious individuals to gain unauthorized access to confidential customer data, including account details and bank statements, by simply knowing the account number and associated mobile phone number.

The root cause of this issue is an inadequate security measure in the site's one-time password (OTP) system.

For online banking, all banks employ OTPs, unique codes sent to users' phones or email addresses, to add an extra layer of security during transactions.

By asking users to provide this code, banks can confirm their identity and the validity of the transaction, effectively reducing the risk of unauthorized access, fraud, and identity theft.

SMS-based OTPs have become a standard security measure in the banking industry, with a global adoption rate of 93%, as revealed in a survey by the Mobile Ecosystem Forum.

This popularity stems from the simplicity and broad reach of SMS technology, which allows users to receive these verification codes directly on their mobile phones without needing additional apps or internet access.

Normally, OTPs are rigorously checked on the server side to prevent unauthorized access. In the EBL online banking system, however, the verification is mistakenly handled on the client side, in the front-end code of the website.

This means that anyone with basic technical knowledge could bypass the security mechanism using browser developer tools such as Chrome DevTools. [Step by step procedure is illustrated in an attached file]

Bangla Outlook has verified the flaw in the online banking system multiple times through multiple portals.

Mizanur Rahman, who has headed the IT departments of three different banks, told Bangla Outlook that this flaw poses a serious threat as it allows “unauthorized individuals to easily bypass the OTP security measure”, which is intended to “safeguard sensitive user information.”

“By making a minor code adjustment, they can deceive the system into granting access to private account details without needing the correct OTP. This oversight leaves users vulnerable and demands immediate action to avoid potential harm,” he said.

EBL, a leading financial institution in Bangladesh, holds the distinction of being the first Bangladeshi bank to receive a rating from Moody's.

Additionally, it has been recognized as the Best Bank of Bangladesh by London's prestigious The Banker publication on three separate occasions.