GTBank’s new, convenient mobile banking platform, 737, has a gaping security hole in it. No; the hole isn’t some line of code in the service or some missing encryption. The hole is so simple that it is odd that no-one at the bank noticed it. Let me explain.
When you dial *737# and select the option to transfer funds to another account, the only authentication required is that you enter the last 4 digits of your ATM card as PIN/password. Here is a screenshot:
The catch is that, if you happen to be robbed, chances are that the culprits will make away with both your phone and your wallet (which will contain your ATM card). Presto. They have instant access to move cash out of your account.
One doesn’t even have to be robbed by strangers. Anyone with malicious intent who has physical access to one’s person can easily empty one’s bank account.
What GTBank Needs To Do To Secure GTBank 737 Better
Why not require users to choose a unique 4-digit PIN for the service? That way, at least, unless you tell someone your PIN, they have no way of knowing it.
What You Can Do To Secure Your Phone
I cannot repeat it enough: in today’s world, a password on your phone is essential. If possible, set a PIN on your SIM card too, so that if it is removed from your phone and inserted into another phone, it will ask for that PIN and will not work on that phone without it. It is always a good idea to secure both your phone and your SIM card.
Here is a true life story (supposedly) of how someone had his bank account emptied as a result of this situation: Why GTBank Latest 737 Simple Mobile Banking is a Beautiful Nonsense – Uc Artt Ekwueme.
Note that while I cannot verify the story, the security risks are real anyway. GTBank needs to change that security feature that requires your ATM card’s last 4 digits for authentication.