
I want to share with the public some very suspicious observations about how the personal data of a depositor is handled at Sberbank Asset Management JSC. In short, when a new client has no e-mail box of their own, the address of an unrelated, "somebody else's" mail account is entered into the client's personal data. How serious this is is hard to say at the moment, but in information security it is clearly better to be over-cautious than under-cautious.
I duly notified the organization about the situation, but its representatives believe there is no problem. A more detailed description of what I found follows.
An acquaintance, a woman, asked me for advice on how to manage her pension savings so that inflation at least would not eat them up. This old-fashioned woman uses only Sberbank savings books; she categorically refuses to connect online banking or receive a plastic card, because she does not understand the new technology and fears losing control over her funds. It should be said that the latter fear is not unfounded: online access opens up the possibility of remote access to accounts (and the whole range of social-engineering attacks), whereas if a person has only savings books, then (according to official information) accounts in Sberbank can be managed only by appearing in person.
Although the woman in our story is worried about inflation, she also does not trust other banks or other financial organizations, especially those without state participation, so transferring her savings to another organization was rejected out of hand. After some thought, I suggested investing 40% of her savings in the Ilya Muromets Bond Fund mutual fund, as the most stable investment instrument offered by Sberbank, with the fewest tricky traps and confusing conditions. That is what we decided on. The money does not have to leave the organization, the stability of the instrument inspires a certain trust, management is transparent, and, again, it can be done without going online. That was the preamble.
And now the story itself. At the bank's office in our city, while filling out the questionnaire and the contract, the woman was asked for her data, including her e-mail address. She said she had no e-mail, because she still did not know how to use it. As a result, at signing we found the following document:
The important part is highlighted in red. To my question, "what is an unrelated e-mail address doing there?", the branch staff replied: "don't worry, this is just a stub for everyone who does not have an address". They tried to assure us that it means nothing. But what kind of stub is a valid e-mail address, net@mail.ru? Moreover, it is the existing address of a real account, on an external mail service not controlled by Sberbank's structures! It is also worth noting that this address is typed into the template form field of the bank's customer questionnaire, from which it can be concluded that it is stored in the same form in the bank's database. If we extrapolate the staff's words, this applies to all customers who do not have an address of their own.
A page on the My World social network is normally created automatically for every mailbox on the mail.ru servers. The net@mail.ru account was no exception:

So we have a situation where the information about a depositor/investor in Sberbank's systems, albeit in the form of a stub, contains the address of an outside person who has nothing to do with the real account holder. As long as the online account is not activated, I could not come up with an attack vector that would turn someone else's address into an exploitable issue. But intuition simply does not let me pass by such obvious negligence in handling credentials.
It cannot be exploited now, but what if something changes in the future and it becomes possible? What if the owner of that account decides to take advantage of the circumstances? What if that account is simply hacked?
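The post's core point is that a "no e-mail" stub was stored as a real, deliverable address on an external provider, and the same address was reused across every client without a mailbox. Below is an added example, not code from the post or from Sberbank, of the data-quality control a bank's security or data team could run over an export of client records to surface exactly this pattern: known stub values, one address shared by many distinct clients, and stubs that route to a provider the organization does not control. The record layout (`client_id`, `email`), the internal domain list (`bank.example`), the extra placeholder strings besides `net@mail.ru` and the sample records are all constructed assumptions.

```python
"""Audit client contact records for placeholder / shared e-mail addresses.

Added example (not the post's or the bank's own code). Assumptions:
record fields `client_id` and `email`; INTERNAL_DOMAINS are placeholder
domains standing in for whatever the organisation actually controls.
"""
import re
from collections import defaultdict

# net@mail.ru is the stub from the post; the other two are assumed
# examples of the same "no e-mail" convention.
KNOWN_PLACEHOLDERS = {"net@mail.ru", "none@mail.ru", "noemail@example.com"}

# Domains the organisation controls (placeholder values). A stub on an
# internal, non-routable domain is far less risky than one on an external
# provider, because nobody outside can read the internal mailbox.
INTERNAL_DOMAINS = {"bank.example", "bank-am.example"}

# Minimal syntactic check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# The same address on at least this many distinct clients counts as shared.
SHARED_THRESHOLD = 2


def audit_emails(records):
    """Return findings ({client_id, email, reasons}) for suspect e-mails.

    Reasons, in the order they are appended:
      known_placeholder - address is on the stub list
      shared            - address appears on >= SHARED_THRESHOLD clients
      malformed         - fails the syntactic check
      external_domain   - added only when another reason fired and the
                          domain is not internal (most genuine clients use
                          external providers, so alone it is not a finding)
    An empty e-mail is not a finding: "no address" should be stored as none.
    """
    clients_per_email = defaultdict(set)
    for rec in records:
        email = (rec.get("email") or "").strip().lower()
        if email:
            clients_per_email[email].add(rec["client_id"])

    findings = []
    for rec in records:
        raw = (rec.get("email") or "").strip()
        email = raw.lower()
        if not email:
            continue
        reasons = []
        if email in KNOWN_PLACEHOLDERS:
            reasons.append("known_placeholder")
        if len(clients_per_email[email]) >= SHARED_THRESHOLD:
            reasons.append("shared")
        if not EMAIL_RE.match(email):
            reasons.append("malformed")
        domain = email.rsplit("@", 1)[-1] if "@" in email else ""
        if reasons and domain and domain not in INTERNAL_DOMAINS:
            reasons.append("external_domain")
        if reasons:
            findings.append({"client_id": rec["client_id"], "email": raw, "reasons": reasons})
    return findings


def summarize(records):
    """Number of affected clients per suspect address (case-folded)."""
    counts = defaultdict(int)
    for f in audit_emails(records):
        counts[f["email"].lower()] += 1
    return dict(counts)


# Constructed sample export: three clients without e-mail all received the
# same stub, one has a genuine address, one has a malformed entry, one none.
SAMPLE_RECORDS = [
    {"client_id": "C001", "email": "net@mail.ru"},
    {"client_id": "C002", "email": "net@mail.ru"},
    {"client_id": "C003", "email": "NET@mail.ru"},
    {"client_id": "C004", "email": "ivanova@example.org"},
    {"client_id": "C005", "email": "no email"},
    {"client_id": "C006", "email": ""},
]

if __name__ == "__main__":
    for f in audit_emails(SAMPLE_RECORDS):
        print(f["client_id"], f["email"], ", ".join(f["reasons"]))
    print(summarize(SAMPLE_RECORDS))
```

On the sample export the three stub records are each flagged as a known placeholder that is shared and routable to an external domain, the malformed entry is reported on its own, and the genuine and empty addresses pass. Run against a real export, the `shared` rule alone would have caught the post's situation even if the particular stub string were not on the known list.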
Asking Sberbank technical support


From the main Sberbank site, at whose office the agreement was concluded, we were bounced over to Sberbank Asset Management JSC. Note that a contract in the office of one organization is drawn up by its employees in the interests of a different organization. Fine. We find the contacts, write a letter and get answers that contradict the documents in our hands:


The technical support representatives of Sberbank Asset Management believe we were "incorrectly informed". Yet the document in our hands shows that a stranger's data was typed into the questionnaire in the standard way!
Incidentally, contextual advertising for Sberbank Asset Management came across here, so we went to them with questions on the social network, where we got the following piece of the puzzle:

Now the employees believe that this is an "example of filling out" the questionnaire. But the questionnaire was filled out not by the bank's female client but by a competent bank employee. He was pointed to the potential problem, and the employee assured us that this was the normal order of things and not a problem.
Summing up and analyzing the collected information, I conclude that extraneous data could have got into the questionnaires of hundreds, if not thousands, of Sberbank clients, and these are precisely people who are not sufficiently knowledgeable in legal, financial or information matters but have significant cash savings. In other words, they are at risk.
Habr, of course, is not a complaints book, and I don't want to deal here with a single bank employee. After all, the problem is much more global. The point of this post is to warn people about a potential threat to their material well-being. Yes, it poses no real danger yet, but sometimes it is exactly these flaws that later become a time bomb. After all, documents relating to money and financial instruments should not contain a single byte of extraneous information!
I hope this write-up will encourage other investors to check their financial documents once more, and the management of Sberbank's structures to review the scripts and instructions of the operators in the branches. By the way, in Sberbank's place, it would also be nice to do something by way of compensation for the "victims", and a bug bounty would not be superfluous either.
UPD: User Joyz reported an almost identical situation with Alfa Bank.
UPD 2: 31 hours after the last message on the social network, Sberbank suddenly did proceed to the following actions:
