Suramya's Blog : Welcome to my crazy life…

July 6, 2017

Dear HDFC Bank: Please stop making life easier for phishers

Filed under: Computer Security,My Thoughts,Tech Related — Suramya @ 11:32 PM

I recently had to create an HDFC account because I changed firms and needed one in order to be paid 🙂 . Once I created the account I got a few SMS messages from AM-HDFCBK asking me to register online for Netbanking and Mobile Banking, which is quite normal (though the number of messages was a bit annoying). What was scary and concerning was that the link in the message was a generic bit.ly URL. (See screenshot below)

(Screenshot of the HDFC messages I got)

For those who don't know, bit.ly is a URL shortening service that lets you create a short URL that redirects to a different URL. e.g. I have configured http://bit.ly/1MUISmu to redirect to https://en.wikipedia.org/wiki/Phishing. The service is most commonly used on Twitter, where the number of characters per message is limited and URLs tend to be long.

However, since anyone can create a bit.ly redirect, there is no way of verifying that the link I got in the SMS was actually created by HDFC and points to a legitimate site rather than a website controlled by a cyber criminal who is out to steal my data. The link can point to literally any website the sender wants, including sites that are copies of the legitimate HDFC bank site but in reality harvest your credentials so that people can steal your money, or sites that infect your system with a virus/ransomware.
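As an added illustration (not code from the original post), here is a small Python checker that expands a shortened link hop by hop with HEAD requests that refuse to auto-follow, and then reports whether the final host is the bank's official domain or a subdomain of it, matched on label boundaries so that lookalikes such as `hdfcbank.com.something.example` fail. The allowlist, the hostnames and the sample redirect chain are constructed assumptions; confirm the real domain on the bank's own site before relying on it.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumed allowlist of the bank's official domain (constructed; verify it yourself).
TRUSTED_DOMAINS = ("hdfcbank.com",)


def fetch_location(url, timeout=10):
    """HEAD the URL without following redirects; return its Location header, or None for a final page."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow the hop ourselves

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once auto-follow is disabled
        return err.headers.get("Location")


def expand(url, fetch=fetch_location, max_hops=5):
    """Walk the redirect chain; return (urls visited, True if the chain ended within max_hops)."""
    chain, resolved = [url], False
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if not nxt:
            resolved = True
            break
        chain.append(urljoin(chain[-1], nxt))  # Location may be relative
    return chain, resolved


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only for https and a host that is a trusted domain or a subdomain of one."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme != "https":
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess(short_url, fetch=fetch_location):
    """Expand a short link and say whether its final destination is on the bank's own domain."""
    chain, resolved = expand(short_url, fetch)
    final = chain[-1]
    return {"chain": chain, "final": final, "resolved": resolved,
            "trusted": resolved and host_is_trusted(final)}
```

Passing a different `fetch` callable lets you run it offline against a captured redirect chain, as the tests do; with the default it makes live HEAD requests.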

There is a reason why computer security professionals tell people not to click on random links they get via email/SMS/WhatsApp.

If you think that since the sender of the SMS is ‘AM-HDFCBK’ the message is legitimate and thus safe to click, then think again. There are a ton of websites out there that allow you to spoof SMS sender details to anything you want at a cheap price. In fact, you can also code your own software to do this in bulk using publicly available APIs at ridiculously cheap prices. These are sites I found after a couple of minutes of searching on Google; I am sure there are more secure/untraceable methods of sending fake/spoofed SMS messages on the dark web. So the risk of clicking on unknown links that I got out of nowhere is not worth it.

Normally, what companies do in similar scenarios, if they absolutely have to use a shortener, is buy a short domain name and use that, so people getting the messages can identify the link as something pointing to the official site. But I guess someone at HDFC is trying to save money by not registering a new domain that would protect their customers. *Shrug*.

Ah well, looks like I will need to go to their official site and register my account from there.

Well this is all for now. Will write more later.

– Suramya

1 Comment »

  1. I have reached out to HDFC about this issue. Will update once I hear back from them.

    – Suramya

    Comment by Suramya — July 11, 2017 @ 10:45 AM
