Capitec has vulnerabilities in their online banking app.

Codna (New Member, joined Oct 28, 2022):
If you can phish the username and remote PIN on the Capitec online banking website, you can use those details to log in on the Capitec online banking Android APK. It will ask for biometric authentication via a selfie after you have used the victim's username and remote PIN. You use the victim's photo to bypass the selfie (it was successful once for me). You can get the photo from the victim's Facebook. Then you do a SIM swap with the user's cellphone number to receive the verification message from Capitec. You have successfully logged in to the user's account.
 
The attempt will have to be super quick, as the phished remote PIN is valid for something like 30 seconds.

(I don't use the app, so I would not know the details around the app.)

It's not like the FNB app seems more secure; they just have to phish some details too and do a SIM swap. In fact it seems even less secure now that I think about it, since I do not recall a PIN.

So what is the point of the thread? Phished people will likely be victims? DUH!
 
Yes, if you have been phished, the chances are high that they might successfully log in to your account. And the remote PIN is not 30 minutes. I use the app and the remote PIN is your actual PIN to log in.
 

The remote PIN generated by my dongle changes something like every 30 seconds (not that I have measured it). How long is it then?
 
The remote PIN is like your password; it won't change unless you change it.
 

In order to add a verified device for FNB you'll need the username, SMS PIN, card number and PIN, and password.
 
Capitec uses 2FA, so either you need the cellphone app installed, which is tied to your phone (requires a branch visit to change), or you have the physical token generator, which is a hardware 2FA device.

Not sure how SIM swaps play into this. Or do they allow some kind of non-2FA logins too? I've never had non-2FA options on my Capitec account.
I also don't recall them using SMS codes, but I guess if you were n00b enough to opt into that over one of the above methods then you could be more vulnerable.
 