Last week the TecMundo website brought an article presenting a possible exposure of all the data imaginable of Banco Inter account holders. In the episode, fintech issued a note denying the leak, but this novel does not seem to be over yet.
This is because a Twitter user is disclosing to their account and through Reddit that they have gained access to the private encryption keys of the bank. There is even a program that theoretically promotes the validation of this information, available in the GitHub directory.
Uma fonte me entregou uma das chaves privadas e públicas do @Bancointer. Isso faz com que terceiros sejam capazes de imitar com cadeado verde o sites do banco bem como descriptografar dados entre o banco e os correntistas via Wi-Fi e internet, o que é gravíssimo.
— Ayub (@ayubio) May 9, 2018
In theory, access to this private certificate would make it possible for an illegitimate site to be trusted, which would facilitate a phishing scam, which generally seeks to trick consumers into typing their credentials on fake sites. This is because the certificate would give the famous green security lock HTTPS the guarantee of the veracity of that identity that is actually being falsified.
In the forums that are debating the issue, it is already known that Banco Inter exchanged its certificates – until then issued by GoDaddy – by DigiCert documents. The problem, apparently – if the user is indeed in possession of such sensitive data – would be to not revoke the old credential after this migration.
Other discussions on the subject raise the possibility that the hacker who brought the first leak surfaced to have used those keys to get the amount of sensitive information he got.
If he had this key, for example, he could have used a public network where he knows there is great use by account holders of the institution to intercept communication. Thus, Inter Bank would not be wrong to say that there was no (at least direct) invasion of its systems.
The Public Ministry of the Federal District is charging Banco Inter an answer about the episode.
The curious thing is that the judiciary also appears to have possession of sensitive documents from the bank’s clients. Proof of this would be the image of a check different from the one that was disclosed by TecMundo, showing that this data may be in the hands of more people and organizations.
And you: Do you believe there was a leak? Are you an Inter-Bank customer? Let your opinion down here!