The Secure Access implementation only requires the user to enter his Customer ID (the fixed user name for HDFC Bank NetBanking users). The system then checks at the backend whether that user is registered for Secure Access or NetBanking; if the user is not a registered or valid user, the Customer ID is asked for again. But if the Customer ID is found to be correct and registered, the user is taken to the second step, shown the Secure Access image and text he selected, and asked to enter his password.
HDFC Phishing Mobile App using our database of secure Access images and Text
(The Customer ID and the customer's personalized image and text in the above screenshots have been hidden for security.)
As we were providing valid Customer IDs, when asked for the IPIN/Password we entered it incorrectly 5 times, which resulted in those customers being blocked from NetBanking. We used a chain proxy to bypass time and sequence checks but were surprised to find out that the HDFC site had NONE, and we were able to easily block several user accounts.
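The two behaviours described above, the step-1 check that reveals whether a Customer ID exists and the lockout after 5 wrong passwords with no per-source throttling, both leave a distinctive trace in the bank's own login logs. The following detector is an added example written for this post, not HDFC's code or anything from the original write-up: the log format, the source addresses, the customer IDs and the thresholds (5 distinct IDs probed, 2 accounts locked) are all constructed assumptions. It summarises login events per source address and flags sources that probe many Customer IDs at step 1 or drive several accounts into lockout.

```python
"""Detect Customer-ID enumeration and forced-lockout abuse of a two-step login
from application logs.  Log format, addresses, IDs and thresholds below are
constructed for this example; they are not HDFC's values."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of application-side login events (not real data).
# step=1 is the Customer-ID check, step=2 is the password check after the
# Secure Access image has been shown.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=198.51.100.7 step=1 cust=C1001 result=id_ok
2024-01-01T10:00:02 src=198.51.100.7 step=1 cust=C1002 result=id_ok
2024-01-01T10:00:03 src=198.51.100.7 step=1 cust=C1003 result=id_unknown
2024-01-01T10:00:04 src=198.51.100.7 step=1 cust=C1004 result=id_ok
2024-01-01T10:00:05 src=198.51.100.7 step=1 cust=C1005 result=id_unknown
2024-01-01T10:00:06 src=198.51.100.7 step=1 cust=C1006 result=id_ok
2024-01-01T10:00:10 src=198.51.100.7 step=2 cust=C1001 result=pw_fail
2024-01-01T10:00:11 src=198.51.100.7 step=2 cust=C1001 result=pw_fail
2024-01-01T10:00:12 src=198.51.100.7 step=2 cust=C1001 result=pw_fail
2024-01-01T10:00:13 src=198.51.100.7 step=2 cust=C1001 result=pw_fail
2024-01-01T10:00:14 src=198.51.100.7 step=2 cust=C1001 result=locked
2024-01-01T10:00:20 src=198.51.100.7 step=2 cust=C1002 result=pw_fail
2024-01-01T10:00:21 src=198.51.100.7 step=2 cust=C1002 result=pw_fail
2024-01-01T10:00:22 src=198.51.100.7 step=2 cust=C1002 result=pw_fail
2024-01-01T10:00:23 src=198.51.100.7 step=2 cust=C1002 result=pw_fail
2024-01-01T10:00:24 src=198.51.100.7 step=2 cust=C1002 result=locked
2024-01-01T10:05:00 src=203.0.113.5 step=1 cust=C2001 result=id_ok
2024-01-01T10:05:09 src=203.0.113.5 step=2 cust=C2001 result=pw_ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) step=(?P<step>[12]) "
    r"cust=(?P<cust>\S+) result=(?P<result>\S+)$"
)


@dataclass
class SourceStats:
    step1_ids: set = field(default_factory=set)  # distinct Customer IDs submitted at step 1
    unknown_ids: int = 0                          # step-1 replies that revealed "no such customer"
    locked_ids: set = field(default_factory=set)  # accounts this source drove into lockout


def parse_log(text):
    """Turn each well-formed log line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate events per source address."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        if e["step"] == "1":
            s.step1_ids.add(e["cust"])
            if e["result"] == "id_unknown":
                s.unknown_ids += 1
        elif e["result"] == "locked":
            s.locked_ids.add(e["cust"])
    return dict(stats)


def flag_sources(stats, enum_threshold=5, lockout_threshold=2):
    """Return {src: [reasons]} for sources whose behaviour looks like
    ID enumeration or deliberate lockout of other customers' accounts.
    Thresholds are assumptions and should be tuned to real traffic."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if len(s.step1_ids) >= enum_threshold:
            reasons.append(
                f"enumeration: {len(s.step1_ids)} distinct IDs at step 1 "
                f"({s.unknown_ids} unknown)"
            )
        if len(s.locked_ids) >= lockout_threshold:
            reasons.append(f"lockout abuse: {len(s.locked_ids)} accounts locked")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(summarize(parse_log(SAMPLE_LOG))).items():
        print(src, "->", "; ".join(reasons))
```

The per-source counters this detector keeps are also the minimum input for the time and sequence checks the post says the site lacked: a login front end that tracks failures per source can throttle or challenge that source after a handful of unknown IDs or wrong passwords, instead of letting a single client walk through valid IDs and lock each account it reaches.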