February 10, 2017, Posted by: Admin


Bug in ICICI Bank Software sends SMS saying payment is received in the future

I have had an ICICI credit card since 1999. I use the card heavily but usually pay the whole amount due by the deadline, which in my case is the 20th of every month. This time too I made the payment using Pay by Click after going to the icicibank.com site, through a net banking transfer via Axis Bank, where I have my bank accounts. Usually, the payment reaches ICICI Bank in one or two days. Imagine my surprise when on the 21st I received the following SMS (and also a similarly worded email) from ICICI Bank. (See the second SMS in the screenshot below.)

The figure above shows the SMS (second in the screenshot) with some sensitive parts redacted. The SMS is clearly timed (received) on the 21st at 20.50 (8.50 pm) and states that the payment is received on the 22nd.

I was flabbergasted. What the heck is this? How can someone receive money the next day and send me an SMS / email on the previous day saying that the money is received the next day?

This is surely a bug. Is this a security bug where the clock is skewed? Given the time being 8.50 pm, it is possible that in Australia or somewhere in the eastern parts of the world it would already have been the 22nd, and it is possible that the message is coming from a different time zone.

Or is this deliberate? Is ICICI deliberately claiming it received the money late so as to charge interest and a fine? Is this some sort of financial scam? It assumes importance because my deadline for payment was the 20th. However, it is unlikely, because in that case, if done properly, the SMS should have come on the 22nd. But then, could it be a financial scam gone wrong?

Finally, my hacker mind couldn't help asking the question: is this a security bug that can be exploited in some way?

Well, how could it be exploited? Perhaps if there are other SMSes concerning other transfers which are also wrongly timed? Obviously, I wouldn't be the only person who paid by the above method at that time. There could be hundreds or possibly thousands. If you are one of those affected, please email me at info@thesecurityblog.in. Also, there could be other types of bank transfers, not just those related to credit card payments. I am not a banker, but 3 hours of interest on millions of rupees/dollars could be significant. That is, ICICI has already recorded that it received the money on the 22nd. Could one, in some way, use that money for the three hours before the clock turns to the 22nd?

I wrote to ICICI at the highest level. Their response was swift, and kudos to them for that. After three days of investigation, they came up with this response. Only relevant snippets of their email are included here.

"As per our discussion today, we wish to inform you that a payment made through Click-to-Pay takes (T + 2) working days to reflect in your credit card account. T-being the transaction day. Again, we wish to inform you that, Click-to-Pay is an online payment mode involving a third party vendor due to which your money gets debited instantly and after the processing time, it reflects on your credit card.

Further, we wish to inform you that the payment of Rs. 20,000.00 was received by us on January 20, 2017. However, there will be no payment settlement done on Saturday (being a non-working day). Hence it is updated on the next day, i.e. January 22, 2017. Accordingly, the payment receipt alert was triggered on your registered mobile on January 21, 2017 with the settlement date of January 22, 2017.

22/01/2017 20/01/2017 CLICK TO PAY PAYMENT RECEIVED 20,000.00 CR

We also thank you for your valuable suggestion to display the correct payment date in sms alerts.

We really appreciate your time and effort for writing to us with your valuable feedback. We have referred your feedback to our concerned team to check the feasibility of implementing your feedback."

Also, now I have received the latest credit card statement, and there are no late fees or interest charged for delayed payment.

While at one level the response looks reasonable, more questions appear. Today, for instance, is Friday, so if I pay my next bill today, would the same error be repeated? In the case of credit card payment, the deadline is the 20th. This means I can go to any ICICI Bank site and pay until midnight on the 20th to meet the deadline. Are there other products, such as loans, where the deadline is the day the amount must reach ICICI and not the day it is paid? For instance, if the deadline for the payment reaching ICICI falls on a Saturday in a particular month, would ICICI charge a penalty if the payment reaches them on that Saturday, since they take the payment only on a working day? Finally, what happens to the money for a day? Who gets the interest? If the amount is significant, say Rs. 5 crore, a day's interest would be significant. Further, I can't believe that in this day and age of 24*7 banking, applications are only run on a working day. They ought to be running 24*7. Something is still unclear here.
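As an added illustration (not code from the original post), this is the kind of consumer-side check the discrepancy above calls for: parse the date an alert claims the payment was received, compare it with the moment the alert actually arrived, and flag alerts dated in the future. The SMS texts, their receipt times and the DD-MM-YYYY date format are all constructed for this example, modelled on the figures in the post; the 20 January 2017 payment, 21 January 20:50 alert and 22 January stated date come from the post itself.

```python
from datetime import date, datetime
import re

# Constructed sample alerts: (time the SMS arrived on the phone, SMS text).
# The first mirrors the post: alert received 21 Jan 2017 at 20:50, stating 22 Jan.
SAMPLE_ALERTS = [
    (datetime(2017, 1, 21, 20, 50),
     "Payment of Rs. 20,000.00 received on 22-01-2017 towards your credit card"),
    (datetime(2017, 1, 23, 9, 15),
     "Payment of Rs. 1,500.00 received on 23-01-2017 towards your credit card"),
    (datetime(2017, 1, 24, 11, 0),
     "Your statement is ready. Please pay by the due date."),   # no date at all
]

# Assumed alert wording: the claimed receipt date appears as DD-MM-YYYY.
DATE_RE = re.compile(r"\b(\d{2})-(\d{2})-(\d{4})\b")


def stated_date(sms_text):
    """Return the date the alert claims the payment was received on, or None."""
    m = DATE_RE.search(sms_text)
    if not m:
        return None
    day, month, year = (int(x) for x in m.groups())
    try:
        return date(year, month, day)
    except ValueError:        # e.g. 31-02-2017: malformed alert, treat as no date
        return None


def is_future_dated(received_at, sms_text):
    """True when the alert claims a receipt date later than the day it arrived."""
    claimed = stated_date(sms_text)
    return claimed is not None and claimed > received_at.date()


def weekday_name(d):
    """Human-readable weekday, useful when an alert cites a 'working day' rule."""
    return d.strftime("%A")


def audit(alerts):
    """List (arrival time, claimed date, weekday of claimed date) for suspect alerts."""
    findings = []
    for received_at, text in alerts:
        if is_future_dated(received_at, text):
            claimed = stated_date(text)
            findings.append((received_at.isoformat(), claimed.isoformat(),
                             weekday_name(claimed)))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_ALERTS):
        print("future-dated alert:", row)
```

Run on the sample data, the audit reports only the first alert, and the weekday column shows that the stated settlement date of 22 January 2017 was a Sunday, which is worth checking against any "working day" explanation.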

Finally, is this also the case with other products of ICICI and with other banks? Today, a vendor such as a software company like TCS writes applications for many banks, not just one, and so a bug usually gets replicated in all of them. So, would other banks have the same bug? And is this part of some custom code, or part of a standard product such as iFlex or Finacle?

Too many questions indeed without answers.

In any case, it is high time we consumers in this country were alert about every SMS and email we receive from banks. If you have experienced something similar, please report it to info@thesecurityblog.in, and if it is interesting enough, I could even publish your story in one of the subsequent blogs. Also, I request you not to delete your SMSes, especially if you are an ICICI Bank credit card holder. I may soon have some software for you that could automatically check for such bugs. You can subscribe to this blog (the right side of the page has a subscribe button) if you want to be alerted when there is a new post or anything else on this blog.


Copyright © 2017 Teknotrends Software Pvt Ltd. All rights reserved.