
How to not write code for banks

While surfing the interwebs, I stumbled upon a company that has been providing a lot of applications to Malaysian local banks (hereinafter referred to as Vendor ABC).

So, me being me, with a lot of curiosity.. I started poking around the demo site provided by Vendor ABC. After some time, I found one very interesting thing..

This application has an XML-RPC web service that exposes a few methods to the client. The code:

So basically, this XML-RPC web service exposes three methods: query, insertcall and updatecall. From the names alone, everyone can guess what these methods actually do.. lol

The query method code:

All of these exposed XML-RPC methods can be accessed without any authentication.. Hahaha
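To make the finding concrete, here is an added example (my own code, not the vendor's and not from the original post) that models an XML-RPC endpoint exposing methods named query, insertcall and updatecall, first with no authentication at all and then with a minimal fix that rejects requests lacking a shared secret. Only the three method names come from the post; the method bodies, the in-memory data, the `X-Api-Token` header and the `SECRET` value are assumptions for this demo. The `probe` function is what an outside tester does against a demo site: enumerate the methods through `system.listMethods` and then try to read and write without credentials.

```python
import threading
from xmlrpc.client import Fault, ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Stand-in shared secret for the hardened variant (assumption: the post only
# says the vendor has no authentication, not what it should use).
SECRET = "change-me-this-is-a-demo-token"


def build_methods():
    """Three methods with the names the post reports. Their bodies are
    constructed here over an in-memory dict; the vendor's real code is not
    on the page."""
    calls = {1: {"customer": "alice", "note": "initial call"}}

    def query(call_id):
        return calls.get(int(call_id))

    def insertcall(customer, note):
        new_id = max(calls) + 1 if calls else 1
        calls[new_id] = {"customer": customer, "note": note}
        return new_id

    def updatecall(call_id, note):
        row = calls.get(int(call_id))
        if row is None:
            raise Fault(404, "no such call")
        row["note"] = note
        return True

    return {"query": query, "insertcall": insertcall, "updatecall": updatecall}


class OpenHandler(SimpleXMLRPCRequestHandler):
    """Models the finding: the endpoint answers anyone who can reach it."""
    rpc_paths = ("/RPC2",)


class TokenHandler(SimpleXMLRPCRequestHandler):
    """Minimal fix: refuse the HTTP request before any method is dispatched
    unless it carries the shared secret. A real deployment would add TLS and
    proper per-user credentials; the header name is a demo assumption."""
    rpc_paths = ("/RPC2",)

    def do_POST(self):
        if self.headers.get("X-Api-Token") != SECRET:
            # Drain the request body so the client reads a clean 401, not a reset.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_POST()


def start_server(handler):
    """Start a server on a random loopback port; returns (server, url)."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=handler,
                                logRequests=False, allow_none=True)
    server.register_introspection_functions()  # enables system.listMethods
    for name, fn in build_methods().items():
        server.register_function(fn, name)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}/RPC2"


def probe(url, token=None):
    """Enumerate the exposed methods, then try to read and write. Returns
    'open' with the results if the calls went through, 'rejected' with the
    HTTP status if the server refused them."""
    headers = [("X-Api-Token", token)] if token else ()
    proxy = ServerProxy(url, headers=headers, allow_none=True)
    try:
        methods = [m for m in proxy.system.listMethods()
                   if not m.startswith("system.")]
        record = proxy.query(1)
        new_id = proxy.insertcall("mallory", "inserted without auth")
        proxy.updatecall(1, "tampered")
        return {"status": "open", "methods": methods,
                "record": record, "inserted_id": new_id}
    except ProtocolError as err:
        return {"status": "rejected", "http_code": err.errcode}


def demo():
    """Run the probe, anonymously and with the token, against both variants."""
    results = {}
    for label, handler in (("open", OpenHandler), ("protected", TokenHandler)):
        server, url = start_server(handler)
        try:
            results[label] = {"anonymous": probe(url),
                              "with_token": probe(url, SECRET)}
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Against the open variant the anonymous probe lists all three methods, reads record 1, inserts a new record and overwrites an existing one, which is exactly what an unauthenticated endpoint lets a stranger do. Against the protected variant the same probe gets a 401 before any method runs, while the probe that sends the token behaves as before.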

CRYPT_IV and CRYPT_KEY

A quick Google search reveals that, out of the 8 banks, only more than two but fewer than four don't use this application.

[image: list-of-banks]

List Source: http://www.bnm.gov.my/index.php?ch=li&cat=banking&type=CB&sort=lf&order=desc

Ok Bye.