A Tinkoff client forced the Bank to start paying for finding bugs


One of Tinkoff Bank's customers published a post on Habrahabr (a resource for IT professionals) about a technical mistake by the Bank which, according to the author, made it possible to find out the balance of another person's account.

The nature of the error is as follows: when transferring funds from card to card (card2card), if the amount on the card is insufficient for the transaction, a message is displayed stating that funds are insufficient. As the screenshot published by the author of the post confirms, this message appeared before the CVC was entered (the security code on a bank card required for online authentication and transaction confirmation). The author also claims that by repeated trials it was possible to determine the upper limit of the amount available for transfer, and thus to check the card's balance.
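As an added illustration, not code from the article or from the Bank, the ordering problem the post describes in a toy card2card handler with constructed card data: the flawed version answers with a balance-dependent message before the CVC is checked, while the fixed version authenticates first and keeps every pre-authentication reply identical. The card number, balance, CVC and message strings are all assumed sample values.

```python
"""Added example (not from the article): the check ordering that leaks a balance.

Two toy card2card handlers plus a regression check a defender would keep in a
test suite. All card data and message strings are constructed, not the Bank's.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a single card whose balance a stranger could probe.
CARDS = {"4000000000000002": {"balance": 15_000, "cvc": "123"}}


@dataclass(frozen=True)
class Response:
    ok: bool
    message: str


def transfer_leaky(card: str, amount: int, cvc: Optional[str]) -> Response:
    """Mirrors the described flaw: funds are checked before the CVC is asked for."""
    acct = CARDS.get(card)
    if acct is None:
        return Response(False, "card not found")
    if acct["balance"] < amount:  # balance-dependent reply with no authentication
        return Response(False, "insufficient funds")
    if cvc is None:
        return Response(False, "enter CVC")
    if cvc != acct["cvc"]:
        return Response(False, "declined")
    return Response(True, "ok")


def transfer_fixed(card: str, amount: int, cvc: Optional[str]) -> Response:
    """Hardened form: prove possession of the card (CVC) before any balance
    lookup, and give one uniform reply for every unauthenticated request."""
    acct = CARDS.get(card)
    if cvc is None or acct is None or cvc != acct["cvc"]:
        return Response(False, "declined")  # same text: unknown card, missing or wrong CVC
    if acct["balance"] < amount:
        return Response(False, "insufficient funds")  # only the card holder sees this
    return Response(True, "ok")


def leaks_balance(handler, card: str, probes=(1, 100_000)) -> bool:
    """Regression check: do two unauthenticated requests that differ only in the
    amount get different replies? If so, the endpoint is a balance oracle."""
    replies = {handler(card, amt, None).message for amt in probes}
    return len(replies) > 1
```

Rate limiting of unauthenticated transfer attempts is a separate control and does not replace fixing the check order.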

The Bank's press service confirmed that for a few days there "was a technical mistake", stressing that it posed no risk to clients' funds. "By entering a card number, you could only learn by trial whether it held enough funds to make a transaction; it was impossible to learn the exact balance of the card," the press service of the credit institution said, noting that the "error" was eliminated on Friday.

A card number is also confidential information, although not as important as the PIN or CVC, says Andrey Bazhin, Director for Information Security at VTB Capital. The client is responsible if they pass the card number to third parties, so when depositing funds it is safer to transfer to the account number rather than to the card, he said.

The client's comments, however, forced the Bank to respond. The credit organization announced that within a month it will launch a program of financial incentives for customers who find bugs and report them directly to the company instead of making such information public. Such programs are traditionally called Bug Bounty programs; tech companies such as Qiwi, VK and Mail.Ru run them, for example.

Rewards will range from several thousand to several hundred thousand rubles and will depend on the type of service in which an error is detected and on the criticality of the error. "We will offer the best 'bug hunters' a job with us, so it is also a potential HR channel," Tinkoff said.