Monday, November 28, 2022

Discount Bank fake security protection.

HSBC

My previous bank, HSBC, handled security pretty well. Each time a new document was issued, I received an email notification — a straightforward and effective approach.

Discount Bank

Living close to a Discount Bank branch with low customer traffic, I decided to give them a try. At Discount Bank, most documents are conveniently sent via email, which suits my preference for minimal bank account logins. However, there's a catch: each bank email contains a password-protected PDF file. To access it, I must unlock the PDF using a code sent via SMS. This extra verification step makes me miss the simplicity of website logins.

What the Bank Expects You to Do

  1. Download the PDF from your email.
  2. Click a link to request an unlock code.
  3. Wait for the SMS with the code.
  4. Use the code to unlock and save the PDF to your private storage.

This process is required for every PDF you receive. Eventually, the bank may even stop sending the codes, prompting you to call customer service and potentially incur charges.

What You Should Probably Do

Instead of following the tedious official process, you could brute-force the six-digit PDF password in just a few seconds.

To handle a whole batch of statements, automate the brute force with a script:

  1. Create a working directory named bank.
  2. Inside bank, create two subdirectories: protected and open.
  3. Move all encrypted PDFs into the protected folder.
  4. Install the two dependencies, pdfcrack and qpdf.
  5. Execute the following script within the bank directory:
#!/bin/sh
# Decrypt every protected/*.pdf into open/. Passwords already recovered
# (kept in prev_pass.txt) are tried first; otherwise the six-digit keyspace
# is exhausted with pdfcrack and the PDF is rewritten unencrypted with qpdf.
RED=$(printf '\033[31m')
GREEN=$(printf '\033[32m')
YELLOW=$(printf '\033[33m')
NC=$(printf '\033[0m')

# Count files, not lines: "echo ... | wc -l" always reports 1.
TOTAL=$(ls protected/*.pdf 2>/dev/null | wc -l)
CNT=0

# pdfcrack reports "found user-password: 'NNNNNN'"; extract the quoted value.
pass_from() {
  grep 'found user-password' "$1" 2>/dev/null | cut -d\' -f2
}

mkdir -p open
# Seed the wordlist with every password recovered in earlier runs.
cat protected/*.pass 2>/dev/null | grep 'found user-password' | cut -d\' -f2 | sort -u > prev_pass.txt

for SRC in protected/*.pdf
do
  [ -e "$SRC" ] || continue   # no PDFs at all: the glob stays literal
  FN=$(basename "$SRC")
  DEST="open/$FN"
  CNT=$((CNT + 1))
  if [ -f "$DEST" ]; then
    printf '%s%s%s %s%s/%s%s previously done\n' "$GREEN" "$FN" "$NC" "$YELLOW" "$CNT" "$TOTAL" "$NC"
    continue
  fi
  printf '\nProcessing %s%s%s %s%s/%s%s\n' "$GREEN" "$FN" "$NC" "$YELLOW" "$CNT" "$TOTAL" "$NC"
  PASS=$(pass_from "${SRC}.pass")
  # Cheap first pass: a code seen before may have been reused.
  if [ -z "$PASS" ] && [ -s prev_pass.txt ]; then
    pdfcrack -w prev_pass.txt "$SRC" > "${SRC}.pass"
    PASS=$(pass_from "${SRC}.pass")
  fi
  # Full search: every six-digit string, 10^6 candidates.
  if [ -z "$PASS" ]; then
    pdfcrack -c 0123456789 -n 6 -m 6 "$SRC" > "${SRC}.pass"
    PASS=$(pass_from "${SRC}.pass")
    [ -n "$PASS" ] && echo "$PASS" >> prev_pass.txt
  fi
  if [ -z "$PASS" ]; then
    printf '%s%s%s: no six-digit password found, skipping\n' "$RED" "$FN" "$NC"
    continue
  fi
  printf '%s%s%s PASS is %s%s%s\n' "$GREEN" "$FN" "$NC" "$RED" "$PASS" "$NC"
  qpdf --password="$PASS" --decrypt "$SRC" "$DEST"
done

This script provides a streamlined and color-coded process, reducing the hassle to about a minute per year's worth of protected documents on a regular computer.

Note

Remember: a PDF protected with a digit-only password does not offer real security. Six digits is only one million candidates, which pdfcrack exhausts in seconds, and the SMS step adds nothing once the file itself can be opened offline.
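To show why the brute force above and the note on digit-only passwords hold, here is an added example, not code from the original post, that implements the password check pdfcrack performs against the PDF standard security handler (revision 2, 40-bit RC4: Algorithms 2, 3 and 4 of the PDF 1.x specification) and then walks the six-digit keyspace against it. The trailer values (document ID, /P flags, owner and user passwords) are constructed inside the script; the user password is deliberately low ("004217") so that pure Python finishes instantly, while a C tool such as pdfcrack runs the full million in seconds. Newer files use AES (revisions 4 to 6) but the shape of the check, and therefore of the attack, is the same.

```python
import hashlib
import struct
import time

# Padding string from the PDF specification (Algorithm 2, step 1).
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
    0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
    0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the only cipher revision 2 uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw: bytes) -> bytes:
    """Truncate or pad the password to exactly 32 bytes."""
    return (pw + PAD)[:32]


def compute_key_r2(user_pw: bytes, o_entry: bytes, p_value: int, doc_id: bytes) -> bytes:
    """Algorithm 2: 5-byte file key from user password, /O, /P and /ID[0]."""
    h = hashlib.md5()
    h.update(pad_password(user_pw))
    h.update(o_entry)
    h.update(struct.pack("<i", p_value))  # /P as signed 32-bit little-endian
    h.update(doc_id)
    return h.digest()[:5]


def compute_o_r2(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3: /O is the padded user password encrypted under the owner key."""
    owner_key = hashlib.md5(pad_password(owner_pw)).digest()[:5]
    return rc4(owner_key, pad_password(user_pw))


def compute_u_r2(file_key: bytes) -> bytes:
    """Algorithm 4: /U is the padding string encrypted under the file key."""
    return rc4(file_key, PAD)


def check_user_password(candidate: bytes, o_entry: bytes, u_entry: bytes,
                        p_value: int, doc_id: bytes) -> bool:
    """The test a reader (or a cracker) runs for each candidate password."""
    key = compute_key_r2(candidate, o_entry, p_value, doc_id)
    return compute_u_r2(key) == u_entry


def brute_force_digits(o_entry: bytes, u_entry: bytes, p_value: int,
                       doc_id: bytes, ndigits: int = 6):
    """Walk 000000..999999; return (password, candidates tried) or (None, 10**n)."""
    for n in range(10 ** ndigits):
        cand = f"{n:0{ndigits}d}".encode()
        if check_user_password(cand, o_entry, u_entry, p_value, doc_id):
            return cand.decode(), n + 1
    return None, 10 ** ndigits


def make_sample_trailer(user_pw: bytes, owner_pw: bytes = b"bank-owner-secret") -> dict:
    """Constructed /Encrypt values standing in for a real bank statement."""
    doc_id = bytes.fromhex("8f3a1c57d2e94b60a1f0c3d5e7b9a2c4")  # constructed /ID[0]
    p_value = -3904                                               # typical /P flags
    o_entry = compute_o_r2(owner_pw, user_pw)
    u_entry = compute_u_r2(compute_key_r2(user_pw, o_entry, p_value, doc_id))
    return {"O": o_entry, "U": u_entry, "P": p_value, "ID": doc_id}


if __name__ == "__main__":
    trailer = make_sample_trailer(b"004217")  # constructed six-digit SMS code
    start = time.perf_counter()
    pw, tried = brute_force_digits(trailer["O"], trailer["U"], trailer["P"], trailer["ID"])
    elapsed = time.perf_counter() - start
    print(f"password {pw} found after {tried} candidates in {elapsed:.2f}s")
    print(f"full keyspace at this rate: {10**6 * elapsed / tried:.0f}s in Python")
```

The per-candidate cost is one MD5 and one 32-byte RC4, which is why a keyspace of 10^6 is no obstacle even interpreted; an alphanumeric password of reasonable length would push the same loop past the age of the universe, and that, not the SMS delivery, is what separates a protected document from a merely inconvenienced one.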