How we did it

Phishing Attack Setup

A custom SSL-terminating proxy was used to intercept login sessions and capture MFA-protected user actions.

Intercepting MFA (Pingrid) Data

The phishing attack lured a victim into logging in, allowing real-time interception of Pingrid-protected actions.

User Account Enumeration

The attack identified high-value GBP and EUR accounts belonging to the victim.

Unauthorised Card Issuance

Using the intercepted Pingrid digits, a new payment card was issued and linked to the victim’s accounts.

Brute-Forcing Activation CVV

A simple brute-force attack enabled activation of the stolen card, granting full access to funds.

Key priorities included:

  • Access control weaknesses that could expose sensitive client data.
  • Phishing attack scenarios and 2FA bypass risks.
  • Vulnerabilities in mobile applications that could enable local attacks or remote code execution.
  • Privilege escalation paths leading to unauthorised account control.
  • Injection-based attacks that could grant access to databases or backend systems.
  • Stored and reflected XSS that could be leveraged for session hijacking or watering hole attacks.

The approach involved:

  • Deploying a custom SSL-terminating proxy to intercept login sessions and capture MFA-protected user actions.
  • Using phishing techniques to lure victims into logging in, allowing real-time interception of Pingrid-protected actions.
  • Enumerating user account information to identify high-value GBP and EUR accounts.
  • Exploiting intercepted Pingrid digits to issue a new payment card linked to the victim’s accounts.
  • Performing a brute-force attack to activate the stolen card, granting full access to funds.

Conclusion

While each individual vulnerability carried only low to medium risk, chaining them together enabled a severe phishing attack that bypassed MFA and allowed unauthorised transactions.

Recommendations:

  • Strengthen MFA implementation to prevent real-time interception.
  • Implement better phishing detection and awareness training.
  • Enforce strict access controls on financial transactions.
  • Harden Pingrid security to prevent brute-force exploitation.
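The activation step above succumbed to a simple brute force because a short CVV was checked without any cap on wrong guesses. As an added example (not code from the case study or the assessed institution), the Python below models a card-activation check that locks the card after a fixed number of failures and emits events a SOC can alert on; the card id, CVV and the three-attempt limit are constructed sample values, and a run with no limit is included to show why the unbounded check fails.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Card:
    cvv: str             # activation CVV as issued (constructed sample value)
    attempts: int = 0    # consecutive wrong guesses since last success
    locked: bool = False
    active: bool = False

class ActivationService:
    """Server-side activation check. max_attempts=None reproduces the
    unbounded behaviour the assessment exploited; a small integer is the fix."""
    def __init__(self, cards: dict, max_attempts: Optional[int]):
        self.cards = cards
        self.max_attempts = max_attempts
        self.events = []   # audit trail a detection pipeline would ingest

    def activate(self, card_id: str, cvv_guess: str) -> bool:
        card = self.cards[card_id]
        if card.locked:
            self.events.append(f"DENY card={card_id} reason=locked")
            return False
        # constant-time compare so the check leaks nothing about how much matched
        if hmac.compare_digest(card.cvv, cvv_guess):
            card.active, card.attempts = True, 0
            self.events.append(f"ACTIVATE card={card_id}")
            return True
        card.attempts += 1
        if self.max_attempts is not None and card.attempts >= self.max_attempts:
            card.locked = True   # requires out-of-band reissue to clear
            self.events.append(f"LOCK card={card_id} after={card.attempts}")
        return False

def exhaustive_guess(service: ActivationService, card_id: str):
    """Feed every 3-digit CVV to the service; returns (activated, guesses_sent)."""
    sent = 0
    for n in range(1000):
        sent += 1
        if service.activate(card_id, f"{n:03d}"):
            return True, sent
        if service.cards[card_id].locked:
            break
    return False, sent

def success_probability(max_attempts: int, cvv_digits: int = 3) -> float:
    """Chance a capped guesser activates a card: attempts over the CVV keyspace."""
    return max_attempts / (10 ** cvv_digits)
```

With the cap in place an attacker gets at most three of a thousand possible values before the card locks, and the LOCK event is the signal to investigate how the card was issued in the first place.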

This case highlights the importance of threat modelling in identifying practical attack chains before real adversaries do.