I tried out SBPay. To do this, I linked my Tinkoff account and paid for a purchase. Everything went well. However, in the Tinkoff application you cannot unlink your account from SBPay. It doesn't even show that there are permissions for payments from this account via SBPay.
The money theft scenario is very simple. We link someone else’s Tinkoff client account to SBPay. To do this you need his account number and phone number. Enter the SMS code. Or we simply steal the client’s phone on which SBPay is installed. Then we can safely use the client’s money. He will not be able to unlink SBPay from his account. Blocking and reissuing cards is useless – SBPay is tied to the account, not the card. The client may even forget that SBPay is linked to his account – Tinkoff does not show this in the application. There are no limits when paying via SBPay. Cards are not valid.
In other banks, at least you can create a bunch of ruble accounts, link SBPay to them, and then simply close the account. But at Tinkoff there is only one account per debit.
UP: I am sure that the word Tinkoff can be replaced with the name of other banks, for example Alfa-Bank or Sber.
UP2: Support in the bank chat suggested that I go to the "More" section and select "Fast payment". There is no such item there. When I uploaded the screenshot, support in the chat replied that I did not have active SBP subscriptions. But the account is still linked. The bank itself does not know that the client's account is linked somewhere.
UP3: And in response to the appeal, the bank officially lies that there is no link.
Response to request
2023-11-12 16:58:25