View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0011483 | Taler | merchant backoffice SPA | public | 2026-06-06 03:55 | 2026-06-06 04:08 |
| Reporter | vecirex | Assigned To | | | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | new | Resolution | open | | |
| Summary | 0011483: Adding another IBAN requires MFA, but can be circumvented | | | | |
| Description | Adding ticket via and confirmed by fd during yesterday's QC session: Being logged in, adding an additional IBAN acc. requires one additional factor (SMS or email, given taler-merchant has TAN methods activated by config; like for mytops). This makes sense because an actor (like an employee or just any attacker with access to the open screen) could try to redirect money to his very own account, by just adding another IBAN. By a TAN method being required, most attackers would be prevented from doing so. However, it's possible to just delete the first IBAN added and replace it by the "second" one, or: the security model is broken, because in this case no TAN method is required. | | | | |
| Additional Information | With Instant SEPA coming also to CH, downtime because of KYC Auth pending to the new attacker's IBAN would be negligible. | | | | |
| Tags | No tags attached. | | | | |
| related to | 0011484 | new | Notify merchants of relevant changes to the instance (like IBAN no.) | | |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-06-06 03:55 | vecirex | New Issue | |
| 2026-06-06 03:58 | vecirex | Description Updated | |
| 2026-06-06 03:58 | vecirex | Additional Information Updated | |
| 2026-06-06 03:59 | vecirex | Summary | Adding additional IBAN requires MFA, but can be circumvented => Adding another IBAN requires MFA, but can be circumvented |
| 2026-06-06 04:08 | vecirex | Relationship added | related to 0011484 |
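
An added sketch, not code from the Taler project, of the gap this ticket describes: a TAN gate tied to "adding an additional IBAN" next to one tied to any change of the payout account list. It assumes the bypass arises because a delete and an add into an emptied list are not gated; the types, function names and IBAN strings are hypothetical.

```typescript
// Hypothetical model of a merchant instance's payout accounts (not Taler's API).
type Op = { kind: "add" | "delete"; iban: string };
type Instance = { ibans: Set<string>; tanEnabled: boolean };
type Policy = (inst: Instance, op: Op) => boolean; // true => TAN challenge required

// Assumed behaviour behind the report: only an *additional* IBAN is gated, so a
// delete is free and an add into an emptied list looks like initial setup.
const tanForAdditionalOnly: Policy = (inst, op) =>
  inst.tanEnabled && op.kind === "add" && inst.ibans.size > 0;

// Hardened: every operation that changes the set of payout destinations is gated.
const tanForAnyChange: Policy = (inst, op) =>
  inst.tanEnabled &&
  (op.kind === "add" ? !inst.ibans.has(op.iban) : inst.ibans.has(op.iban));

// Replays ops for a session that cannot answer a TAN challenge; processing stops
// at the first op that demands one. Returns the resulting account list.
function applyWithoutTan(start: string[], ops: Op[], policy: Policy): string[] {
  const inst: Instance = { ibans: new Set(start), tanEnabled: true };
  for (const op of ops) {
    if (policy(inst, op)) break; // challenge issued, op never executed
    if (op.kind === "add") inst.ibans.add(op.iban);
    else inst.ibans.delete(op.iban);
  }
  return Array.from(inst.ibans).sort();
}

// Constructed placeholder values, not real IBANs.
const MERCHANT_IBAN = "IBAN-MERCHANT-PLACEHOLDER";
const OTHER_IBAN = "IBAN-OTHER-PLACEHOLDER";
const ADD_ONLY: Op[] = [{ kind: "add", iban: OTHER_IBAN }];
const REPLACE: Op[] = [
  { kind: "delete", iban: MERCHANT_IBAN },
  { kind: "add", iban: OTHER_IBAN },
];

// The direct add is stopped by both policies; the delete-then-add sequence is
// stopped only when the gate covers every change to the list.
console.log(applyWithoutTan([MERCHANT_IBAN], ADD_ONLY, tanForAdditionalOnly));
console.log(applyWithoutTan([MERCHANT_IBAN], REPLACE, tanForAdditionalOnly));
console.log(applyWithoutTan([MERCHANT_IBAN], REPLACE, tanForAnyChange));
```

The check belongs on the server side of the account endpoints; a gate enforced only in the SPA would not hold against direct API calls.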