How To Rob An Online Bank And Get Away With It - Acros Security

ACROS PUBLIC© ACROSHow to Roban Online Bank(and get away with it)SOURCE Boston 2012Mitja KolsekACROS d.o.o.mitja.kolsek@acrossecurity.comwww.acrossecurity.com

ACROS PUBLIC Page 2SOURCE Boston 2012

ACROS PUBLIC Page 3SOURCE Boston 2012

ACROS PUBLIC Page 4SOURCE Boston 2012PAST-PRESENTEvolution Of E-banking AttacksFUTUREBack-EndServerPRESENTOnlineBankingServerFUTURE 2.0

ACROS PUBLIC Page 5SOURCE Boston 2012Attacks Against Individual UsersGoal: Identity TheftMethodsPhishing, Fake security alertsXSS, CSRFMalware (man in the browser,extraction of certs and private keys)ProblemsUser awareness2-factor authenticationE-BankingServerOOB transaction confirmationsAdditional passwords/PINs“Known good” target accountsBack-EndServer

ACROS PUBLIC Page 6SOURCE Boston 2012Attacks Against Corporate UsersGoal: Identity TheftMethods & ProblemsSame as with individual usersBack-EndServerAdvantagesMore moneyLarge transactions not unusualTargets can be found in publiccertificate directoriesOnlineBankingServer

ACROS PUBLIC Page 7SOURCE Boston 2012LDAP Explorer – Online Bank Robber’s Google

ACROS PUBLIC Page 8SOURCE Boston 2012Example: Published Corporate Certificateldap://ldap.halcom.si:389/eidCertificateSerialNumber=382631E-Mail AddressPersonal NameCompany Name

ACROS PUBLIC Page 9SOURCE Boston 2012Attacks Against Online Banking ServersGoal: Exploiting Application FlawsMethodsHackingProblemsGetting noticed while looking for flawsOnlineBankingServerAdvantagesUnlimited amount of moneyNo user interaction (social engineering)Possible creation of new money

ACROS PUBLIC Page 10SOURCE Boston 2012Direct Resource Access

ACROS PUBLIC Page 11SOURCE Boston 2012Direct Resource Access – URL Cleartext IDhttps://bank/balance?uid=7728356(my account balance data)https://bank/balance?uid=7728355(another user’s account balance data)

ACROS PUBLIC Page 12SOURCE Boston 2012Direct Resource Access – URL Base64 encodinghttps://bank/balance?dWlkPTc3MjgzNTY=(my account balance data)Base64decode(“dWlkPTc3MjgzNTY=”)“uid=7728356”Base64encode(“uid=7728355”)https://bank/balance?dWlkPTc3MjgzNTU=(another user’s account balance data)

ACROS PUBLIC Page 13SOURCE Boston 2012Direct Resource Access – URL Encryption/balance?Ko7hIGJJ2GqfhSZ9... (Base64)/balance?AF86B301008AEF5... (Hex)params = "uid=7728356"enc_params = AES_encrypt(params, key)path = "/balance?" + base64(enc_params)

ACROS PUBLIC Page 14SOURCE Boston 2012Transferring Money From Other People’s Accounts/transfer? src=1 & dest=2 & amount=100(from my account)/transfer? src=42 & dest=2 & amount=100(from another user’s account)

ACROS PUBLIC Page 15SOURCE Boston 2012Transaction Creation ProcessI want to transfer some moneyValidation #1Empty transaction formFilled-out transaction formsrc=1,dst=2, amount=100Validation #2Read-only confirmation formsrc=1,dst=2, amount=100Transaction confirmationsrc=1,dst=2, amount=100Validation #3

ACROS PUBLIC Page 16SOURCE Boston 2012Negative Numbers

ACROS PUBLIC Page 17SOURCE Boston 2012Negative Numbers – A Devastating OversightIF RequestedAmount > DisposableAmountTHEN ERROR();IF 3,000 > 2,000THEN ERROR(); // Error – Insufficient FundsIF -100 > 2,000THEN ERROR(); // No Error Here

ACROS PUBLIC Page 18SOURCE Boston 2012“Here’s minus hundred bucks for you”Attacker:Victim:0 $100 $(Transfer -100 $ to Victim)Attacker:Victim:100 $0 $

ACROS PUBLIC Page 19SOURCE Boston 2012Creating Money Out Of Thin AirNormal Account:Savings Account:0 $0 $(Transfer -100 $ to Savings Account)Normal Account:Savings Account:100 $0 $

ACROS PUBLIC Page 20SOURCE Boston 2012Bypassing Limit Checks

ACROS PUBLIC Page 21SOURCE Boston 2012Normal OverdraftAccount #1:Account #2:100 $0 $(Transfer 1,000 $ from #1 to #2)Account #1:Account #2:-900 $1,000 $

ACROS PUBLIC Page 22SOURCE Boston 2012“Over-Overdraft”Account #1:Account #2:100 $0 $(Transfer 1,000,000 $ from #1 to #2)Account #1:Account #2:-999,900 $1,000,000 $

ACROS PUBLIC Page 23SOURCE Boston 2012HTTP Parameter PollutionLuca Carettoni & Stefano di Paolahttp://www.slideshare.net/Wisec/http-parameter-pollution-a-new-category-of-web-attacks

ACROS PUBLIC Page 24SOURCE Boston 2012User – Public Server – Back End ServerJSPPHPPOST /transfersource=1 & dest=2 & amount=100source = request.getParameter(“source”) // 1amount = request.getParameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)POST /BackEndTransactionsource=1 & dest=2 & amount=100source = $_POST[“source”] // 1dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100

ACROS PUBLIC Page 25SOURCE Boston 2012HTTP Parameter Pollution – Source accountJSPPHPPOST /transfersource=1 & dest=2 & amount=100 & source=42source = request.getParameter(“source”) // 1amount = request.getParameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)POST /BackEndTransactionsource=1 & dest=2 & amount=100 & source=42source = $_POST[“source”] // 42dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100IF NOT user_authorized_for(source) THEN ERROR()

ACROS PUBLIC Page 26SOURCE Boston 2012HTTP Parameter Pollution – Transfer AmountJSPPHPPOST /transfersource=1 & dest=2 & amount=100 & amount=100000source = request.getParameter(“source”) // 1amount = request.getParameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)POST /BackEndTransactionsource=1 & dest=2 & amount=100 & amount=100000source = $_POST[“source”] // 1dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100000IF NOT user_authorized_for(source) THEN ERROR()

ACROS PUBLIC Page 27SOURCE Boston 2012SQL Injection

ACROS PUBLIC Page 28SOURCE Boston 2012SQL Injection – Data Theft“SELECT rate FROM exch_ratesWHERE currency = ‘”.$currency.”’”“SELECT rate FROM exch_ratesWHERE currency = ‘’ UNIONSELECT balance FROM accountsWHERE account_id = ‘887296’”

ACROS PUBLIC Page 29SOURCE Boston 2012SQL Injection – Messing With Transactions“BEGIN TRANSACTION”“UPDATE accounts SET balance = 0WHERE account_id = ‘”.$acctid1.”’”“UPDATE accounts SET balance = 100WHERE account_id = ‘”.$acctid2.”’”“COMMIT TRANSACTION”

ACROS PUBLIC Page 30SOURCE Boston 2012SQL Injection – Messing With Transactions“BEGIN TRANSACTION”“UPDATE accounts SET balance = 0WHERE account_id = ‘123’”“UPDATE accounts SET balance = 100WHERE account_id = ‘456’”“COMMIT TRANSACTION”

ACROS PUBLIC Page 31SOURCE Boston 2012SQL Injection – Messing With Transactions“BEGIN TRANSACTION”“UPDATE accounts SET balance = 0WHERE account_id = ‘123’”“UPDATE accounts SET balance = 100WHERE account_id = ‘456’ ORaccount_id = ‘123’”“COMMIT TRANSACTION”

ACROS PUBLIC Page 32SOURCE Boston 2012Forging Bank’s Digital Signatures

ACROS PUBLIC Page 33SOURCE Boston 2012Automated Signing Of Deposit AgreementDeposit request: 100€, 31 daysDeposit agreement for signing(Legal text, interest rate)Signed MODIFIED deposit agreementUser’sSigning keyCounter-signedMODIFIED deposit agreementBank’sSigning key

ACROS PUBLIC Page 34SOURCE Boston 2012Server-Side Code Execution

ACROS PUBLIC Page 35SOURCE Boston 2012Server-Side Code ExecutionExamplesImpactJava code injection (JBoss bug in 2010)PHP code injection (eval, system, includes...)Shell argument injection (command1&command2)Buffer overflowsChange e-banking application codeObtain database/WS credentials,issue direct requests to DB or back-end WS

ACROS PUBLIC Page 36SOURCE Boston 2012The List Goes On...

ACROS PUBLIC Page 37SOURCE Boston 2012Other AttacksSession PuzzlingInsecure Mass AssignmentNumerical Magic: Overflows, Underflows,Exponential Notation, Reserved words(Corsaire whitepaper)“Stale” Currency ExchangeRace Conditions...New functionalities: automated deposits, loans,investment portfolio management, ...

ACROS PUBLIC Page 38SOURCE Boston 2012Getting RichWithout Breaking The Lawhttp://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html

ACROS PUBLIC Page 39SOURCE Boston 2012Rounding And Currency Exchange1 € 1,364 $0,01 € 0,01364 $Loss : -0,00364 $ = -27%0,01 € 0,01 $Profit : +0,00266 € = +36%

ACROS PUBLIC Page 40SOURCE Boston 2012KNOWNAT LEASTSINCE2001Asymmetric Currency Roundingby M'Raïhi, Naccache and Tunstallhttp://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.8055&rep=rep1&type=pdf

ACROS PUBLIC Page 41SOURCE Boston 2012Currency Rounding Attack: Algorithm1:2:3:Convert 100€ to $// We have 136,40$for i = 1 to 13640Convert 0,01$ to 0,01€// Now we have 136,40€goto 1

ACROS PUBLIC Page 42SOURCE Boston 2012The Speed Of Getting RichAssume: 10 exchanges / second1 day = 86.400 secondsDaily profit: 2.300 €Monthly profit: ~ 70.000 €Currency Rounding AttacksImprovementsOptimal exchange rate (getting as close to 0,005 as possible)Corporate banking: packets (1000s of exchanges in one packet)Does it really work?My personal e-banking: YESMy company’s corporate e-banking: YESCountermeasuresLimit minimum amount to 1 whole unit, exchange fee

ACROS PUBLIC Page 43SOURCE Boston 2012Getting Away With It

ACROS PUBLIC Page 44SOURCE Boston 2012Getting Away With ItAvoiding DetectionWhile searching for vulnerabilitiesWhile performing the attackSolution: “User in the middle” – hiding behind a userBreaking The Money TrailATMs, Western UnionMoney MulesBitCoin, WebMoney, Liberty Reserve, ...Chaining multiple “users in the middle” in different countries

ACROS PUBLIC Page 45SOURCE Boston 20122007: iWire - $5M(9,000 prepaid cards)2008: Citibank - $2M(hacked ATM network,stolen PIN codes)2008: WorldPay - $9M(44 debit cards, lifted limit)2011: Florida bank - $13M(22 debit cards, lifted limit)ATM – The Final Destination2012: Postbank – $6.7M(stolen teller identity,transfers to other accounts, lifted limit)

ACROS PUBLIC Page 46SOURCE Boston 2012

ACROS PUBLIC Page 47SOURCE Boston 2012Mitja KolsekACROS d.o.o.www.acrossecurity.commitja.kolsek@acrossecurity.comTwitter: @acrossecurity, @mkolsekSpeaker Feedback: https://www.surveymonkey.com/sourceboston12Thanks: Mikko H. Hypponen, René Pfeiffer, Claudio Criscione, Stefan Ortloff and Candi Carrerafor help with gathering information on national digital certificate usage