How To Rob An Online Bank And Get Away With It - Acros Security
How To Rob An Online Bank And Get Away With It - Acros Security
How To Rob An Online Bank And Get Away With It - Acros Security
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
ACROS PUBLIC© ACROS<strong>How</strong> to <strong>Rob</strong>an <strong>Online</strong> <strong>Bank</strong>(and get away with it)SOURCE Boston 2012Mitja KolsekACROS d.o.o.mitja.kolsek@acrossecurity.comwww.acrossecurity.com
ACROS PUBLIC Page 2SOURCE Boston 2012
ACROS PUBLIC Page 3SOURCE Boston 2012
ACROS PUBLIC Page 4SOURCE Boston 2012PAST-PRESENTEvolution Of E-banking AttacksFUTUREBack-EndServerPRESENT<strong>Online</strong><strong>Bank</strong>ingServerFUTURE 2.0
ACROS PUBLIC Page 5SOURCE Boston 2012Attacks Against Individual UsersGoal: Identity TheftMethodsPhishing, Fake security alertsXSS, CSRFMalware (man in the browser,extraction of certs and private keys)ProblemsUser awareness2-factor authenticationE-<strong>Bank</strong>ingServerOOB transaction confirmationsAdditional passwords/PINs“Known good” target accountsBack-EndServer
ACROS PUBLIC Page 6SOURCE Boston 2012Attacks Against Corporate UsersGoal: Identity TheftMethods & ProblemsSame as with individual usersBack-EndServerAdvantagesMore moneyLarge transactions not unusualTargets can be found in publiccertificate directories<strong>Online</strong><strong>Bank</strong>ingServer
ACROS PUBLIC Page 7SOURCE Boston 2012LDAP Explorer – <strong>Online</strong> <strong>Bank</strong> <strong>Rob</strong>ber’s Google
ACROS PUBLIC Page 8SOURCE Boston 2012Example: Published Corporate Certificateldap://ldap.halcom.si:389/eidCertificateSerialNumber=382631E-Mail AddressPersonal NameCompany Name
ACROS PUBLIC Page 9SOURCE Boston 2012Attacks Against <strong>Online</strong> <strong>Bank</strong>ing ServersGoal: Exploiting Application FlawsMethodsHackingProblems<strong>Get</strong>ting noticed while looking for flaws<strong>Online</strong><strong>Bank</strong>ingServerAdvantagesUnlimited amount of moneyNo user interaction (social engineering)Possible creation of new money
ACROS PUBLIC Page 10SOURCE Boston 2012Direct Resource Access
ACROS PUBLIC Page 11SOURCE Boston 2012Direct Resource Access – URL Cleartext IDhttps://bank/balance?uid=7728356(my account balance data)https://bank/balance?uid=7728355(another user’s account balance data)
ACROS PUBLIC Page 12SOURCE Boston 2012Direct Resource Access – URL Base64 encodinghttps://bank/balance?dWlkPTc3MjgzNTY=(my account balance data)Base64decode(“dWlkPTc3MjgzNTY=”)“uid=7728356”Base64encode(“uid=7728355”)https://bank/balance?dWlkPTc3MjgzNTU=(another user’s account balance data)
ACROS PUBLIC Page 13SOURCE Boston 2012Direct Resource Access – URL Encryption/balance?Ko7hIGJJ2GqfhSZ9... (Base64)/balance?AF86B301008AEF5... (Hex)params = "uid=7728356"enc_params = AES_encrypt(params, key)path = "/balance?" + base64(enc_params)
ACROS PUBLIC Page 14SOURCE Boston 2012Transferring Money From Other People’s Accounts/transfer? src=1 & dest=2 & amount=100(from my account)/transfer? src=42 & dest=2 & amount=100(from another user’s account)
ACROS PUBLIC Page 15SOURCE Boston 2012Transaction Creation ProcessI want to transfer some moneyValidation #1Empty transaction formFilled-out transaction formsrc=1,dst=2, amount=100Validation #2Read-only confirmation formsrc=1,dst=2, amount=100Transaction confirmationsrc=1,dst=2, amount=100Validation #3
ACROS PUBLIC Page 16SOURCE Boston 2012Negative Numbers
ACROS PUBLIC Page 17SOURCE Boston 2012Negative Numbers – A Devastating OversightIF RequestedAmount > DisposableAmountTHEN ERROR();IF 3,000 > 2,000THEN ERROR(); // Error – Insufficient FundsIF -100 > 2,000THEN ERROR(); // No Error Here
ACROS PUBLIC Page 18SOURCE Boston 2012“Here’s minus hundred bucks for you”Attacker:Victim:0 $100 $(Transfer -100 $ to Victim)Attacker:Victim:100 $0 $
ACROS PUBLIC Page 19SOURCE Boston 2012Creating Money Out Of Thin AirNormal Account:Savings Account:0 $0 $(Transfer -100 $ to Savings Account)Normal Account:Savings Account:100 $0 $
ACROS PUBLIC Page 20SOURCE Boston 2012Bypassing Limit Checks
ACROS PUBLIC Page 21SOURCE Boston 2012Normal OverdraftAccount #1:Account #2:100 $0 $(Transfer 1,000 $ from #1 to #2)Account #1:Account #2:-900 $1,000 $
ACROS PUBLIC Page 22SOURCE Boston 2012“Over-Overdraft”Account #1:Account #2:100 $0 $(Transfer 1,000,000 $ from #1 to #2)Account #1:Account #2:-999,900 $1,000,000 $
ACROS PUBLIC Page 23SOURCE Boston 2012HTTP Parameter PollutionLuca Carettoni & Stefano di Paolahttp://www.slideshare.net/Wisec/http-parameter-pollution-a-new-category-of-web-attacks
ACROS PUBLIC Page 24SOURCE Boston 2012User – Public Server – Back End ServerJSPPHPPOST /transfersource=1 & dest=2 & amount=100source = request.getParameter(“source”) // 1amount = request.getParameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)POST /BackEndTransactionsource=1 & dest=2 & amount=100source = $_POST[“source”] // 1dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100
ACROS PUBLIC Page 25SOURCE Boston 2012HTTP Parameter Pollution – Source accountJSPPHPPOST /transfersource=1 & dest=2 & amount=100 & source=42source = request.getParameter(“source”) // 1amount = request.getParameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)POST /BackEndTransactionsource=1 & dest=2 & amount=100 & source=42source = $_POST[“source”] // 42dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100IF NOT user_authorized_for(source) THEN ERROR()
ACROS PUBLIC Page 26SOURCE Boston 2012HTTP Parameter Pollution – Transfer AmountJSPPHPPOST /transfersource=1 & dest=2 & amount=100 & amount=100000source = request.getParameter(“source”) // 1amount = request.getParameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)POST /BackEndTransactionsource=1 & dest=2 & amount=100 & amount=100000source = $_POST[“source”] // 1dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100000IF NOT user_authorized_for(source) THEN ERROR()
ACROS PUBLIC Page 27SOURCE Boston 2012SQL Injection
ACROS PUBLIC Page 28SOURCE Boston 2012SQL Injection – Data Theft“SELECT rate FROM exch_ratesWHERE currency = ‘”.$currency.”’”“SELECT rate FROM exch_ratesWHERE currency = ‘’ UNIONSELECT balance FROM accountsWHERE account_id = ‘887296’”
ACROS PUBLIC Page 29SOURCE Boston 2012SQL Injection – Messing <strong>With</strong> Transactions“BEGIN TRANSACTION”“UPDATE accounts SET balance = 0WHERE account_id = ‘”.$acctid1.”’”“UPDATE accounts SET balance = 100WHERE account_id = ‘”.$acctid2.”’”“COMMIT TRANSACTION”
ACROS PUBLIC Page 30SOURCE Boston 2012SQL Injection – Messing <strong>With</strong> Transactions“BEGIN TRANSACTION”“UPDATE accounts SET balance = 0WHERE account_id = ‘123’”“UPDATE accounts SET balance = 100WHERE account_id = ‘456’”“COMMIT TRANSACTION”
ACROS PUBLIC Page 31SOURCE Boston 2012SQL Injection – Messing <strong>With</strong> Transactions“BEGIN TRANSACTION”“UPDATE accounts SET balance = 0WHERE account_id = ‘123’”“UPDATE accounts SET balance = 100WHERE account_id = ‘456’ ORaccount_id = ‘123’”“COMMIT TRANSACTION”
ACROS PUBLIC Page 32SOURCE Boston 2012Forging <strong>Bank</strong>’s Digital Signatures
ACROS PUBLIC Page 33SOURCE Boston 2012Automated Signing Of Deposit AgreementDeposit request: 100€, 31 daysDeposit agreement for signing(Legal text, interest rate)Signed MODIFIED deposit agreementUser’sSigning keyCounter-signedMODIFIED deposit agreement<strong>Bank</strong>’sSigning key
ACROS PUBLIC Page 34SOURCE Boston 2012Server-Side Code Execution
ACROS PUBLIC Page 35SOURCE Boston 2012Server-Side Code ExecutionExamplesImpactJava code injection (JBoss bug in 2010)PHP code injection (eval, system, includes...)Shell argument injection (command1&command2)Buffer overflowsChange e-banking application codeObtain database/WS credentials,issue direct requests to DB or back-end WS
ACROS PUBLIC Page 36SOURCE Boston 2012The List Goes On...
ACROS PUBLIC Page 37SOURCE Boston 2012Other AttacksSession PuzzlingInsecure Mass AssignmentNumerical Magic: Overflows, Underflows,Exponential Notation, Reserved words(Corsaire whitepaper)“Stale” Currency ExchangeRace Conditions...New functionalities: automated deposits, loans,investment portfolio management, ...
ACROS PUBLIC Page 38SOURCE Boston 2012<strong>Get</strong>ting Rich<strong>With</strong>out Breaking The Lawhttp://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html
ACROS PUBLIC Page 39SOURCE Boston 2012Rounding <strong>An</strong>d Currency Exchange1 € 1,364 $0,01 € 0,01364 $Loss : -0,00364 $ = -27%0,01 € 0,01 $Profit : +0,00266 € = +36%
ACROS PUBLIC Page 40SOURCE Boston 2012KNOWNAT LEASTSINCE2001Asymmetric Currency Roundingby M'Raïhi, Naccache and Tunstallhttp://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.8055&rep=rep1&type=pdf
ACROS PUBLIC Page 41SOURCE Boston 2012Currency Rounding Attack: Algorithm1:2:3:Convert 100€ to $// We have 136,40$for i = 1 to 13640Convert 0,01$ to 0,01€// Now we have 136,40€goto 1
ACROS PUBLIC Page 42SOURCE Boston 2012The Speed Of <strong>Get</strong>ting RichAssume: 10 exchanges / second1 day = 86.400 secondsDaily profit: 2.300 €Monthly profit: ~ 70.000 €Currency Rounding AttacksImprovementsOptimal exchange rate (getting as close to 0,005 as possible)Corporate banking: packets (1000s of exchanges in one packet)Does it really work?My personal e-banking: YESMy company’s corporate e-banking: YESCountermeasuresLimit minimum amount to 1 whole unit, exchange fee
ACROS PUBLIC Page 43SOURCE Boston 2012<strong>Get</strong>ting <strong>Away</strong> <strong>With</strong> <strong>It</strong>
ACROS PUBLIC Page 44SOURCE Boston 2012<strong>Get</strong>ting <strong>Away</strong> <strong>With</strong> <strong>It</strong>Avoiding DetectionWhile searching for vulnerabilitiesWhile performing the attackSolution: “User in the middle” – hiding behind a userBreaking The Money TrailATMs, Western UnionMoney MulesBitCoin, WebMoney, Liberty Reserve, ...Chaining multiple “users in the middle” in different countries
ACROS PUBLIC Page 45SOURCE Boston 20122007: iWire - $5M(9,000 prepaid cards)2008: Citibank - $2M(hacked ATM network,stolen PIN codes)2008: WorldPay - $9M(44 debit cards, lifted limit)2011: Florida bank - $13M(22 debit cards, lifted limit)ATM – The Final Destination2012: Postbank – $6.7M(stolen teller identity,transfers to other accounts, lifted limit)
ACROS PUBLIC Page 46SOURCE Boston 2012
ACROS PUBLIC Page 47SOURCE Boston 2012Mitja KolsekACROS d.o.o.www.acrossecurity.commitja.kolsek@acrossecurity.comTwitter: @acrossecurity, @mkolsekSpeaker Feedback: https://www.surveymonkey.com/sourceboston12Thanks: Mikko H. Hypponen, René Pfeiffer, Claudio Criscione, Stefan Ortloff and Candi Carrerafor help with gathering information on national digital certificate usage