12.07.2015 Views

How to Rob an Online Bank (and get away with it) - Acros Security

How to Rob an Online Bank (and get away with it) - Acros Security

How to Rob an Online Bank (and get away with it) - Acros Security

SHOW MORE
SHOW LESS
  • No tags were found...

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

Evolution Of E-b<strong>an</strong>king AttacksPAST-PRESENTFUTUREBack-EndServerPRESENT<strong>Online</strong>B<strong>an</strong>kingServerFUTURE 2.04


Attacks Against Individual UsersGoal: Ident<strong>it</strong>y TheftMethodsE-B<strong>an</strong>kingServerBack-EndServer• Phishing, Fake secur<strong>it</strong>y alerts• XSS, CSRF• Malware (m<strong>an</strong> in the browser,extraction of certs <strong>an</strong>d private keys)Problems• User awareness• 2-fac<strong>to</strong>r authentication• OOB tr<strong>an</strong>saction confirmations• Add<strong>it</strong>ional passwords/PINs• “Known good” tar<strong>get</strong> accounts5


Attacks Against Corporate UsersGoal: Ident<strong>it</strong>y TheftMethods• Same as <strong>w<strong>it</strong>h</strong> individual usersAdv<strong>an</strong>tages• More money• Large tr<strong>an</strong>sactions not unusual• Tar<strong>get</strong>s c<strong>an</strong> be found in publiccertificate direc<strong>to</strong>ries<strong>Online</strong>B<strong>an</strong>kingServerBack-EndServer6


LDAP Explorer – <strong>Online</strong> B<strong>an</strong>k <strong>Rob</strong>ber’s Google7


Example: Published Corporate Certificateldap://ldap.halcom.si:389/eidCertificateSerialNumber=382631E-Mail AddressPersonal NameComp<strong>an</strong>y Name8


Attacks Against <strong>Online</strong> B<strong>an</strong>king ServersGoal: Explo<strong>it</strong>ing Applications<strong>Online</strong>B<strong>an</strong>kingServerMethods• HackingProblems• Getting noticed while looking for flawsAdv<strong>an</strong>tages• Unlim<strong>it</strong>ed amount of money• No user interaction (social engineering)• Possible creation of new money9


Direct ResourceAccess10


Direct Resource Access – URL Cleartext IDhttps://b<strong>an</strong>k/bal<strong>an</strong>ce?uid=7728356(my account bal<strong>an</strong>ce data)https://b<strong>an</strong>k/bal<strong>an</strong>ce?uid=7728355(<strong>an</strong>other user’s account bal<strong>an</strong>ce data)11


Direct Resource Access – URL Base64 encodinghttps://b<strong>an</strong>k/bal<strong>an</strong>ce?dWlkPTc3MjgzNTY=(my account bal<strong>an</strong>ce data)Base64decode(“dWlkPTc3MjgzNTY=”)“uid=7728356”Base64encode(“uid=7728355”)https://b<strong>an</strong>k/bal<strong>an</strong>ce?dWlkPTc3MjgzNTU=(<strong>an</strong>other user’s account bal<strong>an</strong>ce data)12


Taking Money From Other People’s Accounts/tr<strong>an</strong>sfer? src=1 & dest=2 & amount=100(from my account)/tr<strong>an</strong>sfer? src=42 & dest=2 & amount=100(from <strong>an</strong>other user’s account)14


Tr<strong>an</strong>saction Creation ProcessI w<strong>an</strong>t <strong>to</strong> tr<strong>an</strong>sfer some moneyValidation #1Empty tr<strong>an</strong>saction formFilled-out tr<strong>an</strong>saction formsrc=1,dst=2, amount=100Validation #2Read-only confirmation formsrc=1,dst=2, amount=100Tr<strong>an</strong>saction confirmationsrc=1,dst=2, amount=100Validation #315


Negative Numbers16


Negative Numbers – A Devastating OversightIF RequestedAmount > DisposableAmountTHEN ERROR();IF 3,000 > 2,000THEN ERROR(); // Error – Insufficient FundsIF -100 > 2,000THEN ERROR(); // No Error Here17


“Here’s minus hundred bucks for you”Attacker:Victim:0 $100 $(Tr<strong>an</strong>sfer -100 $ <strong>to</strong> Victim)Attacker:Victim:100 $0 $18


Creating Money Out Of Thin AirNormal Account:Savings Account:0 $0 $(Tr<strong>an</strong>sfer -100 $ <strong>to</strong> Savings Account)Normal Account:Savings Account:100 $0 $19


BypassingLim<strong>it</strong> Checks20


Normal OverdraftAccount #1:Account #2:100 $0 $(Tr<strong>an</strong>sfer 1,000 $ from #1 <strong>to</strong> #2)Account #1:Account #2:-900 $1,000 $21


“Over-Overdraft”Account #1:Account #2:100 $0 $(Tr<strong>an</strong>sfer 1,000,000 $ from #1 <strong>to</strong> #2)Account #1:Account #2:-999,900 $1,000,000 $22


Luca Caret<strong>to</strong>ni & Stef<strong>an</strong>o di Paolahttp://www.slideshare.net/Wisec/http-parameter-pollution-a-new-category-of-web-attacksHTTP ParameterPollution23


Request FlowJSPPHPPOST /tr<strong>an</strong>sfersource=1 & dest=2 & amount=100source = request.<strong>get</strong>Parameter(“source”) // 1amount = request.<strong>get</strong>Parameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTr<strong>an</strong>saction(request)POST /BackEndTr<strong>an</strong>sactionsource=1 & dest=2 & amount=100source = $_POST[“source”] // 1dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 10024


HTTP Parameter Pollution(Source Account)JSPPHPPOST /tr<strong>an</strong>sfersource=1 & dest=2 & amount=100 & source=42source = request.<strong>get</strong>Parameter(“source”) // 1amount = request.<strong>get</strong>Parameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTr<strong>an</strong>saction(request)POST /BackEndTr<strong>an</strong>sactionsource=1 & dest=2 & amount=100 & source=42source = $_POST[“source”] // 42dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100IF NOT user_authorized_for(source) THEN ERROR()25


HTTP Parameter Pollution(Tr<strong>an</strong>sfer Amount)JSPPHPPOST /tr<strong>an</strong>sfersource=1 & dest=2 & amount=100 & amount=100000source = request.<strong>get</strong>Parameter(“source”) // 1amount = request.<strong>get</strong>Parameter(“amount”) // 100IF NOT user_authorized_for(source) THEN ERROR()IF disposable(source) < amount THEN ERROR()Call BackEndTr<strong>an</strong>saction(request)POST /BackEndTr<strong>an</strong>sactionsource=1 & dest=2 & amount=100 & amount=100000source = $_POST[“source”] // 1dest = $_POST[“dest”] // 2amount = $_POST[“amount”] // 100000IF NOT user_authorized_for(source) THEN ERROR()26


SQL Injection27


SQL Injection – Data Theft”SELECT rate FROM exch_ratesWHERE currency = ’”.$currency. ”’””SELECT rate FROM exch_ratesWHERE currency = ’’ UNIONSELECT bal<strong>an</strong>ce FROM accountsWHERE account_id = ’887296’”28


SQL Injection – Messing W<strong>it</strong>h Tr<strong>an</strong>sactions”BEGIN TRANSACTION””UPDATE accounts SET bal<strong>an</strong>ce = 0WHERE account_id = ’”.$acctid1.”’””UPDATE accounts SET bal<strong>an</strong>ce = 100WHERE account_id = ’”.$acctid2.”’””COMMIT TRANSACTION”29


SQL Injection – Messing W<strong>it</strong>h Tr<strong>an</strong>sactions”BEGIN TRANSACTION””UPDATE accounts SET bal<strong>an</strong>ce = 0WHERE account_id = ’123’””UPDATE accounts SET bal<strong>an</strong>ce = 100WHERE account_id = ’456’””COMMIT TRANSACTION”30


SQL Injection – Messing W<strong>it</strong>h Tr<strong>an</strong>sactions”BEGIN TRANSACTION””UPDATE accounts SET bal<strong>an</strong>ce = 0WHERE account_id = ’123’””UPDATE accounts SET bal<strong>an</strong>ce = 100WHERE account_id = ’456’ ORaccount_id = ’123’””COMMIT TRANSACTION”31


Forging B<strong>an</strong>k’sDig<strong>it</strong>al Signatures32


Au<strong>to</strong>mated Signing Of Depos<strong>it</strong> AgreementDepos<strong>it</strong> request: 100€, 31 daysDepos<strong>it</strong> agreement for signing(Legal text, interest rate)Signed MODIFIED depos<strong>it</strong> agreementUser’sSigning keyCounter-signedMODIFIED depos<strong>it</strong> agreementB<strong>an</strong>k’sSigning key33


Server-SideCode Execution34


Server-Side Code ExecutionExamples• Java code injection (JBoss bug in 2010)• PHP code injection (eval, system, includes...)• Shell argument injection (comm<strong>an</strong>d1&comm<strong>an</strong>d2)• Buffer overflowsImpact• Ch<strong>an</strong>ge e-b<strong>an</strong>king application code• Obtain database/WS credentials,issue direct requests <strong>to</strong> DB or back-end WS35


The List Goes On...36


Other Attacks• Session Puzzling• Insecure Mass Assignment• Numerical Magic: Overflows, Underflows,Exponential Notation, Reserved words (Corsairewh<strong>it</strong>epaper)• “Stale” Currency Exch<strong>an</strong>ge• Race Cond<strong>it</strong>ions• ...• New functional<strong>it</strong>ies: au<strong>to</strong>mated depos<strong>it</strong>s, lo<strong>an</strong>s,investment portfolio m<strong>an</strong>agement, ...37


http://blog.acrossecur<strong>it</strong>y.com/2012/01/is-your-online-b<strong>an</strong>k-vulnerable-<strong>to</strong>.htmlGetting RichW<strong>it</strong>hout BreakingThe Law38


Knownat leastsince2001Asymmetric Currency Roundingby M'Raïhi, Naccache <strong>an</strong>d Tunstallhttp://c<strong>it</strong>eseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.8055&rep=rep1&type=pdf40


Currency Rounding Attack: Algor<strong>it</strong>hm1:2:3:Convert 100€ <strong>to</strong> $// We have 136,40$for i = 1 <strong>to</strong> 13640Convert 0,01$ <strong>to</strong> 0,01€// Now we have 136,40€go<strong>to</strong> 141


http://blog.acrossecur<strong>it</strong>y.com/2012/05/<strong>an</strong>a<strong>to</strong>my-of-online-b<strong>an</strong>k-robbery.htmlPhases Of<strong>Online</strong> B<strong>an</strong>k<strong>Rob</strong>bery43


4 Phases Of <strong>Online</strong> B<strong>an</strong>k <strong>Rob</strong>beryPhase 1 Vulnerabil<strong>it</strong>y FindingSource code or black box, “user-in-the-middle”Phase 2 Vulnerabil<strong>it</strong>y Explo<strong>it</strong>ation“Creation” of money on attacker’s account, “user-in-the-middle”Phase 3 Buying TimePassing the money across borders, borrowing corporate accountsPhase 4 ExtractionClassic methods, also borrowing user accounts for tr<strong>an</strong>sfers44


Apply45


Apply: B<strong>an</strong>kers – Short Term• Currency conversion attacks• Set minimum amount or fee• “Phase 1”: Disallow vulnerabil<strong>it</strong>y tests• Terms of service: suspend user account if vuln-testing46


Apply: B<strong>an</strong>kers – Long Term• “Phase 1”: Detect vulnerabil<strong>it</strong>y tests• OWASP AppSensor*• Terminate user session if testing is detected• M<strong>an</strong>y server-side errors caused by single user• “Phase 2”: Find <strong>an</strong>d fix vulnerabil<strong>it</strong>ies• Review your code (<strong>to</strong>ols don’t find logical bugs)• Get help from those who break in<strong>to</strong> b<strong>an</strong>ks• Use external pentest for designing <strong>an</strong>d testing“Phase 1” detection* https://www.owasp.org/index.php/OWASP_AppSensor_Project47


Apply: Penetration Testers• Staging != Production• Authentication, back-end processing, scheduled jobs• Find bugs in staging, verify in production• Successful tests in production may be hard <strong>to</strong> undo(therefore test <strong>w<strong>it</strong>h</strong> small amounts)• Vulnerabil<strong>it</strong>ies• Use HTTP proxy* <strong>to</strong> “eliminate” client user interface• Be really thorough <strong>w<strong>it</strong>h</strong> negative numbers• Base64 encoding is often mere obfuscation• B<strong>an</strong>ks are focused on authentication, not authorization* https://www.owasp.org/index.php/Phoenix/Tools#HTTP_proxying_.2F_ed<strong>it</strong>ing48


M<strong>it</strong>ja KolsekACROS d.o.o.www.acrossecur<strong>it</strong>y.comm<strong>it</strong>ja.kolsek@acrossecur<strong>it</strong>y.comTw<strong>it</strong>ter: @acrossecur<strong>it</strong>y, @mkolsekTh<strong>an</strong>ks: Mikko H. Hypponen, René Pfeiffer, Claudio Criscione, Stef<strong>an</strong> Ortloff <strong>an</strong>d C<strong>an</strong>di Carrerafor help <strong>w<strong>it</strong>h</strong> gathering information on national dig<strong>it</strong>al certificate usage49

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!