Bugtraq mailing list archives

Statistical Attack Against Virtual Banks


From: andre () CS UCSB EDU (Andre L. Dos Santos)
Date: Tue, 8 Feb 2000 18:01:25 -0800


1. Introduction

Every bank in the world desires to provide services using the World Wide
Web. There are many advantages to the banks, which reduce their operating
costs, and to the users, who receive 24 hours a day, 7 days a week,
banking services. Because of these advantages, the number of banks
providing online banking services has grown at a very large rate. However,
flaws in the technologies that are used for the World Wide Web have also
been reported at a very large rate, and it is common belief that many more
are still to be discovered. Some of these flaws can be used to attack
Virtual Bank services or their users. The designers of the Virtual Bank
technologies affected by the flaws followed a band-aid approach: find a
flaw and release a patch. Because of the advantages that the World Wide
Web offers, the banks take their chances and continue to provide online
services. This note describes a powerful attack that does not depend on any
flaw of the technologies and can be used to attack a large portion of the
Virtual Banks currently offering World Wide Web services.

The Statistical Attack was designed and successfully used to attack a
large multinational bank that offers online services in November of 1998,
during a contracted penetration test. We delayed the release of this note,
and of the paper that we expect to release soon, in order to give time for
this particular bank to install security mechanisms that lower the
effectiveness of this attack. The attack uses steps that are considered
legal by the bank to subvert the authentication procedure and impersonate
users. The attack was designed to be performed using the secure socket
layer, since this was the method the bank was offering, but it can be
extended to any method that is used to access online services.

2. Description

Many Virtual Banks rely on a fixed length personal identification number
(PIN) to identify a user. Some banks allow access to all of their online
operations after a successful identification, others require additional
identification, like social security number, maiden name or an additional
PIN. The Statistical Attack can be used to attack the first
identification, which is based on the personal identification number, and
in some cases to attack an additional identification.

As with passwords, users have difficulty in remembering large personal
identification numbers. Therefore, there is a natural tendency to use
small, easy to remember numbers (like birthday or 1234). Many Virtual
Banks, anticipating the problems that this class of numbers can represent,
require users to choose PINs that are not easy to guess. However, the
Virtual Banks cannot, in the name of user-friendliness, require the user
to use, and remember, a very large number. Therefore, it is a widespread
practice to use 4 or 6 digit PINs. Because of the small length of the PINs
an attacker can target a particular account and try all possibilities. In
order to defend against this class of attacks, banks usually lock out
accounts after a certain number of unsuccessful identification attempts.

The Statistical Attack relies on the ratio between the size of the
personal identification number and the number of users of the service.
Instead of fixing an account and varying the possible PINs, which would
cause a lock out in the particular account, it fixes a PIN and varies the
account number. Therefore, if the PINs are uniformly chosen and use 4
digits, then a random guess would be a hit for every 10,000 accounts
tried. A hit can be achieved with a much lower number of accounts if easy
to guess PINs are allowed. Using this approach, the bank does not lock out
any particular account, since it will be tried again with a different PIN
only after numerous other accounts have been tried. Thus, the lock out
protection is not triggered.
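The paragraph above makes two claims that are easy to check numerically: a one-PIN pass over the account space yields about one hit per 10,000 accounts, and it never trips a per-account lockout counter, because each account sees a single failure. The following simulation is an added example, not code from the original post or from any bank. The "bank" is a constructed in-memory model with 50,000 synthetic accounts and 4-digit PINs; the PIN assignment (account i gets i * 7919 mod 10000, a bijection on 0..9999) is a constructed stand-in for the "uniformly chosen" PINs of the text, so every PIN value occurs exactly five times. It also shows the bank-wide metric a defender would watch instead: the number of distinct accounts failing in a window.

```python
"""Simulation of the per-account lockout blind spot described in the note.

Added example, not part of the original Bugtraq post. Everything below is a
constructed in-memory model, not a real banking system.
"""
from collections import defaultdict

PIN_SPACE = 10_000          # 4-digit PINs
NUM_ACCOUNTS = 50_000       # constructed population size
LOCKOUT_THRESHOLD = 3       # consecutive failures before an account locks


class Bank:
    """Minimal authentication service that only has per-account lockout."""

    def __init__(self, num_accounts=NUM_ACCOUNTS):
        # Constructed PIN assignment: 7919 is coprime with 10000, so this is a
        # bijection on 0..9999 and each PIN value appears num_accounts/10000 times.
        self.pins = {acct: (acct * 7919) % PIN_SPACE for acct in range(num_accounts)}
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked = set()

    def login(self, acct, pin):
        """Return True on success; lock the account after repeated failures."""
        if acct in self.locked:
            return False
        if self.pins.get(acct) == pin:
            self.failures[acct] = 0
            return True
        self.failures[acct] += 1
        if self.failures[acct] >= LOCKOUT_THRESHOLD:
            self.locked.add(acct)
        return False


class SprayMonitor:
    """Bank-wide view that the per-account counter lacks: how many distinct
    accounts have failed in the current window. A pass over the account
    space drives this up while every per-account counter stays at 1."""

    def __init__(self):
        self.failed_accounts = set()
        self.total_failures = 0

    def record(self, acct, ok):
        if not ok:
            self.failed_accounts.add(acct)
            self.total_failures += 1

    def distinct_failed(self):
        return len(self.failed_accounts)


def targeted_guess(bank, acct, attempts):
    """Classic per-account guessing: one account, many PINs. The lockout
    defense is built for exactly this case."""
    monitor = SprayMonitor()
    hits = 0
    for pin in range(attempts):
        ok = bank.login(acct, pin)
        monitor.record(acct, ok)
        hits += int(ok)
    return {"hits": hits, "locked": len(bank.locked),
            "distinct_failed": monitor.distinct_failed()}


def spray_one_pin(bank, pin):
    """The statistical attack from the note: one fixed PIN, every account."""
    monitor = SprayMonitor()
    hits = 0
    for acct in range(len(bank.pins)):
        ok = bank.login(acct, pin)
        monitor.record(acct, ok)
        hits += int(ok)
    return {"hits": hits, "locked": len(bank.locked),
            "distinct_failed": monitor.distinct_failed()}


def expected_hits(num_accounts=NUM_ACCOUNTS, pin_space=PIN_SPACE):
    """The note's estimate: one hit per pin_space accounts tried."""
    return num_accounts // pin_space


if __name__ == "__main__":
    print("targeted:", targeted_guess(Bank(), 42, 10))
    print("spray:   ", spray_one_pin(Bank(), 1234), "expected hits", expected_hits())
```

The targeted run locks the single account after three failures with no hits; the one-PIN pass over 50,000 accounts produces the five hits the ratio predicts, locks nothing, and leaves every per-account counter at 1. The only signal that separates the two cases is the bank-wide count of distinct failing accounts, which is the quantity a detection rule for this attack has to be built on.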

3. Defenses

One difficulty when performing this attack is to determine valid account
numbers, or in certain cases a log-in ID. The way to guess valid account
numbers, or log-in IDs, depends on the bank where the attack is performed.
In some cases the online service log-in procedure provides different
responses for nonexistent accounts than for wrong PINs. This can be used
to build a dictionary of valid accounts. In other cases the log-in ID is
some number of digits taken from the client's charge card. Since many of
the charge cards in use today can be used where credit cards are, they
have numbers that are valid for credit cards. This characteristic can be
used to eliminate many numbers that are not valid credit card numbers
using the credit card number validation algorithm. When actual bank
accounts are used or when the log-in ID is small, it is sufficient in many
cases to use the locality of account numbers and try sequential guesses.
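The first enumeration method above, a log-in procedure that answers differently for a nonexistent account than for a wrong PIN, is the one a bank can remove outright. The following is an added example, not code from the original post: a leaky handler beside a uniform one, and a self-check a defender can run against their own login endpoint to confirm that the two failure cases are indistinguishable. The account table and PIN values are constructed sample data, and both handlers are hypothetical.

```python
"""Account-existence oracle in a login procedure: leaky vs. uniform responses.

Added example, not code from the original post. ACCOUNTS is a constructed
in-memory table; both handlers are hypothetical stand-ins for a bank's login.
"""
import hmac

# Constructed sample data: account number -> PIN. Stored in the clear here
# only to keep the example short; a real system stores a salted hash.
ACCOUNTS = {
    "10001": "2598",
    "10002": "7731",
}

GENERIC_FAILURE = "account number or PIN is incorrect"


def login_leaky(acct, pin):
    """Distinguishes 'unknown account' from 'wrong PIN'. This is the
    behaviour the note describes as usable to build a dictionary of
    valid accounts."""
    stored = ACCOUNTS.get(acct)
    if stored is None:
        return (False, "unknown account number")
    if pin != stored:
        return (False, "incorrect PIN")
    return (True, "ok")


def login_uniform(acct, pin):
    """Same decision, one failure message. The comparison also runs on a
    dummy value when the account does not exist, so both failure paths
    do the same work and return the same response."""
    stored = ACCOUNTS.get(acct)
    candidate = stored if stored is not None else "0000"   # dummy of the same length
    match = hmac.compare_digest(candidate.encode(), pin.encode())
    if stored is None or not match:
        return (False, GENERIC_FAILURE)
    return (True, "ok")


def leaks_account_existence(login_fn, known_acct, unknown_acct, wrong_pin):
    """Self-check for a login handler: does a wrong PIN on an existing
    account produce a different response than a nonexistent account?
    True means the endpoint can be used to enumerate accounts."""
    resp_known = login_fn(known_acct, wrong_pin)
    resp_unknown = login_fn(unknown_acct, wrong_pin)
    return resp_known != resp_unknown


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(name, "leaks account existence:",
              leaks_account_existence(fn, "10001", "99999", "9999"))
```

The self-check compares the whole response tuple, so any difference in status, message, or structure counts as a leak; in a deployed system the same comparison should be extended to HTTP status codes, redirects, and response timing, since the note's timing remark applies to this distinction as well.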

Two mechanisms can be used to make this attack more difficult. One is to
delay answers to failed, or positive and failed, authentication. This
mechanism, however, reduces the user-friendliness of the system. If only
failed authentications are delayed, an attacker can guess the answer based
on the time that it takes, being bounded only by the positive answer time.
If both authentication answers are delayed, the user may perceive this
delay as a flawed or badly designed system. The second mechanism is to
provide a time window, where failed authentications from fixed IP
addresses are counted. Any request from a particular IP is blocked after
a specific number of failed authentications. The biggest problem with this
protection approach is the generalized use of proxy servers. That is, the
windows must be very carefully designed or legitimate access will be
denied due to different users making mistakes in the same time window.
There is also a potential denial of service attack when proxies are used
or when the attacker wants to deny access from a particular computer. An
attacker can also avoid being blocked by capturing a router, or using
different computers, in order to send requests from different IPs. Thus,
the protection can be totally circumvented with a fixed number of IPs. The
number of IPs needed depends on the time window being used.
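The second mechanism, a per-IP count of failed authentications inside a time window, is simple to implement, and the note's caveat about proxies can be reproduced with it directly. The following is an added example, not code from the original post: a sliding-window failure counter keyed on the source address, plus a function that plays out the proxy scenario, where several legitimate users sharing one address each mistype a PIN once and together reach the block threshold. Timestamps are plain numbers supplied by the caller (constructed, no wall clock) so the behaviour is reproducible; the window and threshold values are assumptions chosen for illustration.

```python
"""Per-source failure window, the second mechanism in the note, with the
proxy caveat it raises.

Added example, not the post's own code. Times are floats passed in by the
caller rather than read from a clock, so runs are reproducible.
"""
from collections import defaultdict, deque


class FailureWindow:
    """Block a source address once it has max_failures failed
    authentications inside a sliding window of `window` seconds."""

    def __init__(self, window=300.0, max_failures=5):
        self.window = window
        self.max_failures = max_failures
        self.events = defaultdict(deque)   # source ip -> timestamps of failures

    def _prune(self, ip, now):
        # Drop failures that have aged out of the window.
        q = self.events[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self.events[ip].append(now)

    def is_blocked(self, ip, now):
        self._prune(ip, now)
        return len(self.events[ip]) >= self.max_failures


def proxy_false_positive(window, max_failures, users_behind_proxy):
    """The caveat from the note: users_behind_proxy legitimate users share one
    source address and each fail once, one second apart. Returns True when
    the shared address ends up blocked, i.e. legitimate access is denied."""
    fw = FailureWindow(window, max_failures)
    proxy_ip = "198.51.100.7"   # constructed address from the documentation range
    for i in range(users_behind_proxy):
        fw.record_failure(proxy_ip, now=float(i))
    return fw.is_blocked(proxy_ip, now=float(users_behind_proxy))


if __name__ == "__main__":
    fw = FailureWindow(window=60, max_failures=3)
    for t in (0.0, 10.0, 20.0):
        fw.record_failure("203.0.113.9", t)   # constructed address
    print("blocked at t=25:", fw.is_blocked("203.0.113.9", 25.0))
    print("blocked at t=85:", fw.is_blocked("203.0.113.9", 85.0))
    print("proxy with 5 users, threshold 5:", proxy_false_positive(300, 5, 5))
```

The window length and threshold set the trade-off the note describes: a short window with a high threshold keeps proxies usable but lets a source spread its attempts out, while a long window with a low threshold catches more of the spray and blocks more shared addresses. Because the counter is keyed only on the source address, it measures nothing once attempts arrive from enough distinct addresses, which is the limitation the note states; a bank-wide count of distinct failing accounts does not have that dependency.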

4. Conclusions

The Statistical Attack can be used to attack Virtual Banks without the
need to download a Trojan horse program to a user's computer, and without
the need to gain access to the bank's computer. In addition, the attack
does not rely on any flaw of technologies used for the World Wide Web.
Many Virtual Banks are subject to this class of attack.

The Statistical Attack can also be generalized to attack many different
banks at the same time. An attack performed this way can circumvent
protections applied by each bank individually, and be successful based on
the statistical characteristic of PINs. Attacking different banks at the
same time also decreases the difficulty of guessing account numbers or
online IDs, since there is a larger sample space for trying different IDs,
which can be fixed and tried for all attacked banks that have the same
format for the IDs.

Some banks use alphanumeric characters for authentication. An attacker can
use dictionary words, instead of numbers, in this case to attack these
banks.

Andre L. M. dos Santos
Reliable Software Group
University of California, Santa Barbara

