Full Disclosure mailing list archives
Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 24 Nov 2009 13:57:22 +0100
Hi, Thank you for the information. MITM is used rather vaguely in this paper. Are the proposed techniques working in an MITM situation - where an attacker is in the middle of a network stream ? Say on a network over arp cache poisening? The paper afaik applies to systems that are already compromised by an attacker, i.e where malware has been installed. If this is the case what rights (Account acl) does the malware require in order to perform the mentioned attacks ? This brings me to an interesting more general discussion, can one define malware infected workstations and the attacks they perform locally as MITM ? Technically they inject themselves between the client and the server, however they need to be installed prior to be able to do so. Furthermore they have access to a lot more information and possibilities then an attacker that is, say in the middle of a network connection. For sake of allowing proper risk assessment by technically less trained persons - one should coin a better term than classical mitm - but maybe I am mistaken? what about MITMa (man in the machine) All: What's your opinion ? http://de.wikipedia.org/wiki/Man-in-the-middle-Angriff http://technet.microsoft.com/en-us/library/cc722487.aspx#EJAA #1 and #2 Regards, Thierry RPG> Abstract RPG> ======== RPG> ChipTAN comfort is a new system which is supposed to securely authorise online RPG> banking transactions by means of a trusted device. It is assumed that chipTAN RPG> comfort specifically protects against man-in-the-middle attacks. Such attacks are RPG> currently putting bank customers who are using the iTAN system at risk. RedTeam RPG> Pentesting examined chipTAN comfort and showed that even when using this sys- RPG> tem, man-in-the-middle attacks can compromise online banking security. RPG> The full paper is available in German and English at RPG> http://www.redteam-pentesting.de/publications/MitM-chipTAN-comfort -- http://blog.zoller.lu Thierry Zoller _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New Paper: MitM Attacks against the chipTAN comfort Online Banking System RedTeam Pentesting GmbH (Nov 24)
- Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Thierry Zoller (Nov 24)
- Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Nick FitzGerald (Nov 24)
- Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Patrick Hof (Nov 24)
- Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Patrick Hof (Nov 24)
- Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Thierry Zoller (Nov 24)