Penetration Testing mailing list archives
[PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING
From: mikhail.iakovlev () TELENOR COM
Date: Wed, 23 Aug 2000 10:36:12 +0200
Hi everyone,

I have done this kind of testing, and in our case online banking methods should be set up in such a way that even if the client computer gets hacked, it would be difficult to do anything to abuse bank accounts.

The customer (bank) originally had its own software to be installed on the client machine, with different account data/passwords etc. (of course the test machine was specifically set up for this task by the bank, otherwise hacking into any real account would be invading privacy). However, most such programs _do_ keep an encrypted key of some sort on the hard drive of the client machine at all times. This allowed the attacker (our company) to conduct the following, in general:

1. Make a program (virus-like) which would bypass antivirus programs and stay resident, running in a hidden state, so the user wouldn't suspect anything. In the case of Norton, McAfee, F-Prot and AVP we also managed to kill the parts of the running antivirus program which monitor the registry, so we could insert our key in the registry, and modify checksums in the antivirus program so it would not check registry changes the next time the machine reboots. Part of the modified code is taken from the original BackOrifice so it would bypass antiviruses (please do not ask for code). The program was sent by email to the customer's client computer and fooled him into clicking on the program. The program did what it was supposed to, but also executed our code. Since the program had no active virus base in the file, the antivirus did not react to the file structure and did not give any warnings.

2. The next time the client machine connects to the bank via the bank's program, every dialog box asking for username/password/code is registered by our program, which detects and records keystrokes and also detects what kind of program/phone numbers/connection is in use while the box is open. The next time the client connected to the Internet, an email would automatically be sent in the background to our secret account with all the information, without the user seeing that it actually happened. This also includes usernames/passwords for the Windows system (assuming it is Windows, since most of the software delivered by banks is for Windows at this time).

3. When we managed to steal the encrypted key stored on the hard drive, as well as getting username/password/account number/code, we could access the client's account at the bank by dialing the given phone number and feeding in the given information. The bank's computer accepted us as the original client. Of course this required the bank's client program itself, but since in Norway it doesn't cost anything to open an account and apply for online banking (if you live in the country), we got the same program in a matter of days and installed it on our company's attacking computer.

--

If the target computer is taken over in this way, this bank officially didn't bear any responsibility, since it is not a bank service that got abused but the customer's computer. It was equivalent to being logged in on the bank's connection and leaving the card with codes on the table while having lunch, so the bank could not be held responsible. After all, it is _not_ the application itself which had bugs/security problems, but the operating system / user input (fooling the user into executing our program) that got abused :) However, banks should specify this particular case when delivering software to the customer. More than that: banks which _do_ use this kind of routine for online banking are putting their customers in unnecessary danger by leaving this possibility open to an attacker.
After we demonstrated how it's possible to take over this account, we also suggested modifications to this specific bank:

1. Do not install any software on the client's computer.

2. Use the web browser's authentication methods with SSL & Java applets to enter the account number and a 4/5 digit access code that is permanent and should be memorized by the client.

3. After the user has authenticated and connected to the account, the user can see only the balance on the account, nothing else, so if the user wants to transfer money/pay bills online, the user will be asked again to enter a new code (it tells what code number to use), which is sent by the bank (a piece of plastic or paper with no account numbers, just "number: code": 50 or 100 random codes which correspond to a number). The dialog box asking for the code awaits a response for not more than 30 seconds, after which the user is prompted for re-connection/reloading of the page, and the next number is asked for, and so on. The same code cannot be used twice. If a failure of codes is detected, online access is temporarily blocked, with the phone number of customer service given. However, you'd have to go physically to the bank to re-open online access.

I feel that in this way the customer has much more flexibility/security than with software delivered by the bank. Let's say I want to go on vacation, and there is some Internet cafe. A friend of mine is calling and asking me to transfer some money to his account. In this way any browser supporting SSL (IE, Netscape) will do the job. All I'd have to do is remember the access code to my account in the first place, and have the card with random codes in hand. If my wallet is stolen, the thief wouldn't know what account those numbers belong to, and wouldn't be able to access the account in the first place, since the 4 digit number is memorized and not on the card. If somehow an attacker takes over the client's machine and gets the information for accessing the account, again, he'd not get too far: the only thing he would see is the balance on the account and nothing else.
Of course, there is a little chance that someone would target _you_ specifically, but then it would require 2 crimes to be committed: hacking into your computer AND stealing your wallet/card. However, you would probably give a message to the bank and they would disable all those codes on the card at once, and send you a new one. RSA card solutions could also be used, but that is a bit more expensive for the bank. However, remember that an RSA _software_ card simulator is not a good idea, since it also could be taken over, as it is resident software on the target computer.

I hope this helps :)

Best wishes,
Mikhail Iakovlev jr.
Security officer for Cerber Security Norway, System engineer for Telenor Mobil AS
Email: mikhail.iakovlev () telenor com, misha () privat sysedata no
Phone: +47-99579541, +47-98213738, fax: +47-22870954

-----Original message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On behalf of Rafael Coninck Teigao
Sent: 22 August 2000 00:32
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Home-Banking PEN-TESTING

Hi, ppl.

I'm pen-testing a home-banking system. My client has a doubt and we basically disagree on some level: is the client's machine the responsibility of the bank? I mean, if I can break the client's machine and steal useful information from it (passwords, account data, etc.), is the bank responsible, having in mind that its programmers can fix the problem (they just don't do it 'cause it is costly)?

Let me hear what you think.

[]'s, RCT.
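The indexed code-card scheme suggested in the reply above (the bank names the code number to type, the prompt lives 30 seconds, each code is accepted once, repeated failures block online access until the customer visits the branch), worked through as a bank-side verifier. This is example code added for this page, not the poster's or any bank's; SAMPLE_CARD, the SHA-256 hashing of stored codes and the MAX_FAILURES threshold are assumptions, as the post gives no lockout count.

```python
import hashlib
import hmac

CHALLENGE_TIMEOUT = 30.0  # seconds a code prompt stays valid (figure from the post)
MAX_FAILURES = 3          # assumed lockout threshold; the post gives no number
# Constructed demo card {number: code}; a real card holds 50 or 100 random codes.
SAMPLE_CARD = {i: f"{i:06d}" for i in range(1, 6)}

def _h(code):
    return hashlib.sha256(code.encode()).hexdigest()

class CodeCardVerifier:
    def __init__(self, card):
        self.code_hashes = {i: _h(c) for i, c in card.items()}  # never store plain codes
        self.next_index = 1    # number the client will be asked for next
        self.issued_at = None  # when the current prompt was shown
        self.failures = 0
        self.blocked = False

    def challenge(self, now):
        """Return the code number to ask for, or None if the card is used up or blocked."""
        if self.blocked or self.next_index not in self.code_hashes:
            return None
        self.issued_at = now
        return self.next_index

    def verify(self, index, code, now):
        """Return 'ok', 'expired', 'bad' or 'blocked'."""
        if self.blocked:
            return "blocked"
        if self.issued_at is None or index != self.next_index:
            return self._fail()  # replayed or out-of-order number counts as a failure
        if now - self.issued_at > CHALLENGE_TIMEOUT:
            self.next_index += 1  # prompt timed out: retire this number, ask the next
            self.issued_at = None
            return "expired"
        if not hmac.compare_digest(self.code_hashes[index], _h(code)):
            return self._fail()
        self.failures = 0
        self.next_index += 1      # accepted, so this number can never be used again
        self.issued_at = None
        return "ok"

    def _fail(self):
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.blocked = True  # online access reopened only in person at the branch
            return "blocked"
        return "bad"
```

Because a captured code is retired the moment it is accepted or its prompt expires, a keystroke logger on the client (the attack described earlier in the thread) gains nothing it can replay.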
Current thread:
- [PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING mikhail . iakovlev (Aug 23)
- Re: [PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING paul m (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Shaun Dewberry (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Job de Haas (Aug 24)
- <Possible follow-ups>
- [PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING mikhail . iakovlev (Aug 24)