Penetration Testing mailing list archives

[PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING


From: mikhail.iakovlev () TELENOR COM
Date: Wed, 23 Aug 2000 10:36:12 +0200

Hi everyone,
I have done this kind of testing, and in our case online banking methods
should be set up in such a way that even if the client computer gets hacked, it
would be difficult to do anything to abuse bank accounts.

The customer (bank) originally had its own software to be installed on the client
machine with different account data/passwords etc.
(of course the test machine was specifically set up for this task by the bank,
otherwise hacking into any real account would be invading privacy).
However, most of such programs _do_ keep an encrypted key of some sort on the
hard drive of the client machine at all times. This allowed the attacker (our
company) to conduct the following in general:

1. Make a program (virus-like) which would bypass antivirus programs and
stay resident, running in a hidden state, so the user wouldn't suspect anything. In
the case of Norton, McAfee, F-Prot, AVP we also managed to kill the parts of the running
antivirus program which monitor the registry, so we could insert our key in the
registry and modify checksums in the antivirus program so it would not check
registry changes the next time the machine reboots. Part of the modified code is taken
from the original BackOrifice so it would bypass antiviruses (please do not ask
for code). The program was sent by email to the customer's client computer and
fooled him into clicking the program. The program did what it was supposed to, but also
executed our code. Since the program had no active virus base in the file, the
antivirus did not react to the file structure and did not give any warnings.

2. The next time the client machine connects to the bank via the bank's program, every
dialog box asking for username/password/code is registered by our program,
which detects and records keystrokes and also detects what kind of
program/phone numbers/connection is in use while the box is open. The next time the
client connected to the Internet, an email would be automatically sent in the
background to our secret account with all the information, without the user seeing
that it actually happened. This also includes usernames/passwords for the Windows
system (assuming it is Windows, since most of the software delivered by banks is
for Windows at this time).

3. When we managed to steal the encrypted key stored on the hard drive, as well as
getting username/pass/account number/code, we could access the client's
account in the bank by dialing the given phone number and feeding the given
information. The bank's computer accepted us as the original client. Of course this
required the bank's client program itself, but since in Norway it doesn't
cost anything to open an account and apply for online banking (if you live
in the country), we got the same program in a matter of days and
installed it on our company's attacking computer.
--
If the target computer is taken over in this way, this bank officially didn't
bear any responsibility, since it is not a bank service that got abused, but the
customer's computer. It was equivalent to being logged in on the bank's connection
and leaving the card with codes on the table while having lunch, so the bank could
not be held responsible. After all, it is _not_ the application itself which
had bugs/security problems, but the operating system / user input (fooling the user
into executing our program) that got abused :)
However, banks should specify this particular case when delivering software
to the customer.

More than that - banks which _do_ use this kind of routine for online banking
are putting their customers in unnecessary danger by leaving this
possibility to an attacker. After we demonstrated how it's possible to take
over this account, we also suggested modifications to this specific bank:
1. Do not install any software on the client's computer
2. Use the web browser's authentication methods with SSL & Java applets to enter the
account number and a 4/5 digit access code that is permanent and should be
memorized by the client
3. After the user has authenticated and connected to the account, the user can see only the
balance on the account, nothing else, so if the user wants to transfer money/pay
bills online, the user will be asked again to enter a new code (it tells which code
number to use), which is sent by the bank (a piece of plastic or paper with
no account numbers, just "number: code"; 50 or 100 random codes which
correspond to numbers). The dialog box asking for the code awaits a response for
not more than 30 seconds, after which the user is prompted for
re-connection/reloading of the page, and the next number is asked, and so on. The
same code cannot be used twice. If a code failure is detected, online access
is temporarily blocked, with the phone number of customer service given. However,
you'd have to go physically to the bank to re-open online access.


I feel that in this way the customer has much more flexibility / security than
with the software delivered by the bank. Let's say I want to go on
vacation, and there is some Internet cafe. A friend of mine is calling and
asking me to transfer some money to his account. In this way any browser
supporting SSL (IE, Netscape) will do the job. All I'd have to do is
remember the access code to my account in the first place, and have the card with
random codes in hand. If my wallet is stolen, the thief wouldn't know what
account those numbers belong to, and wouldn't be able to access the account
in the first place, since the 4 digit number is memorized and not on the card.
If somehow an attacker takes over the client's machine and gets the information for
accessing the account - again, he'd not get too far - the only thing he would
see is the balance on the account and nothing else.
Of course, there is a little chance that someone would target _you_
specifically, but then it would require 2 crimes to be committed - hacking
into your computer AND stealing your wallet/card. However, you would
probably give a message to the bank and they would disable all those codes on
the card at once, and send you a new one.
RSA card solutions could also be used but are a bit more expensive for the
bank. However, remember that an RSA _software_ card simulator is not a good idea,
since it also could be taken over, as it is resident software on the target
computer.


I hope this helps :)


Best wishes.
Mikhail Iakovlev jr.
Security officer for Cerber Security Norway, System engineer for Telenor
Mobil AS
Email: mikhail.iakovlev () telenor com, misha () privat sysedata no
Phone: +47-99579541,+47-98213738, fax: +47-22870954

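The code-card transaction authorization described in the posting (the bank names the next code number, the dialog waits 30 seconds, no code is used twice, a failed code blocks online access until it is reopened in person) as an added server-side model; this is example code written for this page, not the bank's or the author's implementation, and the card size, 6-digit code format and blocking on a single wrong code are assumptions.

```python
import hmac
import secrets
import time

CARD_SIZE = 50           # the posting suggests 50 or 100 codes per card
RESPONSE_WINDOW = 30.0   # seconds the dialog waits for a code

def issue_card(size=CARD_SIZE):
    """Bank-side table index -> random 6-digit code (constructed format; the
    real card layout is not on the page). The printout carries no account number."""
    return {i: f"{secrets.randbelow(10**6):06d}" for i in range(1, size + 1)}

class CodeCardAuthorizer:
    """Server-side state for one customer's card (hypothetical model)."""

    def __init__(self, card, clock=time.monotonic):
        self.card = card
        self.used = set()          # indices that can never be asked again
        self.blocked = False       # set on a wrong code; cleared only in person
        self.pending = None        # (index, issued_at) of the open challenge
        self.clock = clock

    def challenge(self):
        """Start a transaction by naming the next unused code number."""
        if self.blocked:
            raise PermissionError("online access blocked; reopen at the branch")
        unused = [i for i in sorted(self.card) if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; the bank must send a new one")
        index = unused[0]
        self.pending = (index, self.clock())
        return index

    def respond(self, code):
        """Check the entered code against the open challenge."""
        if self.blocked or self.pending is None:
            return False
        index, issued_at = self.pending
        self.pending = None
        if self.clock() - issued_at > RESPONSE_WINDOW:
            self.used.add(index)   # late answer: the next challenge asks the next number
            return False
        if hmac.compare_digest(code.encode(), self.card[index].encode()):
            self.used.add(index)   # the same code cannot be used twice
            return True
        self.blocked = True        # wrong code: online access is blocked
        return False
```

A login that only shows the balance needs no card at all; the authorizer is consulted only when the user starts a transfer or bill payment.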

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On behalf of
Rafael Coninck Teigao
Sent: 22 August 2000 00:32
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Home-Banking PEN-TESTING


Hi, ppl.
    I'm pen-testing a home-banking system. My client has a doubt and we
basically disagree on some level: is the client's machine the
responsibility of the bank? I mean, if I can break the client's machine
and steal useful information from it (passwords, account data, etc.),
is the bank responsible, having in mind that its programmers can fix
the problem (they just don't do it 'cause it is costly)?
    Let me hear what you think.

    []'s,
    RCT.

