See also the side aspects and the TV report.
At the beginning of March, a TV journalist from the German HR (Hessen Broadcast) rang me up in my office. He had got my telephone number from an FH professor who knows some of my work, so I became interested in his story. He sang the never-ending song of German internet banking.
In short, some banks believe (or rather claim to believe) that they have done everything possible to make banking as easy and as secure as possible. The folks supporting customer groups see this differently: they point out that internet banking has never been as insecure as it is today. And the TV guy belonged to those folks.
He asked me whether I could tell him some technical facts and demonstrate that his suspicion was right. This was going to be fun. So I discussed the issue with some friends from the local computer club here in Frankfurt, and we decided to show something.
The particular system we were going to play with was as simple as a Microsoft Windows PC, a chip card reader and a piece of software. So far so good. How could this harm anybody, as chip card technology has been advertised as secure (I do not comment on the current HBCI technology here)?
                                          /
+--------+      +---------------+        /  (Internet)
|        |      |               |       /   Weird Wild World
|  Chip  | <----+  Windows PC   |      /
|  Card  |      | (Java Applet) +---> |           +------+
| Reader +----> |               |      \          | Bank |
|        |      |               |       \         |      |
+--------+      +---------------+        \        +------+
:                   :         :           \       :
:                   :         :                   :
: <- key support -> :   gap   : <- transaction -> :
                                (HBCI controlled)
With the current set-up, a transaction is done by a Java applet on the Windows PC directly with the bank. Of course, the data exchanged with the bank is encrypted in some way. So let us assume this data transfer were secure (I do not say it is secure; that has not been proven yet). Let us also assume the path from the PC to the chip card in the reader is secure.
There still remains a security gap which can easily be exploited, not only in theory (think of how the DDoS attacks worked out in spring 2000). Many warnings have been around telling how to secure a Windows PC against viruses and trojans, and the latter are most easily caught by carelessly browsing the internet or opening unsolicited email. This is where we wanted to start an exploit.
We took it for granted that it is possible to place a trojan of no more than 150 kbytes on a PC. This trojan will be used to start an unwanted transaction from the Windows PC. Evaluating the technology behind the trojans, one should note that there is no real technical difference between a trojan like Back Orifice 2000 and a general remote control tool like pcAnywhere or SMS (there are many more). But only the former is free software published with its source code.
Here, the chip card has mostly no other effect than providing a secure key to the customer. This makes the handling easier, but not more secure.
Do not let yourself be fooled by fancy technologies and standards when the basics are not properly understood. We will show how easily the Windows operating system can be cracked, which is much easier than cracking any, or no, transaction protocol. So HBCI is absolutely useless here. The word HBCI is used by some bank speakers in a sandman-like manner, softly putting the customers to sleep singing Brahms' Lullaby …
Talking to the banks, another scenario was discussed. This alternative tries to avoid the security gap on the PC.
                                   Start              /
                                   Button            /
                                  +-+               /
                                  | |              /
+---------------+               +-+-+----+        /  (Internet)
|               |               |  Chip  |       /   Weird Wild World
|  Windows PC   |               |  Card  |      /
| (Java Applet) +-------------> | Reader +---> |          +------+
|               |               |  with  |      \         | Bank |
|               |               | Display|       \        |      |
+---------------+               +--------+        \       +------+
                                :                  \      :
                                :                         :
                                : <---- transaction ----> :
Again, the PC still remains vulnerable, but a transaction is now started from the chip card. This is possible because a modern chip card has its own operating system which can manage things like this. In order to become independent from the PC, the transaction on the chip card is not started from the PC but manually, by a simple push button, say. So there is no way to do an unwanted transaction even if the PC is remotely controlled by some good or bad guy.
The latter statement is true only as long as the push button for starting the transaction is not software controllable. With our imaginary eyes we can already see the Windows folks proposing an animated PC emulation of such a button with selectable shape, colour and tooltip sensitivity …
Of course, before a transaction is started one should verify its parameters. Again, as the PC might be remotely controlled, wanted or unwanted, it cannot be used to display sensitive data whatsoever. For that reason, the chip card reader has its own display which can be controlled by the chip card operating system only.
Do not even think that this display could be fed or animated by the PC.
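To make the difference between the two set-ups concrete, here is a small model added for this page. It is example code written by the editor, not the computer club's demo software and not any bank's HBCI implementation. It assumes nothing about real card or bank protocols: the card's signature is stood in for by an HMAC over the transaction fields, the bank only verifies that signature, a remotely controlled PC is modelled as a function that swaps the transaction on its way to the card, and the names Transaction, ReaderWithDisplay, substitute, run_design_a and run_design_b are all invented here. It shows why a compromised PC is enough in the first set-up, why the reader's own display and start button stop it in the second, and why a PC-emulated start button would give the protection away again.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Stands in for the secret key held on the customer's chip card (constructed value).
CARD_KEY = b"constructed-demo-card-key"


def card_sign(data: bytes) -> str:
    """What the chip card does with bytes it is asked to sign.
    An HMAC stands in for the card's real signature scheme (simplification)."""
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Transaction:
    payee: str
    account: str
    amount_eur: int

    def encode(self) -> bytes:
        return f"{self.payee}|{self.account}|{self.amount_eur}".encode()


def bank_accepts(tx: Transaction, signature: str) -> bool:
    """The bank only checks that the signature fits the transaction it received.
    It cannot know whether the customer ever saw that transaction."""
    return hmac.compare_digest(card_sign(tx.encode()), signature)


def substitute(intended: Transaction) -> Transaction:
    """Effect of a remotely controlled PC: the transaction the customer typed is
    replaced before it reaches the card (constructed replacement values)."""
    return Transaction("someone else", "constructed-account-2", intended.amount_eur * 10)


# ---- Design A (first diagram): the PC hands the card whatever it wants signed.
def run_design_a(intended: Transaction, pc_compromised: bool) -> Tuple[Transaction, bool]:
    tx = substitute(intended) if pc_compromised else intended
    signature = card_sign(tx.encode())     # no display, no button: the card just signs
    return tx, bank_accepts(tx, signature)


# ---- Design B (second diagram): reader with its own display and start button.
class ReaderWithDisplay:
    def __init__(self) -> None:
        self.display: Optional[Transaction] = None
        self._button_pressed = False

    def show(self, tx: Transaction) -> None:
        # The display is written by the reader/card from the data that will
        # actually be signed; the PC cannot paint it.
        self.display = tx

    def press_start_button(self) -> None:
        # A physical act at the reader.
        self._button_pressed = True

    def sign(self) -> Optional[str]:
        if self.display is None or not self._button_pressed:
            return None                     # nothing is signed without the button
        self._button_pressed = False        # one press, one transaction
        return card_sign(self.display.encode())


def run_design_b(intended: Transaction, pc_compromised: bool,
                 user_at_reader: bool = True,
                 button_emulated_by_pc: bool = False) -> Tuple[Transaction, bool]:
    reader = ReaderWithDisplay()
    tx = substitute(intended) if pc_compromised else intended
    reader.show(tx)
    # The customer compares the reader's display, not the PC screen, with what
    # they intended, and presses the button only if it matches.
    if user_at_reader and reader.display == intended:
        reader.press_start_button()
    if button_emulated_by_pc:
        reader.press_start_button()         # the "animated PC button" the text warns about
    signature = reader.sign()
    if signature is None:
        return tx, False                    # no signature, so nothing reaches the bank
    return tx, bank_accepts(tx, signature)


if __name__ == "__main__":
    wanted = Transaction("Stadtwerke Frankfurt", "constructed-account-1", 120)
    print("A, clean PC:       ", run_design_a(wanted, False))
    print("A, compromised PC: ", run_design_a(wanted, True))
    print("B, clean PC:       ", run_design_b(wanted, False))
    print("B, compromised PC: ", run_design_b(wanted, True))
    print("B, nobody at reader:", run_design_b(wanted, True, user_at_reader=False))
    print("B, PC presses button:", run_design_b(wanted, True, button_emulated_by_pc=True))
```

In design A the bank accepts the substituted transaction, because the card signs whatever the PC delivers; in design B the substituted transaction never gets a signature, whether the customer is at the reader and spots the mismatch or nobody is there at all. The last case is the one from the paragraph above: as soon as the PC can press the button, design B degrades to design A.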
Although the chip card reader solution with the additional display and start button looks pretty secure against a trojan horse on the PC, some banks are reluctant to introduce it. It may be for the obvious reason that it costs money to develop such a card reader solution. So some banks rather proceed telling everybody how secure the HBCI standard of the simple solution with the security gap is, not noticing that the security gap is independent of any transaction and security standard of the data transmission.
It is a weird situation for the banks. For years they were bashed by consumer groups for having neither a common nor a secure transaction protocol. Now they start to have a common protocol, at least in Germany (so says the jester: German banks do not want a European standard that is not originally German). And now they are learning the hard way that they are about to be bashed again, for it is not enough to invest in public relations alone.
So we started to check what was possible. We began writing some trojans ourselves but soon realized that others had done better for quite a while now. The most popular Back Orifice code has become rather mature. And with the plugin technology, you are able to quickly roll your own fancy gimmicks having fun with your victim.
As stated earlier, this software package also has serious applications, being an economic alternative to SMS, pcAnywhere and others.
The only problem was the scenario we were going to set up for the TV show. We were able to control the PC remotely, but how could this be done practically to show how an unwanted transaction is started on the victim's PC? Grabbing the keyboard and the mouse would probably be noticed if it were done without skill. Also, the victim would see if somebody filled in a transaction form in their web browser. This was clumsy and definitely not what we wanted.
A possible solution would be a snapshot of the whole screen placed on top of the victim's screen, hiding the transaction carried out behind it. Or one could try to play with the Java machine running the applet that carries out the transaction.
But none of these scenarios was really satisfying, and we ran out of time. Here the solution came easily, as the banks we were targeting had nothing else to do than to merge, and to part again some weeks later. And we gained time as the TV had other stories that were more important.
Our schedule was originally rather tight. Now we had time to think (and to browse the internet). All we did was have some fun sessions gaining skills while playing with Back Orifice and talking about how to make a good show.
Shortly before Easter, we decided to do the simplest thing and control the serial port the chip card reader is plugged into. It had been clear from the beginning that the Windows hook technology can be exploited to do everything on Windows 95/98, and nearly everything on Windows NT. And again we started discussing how to program it.
                                                   /
                                                  /   (Internet)
+--------+      +---------------+                /    Weird Wild World
|        |      |               |               /
|  Chip  | <----+  victim's PC  | <-----------+/
|  Card  |      |               |             |
| Reader +----> |               +-----------+ |
|        |      |               |           | |
+--------+      +---------------+           | |
:                   :                       | |
:                   :                       | |
: <- key support -> :                       | |
                                            | |
         +----------------------------------+ |
         |  +---------------------------------+
         |  |                +---------------+
virtual  |  |                |               |
chip     |  +----------------+               |
card     |                   | attacking PC  |
reader   +-----------------> | (Java Applet) +---> |             +------+
                             |               |      \            | Bank |
                             |               |       \           |      |
                             +---------------+        \          +------+
         :                   :               :         \         :
         :                   :               :                   :
         : <--- virtual ---> :               : <- transaction -> :
              key support                      (HBCI controlled)
The idea is just to use the victim's chip card reader as if it were plugged into the attacking PC. For instance, one could install the virtual chip card reader on the attacker's PC as port COM7. All the hardware ports are still available, now for use by a personal chip card reader (allowing direct money transfer from the victim's to the attacker's chip card once this feature is available).
Also, the bank's original software for installing and handling all the internet banking stuff can be used, which is much easier than any other solution. In the longer run, the benefits of the banks' commercial hotline and bugfix policy help the attacker to always be up to date without any need to pay for it. But the latter is illegal, so the attacker must tell the bank his name, address, marital status, weight and height so that the bank can charge him for the support given.
All the techniques needed here have already been provided by others. So what was left was to choose a suitable package from several alternatives. The NPCOMM package we chose allows us to access the COM port of the victim's PC as explained above. And the scenario for the TV show was clear now.
First of all, Back Orifice has to be implanted as a trojan horse on the victim's PC. Once the connection to the victim can be established, all additional software necessary will be transferred to the victim's PC, namely the mouse and keyboard controlling plugin for Back Orifice and the serial port software. We fancied writing some more convenience plugins that need to be uploaded, too.
Next, the victim's PC is eavesdropped so that the passwords necessary to log in to the bank and the details of the banking procedures are known (one should at least know with which institute the customer does internet banking). Once all this has been found out, the fun with the internet banking starts by simply activating the serial port software. If the chip card is missing from the victim's card reader, one could be bold enough to pop up a window and kindly ask the owner to insert it.
Starting the WWW browser on the attacker's controlling PC, any transaction can now be done remotely using the victim's chip card. This is really fun. There remain some handicaps with this scenario which are not too hard to deal with:
On the other hand, there are several options for an attacker who is criminal enough not to only have fun with internet banking:
The simple solution as currently advertised by some banks is the ideal kick for modern folks having fun with internet banking, let alone criminals in need of quick money. As there is no TAN number anymore, customers do not need to carry around any secrets written on plain paper that cannot be exploited by remote PC control.
This is nearly a Pareto optimum, which roughly goes:
A community is at its best if there is no way to better the situation of one without harming the others.
As the banks do not care much about customer security (it is simply not their point; the customer is responsible for himself), the Pareto optimum has been reached by optimizing the situation for an attacker seeking fun with internet banking while simultaneously making it easier for the customer to be a victim.
jordan
Last modified: Mon May 1 17:29:29 CEST 2000
Brought back to your friendly attention by — hp 2010/05/03 17:21