Digipass Instrumentation for Fun and Profit - DefCamp 2012

Adrian Furtunǎ, PhD, CEH
(adif2k8@gmail.com)
About me
- PhD in information security, CEH
- Penetration tester at KPMG Romania
  - Web apps
  - Infrastructure
  - Mobile apps
  - Source code reviews
  - + some other annoying stuff
- Always like to prove my point…
What is this all about?

The FUN part
What is this all about?

Our subject(s)
Our subject(s)
- Digipass = security token
- Disconnected, display, keypad
- Used for:
  - User authentication (2nd factor) - OTP
  - Transaction signing (e.g. Internet Banking)
- Vendors: Vasco, CryptoCard, RSA, etc.
What is this all about? (still the fun part)
A machine that simulates human behavior when using a digipass

Brains
- Command the machine
- Keep track of the logic state
- Select the desired muscles and send the necessary signals
- Read an image from the eyes
- Interpret the image and make the next move

Neurons
- Transport the signal from the brain to the muscles
- Give the muscles the necessary power/energy to action

Muscles
- Push when powered on
- Release when powered off

Eyes
- Provide images for the brain
- Tell the brain what is happening outside
OK… But why?

Motivation
The profit part
- Remember the old rounding attacks against Internet Banking apps?
- When working with two decimals most banks round to the closest value:
  - 8.3478 EUR ~= 8.35 EUR
  - 8.3436 EUR ~= 8.34 EUR
  - max profit = 0.005 EUR
- About rounding attacks:
  - “Asymmetric Currency Rounding” by M'Raïhi, Naccache and Tunstall of Gemalto – 2001 - http://tinyurl.com/d5akdkk
  - “Is Your Online Bank Vulnerable To Currency Rounding Attacks?”, Mitja Kolsek of ACROSSecurity - 2012 – http://tinyurl.com/6wpg7ew
Rounding in currency exchange (1)
- Use the Internet Banking application to transfer money between your own accounts (e.g. RON -> EUR)

RON      EUR       EUR (rounded)   Exchange rate (RON / EUR rounded)
4.40     1         1.00            4.40        Official
2        0.4545    0.45            4.44
1        0.2272    0.23            4.34
0.5      0.1136    0.11            4.54
0.05     0.0113    0.01            5
0.03     0.0068    0.01            3
0.023    0.0052    0.01            2.3         The best
0.02     0.0045    0.00            not good

100 * (0.023 RON -> 0.01 EUR) => 2.3 RON = 1 EUR
Rounding in currency exchange (2)
The Bank said…
Known issue but we have the digipass to protect us:

1. User initiates currency exchange in IB application
2. Application sends challenge code to user
3. User inputs code into digipass
4. User reads digipass response
5. User sends the response to IB application
6. Application finalizes the transaction
The Bank said…
Known issue but we have the digipass to protect us:

1. User initiates currency exchange in IB application
2. Application sends challenge code to user
3. User inputs code into digipass
4. User reads digipass response
5. User sends the response to IB application
6. Application finalizes the transaction

Now automated!

We can make lots of transactions automatically
How much?
C1 = minimum amount of currency 1 (e.g. 0.023 RON)
C2 = minimum amount of currency 2 (e.g. 0.01 EUR)
Ex_b = exchange rate for buying C2 with microtransactions (e.g. 2.3). Ex_b = C1 / C2
Ex_s = exchange rate for selling C2 (e.g. 4.4) – real exchange rate – fixed by the Bank

x RON --(Ex_b)--> y EUR --(Ex_s)--> z RON

z = y * Ex_s = (x / Ex_b) * Ex_s = x * (Ex_s / Ex_b)
multiplication rate = Ex_s / Ex_b
transactions required = x / C1

Currency 1   Multiplication rate   Initial amount (x)   Final amount (z)   Gain              Transactions required
RON          4.4 / 2.3 = 1.9       100 RON              190 RON            90 RON ~ 20 EUR   100 / 0.023 = 4347
How the Banks should protect themselves
- Limit the number of transactions that can be performed in a given time
- Limit the minimum currency amount that can be exchanged in a transaction
- Monitor for suspicious transactions (very small amounts)
- State in the contract that such transactions are illegal
- Introduce a small fee for currency exchange operations (e.g. 0.01 EUR)
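The rounding table ("Rounding in currency exchange"), the multiplication formula ("How much?") and the bank-side controls ("How the Banks should protect themselves") worked through as an added example; this is not the author's code. The 4.40 RON/EUR rate, the 0.023 RON / 0.01 EUR micro-exchange and the 21600 transactions/day figure come from the slides; the bank's rounding mode, the Policy values and the transaction records are assumptions.

```python
"""Rounding-arbitrage arithmetic from the slides, plus the countermeasures the
slides list. Added example, not the author's code; rounding mode and policy
values are assumptions."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN, ROUND_HALF_UP
from typing import Optional

CENT = Decimal("0.01")
OFFICIAL_RATE = Decimal("4.40")  # RON per EUR, the "Official" row of the slides


def ron_to_eur(ron, rate=OFFICIAL_RATE, rounding=ROUND_HALF_EVEN):
    """EUR credited for `ron`, rounded to whole cents (rounding mode is an assumption)."""
    return (Decimal(ron) / rate).quantize(CENT, rounding=rounding)


def effective_rate(ron, rate=OFFICIAL_RATE, rounding=ROUND_HALF_EVEN):
    """RON actually paid per EUR received: the 'RON / EUR rounded' column."""
    eur = ron_to_eur(ron, rate, rounding)
    return None if eur == 0 else Decimal(ron) / eur


def smallest_profitable_amount(rate=OFFICIAL_RATE, rounding=ROUND_HALF_EVEN,
                               step=Decimal("0.001")):
    """Smallest RON amount (in `step` increments) that still buys one cent.
    Half-to-even reproduces the slides' 0.023 RON; half-up would admit 0.022."""
    ron = step
    while ron_to_eur(ron, rate, rounding) < CENT:
        ron += step
    return ron


def multiplication_rate(c1, c2, ex_s):
    """Ex_b = C1 / C2 and multiplication rate = Ex_s / Ex_b, as on the 'How much?' slide."""
    return Decimal(ex_s) / (Decimal(c1) / Decimal(c2))


@dataclass(frozen=True)
class Policy:
    """Bank-side controls from the slides (values are assumptions, not a real bank's)."""
    min_amount: str = "0"                 # smallest RON accepted per exchange
    fee_eur: str = "0"                    # flat fee per exchange, e.g. "0.01"
    max_tx_per_day: Optional[int] = None  # cap on exchanges per day
    rounding: str = ROUND_HALF_EVEN       # ROUND_DOWN: never round in the customer's favour


def multiply(x_ron, c1, policy=Policy(), rate=OFFICIAL_RATE):
    """Push x RON through repeated c1-sized RON->EUR exchanges under `policy`, then
    sell the EUR back at the official rate. Returns (transactions, final RON)."""
    x_ron, c1 = Decimal(x_ron), Decimal(c1)
    if c1 < Decimal(policy.min_amount):
        return 0, x_ron                   # exchange refused, nothing moves
    n = int(x_ron // c1)                  # transactions required = x / C1
    if policy.max_tx_per_day is not None:
        n = min(n, policy.max_tx_per_day)
    eur_per_tx = ron_to_eur(c1, rate, policy.rounding) - Decimal(policy.fee_eur)
    final = (x_ron - n * c1) + n * eur_per_tx * rate
    return n, final.quantize(CENT)


def flag_suspicious(transactions, threshold=Decimal("0.10"), max_small=20):
    """'Monitor for very small amounts': accounts with more than `max_small`
    exchanges below `threshold` RON. Input is constructed (account, amount) pairs."""
    counts = {}
    for account, amount in transactions:
        if Decimal(amount) < threshold:
            counts[account] = counts.get(account, 0) + 1
    return sorted(a for a, c in counts.items() if c > max_small)


if __name__ == "__main__":
    for amount in ("4.40", "2", "1", "0.5", "0.05", "0.03", "0.023", "0.02"):
        print(amount, ron_to_eur(amount), effective_rate(amount))
    print("no controls :", multiply("100", "0.023"))
    print("min 1 RON   :", multiply("100", "0.023", Policy(min_amount="1")))
    print("fee 0.01 EUR:", multiply("100", "0.023", Policy(fee_eur="0.01")))
    print("round down  :", multiply("100", "0.023", Policy(rounding=ROUND_DOWN)))
```

The final amount under "no controls" comes out slightly above the slides' 190 RON because the slide rounds the multiplication rate to 1.9; every one of the listed controls brings the result back to the input amount or below.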
Behind the curtains…

Back to the FUN part
External vs Internal instrumentation
- Internal instrumentation (direct electrical connections):
  - Pros:
    - more reliable and faster
    - almost error free
  - Cons:
    - might not always be possible – some digipasses deactivate if opened
    - must know the pinout of the LCD screen (lots of pins!)
    - sensitive soldering required
    - mistakes can lead to deactivation
- External instrumentation:
  - Pros:
    - No interference with the digipass’s internals
    - Can be applied to any digipass model
  - Cons:
    - Pretty slow (but good for the “low and slow” approach)
    - Some (mechanical) errors occur on pressing buttons (resolvable by a more professional construction)
    - OCR process needs special (lighting) conditions to produce correct results
Electric diagram
Select code (D3 D2 D1 D0) -> switch Sx -> digipass key:

D3 D2 D1 D0   Sx    Digipass key
0001          S1    0
0010          S2    1
0011          S3    2
0100          S4    3
0101          S5    4
0110          S6    5
0111          S7    6
1000          S8    7
1001          S9    8
1010          S10   9
1011          S11   =
1100          S12   S
1101          S13   ON/OFF
Optical Character Recognition
Processing stages (images not reproduced): Original -> Cleared background -> Blurred -> Threshold applied -> OCR-ized (gocr / ocrad)

OCR-ized (gocr / ocrad) output for four sample displays:
7169309 / -_16g309
1757450 / 1_5_G50
043i __ i_ì / OG3i _i_i
9a__641 4 / 9__6G1G
Current performance
- 10 transactions / minute (6 seconds / transaction)
  - max 21600 transactions / day
  - enter PIN, type challenge code, read response image, do OCR
- Our previous example:
  - 100 RON -> 190 RON (gain ~20 EUR)
  - => 4347 transactions * 6 sec/trans = 26082 sec = 7h 14m 42s
- Maximum amount to multiply per day:
  - 21600 * 0.023 RON = 496.8 RON => final: 943.9 RON
  - gain 447 RON ~= 101 EUR/day
- Money making machine?
Photo gallery

The first POC

Development stages (1)

Development stages (2)

Development stages (3)

Development stages (4)

Final version - back

Final version - front

Demo
Thank you!

QUESTIONS ?

Adrian Furtunǎ, PhD, CEH
adif2k8@gmail.com
http://pentest-tools.com
