BREAKING SMART [BANK] STATEMENTS
Explanation of how I found and exploited a security flaw (a bad implementation of cryptography) in a bank statement, sent via email, by one of the biggest banks in Mexico.
3. Agenda
01 Context
02 Analysis of the file
03 Analysis of JavaScript
04 RC4
05 Demo
06 Analysis after fix
07 Conclusions
08 Q & A
4. Whoami
• Work
• Security Researcher at Trustwave SpiderLabs.
• Previously worked on the offensive side of security (Ethical Hacking).
• Before that, worked on the defensive side of security.
• Extra
• Web attacks, DDoS
• Dogs, tacos
• Twitter: @AgoraSecurity
6. Disclosure Timeline
• Disclosure to SLR Intelligence: March 21, 2018
• SLR Intelligence contacted the vendor: March 22, 2018
• Vendor responded: April 30, 2018
• Vendor (responsible.disclosure@citi.com) confirms fix: July 19, 2018
7. Context – Who?
• CitiBanamex
• One of the largest banks in Mexico (3rd biggest bank in Mexico). [1]
• Part of Citigroup (one of the biggest groups in the world).
1. https://www.forbes.com.mx/los-10-bancos-mas-grandes-de-mexico/
8. Context – Bank Statement via email
• In Mexico, it’s possible to receive your monthly bank statement via email.
• Mexico's banking and securities regulator (CNBV) says that security mechanisms must be applied to the bank statement to prevent access by an unauthorized third party. [2]
2. Titulo Quinto --> Capítulo X --> Sección Segunda --> Artículo 313
http://www.cnbv.gob.mx/Normatividad/Disposiciones%20de%20carácter%20general%20aplicables%20a%20las%20instituciones%20de%20crédito.pdf
9. Context – CitiBanamex Bank Statement via email
• CitiBanamex sends two types of bank statements:
1. Encrypted PDF. Used for most accounts.
2. Smart Statements. Sent only [3] to credit cards of the type “Tarjetas Oro, Prestige y Beyond Citibanamex”.
• Fun Fact: They have a FAQ page [4] for the Smart Statement.
• Question 3 (translated):
• 3. Is my Smart Statement safe?
• The Smart Statement has the highest security protocols worldwide, which is why it is just as safe as your PDF Account Statement.
3. Information from 2018
4. https://www.banamex.com/citialert/smartstatement/resources/faqs.pdf?lid=MX%7Ces%7Cpersonas%7Cbanca-digital%7Cestado-de-cuenta-TextoBottom-04102017-Information-irFAQsSmartStatement-ES-ES
14. What does the HTML contain?
• The HTML is around 2.3 – 3 MB.
– Contains lots of JavaScript (around 93%).
– Some CSS (around 6%).
– Some HTML (around 1%).
15. What is happening? – Analysis of the HTML
• First impression: security via obscurity and some type of encryption.
17. JS Analysis #1
• It has 31 JavaScript functions and a lot of variables.
– Some are very similar: hexCrypt0, hexCrypt1, hexCrypt2, etc.
– One is particularly interesting: validatePswd
• After beautifying the JS and following the logic, here’s a simple diagram of what’s happening:
1. User submits password.
2. SHA1 of the password is obtained (hashTypedPswd).
3. A second SHA1 hash is obtained and compared against ‘validatePswd’.
4. If they are equal, decrypt the message.
Note: the first hash is used as the key: `desenc(hashTypedPswd)`
18. JS Analysis #2
• The ‘desenc’ function is quite simple:
− Calls one function 30 times (pushes each result to an array).
− Replaces the window with the content of the array.
• What does the function ‘decrypt’ do?
19. JS Analysis #3
• The ‘decrypt’ function looks like RC4.
• RC4 is a stream cipher.
− It is more than 20 years old.
− It’s not considered a strong encryption algorithm.
• Line 18 is different (they are not adding +1).
• They are using the same key (remember the previous slide)!
21. RC4 – What is it?
• RC4: Rivest Cipher 4, also known as ARC4.
• Was initially a trade secret.
• Is a stream cipher.
• Extra: Listen to CRYPTO WARS (DARKNET DIARIES).
Source: Wikipedia. https://en.wikipedia.org/wiki/RC4
22. RC4 – Overview #1
• A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream); RC4 is a stream cipher.
• For RC4, the keystream is independent of the plaintext (synchronous stream cipher).
23. RC4 – Overview #2
• The algorithm does 2 main things:
• Key Scheduling Algorithm (KSA)
• PRGA: XOR the plaintext (get the encrypted text) and keep generating the keystream
[Diagram: Key → RC4 KSA algorithm → input for PRGA; PRGA algorithm (keystream) ⊕ Plaintext → Encrypted text]
www.hackerhalted.com
24. RC4 – Overview #3
• The KSA does:
1. Initialize an array (s) with all values from 0 to 255.
2. Scramble the array using the key.
• Output is an array that will be used to generate the keystream.
25. RC4 – Overview #4
• For every element of the plaintext, the PRGA:
• Gets the next element of the keystream
• XORs the plaintext with the keystream
26. RC4 – Overview #5
• To sum up RC4:
• The keystream is generated using the key.
• You will always have the same keystream if you use the same key.
• The plaintext XOR the keystream = the encrypted message.
27. RC4 – Security
• There are some attacks on the algorithm, but they are not very simple.
• You should never use the same key to encrypt more than one message in a stream cipher.
• Here, the same key is used to encrypt 30 different messages.
• The desired output is always HTML, so we can do a known-plaintext attack.
28. Breaking RC4 – Known-plaintext attack # 1
• For each bit:
C = Z ⊕ M
• Which is equal to:
Z = C ⊕ M
C = Encrypted Text
Z = Keystream
M = Plain Text Message
29. Breaking RC4 – Known-plaintext attack # 2
• We have the Encrypted Message and it is split in ~30 variables [for our convenience].
• Could we obtain the Keystream?
• Could we obtain the complete plain text?
30. Breaking RC4 – Known-plaintext attack # 3
• Decrypted HTML:
− Looks like it’s going to be the same for every Bank Statement.
− Normal HTML headers & comments.
− jQuery
31. Breaking RC4 – Known-plaintext attack # 2
• Could we obtain the Keystream?
Keystream = Cipher Text₁ ⊕ Plain Text₁
• Could we obtain the complete plain text?
Plain Textₙ = Cipher Textₙ ⊕ Keystream
32. Breaking RC4 – Exploit
• Idea behind the exploit:
1. Use plain text we know (first ~3% of the HTML).
2. Obtain the keystream.
3. Decrypt the message using the keystream.
35. Possible Fixes
• There are many possible solutions; some ideas are:
• Don’t send the bank statement to the user via email (ask them to log in to download it).
• Don’t reuse the same key in a stream cipher.
• That is, join the variables or use an IV.
• Use an algorithm that is considered safe.
• Can you think of others?
41. Conclusion
• It’s a good idea to have a security review before rolling out a new product.
• Hire specialists if needed.
• Always use cryptography algorithms that are considered safe.
• Never roll your own cryptography algorithms (nor implement them differently).
• Never use the same key more than once in a stream cipher.
• If possible, have a simple, safe & clear way of communicating security issues to your organization.
• Blog: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breaking-smart-bank-statements/