BREAKING SMART [BANK] STATEMENTS Explanation of how I find and exploit a security flaw (bad implementation of cryptography) in a bank statement, sent via email, of one of the biggest banks in Mexico.

1. Breaking Smart [Bank] Statements
How to read a Bank Statement without a password

2. SECURITY RESEARCHER @
TRUSTWAVE SPIDERLABS RESEARCH –VAT
OCTOBER 10, 2019
Manuel Nader

3. Agenda
Context
Analysis of the file
Analysis of JavaScript
RC4
Demo
Analysis after fix
Conclusions
Q & A
01
02
03
04
05
06
07
08

4. Whoami
• Work
• Security Researcher at Trustwave SpiderLabs.
• Previously worked in the offensive side of security (Ethical Hacking).
• Before that he worked on the defensive side of security.
• Extra
• Web attacks, DDoS
• Dogs, tacos
• Twitter: @AgoraSecurity

5. Context

6. Disclosure Timeline
• Disclosure to SLR Intelligence: March 21, 2018
• SLR Intelligence contacted the vendor: March 22, 2018
• Vendor responded: April 30, 2018
• Vendor (responsible.disclosure@citi.com) confirms fix: July 19,
2018

7. Context – Who?
• CitiBanamex
• One of the largest Banks in Mexico (3rd biggest bank1 in Mexico).
• Part of Citigroup (one of the biggest groups in the world).
1. https://www.forbes.com.mx/los-10-bancos-mas-grandes-de-mexico/

8. • In Mexico, it’s possible to receive
your monthly bank statement via
email.
• Mexico's banking and securities
regulator (CNBV) says that security
mechanisms must be applied to
the bank statement to avoid an
unauthorized third party.2
2. Titulo Quinto --> Capítulo X --> Sección Segunda --> Artículo 313
http://www.cnbv.gob.mx/Normatividad/Disposiciones%20de%20carácter%20general%20aplicables%20a%20las%20instituciones%20de%20crédito.pdf
Context – Bank Statement via email

9. • CitiBanamex send two types of Bank Statements:
1. Encrypted PDF. Used for most accounts.
2. Smart Statements. Send only3 to Credit Cards of the type “Tarjetas Oro,
Prestige y Beyond Citibanamex”.
• Fun Fact: They have a FAQ page4 for the Smart Statement.
• Question 3 (translated):
• 3. Is my Smart Statement safe?
• The Smart Statement has the highest security protocols worldwide, which is
why it is just as safe as your PDF Account Statement.
3. Information from 2018
4. https://www.banamex.com/citialert/smartstatement/resources/faqs.pdf?lid=MX%7Ces%7Cpersonas%7Cbanca-digital%7Cestado-de-cuenta-TextoBottom-04102017-
Information-irFAQsSmartStatement-ES-ES
Context – CitiBanamex Bank Statement via email

10. Analysis of the file

11. First view of the HTML

12. Incorrect Password

13. Correct Password
Private data,
address
CC number

14. What does the HTML contain?
• The HTML is around 2.3 – 3 MB.
– Contains lots of JavaScript (around 93%).
– Some CSS (around 6%).
– Some HTML (around 1%).

15. What is happening?
• First impression: Security via obscurity and some type of
encryption:
• Analysis of the HTML

16. Analysis of the JavaScript

17. JS Analysis #1
• It has 31 JavaScript functions and a lot of variables.
– Some are very similar: hexCrypt0, hexCrypt1, hexCrypt2, etc.
– One is particularly interesting: validatePswd
• After some beautify of the JS and following the logic, here’s a simple
diagram of what’s happening:
User submits
password
SHA1 of the
password is
obtained
(hashTypedPswd)
Second SHA1
hash is obtained
and compared
against
‘validatePswd’
If they are equal,
decrypt the
message.
Note: Use the first hash as the
key:
`desenc(hashTypedPswd)`

18. • The ‘desenc’ function is quite
simple:
− Calls one functions 30 times (push the
result to an array).
− Replace the window with the content of the
array.
• What does the function decrypt
do?
JS Analysis #2

19. • The ‘decrypt’ function is:• Looks like RC4.
• RC4 is a stream cipher.
− It has more than 20 years.
− It’s not considered a strong encryption
algorithm.
• Line 18 is different (they are not
adding +1).
• They are using the same key
(remember previous slide)!
JS Analysis #3

20. RC4

21. RC4 – What is it?
• RC4. Rivest Cipher 4 also known
as ARC4.
• Was initially a trade secret.
• Is a stream cipher.
• Extra: Listen CRYPTO WARS
(DARKNET DIARIES) Source: Wikipedia.
https://en.wikipedia.org/wiki/RC4

22. RC4 – Overview #1
• A stream cipher is a symmetric key cipher where plaintext digits
are combined with a pseudorandom cipher digit stream
(keystream), RC4 is a stream cipher.
• For RC4, the keystream is independent of the plaintext
(Synchronous stream cipher).

23. • The algorithm does 2
main things:
• Key Scheduling
algorithm (KSA)
• PRGA: XOR the plaintext
(get the encrypted text)
and keep generating
the keystream
www.hackerhalted.com 23
RC4 – Overview #2
PRGA
algorithm
(keystream)
Plaintext
Encrypted
text
Key
RC4 KSA
Algorithm
Input for
PGRA

24. • The KSA does:
1. Initialize an array (s) with all
values from 0 to 255.
2. Scramble array using key.
• Output is an array that will be
used to generate the keystream.
www.hackerhalted.com 24
RC4 – Overview #3
1
2

25. • For every element of
the plaintext, the PRGA:
• Gets the next element
of the keystream
• XOR the plaintext with
the keystream
www.hackerhalted.com 25
RC4 – Overview #4

26. • To sum up RC4:
• The keystream is generated
using the key.
• You will always have the same
keystream if you use the same
key.
• The plaintext XOR the
keystream = the encrypted
message.
www.hackerhalted.com 26
RC4 – Overview #5

27. RC4 – Security
• There are some attacks on the algorithm, but they are not very simple.
• You should never use the same key to encrypt more than one message
in a stream cipher.
• The same key is used to encrypt 30 different messages.
• The desired output is always an HTML and we can do a Known-plaintext
attack.

28. Breaking RC4 – Known-plaintext attack # 1
• For each bit:
𝐶 = 𝑍 ⊕ 𝑀
• Which is equal to:
𝑍 = 𝐶 ⊕ 𝑀
C = Encrypted Text
Z = Keystream
M = Plain Text Message

29. • We have the Encrypted Message and it is split in ~30 variables [for
our convenience].
• Could we obtain the Keystream?
• Could we obtain the complete plain text?
Breaking RC4 – Known-plaintext attack # 2

30. • Decrypted HTML:
− Looks like it’s going to be the same for every
Bank Statement.
− HTML normal headers & comments.
− jQuery
Breaking RC4 – Known-plaintext attack # 3

31. • Could we obtain the Keystream?
Keystream = Cipher Text1 ⊕ Plain Text1
• Could we obtain the complete plain text?
Plain Textn = Cipher Textn ⊕ Keystream
Breaking RC4 – Known-plaintext attack # 2

32. • Idea behind the exploit:
1
2
3
Breaking RC4 – Exploit
1. Use plain text we know (first ~3% of the HTML).
2. Obtain the keystream.
3. Decrypt the message using the keystream.

33. Demo

34. Possible Fixes

35. Possible Fixes
• There are many possible solutions, some ideas are:
• Don’t send the bank statement to the user via email (ask to login for download).
• Don’t reuse the same key in a stream cipher.
• This is, join the variables or use an IV.
• Use an algorithm that is considered safe.
• Could you think of other?

36. Analysis After the Fix

37. Fix #1
• Decrypt function now uses AES
• Use of CryptoJS v3.1.2
• aes.js
• sha256.js

38. Fix #2
• Join all text together before decrypting:

39. Fix #3
• Use a SHA256 of the password as the key:

40. Conclusion

41. Conclusion
• It’s a good idea to have a security review before rolling out a new product.
• Hire specialists if needed.
• Always use cryptography algorithms that are considered safe.
• Never roll your own cryptography algorithms (nor implement them differently).
• Never use the same key more than once in a stream cipher.
• If possible, have a simple, safe & clear way of communicating security issues to your organization.
• Blog: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breaking-smart-bank-
statements/

42. Questions and Next Steps