
Typical Vulnerabilities of E-Banking Systems



Published in: Technology, Economy & Finance


  1. Typical Vulnerabilities of E-Banking Systems. Sergey Scherbel, Dmitry Evteev, Eugenie Potseluevskaya, Positive Technologies
  2. Future Now. Vulnerabilities of Remote Banking, as exemplified by PHDays I-Bank
  3. Vulnerabilities of Remote Banking, as exemplified by PHDays I-Bank. PHDays I-Bank IS NOT a real remote banking system actually used by any bank. The system was developed specially for PHDays 2012. PHDays I-Bank contains vulnerabilities typical of real remote banking systems. Some of the vulnerabilities are found too often.
  4. Identification. Predictable user identifiers are far more dangerous than they may seem! A PHDays I-Bank identifier consists of digits, just like most identifiers in actual remote banking systems. Examples of identifiers: 1000001, 1000002, ... What's wrong with it? We'll explain a bit later.
  5. Password Policy. A weak password policy is a problem of all times! The default password is strong, but the user can change it for a weak one, even for one composed of only 1 character! The only thing that gets checked is the length of the password, so we are certain to find something like 1234567 or 12345678. Check on regular expression: the problem is dictionary passwords, for example P@ssw0rd.
  6. Brute Force? Brute force against Internet banking? What about security? Types of protection from brute-force attacks: locking accounts, locking IP addresses, using CAPTCHA.
  7. Locking is not the answer! It is easy to bypass these protection mechanisms. An account or IP address gets locked after a number of failed authorization attempts (usually 3 or 5). Predictable and weak identifiers + weak password policy + ??????? = Profit!!!!111
  8. Locking is not the answer! Collect identifiers (1000001, 1000002, 1000003, ...). Choose 1 or 2 passwords. Match identifiers against passwords, not passwords against identifiers (1001421:12345678, 1002236:12345678, 1002313:12345678, ...).
  9. Locking leads to Denial of Service! After a few failed authentication attempts, the account gets locked. You can attack a target user. If you know all the identifiers, you can conduct a large-scale DoS attack. As a rule, to unlock the account, users have to contact the bank office. Someone's day might be ruined.
  10. Locking IP Address. Locking an IP address is not more prudent. Most companies assign the same external IP address to all their employees. Numerous authentication attempts can be treated like a brute-force attempt, thus leading to lock-up of the IP address.
  11. CAPTCHA Problem. Possible repetitive sending of the same value. The value is sent in a hidden field of the HTML form. Sending an empty value is possible. Insufficient validation: it's OK if the length is appropriate or there are certain characters. CAPTCHA is not checked for certain headers.
  12. CAPTCHA Problem in PHDays I-Bank. The value is sent in a hidden field of the HTML form:
        public function encodeCaptchaCode($code) {
            // base64 -> reverse -> base64: no secret and no time-dependent value
            return @base64_encode(@strrev(@base64_encode($code)));
        }
     The encoding does not use a secret or temporal values, so decoding a line is a piece of cake: PUlUTndVVE0= -> =ITNwUTM -> MTUwNTI= -> 15052
  13. CAPTCHA Problem in PHDays I-Bank. Besides, one and the same value can be sent repeatedly. So you can conduct a brute-force attack on the account!
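The encoding on slide 12 transcribed to Python, together with a hardened challenge store, as an added example that is not part of the original slides or the I-Bank code. The keyless encode/decode pair shows why the hidden field leaks the answer; `issue_challenge` and `verify_challenge` are an assumed design that keeps the answer server-side, expires it, and rejects replays and empty submissions (the three CAPTCHA problems listed on slide 11).

```python
import base64
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Python transcription of encodeCaptchaCode() from the slide:
# base64 -> reverse -> base64, with no secret involved at any step.
def encode_captcha_code(code: str) -> str:
    inner = base64.b64encode(code.encode()).decode()
    return base64.b64encode(inner[::-1].encode()).decode()

# Because every step is a public, keyless transformation, anyone holding the
# hidden-field value recovers the CAPTCHA answer by running them backwards.
def decode_captcha_code(token: str) -> str:
    reversed_inner = base64.b64decode(token).decode()
    return base64.b64decode(reversed_inner[::-1]).decode()

# Hardened alternative (an assumed design, not the I-Bank code): the form only
# carries an opaque random challenge id; the expected answer stays server-side,
# expires, and is deleted on first use so the same value cannot be replayed.
_CHALLENGES: Dict[str, Tuple[str, float]] = {}   # challenge id -> (answer, expiry)
CAPTCHA_TTL_SECONDS = 120

def issue_challenge(answer: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    _CHALLENGES[challenge_id] = (answer, now + CAPTCHA_TTL_SECONDS)
    return challenge_id

def verify_challenge(challenge_id: str, submitted: str,
                     now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    record = _CHALLENGES.pop(challenge_id, None)     # single use, pass or fail
    if record is None or not submitted:              # unknown id or empty value
        return False
    answer, expiry = record
    if now > expiry:
        return False
    return hmac.compare_digest(answer.encode(), submitted.encode())
```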
  14. Password Recovery. Almost every web application provides for password recovery. PHDays I-Bank is not an exception.
  15. Password Recovery: Problems. If password recovery requires not an email but an identifier, we can get all identifiers used in the system.
  16. Password Recovery: Problems. Some users of I-Bank could recover their passwords via a web form. For others, the rules provided the only recovery way: to contact a bank office ('Please contact any office of the PHDays bank for password recovery').
  17. Password Recovery: Problems. The key required for password recovery is generated with weak entropy:
        private function addDataInTable($login) {
            // rand(1, 250) leaves only 250 possible keys for a known login
            $key = md5($login.rand(1, 250));
            // remainder of the function not shown on the slide
        }
     To guess the key, one needs to go through only 250 values! Then a new password will be created.
  18. Weak Entropy of Session Identifier. If a session uses its own mechanisms, the reliability of identifiers is crucial. In PHDays I-Bank identifiers are generated according to a special algorithm:
        private function getSpecialHash($password) {
            $hash = sprintf("%u", crc32($password)); // unsigned decimal CRC32
            if(strlen($hash) > 4) {
                $hash = substr($hash, 0, 4);        // keep only the first 4 digits
            }
            // remainder of the function not shown on the slide
        }
  19. Weak Entropy of Session Identifier. The session identifier consists of only 4 characters. All characters are numerical, which reduces entropy. The session identifier is static: it changes only if the user changes his/her password.
  20. Weak Entropy of Session Identifier. Cookie: auth=1000001|2|3016
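Both generators above, the recovery key of slide 17 and the session identifier of slides 18-20, transcribed to Python so the space a defender has to assume an attacker can enumerate is explicit; this is an added example, not code from the slides or from I-Bank. The `strong_*` functions are assumed replacements drawn from the `secrets` module, not anything the presentation describes.

```python
import hashlib
import secrets
import zlib

# Transcription of addDataInTable(): $key = md5($login.rand(1, 250));
# For a known login, every key it can ever receive is one of these 250 digests.
def recovery_key_candidates(login: str) -> list:
    return [hashlib.md5(f"{login}{r}".encode()).hexdigest() for r in range(1, 251)]

# Transcription of getSpecialHash(): sprintf("%u", crc32($password)) cut to its
# first 4 decimal digits. zlib.crc32 is already unsigned, matching PHP's "%u".
def special_hash(password: str) -> str:
    digits = str(zlib.crc32(password.encode()))
    return digits[:4] if len(digits) > 4 else digits

# Upper bound on distinct session identifiers: 4 decimal digits.
def session_id_space_size() -> int:
    return 10 ** 4

# Number of distinct identifiers a constructed password list actually maps to;
# collisions mean one guessed value may match several accounts.
def distinct_session_ids(passwords: list) -> int:
    return len({special_hash(p) for p in passwords})

# Hardened alternatives (assumed, not I-Bank code): long, unpredictable, and
# regenerated for every recovery request and every login.
def strong_recovery_key() -> str:
    return secrets.token_hex(32)          # 256 bits of CSPRNG output

def strong_session_id() -> str:
    return secrets.token_urlsafe(32)
```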
  21. Problems with Privilege Isolation. While a possibility to transfer money from other accounts is extremely rare, a possibility to access other users' data can still be found. Some systems allow sending messages to the support service on behalf of any user. Others allow editing payment templates of other users. Such vulnerabilities were not embedded into PHDays I-Bank.
  22. One-time Password. One-time passwords are used to protect systems from unauthorized activities (transactions, password change, editing personal data). OTP can be requested either after the initial authentication (login and password) or before each new transaction (or other action).
  23. One-Time Password in PHDays I-Bank. PHDays I-Bank had 2 types of OTP: emulation of an external device (implemented as the TransactionA class in the code) and OTP on scratch cards (implemented as the TransactionB class in the code).
  24. One-Time Password, Problems. OTP is not requested to transfer small amounts of money (for example, up to $100). One and the same OTP can be sent repeatedly. OTP can be predicted. Some users disable OTP validation. In PHDays I-Bank, transactions without OTP were carried out in TransactionC. The user can skip OTP validation and perform the transaction straight away.
  25. One-Time Password, TransactionA. The OTP is impossible to predict. However, the OTP validation step can be skipped to perform the transaction straight away!
  26. One-Time Password, TransactionA. Change step3 for step4.
  27. One-Time Password, TransactionA. Profit!!11 The transaction is successfully completed. A simple bypass of a reliable protection.
  28. One-Time Password, TransactionB. Algorithm of OTP generation:
        protected function generateOTP() {
            $OTPs = array();
            $s = 44553 + $this->userInfo["id"]; // the variable depends only on the user's number
            for($n = 10; $n < 24; $n++) {       // generating 14 OTPs
                $OTP = "";
                $j = rand(20,39);               // the $j variable can take on
                $j = substr($j, 0, 1);          // only two values: 2 or 3
                $OTP = $n*$s*$j;
                $OTP = substr($OTP, 0, 5);      // OTP consists of 5 characters
                $OTPs[] = $OTP;
            }
            return $OTPs;                       // loop end and return not shown on the slide
        }
  29. One-Time Password, TransactionB. OTP can take on only 2 values.
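The TransactionB generator of slide 28 transcribed to Python, as an added example that is not part of the slides or the I-Bank code. `rand(20,39)` is replaced by an explicit argument so the whole outcome space can be enumerated and the "only 2 values" claim of slide 29 checked for any user id; `strong_otp` is an assumed CSPRNG-based replacement, not anything the presentation describes.

```python
import secrets

# Transcription of TransactionB::generateOTP() for one step. PHP's rand() is
# not reproduced; the value it would return is passed in explicitly.
def phdays_otp(user_id: int, step: int, rand_value: int) -> str:
    s = 44553 + user_id               # depends only on the user number
    j = int(str(rand_value)[0])       # first digit of 20..39 -> 2 or 3
    return str(step * s * j)[:5]      # OTP is the first 5 characters

def otp_candidates(user_id: int, step: int) -> set:
    """Every OTP the generator can emit for this user at this step (10..23)."""
    return {phdays_otp(user_id, step, r) for r in range(20, 40)}

def max_guesses_per_step(user_id: int) -> int:
    """Worst case over the 14 steps: guesses needed to cover the whole space."""
    return max(len(otp_candidates(user_id, n)) for n in range(10, 24))

# Hardened generator (assumed, not I-Bank code): each code is an independent
# draw from a CSPRNG, so all 100 000 five-digit values are equally likely and
# neither the user id nor the step number reveals anything about it.
def strong_otp() -> str:
    return f"{secrets.randbelow(10 ** 5):05d}"
```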
  30. One-Time Password, TransactionC. OTP is not requested: transactions can be completed freely. In PHDays I-Bank, there were not many users who were not asked for an OTP for transactions, but some participants got lucky.
  31. Actions without OTP. Sometimes OTP is requested only for transactions, while other actions could be completed without it: send a message to Support Service, change the password, change a payment template, create a payment template, open a new account.
  32. Changing Payment Template. Payment templates allow saving time on entering similar data: recipient's account, recipient's name. If an attacker has a chance to change the template data, they can easily change the recipient's account for theirs. The user is likely to overlook the change and confirm the transaction.
  33. How Was It. 20,000 rubles (about $700) was the prize fund. The day before the competition, participants received the source code of the systems and a virtual machine with PHDays I-Bank installed. Then the participants had 20-30 minutes to use the vulnerabilities they had found. Automation of the process decided the winning side. Hyperthreading played a critical role!
  34. 2 Tasks to Succeed. The competition could virtually be divided into 2 tasks. Gaining access to the account: simple and dictionary passwords, weak entropy of the password recovery key, weak entropy of the session identifier. OTP bypass: OTP was not requested, the OTP validation step could be skipped, predictable OTP.
  35. Distribution of Vulnerabilities (chart; categories: simple password, dictionary password, session ID, recovery key; values shown: 30, 18, 100, 52).
  36. Distribution of Vulnerabilities. The money was distributed according to a simple principle: the more difficult it is to get access, the more money it "costs". The accounts used for demonstration had weak passwords: 1234567 and password. The participants' accounts were also vulnerable: the session identifier had weak entropy. The most reasonable strategy to follow was to transfer all the money of other participants closer to the end of the competition.
  37. HelpDesk. Together with the remote banking, we implemented an elementary HelpDesk. HelpDesk is a system for the employees of the bank. The main idea was that if an attacker managed to get into the "restricted-access" system, they would have enough information to hack the entire system. In practice: password policy, information on protection mechanisms and even user passwords.
  38. HelpDesk in PHDays I-Bank. Discussions that hinted at the details to consider. A link to the system that displayed users with simple passwords.
  39. HelpDesk, Authentication Bypass. HelpDesk is vulnerable to authentication bypass: you don't need to know the login or the password, just send the following header in each HTTP request:
        // a client-supplied header is trusted as proof of identity
        if(isset($_SERVER["HTTP_BANKOFFICEUSER"])) {
            $userId = base64_decode($_SERVER["HTTP_BANKOFFICEUSER"]);
            $userInfo = $this->user->getUserInfoById($userId);
            $this->user->setupUserInfo($userInfo);
            return $this->user;
        }
  40. HelpDesk, Authentication Bypass. Modify Header is handy for the exploitation.
  41. Race condition. If you send a lot of requests, it can probably lead to a situation when all of the requests are processed at the same time: Request N and Request N + 1 each check for the required amount, then each deposits. Profit! $$$
  42. Race Condition, Nginx. To get protected from the race condition and prevent the situation when money appears from nowhere, nginx was set to block messages coming too often. The limit was 3 requests per second to the script that fulfilled the transactions. Nginx was not installed on the virtual machines, so one of the participants found the race condition problem.
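The check-then-act pattern of slide 41 beside its atomic form, as an added example that is not part of the slides or the I-Bank code; the `Account` class and the withdrawal functions are constructed for illustration. It shows why the nginx rate limit of slide 42 only narrows the window: the fix is making the balance check and the debit a single step.

```python
import threading
import time

# Constructed in-memory account, standing in for the I-Bank balance record.
class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()

# The pattern on the slide: the check and the act are separate steps, so every
# concurrent request can pass the check before any debit has landed.
def withdraw_racy(acct: Account, amount: int) -> bool:
    if acct.balance >= amount:          # "checking for the required amount"
        time.sleep(0.001)               # widen the window between check and act
        acct.balance -= amount          # "depositing"
        return True
    return False

# Fix: check and debit as one atomic step under the account lock (in SQL terms,
# a conditional UPDATE ... WHERE balance >= amount inside a locking transaction).
def withdraw_atomic(acct: Account, amount: int) -> bool:
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False

def run_concurrent(withdraw, balance: int, amount: int, requests: int) -> dict:
    """Release `requests` withdrawals at once; report successes and final balance."""
    acct = Account(balance)
    results = []
    start = threading.Barrier(requests)

    def worker():
        start.wait()                    # all threads proceed together
        results.append(withdraw(acct, amount))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"successes": sum(results), "balance": acct.balance}

if __name__ == "__main__":
    print("racy  :", run_concurrent(withdraw_racy, 500, 100, 20))
    print("atomic:", run_concurrent(withdraw_atomic, 500, 100, 20))
```

With a balance of 500 and 20 concurrent withdrawals of 100, the atomic version always reports exactly 5 successes and a final balance of 0; the racy version typically reports more successes and a negative balance.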
  43. Business Impact Analysis: How much would it cost? Assumptions: I-Bank's capital is 300 million dollars; 100 000 clients use online banking services; the average sum on every account is 1000 dollars; the profit from every client is 500 dollars; the operating cost to change a user's password is $0.15 per password; reissuing one scratch card costs 15 dollars.
  44. Business Impact Analysis: Impact (in millions of dollars)
  45. Business Impact Analysis: Impact
  46. Business Impact Analysis: Exploitation Probabilities. Distribution of password vulnerabilities (chart values shown: 30, 18, 100, 52): simple password 90%, dictionary password 90%, session ID 70%, recovery key 50%. Distribution of OTP vulnerabilities (chart values shown: 40, 80, 80): external device 90%, scratch cards 90%, no OTP 100%.
  47. Business Impact Analysis: Risk Assessment. Risk = Impact x Probability. Probability is 0.54%. Risk = 9% of the capital. A risk level of over 3% of the capital is regarded as critical for a bank!
  48. Business Impact Analysis: make the right choice. Forewarned is forearmed (millions of dollars).
  49. Thank you for your attention