The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study
Marcus Botacin (1), Anatoli Kalysch (2), André Grégio (1)
(1) Federal University of Parana (UFPR-BR): {mfbotacin, gregio}@inf.ufpr.br
(2) Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU-GER): anatoli.kalysch@fau.de
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c
ARES/IWSMA’19
Topics
1 Introduction
  Motivation
2 Brazilian banks' apps
  Methodology
  Results
3 Final Remarks
  Conclusions
  Questions?
Motivation
Online Banking in the World
Pros
Wide Access.
Shorter Response Times.
Cons
Online Fraud & Crime.
Challenges
Secure Online Banking Operations.
Online Banking in Brazil
Economy & History
Recurring periods of high inflation.
Banking computerized in the early 80s.
More operations made with credit cards than at ATMs.
More mobile banking accesses than ATM accesses.
Expensive mobile data plans (WhatsApp traffic is free).
Online Banking in Brazil
Technologies
Desktop-based banking apps (early 2000s).
Web-based banking (late 2000s).
Mobile-based banking (currently).
Boletos (offline payment system).
Whatsapp-based banking (stop it now!!!).
Desktop-based banking
Figure: Phishing App. The initial screen of a GUI-based malicious attachment that mimics a bank desktop app to deceive users into providing their credentials.
Boleto
Figure: Brazilian Boleto. The barcode stores all payment information and can be scanned by ATMs.
Methodology
Target Apps
5 largest BR banks (75+% market-share).
Largest BR fin-tech.
OWASP Categories
Code Quality & Build Settings.
Secure Data Storage.
Network Communication.
Reverse Engineering Resilience.
Authentication.
Results
Analyzed Apps
Table: Analyzed Apps Summary. Distinct project decisions between banks' and fin-techs' apps, and over time.
App        App Version  Android Version  Banking Plugin  Native Lib  Java Lib
BB         6.25.1.1     7.1.1
Bradesco   3.2.28       6.0-27
Caixa      2.0.3        5.0.1
Itau       6.1.4        7.1.1
Santander  6.3.2.7      7.0
Nubank     4.19-0       7.1.1
App Heterogeneity
Figure: App Heterogeneity. Banks deploy multiple apps for accessing their distinct services.
Apps Diversity
Table: Apps Diversity (Santander).
  Version            BR  DE
  Architectures (#)   7   6

Table: Apps Diversity (BB).
  Version            Main  Investing
  Architectures (#)     2          5

Table: Apps Diversity (Bradesco).
  Version            Main  Cards  Corporate  Trading
  Architectures (#)     1      6          7        0

Table: Apps Diversity (Caixa).
  Version            Main  Tablet  Cards
  Architectures (#)     3       4      5

Table: Apps Diversity (Itaú).
  Version            Main  Personal  Enterprise  Tablet
  Architectures (#)     7         7           7       3
Network Security
Table: Network Attacks Prevention. All apps are protected against HTTP downgrade; many are vulnerable to MITM.
APP HTTP Downgrade Certificate Pinning Plain Password
BB —
Bradesco
Caixa
Itau —
Santander —
Nubank
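As an added example (not code from the paper or from any of the banks), the client-side configuration that would fill both columns of the table with a pass: an Android HTTP client that refuses cleartext connections and pins the API host's certificate chain. It assumes the app uses OkHttp; the hostname and the two pin values are placeholders.

```java
// Added example, not from the paper or any bank's app: an OkHttp client that
// blocks HTTP downgrade and pins the bank API's public keys.
import java.util.Collections;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;

public final class BankHttpClient {
    // Assumptions: placeholder host and pins. Real pins are the base64 SHA-256
    // of the leaf or intermediate SubjectPublicKeyInfo; a backup pin for the
    // next certificate must ship before the current one rotates, or the app
    // locks itself out of its own back end.
    static final String API_HOST = "api.example-bank.invalid";
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                // ConnectionSpec.CLEARTEXT is deliberately absent: any http://
                // URL fails before a socket is opened ("HTTP Downgrade" column).
                .connectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS))
                // A proxy presenting a user-installed CA's certificate produces a
                // chain whose SPKI hashes match neither pin, so the handshake is
                // rejected with SSLPeerUnverifiedException ("Certificate Pinning").
                .certificatePinner(pinner)
                .build();
    }
}
```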
HTTP Blocking
Figure: BB, Bradesco, and Caixa banking applications (left to right) blocking an HTTP connection attempt.
MITM Attack
  agn: 1523
  ctaDig: 68925
  tit: 1
  senha: 0000
  senhaCrypt: AKyxSjs2L
Bradesco Cryptopass.

  data{
    device_id: 7391 db29fe
    login: 95430119822
    model: Asus ASUS_Z00VD
    password: 12345678
Nubank Plaintext.
Local Storage
Figure: BB’s app notification messages displaying credit card purchases.
  sqlite> select * FROM notifications;
  43|1|602710506|Compra no valor de R$ 88,76, realizada em Uber Do Brasil as 18:54 do dia 25/10, com cartao final 1169. Caso nao reconheca, clique em Bloquear Cartao.|...|1|13|0|1|1|0|Compra com cartao||1|1
BB’s app stores notifications in a plain SQLite DB.
Reverse Engineering Protection
Table: App Self Protection. Applications fail to prevent their execution in non-standard environments.
App Source Code Emulator Root
BB
Bradesco
Caixa
Itau
Santander
Nubank
Root Detection
  if ((!isEmulator && buildTags != null && buildTags.contains("test-keys"))
          || new File("/system/app/Superuser.apk").exists()) {

  Log.w("GoogleSignatureVerifier", "Test-keys aren't accepted on this build.");

  com.itau/.../0x02BD.java:
      if (!0x02BB && str != null && str.contains("test-keys")) {
  br.com.bb.android/.../BBRootUtil.java:
      return buildTags != null && buildTags.contains("test-keys");
  com.bradesco/.../RootUtil.java:
      return buildTags != null && buildTags.contains("test-keys");
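As an added example (not code from the paper or from any of the analysed apps), a layered self-protection check in Java: it keeps the single Build.TAGS "test-keys" signal the slide shows, adds su-binary and emulator signals, and hands the app a count of signals rather than a single yes/no. The su paths and emulator properties listed are illustrative assumptions, not a complete set, and a server-side attestation such as Play Integrity should back any client-side check.

```java
// Added example, not from the paper or any bank's app: a layered root/emulator
// heuristic. Each signal alone is as weak as the lone "test-keys" check on
// the slide; combining several raises the bar, and the result is a risk
// signal for the app's policy, not proof of tampering.
import android.os.Build;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class DeviceIntegrityCheck {
    // Common su locations on rooted devices (assumption: illustrative list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/su/bin/su", "/system/app/Superuser.apk"
    };

    public static List<String> collectSignals() {
        List<String> signals = new ArrayList<>();
        // 1. The check the slide shows: the build was signed with test keys.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            signals.add("build-tags:test-keys");
        }
        // 2. An su binary (or legacy Superuser package) on the usual paths.
        for (String p : SU_PATHS) {
            if (new File(p).exists()) { signals.add("su:" + p); break; }
        }
        // 3. Emulator fingerprints exposed by the Build class (assumption:
        //    these strings identify the stock Android emulator images).
        if (Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")) {
            signals.add("emulator:build-properties");
        }
        return signals;
    }

    // Policy decision left to the app, e.g. require two or more signals
    // before refusing to show the login screen.
    public static boolean looksTampered(int threshold) {
        return collectSignals().size() >= threshold;
    }
}
```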
Patching
Figure: App Repacking. Malicious Caixa app.
UI Attacks
Table: Apps susceptibility to UI and accessibility-based attacks. Our evaluation shows that no security mechanisms have been implemented to prevent these attacks.
Banking App A11y Event Sniffing Screenrecording Malicious IME Login Overlay
BB
Bradesco
Caixa
Itau
Santander
Nubank
Attacking Chatbots
Figure: BB’s Whatsapp chatbot.
Figure: Bradesco’s chatbot.
Conclusions
Secure Banking Apps Guidelines
Methodologically assess apps security.
Reduce heterogeneity.
Pin certificates.
Do not store sensitive data locally.
Do not outsource security to third parties.
Learn from the past.
Learn from other countries.
Improve Regulation.
Questions?
Contact
mfbotacin@inf.ufpr.br