The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study
•
0 likes•225 views
A security analysis of Brazilian bank's apps for Android. We identified multiple vulnerabilities, from plain data storage to man-in-the-middle.
![Introduction Brazilian bank’s apps Final Remarks
The Internet Banking [in]Security Spiral:
Past, Present, and Future of Online Banking
Protection Mechanisms based on a Brazilian case
study
Marcus Botacin1, Anatoli Kalysch2, André Grégio1
1Federal University of Parana (UFPR-BR)
{mfbotacin, gregio}@inf.ufpr.br
2Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU-GER)
anatoli.kalysch@fau.de
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c
ARES/IWSMA’19](https://image.slidesharecdn.com/slides-200509223249/85/The-Internet-Banking-in-Security-Spiral-Past-Present-and-Future-of-Online-Banking-Protection-Mechanisms-based-on-a-Brazilian-case-study-1-320.jpg)
![Introduction Brazilian bank’s apps Final Remarks
Topics
1 Introduction
2 Brazilian bank’s apps
3 Final Remarks
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c
ARES/IWSMA’19](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
Similar to The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study
Similar to The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study (20)
More from Marcus Botacin
More from Marcus Botacin (20)
Recently uploaded
Recently uploaded (20)
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study
- 1. Introduction Brazilian bank’s apps Final Remarks The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study Marcus Botacin1, Anatoli Kalysch2, André Grégio1 1Federal University of Parana (UFPR-BR) {mfbotacin, gregio}@inf.ufpr.br 2Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU-GER) anatoli.kalysch@fau.de The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 2. Introduction Brazilian bank’s apps Final Remarks Topics 1 Introduction 2 Brazilian bank’s apps 3 Final Remarks The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 3. Introduction Brazilian bank’s apps Final Remarks Motivation Topics 1 Introduction Motivation 2 Brazilian bank’s apps Methodology Results 3 Final Remarks Conclusions Questions? The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 4. Introduction Brazilian bank’s apps Final Remarks Motivation Online Banking in the World Pros Wide Access. Smaller Response Times. Cons Online Frauds & Crimes. Challenges Secure Online Banking Operations. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 5. Introduction Brazilian bank’s apps Final Remarks Motivation Online Banking in Brazil Economy & History Periodic high inflation periods. Computerized in early 80’s. More operations using credit cards than ATMs. More mobile banking accesses than ATMs. Expensive mobile data plans (Free Whatsapp). The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 6. Introduction Brazilian bank’s apps Final Remarks Motivation Online Banking in Brazil Technologies Desktop-based banking apps (early 2000’s). Web-based banking (late 2000’s). Mobile-based banking (currently). Boletos (offline payment system). Whatsapp-based banking (stop it now!!!). The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 7. Introduction Brazilian bank’s apps Final Remarks Motivation Desktop-based banking Figure: Phishing App. The initial screen of a GUI-based malicious attachment that mimics a bank desktop app to deceive users into providing their credentials. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 8. Introduction Brazilian bank’s apps Final Remarks Motivation Boleto Figure: Brazilian Boleto. The barcode stores all payment information and can be scanned by ATMs. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 9. Introduction Brazilian bank’s apps Final Remarks Methodology Topics 1 Introduction Motivation 2 Brazilian bank’s apps Methodology Results 3 Final Remarks Conclusions Questions? The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 10. Introduction Brazilian bank’s apps Final Remarks Methodology Methodology Target Apps 5 largest BR banks (75+% market-share). Largest BR fin-tech. OWASP Categories Code Quality & Build Settings. Secure Data Storage. Network Communication. Reverse Engineering Resilience. Authentication. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 11. Introduction Brazilian bank’s apps Final Remarks Results Topics 1 Introduction Motivation 2 Brazilian bank’s apps Methodology Results 3 Final Remarks Conclusions Questions? The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 12. Introduction Brazilian bank’s apps Final Remarks Results Analyzed Apps Table: Analyzed Apps Summary. Distinct project decisions between banks and fin-techs apps, and along time. App App Version Android Version Banking Plugin Native Lib Java Lib BB 6.25.1.1 7.1.1 Bradesco 3.2.28 6.0-27 Caixa 2.0.3 5.0.1 Itau 6.1.4 7.1.1 Santander 6.3.2.7 7.0 Nubank 4.19-0 7.1.1 The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 13. Introduction Brazilian bank’s apps Final Remarks Results App Heterogeneity Figure: App Heterogeneity. Banks deploy multiple apps for accessing their distinct services. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 14. Introduction Brazilian bank’s apps Final Remarks Results Apps Diversity Table: Apps Diversity. Bank Santander Version BR DE Architectures (#) 7 6 Table: Apps Diversity. Bank BB Version Main Investing Architectures (#) 2 5 The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 15. Introduction Brazilian bank’s apps Final Remarks Results Apps Diversity Table: Apps Diversity. Bank Bradesco Version Main Cards Corporate Trading Architectures (#) 1 6 7 0 Table: Apps Diversity. Bank Caixa Version Main Tablet Cards Architectures (#) 3 4 5 Table: Apps Diversity. Bank Itaú Version Main Personal Enterprise Tablet Architectures (#) 7 7 7 3 The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 16. Introduction Brazilian bank’s apps Final Remarks Results Network Security Table: Network Attacks Prevention. All apps are protected against HTTP downgrade; many are vulnerable to MITM. APP HTTP Downgrade Certificate Pinning Plain Password BB — Bradesco Caixa Itau — Santander — Nubank The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 17. Introduction Brazilian bank’s apps Final Remarks Results HTTP Blocking Figure: BB, Bradesco, and Caixa banking applications (left to right) blocking HTTP connection attempt. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 18. Introduction Brazilian bank’s apps Final Remarks Results MITM Attack 1 agn: 1523 2 ctaDig: 68925 3 tit: 1 4 senha: 0000 5 senhaCrypt: AKyxSjs2L Bradesco Cryptopass. 1 data{ 2 device_id: 7391 db29fe 3 login: 95430119822 4 model: Asus ASUS_Z00VD 5 password: 12345678 Nubank Plaintext. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 19. Introduction Brazilian bank’s apps Final Remarks Results Local Storage Figure: BB’s app notification messages displaying credit card purchases. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 20. Introduction Brazilian bank’s apps Final Remarks Results Local Storage 1 sqlite select * FROM notifications; 2 43|1|602710506| Compra no valor de R$ 88,76, realizada em Uber Do Brasil as 18:54 do dia 25/10 , com cartao final 1169. Caso nao reconheca , clique em Bloquear Cartao .|...|1|13|0|1|1|0| Compra com cartao ||1|1 BB’s app stores notifications in a plain SQLite DB. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 21. Introduction Brazilian bank’s apps Final Remarks Results Reverse Engineering Protection Table: App Self Protection. Applications fail to prevent their execution in non-standard environments. App Source Code Emulator Root BB Bradesco Caixa Itau Santander Nubank The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 22. Introduction Brazilian bank’s apps Final Remarks Results Root Detection 1 ((! isEmulator buildTags != null buildTags. contains(test -keys)) || new File(/system/app/ Superuser.apk).exists ()) { 1 Log.w( GoogleSignatureVerifier , Test -keys␣aren ’t␣ accepted␣on␣this␣build.); 1 com.itau /.../0 x02BD.java: 2 if (!0 x02BB str != null str.contains(test - keys)) { 3 br.com.bb.android /.../ BBRootUtil.java: 4 return buildTags != null buildTags.contains( test -keys); 5 com.bradesco /.../ RootUtil.java: 6 return buildTags != null buildTags.contains( test -keys); The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 23. Introduction Brazilian bank’s apps Final Remarks Results Patching Figure: App Repacking. Malicious Caixa app. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 24. Introduction Brazilian bank’s apps Final Remarks Results UI Attacks Table: Apps susceptibility to UI and accessibility-based attacks. Our evaluation shows that no security mechanisms have been implemented to prevent these attacks. Banking App A11y Event Sniffing Screenrecording Malicious IME Login Overlay BB Bradesco Caixa Itau Santander Nubank The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 25. Introduction Brazilian bank’s apps Final Remarks Results Attacking Chatbots Figure: BB’s Whatsapp chatbot. Figure: Bradesco’s chatbot. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 26. Introduction Brazilian bank’s apps Final Remarks Conclusions Topics 1 Introduction Motivation 2 Brazilian bank’s apps Methodology Results 3 Final Remarks Conclusions Questions? The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 27. Introduction Brazilian bank’s apps Final Remarks Conclusions Conclusions Secure Banking Apps Guidelines Methodologically assess apps security. Reduce heterogeneity. Pin certificates. Do not store sensitive data locally. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 28. Introduction Brazilian bank’s apps Final Remarks Conclusions Conclusions Secure Banking Apps Guidelines Do not outsource security to third parties. Learn from the past. Learn from other countries. Improve Regulation. The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 29. Introduction Brazilian bank’s apps Final Remarks Questions? Topics 1 Introduction Motivation 2 Brazilian bank’s apps Methodology Results 3 Final Remarks Conclusions Questions? The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19
- 30. Introduction Brazilian bank’s apps Final Remarks Questions? Contact mfbotacin@inf.ufpr.br The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian c ARES/IWSMA’19