Read previous: How to rob an online bank 3: SQL injection
Final part of Mitja Kolsek’s DeepSec conference presentation, outlining currency exchange manipulations and the ways to get away with online banking fraud.
A lot of you probably like vulnerabilities; you would, hypothetically, like to hack banks, but you don’t want to go to jail. Now I will give you a way to do that. This attack is about rounding and currency exchange. Suppose you have an exchange rate such that for one EUR you get 1.364 USD. If you exchange one EUR cent you should get this much USD (see image), but because of the rounding you will get less, so you make a nice little loss. So, what should we do? Yes, do it the other way around. If we exchange one USD cent for one EUR cent, because of the rounding you will actually get one EUR cent. It’s funny that this has been known for a decade, and still many banks allow doing that. So, what would be the algorithm that you use?
You start with 100 EUR, for example, and you exchange that to USD. So you get 136.40 USD, and then you make a loop: you repeat that 13640 times, converting one USD cent to one EUR cent, and you get 136.40 EUR of profit and go back to stage one, so you do it as long as they let you (see image).
Now, how fast can you get rich doing that? If we assume ten exchanges per second, as there can be some throttling on the server side which prevents you from doing it too fast – so you have to join with your friends and all do it at the same time – you can have a daily profit of 2300 EUR and a nice monthly profit which lets you quit your job immediately. But your bank will probably notice that and do something about it, and you will have to hop to another bank, so eventually no bank will be doing this anymore.
What can be improved here? You know, doing this for a month takes a long time, and probably someone will notice that something is happening. Whoever is in charge of your account in the bank will see that you have hundreds of thousands of transactions, and it could trigger some suspicion. But if you want to optimize this, because of the rounding you should get as close as possible to 0.005, because that’s where the rounding provides the biggest difference. But remember that you earn less than one cent in each transaction, so it’s really low profit.
In corporate banking, banks are making it easier for you. Well, of course companies can do that as well, but banks make it easier for you because they provide an option to package the requests into single packets, sign those packets, and send them to the bank. So you can do more offline and just send it as a single packet to the bank. It works at my personal bank, and our corporate bank also allows us to do that.
Now, the countermeasure is really simple, and that’s what we tell our customers: just don’t let users exchange less than one whole unit of the larger currency. So if you prevent exchanges of less than one EUR, for example, all this goes away, because everything you earn with the rounding you lose with the different exchange rates, the buy and sell rates. This is a very simple countermeasure.
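The attack, the "get close to 0.005" optimization and the whole-unit countermeasure described above, simulated as an added example (this is not code from the talk or from the speaker's company). It uses the talk's rate of 1.364 USD per EUR; the way-back rate of 1.380 USD per EUR (the buy/sell spread), half-up cent rounding, and the `Desk`, `rounding_attack`, `best_amount` and `daily_profit` names are this example's own assumptions. The minimum is enforced on the EUR side of every transaction, before rounding, which is one direct reading of "one whole unit of the larger currency".

```python
from __future__ import annotations
from decimal import Decimal, ROUND_HALF_UP

# Added example, not code from the talk. Reproduces the rounding arbitrage
# with the talk's rate (1.364 USD per EUR); the way-back rate of 1.380 USD
# per EUR (the spread) and half-up rounding are assumptions of this example.

CENT = Decimal("0.01")
SELL = Decimal("1.364")   # USD per EUR when the customer buys USD (from the talk)
BUY = Decimal("1.380")    # USD per EUR when the customer sells USD (assumed spread)


def round_cents(amount: Decimal) -> Decimal:
    """Round to a whole cent, half up (assumed commercial rounding)."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


class Desk:
    """Toy exchange desk. Equal sell/buy rates mean no spread. min_eur is the
    minimum EUR equivalent per transaction; 0 means no minimum."""

    def __init__(self, sell: Decimal, buy: Decimal, min_eur: Decimal = Decimal(0)):
        self.sell, self.buy, self.min_eur = sell, buy, min_eur

    def eur_to_usd(self, eur: Decimal) -> Decimal:
        if eur < self.min_eur:
            raise ValueError("below minimum amount")
        return round_cents(eur * self.sell)

    def usd_to_eur(self, usd: Decimal) -> Decimal:
        exact = usd / self.buy               # EUR value before rounding
        if exact < self.min_eur:             # the countermeasure: check the unrounded value
            raise ValueError("below minimum amount")
        return round_cents(exact)


def gain_per_tx(desk: Desk, usd: Decimal) -> Decimal:
    """EUR the customer gains (negative: loses) on one USD->EUR exchange through rounding alone."""
    return desk.usd_to_eur(usd) - usd / desk.buy


def best_amount(desk: Desk, max_cents: int = 100) -> tuple[int, Decimal]:
    """Cent amount in 1..max_cents whose true EUR value lands just above the
    half cent; that is where the round-up gives the biggest gain per transaction."""
    return max(((n, gain_per_tx(desk, n * CENT)) for n in range(1, max_cents + 1)),
               key=lambda pair: pair[1])


def rounding_attack(desk: Desk, start_eur: Decimal) -> tuple[Decimal, int]:
    """One cycle from the talk: change everything to USD, then change it back
    one cent at a time. Returns (EUR held afterwards, transactions used)."""
    usd = desk.eur_to_usd(start_eur)
    cents = int(usd / CENT)
    eur = sum((desk.usd_to_eur(CENT) for _ in range(cents)), Decimal(0))
    return eur, cents + 1


def attack_blocked(desk: Desk, start_eur: Decimal) -> bool:
    """True when the desk rejects the per-cent step of the attack."""
    try:
        rounding_attack(desk, start_eur)
    except ValueError:
        return True
    return False


def round_trip(desk: Desk, eur: Decimal) -> Decimal:
    """EUR -> USD -> EUR in two whole transactions, i.e. what an honest customer gets back."""
    return desk.usd_to_eur(desk.eur_to_usd(eur))


def daily_profit(desk: Desk, start_eur: Decimal, tx_per_second: int) -> Decimal:
    """Profit per day at a fixed transaction rate, extrapolated from one cycle."""
    eur, txs = rounding_attack(desk, start_eur)
    return (eur - start_eur) * (tx_per_second * 86400) / txs


# Constructed scenarios: no spread, spread only, spread plus the 1 EUR minimum.
NO_SPREAD = Desk(SELL, SELL)
SPREAD_ONLY = Desk(SELL, BUY)
HARDENED = Desk(SELL, BUY, min_eur=Decimal(1))
START = Decimal(100)

if __name__ == "__main__":
    print(rounding_attack(NO_SPREAD, START))        # (Decimal('136.40'), 13641)
    print(daily_profit(NO_SPREAD, START, 10))       # about 2305 EUR per day
    print(best_amount(NO_SPREAD))                   # (88, Decimal('0.0048387...'))
    print(rounding_attack(SPREAD_ONLY, START)[0])   # still 136.40: the spread alone does not help
    print(attack_blocked(HARDENED, START))          # True
    print(round_trip(HARDENED, START))              # 98.84: the spread now eats the round trip
```

Three things the run shows that the talk only states. The spread by itself does nothing against the per-cent loop, because one USD cent still rounds up to one EUR cent whatever the rate is; only the minimum amount stops it, and once every transaction is at least one EUR, the round trip loses 1.16 EUR to the spread instead of gaining. The optimization from the talk is visible in `best_amount`: at this rate, 88 cents has a true value of 0.6452 EUR, just above the half cent, and gains about 0.48 cent per transaction against 0.27 cent for a single cent, while 2 cents (0.0147 EUR, rounded down) loses. The daily figure of roughly 2305 EUR at ten transactions per second matches the 2300 EUR quoted.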
Now, getting away with it. Why should we even care? If we are not actual bank robbers, why should we even learn about getting away with it? Well, we shouldn’t learn much about it because we don’t need that kind of knowledge. But we should know at least a bit about it, because when you are talking to a bank and you show them their vulnerabilities, at some point some guy will tell you: “Yes, but you wouldn’t get away with it because someone would catch you.” So you need to have an answer to that, because if the conversation stops at that point, it may even lead them to the wrong understanding that the vulnerabilities they have don’t really matter. You want to make sure that they fix those vulnerabilities, and in order to do that they have to believe that someone could actually exploit them.
So, the first thing to do: the attacker would have to avoid detection. When he wants to attack a bank, he first has to find some vulnerabilities in that bank, and in the process of finding those vulnerabilities he would create some noise and might get noticed. And to access most of the bugs that we covered here, the attacker would have to actually log into the bank first.
Now, if you want to log into a bank account, you have to have one. That means you have to come to the bank and present your ID, which means that you can be traced back. If they notice that user 123374 is doing something funny, like what looks like cross-site scripting or buffer overflow[1] exploitation, then let’s send someone from the police to their home and see what they are doing.
So the attacker would have to hide behind someone. We call this ‘user in the middle’, like ‘man in the middle’ or ‘browser in the middle’; the attacker is using the same technique. He hacks some legitimate user’s account and does all the hacking through that account. It’s not a new concept, but it’s a way to hide the attacker’s identity.
Now, the most important thing, which is not specific to hacking banks directly – criminals that are now stealing money from users and corporations already have this problem and are solving it really well – is how to break the money trail. You can transfer money from one bank to another, but it’s still traceable; it’s still digital money, it’s still in the system. So their goal is to extract it from this digital banking system.
They are employing money mules; you are probably getting emails all the time trying to recruit you. They give you 10% of the proceeds if you just cash some cheques, or if you receive some money on your account, withdraw the cash and give it to someone, so this is really classic.
But also, digital money in all the forms that exist today can be used to cover your tracks. This is what the attackers are doing today, and they will continue doing it. And one thing that we haven’t seen yet, or haven’t read about yet, but which can possibly happen in the future is chaining the ‘users in the middle’. So when the attacker steals some money from the bank, he transfers that money not to his own account but to someone else’s account which has already been hacked, in another country, and from that account to yet another hacked account in another country. This means that he is buying a lot of time to actually extract that money from the system before the police come.
Now, the perfect crime would be to create new money so that nobody loses anything. If you steal money from a user, the user will eventually notice that and will say: “Alright, bank, someone took my money, take a look into this.” But we’ve seen cases where money can actually be created out of nothing. It’s less likely that someone will notice that, because no one has lost anything, no one will complain. So it’s just new money.
This can be done either with the types of attacks that I described before, or, if you remember the first slide, in the future, future 2.0, there is the DBA in the back-end, for instance – a database admin can actually do that today. He has all the access he needs to change numbers in the database, not in a transactional way but in a way that creates new money. So this can be really hard to track. If he knows what he is doing, and he knows what the validation controls in the bank are, he can actually create new money without anyone ever noticing.
Now, the attackers’ best friend – this is what we hear all the time, and probably some of you are thinking right now: “This would not work on my system because of this and that reason.” And it probably wouldn’t; not everything would work on every system, obviously, but for a bank it’s really critical if anything works anywhere in their system. And that is why testing is better than believing.
For the attacker, it’s very good that banks are adopting new technologies, trying to automate more and more processes. So we’ve seen automated deposits and the new threats that they bring. We will see automated small loans in the future, that’s for sure. Right now, the banks don’t want to automate loans because they have these complex procedures in the background. They want to see whether you are worthy to get a loan. But for small loans, they will start doing that at some point. And when one bank starts doing that, the others will follow quickly. And this will just expand the attack surface.
[1] Buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory. This is a special case of a violation of memory safety.