How to rob an online bank

Captivating talk by Mitja Kolsek at DeepSec 2011 conference, describing the methods and prevalent vectors of online banking attacks.

Mitja Kolsek Mitja Kolsek is a computer and network security expert and the CEO of ACROS Security – a Slovenia-based company specializing in digital security research. He has a rich background in security analysis of products and systems and penetration testing – here is his view of the current state of online banking system and the challenges it has to tackle:

For as long as online banking exists, we have attacks against individual users. We read about that, there are a lot of cases. You probably get email everyday where someone is trying to hustle you into giving them your Barclays bank account, which you never used, and you are not even a customer of the bank. But this is something that’s being going on, and it’s really past and present thing.

Past, present and future targets of e-banking attacks

Past, present and future targets of e-banking attacks

The present thing – maybe you noticed that we get more and more attacks against corporate users because that’s more interesting, there is more money there. Well, it’s not just the future; it’s already present – direct attacks against online banking servers. And in the future, we can expect attacks against the Back-End systems because that’s where really the money is now.

Attacking individual users: so, the methods are known, the goal is to steal the user’s identity. Attackers are using many methods like phishing, cross-site scripting1, CSRF2; they install malware on users’ computers. We are not going to be talking about that today, this is just like an intro. The attackers have many problems because banks and users are fighting back and they are making this more and more difficult.

Attacks against corporate users: that’s more interesting because there is more money there. It won’t be a surprise to a bank to see a couple of million EUR being sent from the bank account of a corporation to another corporation, because that’s just daily business. It would be suspicious if an individual user did that, but not a company. So the organized crime is now going after the corporations as well.

And they have another problem, because if you want to attack individual users, you can just spam everyone, you can just buy an email list of one million emails, and just spam everyone. So, I get spammed with an attack that is aimed against users of a specific bank that I never even heard of. But they don’t care.

Why attackers prefer corporate users:

– More money

– Large transactions

– Public certificate directories listing some targets

With corporate users, you wanna be more targeted. So, how do they find their targets? You have to know who to attack in a specific company, who is the person doing the online banking. Well, one thing that is very useful for the attackers is the online public directories of issued digital certificates. I don’t know about the whole world, but in Europe digital certificates are being mainly used for online banking, for corporations. So, if you are a corporation you are going to be using smart card digital certificate to do the online banking. Now, these digital certificates are published in online directories, so anyone can find information on who in a specific company has been issued a certificate by one of the certificate authorities that are being used for online banking.

Details to extract from a published corporate certificate

Details to extract from a published corporate certificate

Let me show you an example: We found a lot of public directories of issued digital certificates. And specifically in our country, if you want to attack the company that’s listed below, you can find the name of the person who has been issued a digital certificate for that company, and also his email address (see image). And that’s all you need if you want to attack the company – just go attack this guy. If you want to attack a company, you can get this information, you know exactly who to target inside that company.

But that’s not the topic of our talk. The topic of our talk, really, is online banking servers. Now, in contrast to attacking users and corporations where the goal was to steal their identity and then do whatever the banking application allows any legitimate users to do, here the attacker is interested in finding vulnerabilities and exploiting them in the online banking server.

You can actually create new money, because banks do that all the time.

The method is hacking, and there is an additional problem here. The attacker does not know of the vulnerabilities yet, so he has to try to find them. So there is an additional stage where the attacker can be detected. Now, the advantages are obvious. Basically, all the money is in the bank, right, and not just all the money – even more money than all the money. What I mean by that is you can actually create new money, because banks do that all the time. Banks create new money every day and destroy money every day, we just don’t see that. Since the money is digital, it’s just a matter of a couple of bits and bytes in databases.

And the advantage for the attacker is that there is no social engineering required here, you don’t have to hustle or trick anyone into doing something, you are just attacking the server directly.

Now, let’s just move on to a couple of vulnerability types and attack types that I have prepared for you. This will be somewhat simplified to make them more generic, but if you are familiar with how banks work, it will be easy for you to just translate that to real case.

Read next: How to rob an online bank 2

1Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.

2CSRF (Cross-site request forgery) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.

Like This Article? Let Others Know!
Related Articles:

Comments are closed.

Comment via Facebook: