I just got back from DefCon 15 at the Riviera Hotel and Casino in Las Vegas. I will post about the other events at another time, because what I saw this late afternoon at the conference is more important. It is ironic that this session was one of the last ones, when many guys had already left the conference and were on their way home.
What I saw at the conference was a guy who is (maybe) of legal drinking age showing a room full of hundreds of people (it became surprisingly crowded as his presentation progressed) “how cool” the new security add-ons to the online banking login and authentication process are: additions that are enforced by government regulations with the intention of making online banking more secure.
The session went well beyond its “time limit” (1 1/2 hours instead of 50 minutes), and the organizers eventually shut it down; the whole thing moved into an overcrowded Q&A room where the speaker continued the discussion and presentation for another 45 minutes, which was pretty cool of him, but you could tell that he wanted to get this info out there.
Yes, the session was about online banking, the new and “more secure” online banking.
You might have noticed that pretty much every bank changed its authentication forms and procedures over the last few months. Those changes, caused by the new government regulations, are basically aiding hackers in breaking into your online account.
- Did you notice steps like picking “your” personal image (from a number of choices provided by the bank), which the bank will show you in the future as proof to you that “it is really us, your bank, and not a hacker doing a phishing attempt to get to your personal information”?
- Did you see the security questions that are derived from your public records, very similar to when you try to access your credit report? Questions like “Which of the following X things are true?”, showing you things like previously owned car makes or home loan amounts, where one of them matches yours?
Yes, those are the new security measures that were ADDED to the existing online banking software, actually bolted on in front of the existing software, in almost all cases provided by a different 3rd-party vendor, because it was cheaper to add that kind of “patch” to the process to meet government regulations than it would have been to integrate it fully into the existing banking software itself.
What struck me the most is how bad it actually is. The new “enhancements” did not enhance the security of the old processes at all. They have the same flaws, but worse: they increased the attack surface for a malicious hacker and in fact made it easier for him to get the information he wants, and even more as a bonus.
If I spent a few days on it, I would probably be able to hack my bank myself. It's that bad, and I am not a hacker (I am a geek and know a lot of stuff, but that does not make me a hacker and/or a security expert for something like online banking).
I am sure that over the coming weeks and months stuff will surface in the news: people complaining, or incidents of hacked accounts. Too many people saw this. Not detailed step-by-step instructions for breaking into the online banking software, but he showed the way the updated systems work, or rather, don't work.
He would have broken the law and gone to jail if he had hacked somebody else's bank account in front of hundreds of witnesses. He hacked his own bank account instead and provided proof that he was not doing anything extremely hard or attacking the system in a way that alters its behaviour.
By the way, the guy's name is “Brendan O'Connor” and he works for an unnamed US finance company. He is not an unknown. At last year's DefCon he broke the news about a security hole in Xerox printers, which caused quite a stir.
This time the issue is much bigger and affects many more people.
I will throw in some keywords and phrases that point to the problems. If you know a bit about computers, the internet and web development, you will get a pretty good idea of what I am talking about.
- The new security is an ADD-ON on top of the existing authentication layer
- Fingerprinting based on HTTP header content via client-side JavaScript (tip: “View Source”; don't waste the time writing something yourself. Make it easier for yourself. If your bank uses Flash instead, download the Flash and decompile it)
- The security question will reappear if it remains unanswered. The offered answers change (randomly) every time the question is asked. There is no limit to how often the same question is asked (until answered)
- Personal image system. The same system is used by the majority of banks. Don't waste time on the images; look at the alt tags. If you have an account, (don't) look at the nice image gallery where you can pick YOUR picture from. Look at the page where the image is shown to you. Ignore the image file name, which changes all the time and is not predictable, but look at the... you know what to look at.
- Be grateful for non-obscure error messages; sometimes the time the system spends thinking about how to tell you that you entered the wrong stuff is the actual message.
- If you write your own pages, don't forget to use the code you already got. Put a reference to the source in it and don't take the credit for yourself. Somebody spent a lot of time writing that code (for you)
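As an added illustration (not code from this post or from O'Connor's talk), the following Python models the security-question bullet above: when the decoys are redrawn on every showing and there is no cap on showings, simply viewing the question repeatedly narrows the options down to the one value that never changes, while HMAC-derived stable decoys plus a server-side attempt counter close both gaps. The answer value, the decoy pool, the server secret and the lockout threshold are constructed assumptions.

```python
import hashlib
import hmac
import random

# Constructed sample data (assumed, not from the talk or any real bank):
# the customer's true answer plus a pool of plausible-looking decoys.
TRUE_ANSWER = "Honda"
DECOY_POOL = ["Ford", "Toyota", "Subaru", "Chevrolet", "Nissan",
              "Mazda", "BMW", "Kia", "Volvo"]
CHOICES = 4
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumed server-side key

def naive_challenge(rng=random):
    """The weak scheme the post describes: every time the question is shown the
    decoys are redrawn at random, so only the true answer is common to all showings."""
    return sorted(rng.sample(DECOY_POOL, CHOICES - 1) + [TRUE_ANSWER])

def stable_challenge(user_id):
    """Hardened variant: decoys are derived from an HMAC over the user id, so the
    same user always sees the same option set and repeated viewing reveals nothing."""
    seed = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return sorted(rng.sample(DECOY_POOL, CHOICES - 1) + [TRUE_ANSWER])

def candidates_after_views(challenge_fn, views):
    """Defender's check: which options stay plausible after the question has been
    shown `views` times without being answered (intersection of the option sets)."""
    remaining = None
    for _ in range(views):
        shown = set(challenge_fn())
        remaining = shown if remaining is None else remaining & shown
    return remaining

class ChallengeGate:
    """Server-side fix for the 'no limit' part: showing the question consumes an
    attempt whether or not it is answered, and the user is locked out after
    max_attempts (assumed policy value)."""
    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts
        self.shown = {}

    def show(self, user_id):
        n = self.shown.get(user_id, 0)
        if n >= self.max_attempts:
            return None  # locked: disclose no options at all
        self.shown[user_id] = n + 1
        return stable_challenge(user_id)
```

With the naive generator, candidates_after_views collapses to the true answer after a couple of dozen showings; with the stable generator it stays at all four options, and the gate stops serving the question after the third showing.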
Okay, that is enough. I hope you get the picture. I forgot to write down Brendan's email. It was name.name@gmail.com. The “O'” part of his last name makes me unsure whether it was brendan.oconnor AT gmail DOT com or something different. You can find out through the DefCon.org organizers. Brendan said that he provides the code and everything to anybody who wants to see it.
One thing is for sure: that story does not make me sleep better at night, especially if you consider the fact that you are, with almost 100% certainty, not covered if your account gets hacked and have to cover the losses yourself, as opposed to the archaic method of using checks, where losses are covered by the bank even if you lost your check book through gross negligence. This is messed up!
Quick Update: Here is the 47-page presentation by Brendan O'Connor from DefCon 15 in PDF format (only 230KB in size), titled “Greater Than One – Defeating ‘strong’ authentication in web applications”.
dc-15-oconnor.pdf
And also see the video recording of the DefCon Session with Brendan O’Connor:
Backup link to the video, T164 – Greater Than 1 – Defeating “Strong” Authentication in Web Applications at Google Video, if you have problems playing the embedded video.
Very cool, I was there too, and took interest in this. I think it's a matter of marketing that people think this security is stronger than anything else, but it's almost like a street magician fooling a pack of wide-eyed tourists! Incidentally, I came to your site after a link from: http://www.darkreading.com/boards/messages.asp?thread_id=164773&msg_id=147087&t=true#msg_147087
This was after commenting on a WTF article today called Wish-It-Was-Two-Factor http://worsethanfailure.com/Comments/WishItWas-TwoFactor-.aspx
Fun stuff. Also, after Defcon I got inspired, partially due to that talk, to write a whitepaper about a way to make auth more dependent on underlying technology than on something more unreliable, like a user ;). I'll have a proof of concept working for online testing in a month, I hope. I have very little time to work on these things due to time/family, but would love to come up with an idea that would help the community. Who knows, maybe I'll have a room at Defcon 16.
Thanks for the post, glad someone paid attention!
fak3r
Hey Fak3r,
thanks for the comments. Check out my more recent posts about the DefCon 15 videos. Batch 1 features the session with Brendan.
All videos are up, btw. See the summary here.
It's easier to send people to the video (a picture is worth a thousand words and a movie is worth a million).
Also, there are solutions available, but they cost money and U.S. banks are cheap.
See this article about the implementation of a smart card system by Swiss banks for their online banking customers.