New Online Banking Security Process Opens More Security Holes Than it Closes

I just got back from DefCon 15 at the Rivera Hotel and Casino in Las Vegas. I will post about the other events at another time, because what I saw this late afternoon at the conference is more important. It is ironic that this session was one of the last one, when many guys already left the conference and were on their way home.

I saw at the conference, where a guy who is (maybe) legal drinking age showed a room full of hundreds of people (it became surprisingly crowded while his presentation progressed) ???how cool??? the new security add-ons to the online banking login and authentication process are. Additions that are enforced by governmental regulations with the intention to make online banking more secure.

The session was going well beyond the “time limit” for it (1 1/2 hours instead of 50 minutes) and the organizers shut it down eventually and the whole thing moved into a overcrowded Q&A room where the discussion and presentation was continued by the speaker for another 45 minutes, which was pretty cool of him, but you could tell, that he wanted to get this info out there.

Yes, the session was about online banking, the new and “more secure” online banking.

You might noticed that pretty much every bank changed their authentication forms and procedures over the last few months. Those changes, caused by the new government regulations are basically aiding hackers to break into your online account.


Yes, those are the new security measurements that were ADDED to the existing online banking software, actually boiler plated in front of the existing software, almost in all cases provided by a different 3rd party vendor, because it was cheaper to add that kind of “patch” to the process to meet government regulations than it would have been to add it to the existing banking software itself, fully integrated.

What struck me the most is how bad it actually is. The new “enhancements” did not enhance the security of the old processes at all. They have the same flaws, but worse, they increased the attack surface for a malicious hacker and made it in fact easier for him to get the information he wants and even more as a bonus.

If I spent a few days with it, I would probably able to hack my bank myself. Its that bad and I am not a hacker (I am a geek and know a lot of stuff, but that does not make me a hacker and/or security expert for something like Online Banking).

I am sure that over the coming weeks and months stuff will surface in the news. People complaining or incidents about hacked accounts. Too much people saw this, not the detailed instructions how to break into the online banking software via a step by step guide, but he showed the way the updated systems work, or better, not work.

He would have broken the law and go to jail, if he would have hacked somebody else’s bank account in front of hundreds of witnesses. He hacked his own bank account instead and provided proof that he is not doing anything extremely hard or attacked the system in a way to alter its behaviour.

By the way, the guys name is “Brendan O’Connor” and he works for an unnamed US finance company. He is not an unknown. He did break at last years DefCon the news about a security hole in Xerox printers, which caused quite some stir.

This time is the issue a much bigger and affecting much more people.
I will throw in some keywords and phrases that point to the problems. If you know a bit about computers, the internet and web development, you will get a pretty good idea what I am talking about.


Okay, that is enough. I hope you get the picture. I forgot to write the email of Brendan down. It was name.name@gmail.com. The “O'” part of his last name makes me unsure, if it was brendan.oconnor AT gmail DOT com or something different. You can find out through the DefCon.org organizers. Brendan said that he provides the code and everything to anybody who wants to see it.

One thing is for sure. That story does not make me sleep better at night, especially if you consider the fact that you are with almost 100% certainty not covered, if your account gets hacked and have to cover the losses yourself, opposite to the archaic method of using checks, where losses are covered by the bank, even if you lost your check book due to grave negligence. This is messed up!

Quick Update: Here is the 47 pages presentation by Brendan O’Connor from DefCon 15 in PDF format
(only 230KB in size), titled “Greater Than One – Defeating ‘strong’ authentication in web applications”.
pdf dc-15-oconnor.pdf

And also see the video recording of the DefCon Session with Brendan O’Connor:



Backup link to the video T164 – Greater Than 1 – Defeating “Strong” Authentication in Web Applications at Google Video if you have problems with playing the embedded video.

 Post details 

Categories: DefCon Internet Marketing Politics
Tags: No Tags
Published on: August 6, 2007

 Comments (2) 

  1. fak3r says:

    Very cool, I was there too, and took interest in this. I think it’s a matter of marketing that people think this security is stronger than anything else, but it’s almost like a street magician fooling a pack of wide eyed tourists! Incidentally I came to your site after a link from: http://www.darkreading.com/boards/messages.asp?thread_id=164773&msg_id=147087&t=true#msg_147087

    This after commenting on a WTF article today called Wish-It-Was-Two-Factor http://worsethanfailure.com/Comments/WishItWas-TwoFactor-.aspx

    Fun stuff, also, after Defcon I got inspired partially due to that talk, to write a whitepaper about a way to make auth more dependent on underlying technology, than on something more unreliable, like a user ;). I’ll have a proof of concept working for online testing in a month, I hope. I have very little time to work on these things due to time/family, but would love to come up with an idea that would help the community. Who knows, maybe I’ll have a room at Defcon 16.

    Thanks for the post, glad someone paid attention!

    fak3r

  2. Hey Fak3r,

    thanks for the comments. Check out my more recent posts about the DefCon 15 Videos.. Batch 1 features the session with Brendan.

    All videos are up btw. See the summary here.

    It’s easier to send people to the video (a picture is worth a thousand words and a movie is worth a million :) )

    Also, there are solutions available, but they cost money and U.S. banks are cheap.

    See this article about the implementation of a smart card system by swiss banks for their online banking customers.

 Leave a Reply to fak3r 

Cancel reply

Your email address will not be published. Required fields are marked *

*


 © 2024 - Roy of Superior Art Creations