Upload
libertaslogos
View
216
Download
0
Embed Size (px)
Citation preview
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
1/47
ACROS PUBLIC ACROS
How to Rob
an Online Bank(and get away with it)
SOURCE Boston 2012
Mitja KolsekACROS [email protected]
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
2/47
ACROS PUBLIC SOURCE Boston 2012Page 2
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
3/47
ACROS PUBLIC SOURCE Boston 2012Page 3
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
4/47
ACROS PUBLIC SOURCE Boston 2012Page 4
Evolution Of E-banking Attacks
PAST-PRESENT
PRESENT
FUTURE
FUTURE 2.0
OnlineBankingServer
Back-EndServer
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
5/47
ACROS PUBLIC SOURCE Boston 2012Page 5
Attacks Against Individual Users
E-BankingServer
Back-EndServer
Goal: Identity Theft
Methods
Phishing, Fake security alerts
XSS, CSRF
Malware (man in the browser,extraction of certs and private keys)
Problems
User awareness
2-factor authentication
OOB transaction confirmations
Additional passwords/PINs
Known good target accounts
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
6/47
ACROS PUBLIC SOURCE Boston 2012Page 6
Attacks Against Corporate Users
OnlineBankingServer
Back-EndServer
Goal: Identity Theft
Methods & Problems
Same as with individual users
Advantages
More money
Large transactions not unusual
Targets can be found in publiccertificate directories
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
7/47
ACROS PUBLIC SOURCE Boston 2012Page 7
LDAP Explorer Online Bank Robbers Google
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
8/47
ACROS PUBLIC SOURCE Boston 2012Page 8
Example: Published Corporate Certificate
ldap://ldap.halcom.si:389/eidCertificateSerialNumber=382631
E-Mail Address
Personal Name
Company Name
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
9/47
ACROS PUBLIC SOURCE Boston 2012Page 9
Attacks Against Online Banking Servers
OnlineBankingServer
Goal: Exploiting Application Flaws
Methods
Hacking
Problems
Getting noticed while looking for flaws
Advantages
Unlimited amount of money
No user interaction (social engineering)
Possible creation of new money
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
10/47
ACROS PUBLIC SOURCE Boston 2012Page 10
Direct Resource Access
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
11/47
ACROS PUBLIC SOURCE Boston 2012Page 11
Direct Resource Access URL Cleartext ID
https://bank/balance?uid=7728356(my account balance data)
https://bank/balance?uid=7728355(another users account balance data)
P
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
12/47
ACROS PUBLIC SOURCE Boston 2012Page 12
Direct Resource Access URL Base64 encoding
https://bank/balance?dWlkPTc3MjgzNTY=(my account balance data)
https://bank/balance?dWlkPTc3MjgzNTU=(another users account balance data)
Base64decode(dWlkPTc3MjgzNTY=)
uid=7728356
Base64encode(uid=7728355)
P 13
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
13/47
ACROS PUBLIC SOURCE Boston 2012Page 13
Direct Resource Access URL Encryption
/balance?Ko7hIGJJ2GqfhSZ9... (Base64)/balance?AF86B301008AEF5... (Hex)
enc_params = AES_encrypt(params, key)path = "/balance?" + base64(enc_params)
params = "uid=7728356"
ACROS PUBLIC SOURCE B 2012P 14
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
14/47
ACROS PUBLIC SOURCE Boston 2012Page 14
Transferring Money From Other Peoples Accounts
/transfer? src=1 & dest=2 & amount=100(from my account)
/transfer? src=42 & dest=2 & amount=100(from another users account)
ACROS PUBLIC SOURCE B t 2012Page 15
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
15/47
ACROS PUBLIC SOURCE Boston 2012Page 15
Transaction Creation Process
I want to transfer some money
Empty transaction form
Filled-out transaction formsrc=1,dst=2, amount=100
Read-only confirmation formsrc=1,dst=2, amount=100
Transaction confirmationsrc=1,dst=2, amount=100
ACROS PUBLIC SOURCE Boston 2012Page 16
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
16/47
ACROS PUBLIC SOURCE Boston 2012Page 16
Negative Numbers
ACROS PUBLIC SOURCE Boston 2012Page 17
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
17/47
ACROS PUBLIC SOURCE Boston 2012Page 17
Negative Numbers A Devastating Oversight
IF RequestedAmount> DisposableAmount
THEN ERROR();
IF -100 > 2,000
THEN ERROR(); // No Error Here
IF 3,000 > 2,000THEN ERROR(); // Error Insufficient Funds
ACROS PUBLIC SOURCE Boston 2012Page 18
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
18/47
ACROS PUBLIC SOURCE Boston 2012Page 18
Heres minus hundred bucks for you
Attacker:Victim:
0 $100 $
Attacker:Victim: 100 $0 $
(Transfer -100 $ to Victim)
ACROS PUBLIC SOURCE Boston 2012Page 19
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
19/47
ACROS PUBLIC SOURCE Boston 2012Page 19
Creating Money Out Of Thin Air
Normal Account:Savings Account:
0 $0 $
Normal Account:Savings Account: 100 $0 $
(Transfer -100 $ to Savings Account)
ACROS PUBLIC SOURCE Boston 2012Page 20
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
20/47
ACROS PUBLIC SOURCE Boston 2012Page 20
Bypassing Limit Checks
ACROS PUBLIC SOURCE Boston 2012Page 21
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
21/47
ACROS PUBLIC SOURCE Boston 2012Page 21
Normal Overdraft
Account #1:Account #2:
100 $0 $
Account #1:Account #2: -900 $1,000 $
(Transfer 1,000 $ from #1 to #2)
ACROS PUBLIC SOURCE Boston 2012Page 22
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
22/47
ACROS PUBLIC SOURCE Boston 2012age
Over-Overdraft
Account #1:Account #2:
100 $0 $
Account #1:Account #2: -999,900 $1,000,000 $
(Transfer 1,000,000 $ from #1 to #2)
ACROS PUBLIC SOURCE Boston 2012Page 23
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
23/47
ACROS PUBLIC SOURCE Boston 2012g
HTTP Parameter PollutionLuca Carettoni & Stefano di Paola
http://www.slideshare.net/Wisec/http-parameter-pollution-a-new-category-of-web-attacks
ACROS PUBLIC SOURCE Boston 2012Page 24
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
24/47
g
User Public Server Back End Server
POST /transfersource=1 & dest=2 & amount=100
source = request.getParameter(source) // 1amount = request.getParameter(amount) // 100IF NOT user_authorized_for(source) THEN ERROR()
IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)
source = $_POST[source] // 1dest = $_POST[dest] // 2amount = $_POST[amount] // 100
POST /BackEndTransactionsource=1 & dest=2 & amount=100
PHP
JSP
ACROS PUBLIC SOURCE Boston 2012Page 25
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
25/47
HTTP Parameter Pollution Source account
POST /transfersource=1 & dest=2 & amount=100& source=42
source = request.getParameter(source) // 1amount = request.getParameter(amount) // 100IF NOT user_authorized_for(source) THEN ERROR()
IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)
source = $_POST[source] // 42dest = $_POST[dest] // 2amount = $_POST[amount] // 100
POST /BackEndTransactionsource=1 & dest=2 & amount=100& source=42
PHP
JSP
IF NOT user_authorized_for(source) THEN ERROR()
ACROS PUBLIC SOURCE Boston 2012Page 26
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
26/47
HTTP Parameter Pollution Transfer Amount
POST /transfersource=1 & dest=2 & amount=100& amount=100000
source = request.getParameter(source) // 1amount = request.getParameter(amount) // 100IF NOT user_authorized_for(source) THEN ERROR()
IF disposable(source) < amount THEN ERROR()Call BackEndTransaction(request)
source = $_POST[source] // 1dest = $_POST[dest] // 2amount = $_POST[amount] // 100000
POST /BackEndTransactionsource=1 & dest=2 & amount=100& amount=100000
PHP
JSP
IF NOT user_authorized_for(source) THEN ERROR()
ACROS PUBLIC SOURCE Boston 2012Page 27
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
27/47
SQL Injection
ACROS PUBLIC SOURCE Boston 2012Page 28
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
28/47
SQL Injection Data Theft
SELECT rate FROM exch_ratesWHERE currency = .$currency.
SELECT rate FROM exch_ratesWHERE currency = UNIONSELECT balance FROM accounts
WHERE account_id = 887296
ACROS PUBLIC SOURCE Boston 2012Page 29
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
29/47
SQL Injection Messing With Transactions
UPDATE accounts SET balance = 0
WHERE account_id = .$acctid1.UPDATE accounts SET balance = 100WHERE account_id = .$acctid2.
COMMIT TRANSACTION
BEGIN TRANSACTION
ACROS PUBLIC SOURCE Boston 2012Page 30
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
30/47
SQL Injection Messing With Transactions
UPDATE accounts SET balance = 0
WHERE account_id = 123UPDATE accounts SET balance = 100WHERE account_id = 456
COMMIT TRANSACTION
BEGIN TRANSACTION
ACROS PUBLIC SOURCE Boston 2012Page 31
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
31/47
SQL Injection Messing With Transactions
UPDATE accounts SET balance = 0
WHERE account_id = 123UPDATE accounts SET balance = 100WHERE account_id = 456 ORaccount_id = 123
COMMIT TRANSACTION
BEGIN TRANSACTION
ACROS PUBLIC SOURCE Boston 2012Page 32
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
32/47
Forging Banks Digital Signatures
ACROS PUBLIC SOURCE Boston 2012Page 33
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
33/47
Automated Signing Of Deposit Agreement
Deposit request: 100, 31 days
Deposit agreement for signing(Legal text, interest rate)
BanksSigning keyUsersSigning key
Signed MODIFIED deposit agreement
Counter-signedMODIFIED deposit agreement
ACROS PUBLIC SOURCE Boston 2012Page 34
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
34/47
Server-Side Code Execution
ACROS PUBLIC SOURCE Boston 2012Page 35
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
35/47
Server-Side Code Execution
Examples
Java code injection (JBoss bug in 2010)
PHP code injection (eval, system, includes...)
Shell argument injection (command1&command2)
Buffer overflows
Impact
Change e-banking application code
Obtain database/WS credentials,
issue direct requests to DB or back-end WS
ACROS PUBLIC SOURCE Boston 2012Page 36
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
36/47
The List Goes On...
ACROS PUBLIC SOURCE Boston 2012Page 37
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
37/47
Other Attacks
Session Puzzling
Insecure Mass Assignment
Numerical Magic: Overflows, Underflows,
Exponential Notation, Reserved words
(Corsaire whitepaper)Stale Currency Exchange
Race Conditions
...
New functionalities: automated deposits, loans,
investment portfolio management, ...
ACROS PUBLIC SOURCE Boston 2012Page 38
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
38/47
Getting RichWithout Breaking The Law
http://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html
ACROS PUBLIC SOURCE Boston 2012Page 39
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
39/47
Loss : -0,00364 $ = -27%
Profit : +0,00266 = +36%
Rounding And Currency Exchange
1 1,364 $
0,01 0,01364 $
0,01 0,01 $
ACROS PUBLIC SOURCE Boston 2012Page 40
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
40/47
by M'Rahi, Naccache and Tunstall
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.8055&rep=rep1&type=pdf
KNOWN
AT LEASTSINCE
2001
ACROS PUBLIC SOURCE Boston 2012Page 41
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
41/47
Currency Rounding Attack: Algorithm
2:
1:
goto 13:
for i = 1 to 13640
Convert 100 to $
Convert 0,01$ to 0,01// Now we have 136,40
// We have 136,40$
ACROS PUBLIC SOURCE Boston 2012Page 42
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
42/47
Currency Rounding AttacksThe Speed Of Getting Rich
Assume: 10 exchanges / second
1 day = 86.400 secondsDaily profit: 2.300
Monthly profit: ~ 70.000
Improvements
Optimal exchange rate (getting as close to 0,005 as possible)Corporate banking: packets (1000s of exchanges in one packet)
Does it really work?
My personal e-banking: YES
My companys corporate e-banking: YES
Countermeasures
Limit minimum amount to 1 whole unit, exchange fee
ACROS PUBLIC SOURCE Boston 2012Page 43
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
43/47
Getting Away With It
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
44/47
ACROS PUBLIC SOURCE Boston 2012Page 45
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
45/47
2007: iWire - $5M
(9,000 prepaid cards)
2008: Citibank - $2M(hacked ATM network,stolen PIN codes)
2008: WorldPay - $9M(44 debit cards, lifted limit)
2011: Florida bank - $13M(22 debit cards, lifted limit)
2012: Postbank $6.7M(stolen teller identity,transfers to other accounts, lifted limit)
ATM The Final Destination
ACROS PUBLIC SOURCE Boston 2012Page 46
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
46/47
ACROS PUBLIC SOURCE Boston 2012Page 47
7/31/2019 Source Boston 2012 - How to Rob an Online Bank and Get Away With It
47/47
Mitja Kolsek
ACROS d.o.o.www.acrossecurity.com
Twitter: @acrossecurity, @mkolsek
Thanks: Mikko H. Hypponen, Ren Pfeiffer, Claudio Criscione, Stefan Ortloff and Candi Carrerafor help with gathering information on national digital certificate usage
Speaker Feedback: https://www.surveymonkey.com/sourceboston12