Internet Banking Security

paulcam123 (Active Member, joined Oct 19, 2005, 45 messages, 0 reaction score)
Customers of Standard Bank and FNB (and possibly others) should take note that the Internet Banking at these banks is vulnerable to "man-in-the-middle" attacks.

In the case of Standard Bank, most Personal Internet banking is at risk. Such an attack would be almost completely invisible to the user. The attacker (your network/firewall administrator, ISP, etc.) could easily access your accounts once you log on. You would still receive SMS notifications if payments were made from your accounts, but not if he just looked at your statements, etc.

In the case of FNB, it would be slightly more complicated. A man-in-the-middle could probably access your account in 30% of the cases without any visible effects, or 60% with a slightly visible effect. It all depends exactly where you click, etc. As with Standard Bank, all your banking details would be visible without receiving any notification.

This vulnerability does not involve loading viruses on your computer, loading certificates, etc. The user would not have to accept any email or change any security settings. Everything looks legitimate - even the certificates are correct. It is a case of bad coding on the Banking Site. The only requirement is that he is a "man-in-the-middle".

Both banks were informed of this and have done nothing or very little to resolve the issue over the past few months.

The exploit took me under an hour to setup and demonstrate on Standard Bank, and another 30 minutes to convert for FNB.

Standard Bank claims that "KPMG and Deloitte and Touche have audited our service and secure encryption infrastructure". Makes you wonder exactly what they audited.

I have tested various banks, but not all of them. I have not tested Investec or Nedbank, so I don't know how secure these two are. I haven't tested business banking products either.

Hopefully now that the public knows about this, the banks will employ network security experts to secure their systems, rather than auditors. I will create an archive of the exploits and post that as well, but I want to "encourage" the banks to fix the problems first.

If anyone doesn't believe me, I have working demonstrations on a computer somewhere in Centurion (no, it's not connected to the internet), and would be happy to demonstrate it to any nonbelievers out there.

Until the banks get their act together, I would encourage you not to use internet banking unless you are 100% sure that you trust everyone between your computer and the bank.
 
Interesting... could you explain the man in the middle scenario in a bit more detail. Do you mean someone intercepting data, and if so, how would the banks get around that?

Cheers, Nick
 
Man-in-the-Middle

To answer your question very briefly, yes, this vulnerability allows someone sitting between your computer and the bank to access your account. If you are working from your office, this could be your network administrator working under your desk or in the server room, or your firewall administrator, or someone at your ISP. Theoretically Telkom could also do it.

The idea of implementing SSL (that little padlock in the corner of the screen) security for this type of site ensures that all the data passing from your computer to the bank is encrypted. It also ensures that the site that is actually asking you for your password is actually the bank, and not another computer downstairs.

So theoretically, using SSL, if you don't receive any warning messages about invalid certificates, and you don't install any certificates that you might receive in your email, etc., your internet banking should be secure.

Unfortunately, both FNB and Standard Bank have not implemented this correctly. I don't want to give too much information away to the script kiddies out there at this stage, but I will post a complete example of this vulnerability in the next few days.
 
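The post above says the certificates are correct and the problem is "bad coding on the Banking Site". The thread never says which coding mistake, so the following is an added example, not code or findings from the thread: it audits a login page for the textbook ways a site can undo what SSL gives you, namely a page served over plain HTTP, a login form that posts over HTTP, or scripts and frames pulled in over HTTP that a man-in-the-middle can rewrite even though the padlock shows. The bank hostnames and the HTML are constructed for the example; it is an assumption that the banks' bug was of this class.

```python
"""Audit an HTML login page for SSL misuse a man-in-the-middle can exploit.

Added example (not from the thread). Assumes the "bad coding" is one of the
standard cases: HTTP page, HTTP form action, or HTTP-loaded active content.
All URLs and HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser send or fetch something.
ACTIVE_REFS = {
    "form": "action",    # where the credentials are POSTed
    "script": "src",     # replaced script runs with the page's own origin
    "iframe": "src",
    "frame": "src",
    "object": "data",
    "link": "href",      # stylesheets
    "img": "src",
}


class _RefCollector(HTMLParser):
    """Collect every (tag, attr, url) that the page causes the browser to use."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_REFS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr) or ""
        # A form with no action posts back to the page's own URL, so record it too.
        if value or tag == "form":
            self.refs.append((tag, attr, value))


def audit_page(page_url, html):
    """Return a list of (what, url, why) findings.

    An empty list means the page, its form target and every resource it
    references are all HTTPS, i.e. nothing here for a MITM to rewrite."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("page", page_url,
                         "page served over HTTP: a MITM can rewrite it before the padlock appears"))
    collector = _RefCollector()
    collector.feed(html)
    for tag, _attr, value in collector.refs:
        target = urljoin(page_url, value)      # resolve relative references
        if urlsplit(target).scheme == "https":
            continue
        if tag == "form":
            why = "login form posts credentials over HTTP"
        elif tag in ("script", "iframe", "frame", "object"):
            why = "active content fetched over HTTP can be replaced by a MITM"
        else:
            why = "passive content over HTTP (mixed content)"
        findings.append((tag, target, why))
    return findings


# Constructed sample: an HTTPS login page that gets three things wrong.
SAMPLE_URL = "https://ibank.example-bank.co.za/login"
SAMPLE_HTML = """
<html><head>
<script src="http://static.example-bank.co.za/login.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<form method="post" action="http://ibank.example-bank.co.za/doLogin">
  <input name="accountNumber"><input name="pin" type="password">
</form>
<iframe src="http://ads.example-bank.co.za/promo.html"></iframe>
<img src="/images/padlock.gif">
</body></html>
"""

if __name__ == "__main__":
    for what, target, why in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{what:7} {target}\n        {why}")
```

Run against the constructed page it reports the HTTP script, the HTTP form action and the HTTP iframe, and ignores the stylesheet and image because their relative URLs resolve to HTTPS. Point it at a saved copy of a real login page (fetch the HTML with a browser, not with a tool that follows redirects silently) to check the same three things.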
That's hectic! Thank G I'm with ABSA. So that's why I'm paying so many bank charges? For SSL?!?!?! :D
 
Do you have suggestions on how they can fix the situation or what steps us users can take to check for a man in the middle?

I am not sure what you have done, but I expect it involves fake SSL certs and a kind of reverse proxy. As some people work via a proxy anyhow, I would think it's quite difficult to figure out a way to protect against this, other than being careful not to open/run strange programs that would install trojans.
 
I find this very interesting and look forward to a full detailed example/explanation of this exploit. I do however agree that the banks have no clue about real security and as for the auditors ... they are a joke ... they definitely don't have a clue about security ... all they can do is read :)
 
zerofocus said:
That's hectic! Thank G I'm with ABSA. So that's why I'm paying so many bank charges? For SSL?!?!?! :D

ABSA had a similar problem. If you compare ABSA to Standard Bank, their Internet Banking has many similarities. But, unlike Standard Bank, ABSA updated their Internet Banking within days of being informed about it. They took it VERY seriously and did an excellent job of fixing it.
 
asmith said:
Do you have suggestions on how they can fix the situation or what steps us users can take to check for a man in the middle?

I am not sure what you have done, but I expect it involves fake SSL certs and a kind of reverse proxy. As some people work via a proxy anyhow, I would think it's quite difficult to figure out a way to protect against this, other than being careful not to open/run strange programs that would install trojans.


No, it has nothing to do with fake certificates. If you receive a fake certificate, and you have the latest version of your browser, you should receive a warning message. It was possible about a year ago to exploit a bug in IE to make it accept a fake certificate without warning you.

I don't think that most people realise how dangerous it is to click "OK" if they get a certificate warning message. If this happens, it probably means that you are sending your password to a company other than your bank!

Even if you are using a proxy, all the data going through the proxy should be encrypted. So using a proxy should not create a security risk. It is, however, a place for potential MitM attacks to take place, and would be an ideal place to exploit this one.

There are ways that you can prevent these exploits. But giving too much detail here would unfortunately be telling the hackers how to exploit it. I will, however post more details over the next few days.
 
With FNB I get instant SMS notifications when I access my account. Now at what stage can the middleman access my banking details? Is it when I log on or simply any time they feel like it? And you mention that the middleman can see my details; can they interact and do transactions from my account? And one other thing: should they succeed in doing transactions, who do I blame for this? Thanks for the info P-Cam ... Welcome to MyAdsl
 
Best thing to do here would be contact Carte Blanche or other similar media organisation. They would love the opportunity to film you 'hacking' into someone's account ( only yours of course ) while the head of the respective bank's Internet Security looks on incredulously :-)
 
SMS alerts

JET@WORK said:
With FNB I get instant SMS notifications when I access my account. Now at what stage can the middleman access my banking details? Is it when I log on or simply any time they feel like it? And you mention that the middleman can see my details; can they interact and do transactions from my account? And one other thing: should they succeed in doing transactions, who do I blame for this? Thanks for the info P-Cam ... Welcome to MyAdsl

I don't want to give away too much information, but I can tell you that in its simplest form, this exploit would still send you an SMS if any money was transferred from your account. But just having someone see your credit card number, and the balance, is equally dangerous. There are other possibilities that I haven't tested, like whether or not it would be possible to alter someone's transaction while they are busy, or disable alerts.

It should be noted that email notifications are normally useless in MitM situations. SMSes are better, but also not perfect. One-time passwords would probably not help in at least some forms of this exploit.

One of the problems with hacking banks is what to do with the money without being traced. You can't exactly transfer the money to your account.

I imagine that the bank would be responsible for any money that goes missing, but it would be hard to prove that someone used your credit card number after intercepting it on the internet. I don't know how well the bank would react to that!
 
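The post above makes two claims worth seeing in motion: that a MITM who relays your session gets to read your statement without triggering a payment SMS, and that a one-time password "would probably not help" against this kind of attack. The following is an added example, not part of the thread: a small in-process simulation of bank, customer and attacker in which the attacker sits in the session path and relays whatever the customer types, including the OTP from the SMS. It also shows the one variation that does bite the attacker, an OTP whose SMS states the beneficiary and amount being authorised, which the attacker cannot alter because it travels out of band, provided the customer actually reads it. The names, amounts and message formats are constructed; none of this is the banks' real flow.

```python
"""Simulate an active MITM relaying a customer's OTPs to the bank.

Added example, not from the thread. Bank, customer and attacker are all
simulated in-process; the "SMS" channel is a Python list. All names,
amounts and message formats are constructed.
"""
import secrets


class Bank:
    """Minimal server side: login OTP, payment OTP, SMS outbox, ledger."""

    def __init__(self):
        self.sms_outbox = []     # what the bank sends to the customer's phone
        self.pending = {}        # nonce -> (beneficiary, amount, otp)
        self.ledger = []         # payments the bank accepted
        self.login_otp = None
        self.statement = "Balance R12 345.67, card 4111 **** **** 1234"

    @staticmethod
    def _otp():
        return f"{secrets.randbelow(1_000_000):06d}"

    def request_login(self):
        self.login_otp = self._otp()
        self.sms_outbox.append(f"Login OTP {self.login_otp}")

    def login(self, entered):
        """Return the statement on a correct OTP; viewing sends no SMS."""
        if self.login_otp and secrets.compare_digest(entered, self.login_otp):
            return self.statement
        return None

    def request_payment(self, beneficiary, amount, bind):
        nonce = secrets.token_hex(4)
        otp = self._otp()
        self.pending[nonce] = (beneficiary, amount, otp)
        # A bound OTP's SMS states what is being authorised; a bare one does not.
        self.sms_outbox.append(
            f"Pay R{amount} to {beneficiary}? OTP {otp}" if bind else f"Your OTP is {otp}")
        return nonce

    def confirm_payment(self, nonce, entered):
        beneficiary, amount, otp = self.pending.pop(nonce)
        if secrets.compare_digest(entered, otp):
            self.ledger.append((beneficiary, amount))
            self.sms_outbox.append(f"Payment of R{amount} to {beneficiary} made")
            return True
        return False


def otp_from_sms(sms):
    """The customer copies the last token of the SMS into the web page."""
    return sms.rsplit(" ", 1)[1]


def relayed_login():
    """Customer logs in through the attacker's proxied page. The login OTP
    arrives by SMS, the customer types it into the attacker's page, and the
    attacker relays it. Returns (what the attacker now sees, SMS alerts sent)."""
    bank = Bank()
    bank.request_login()                     # attacker forwards the login request
    sms = bank.sms_outbox.pop()              # out of band: only the customer sees this
    seen = bank.login(otp_from_sms(sms))     # attacker relays the typed OTP
    return seen, len(bank.sms_outbox)        # statement visible, no alert sent


def relayed_payment(bind, customer_checks_sms):
    """Customer intends to pay Alice R100. The attacker rewrites the request
    to pay Mallory R5000 and relays the OTP. Returns the bank's ledger."""
    bank = Bank()
    intended = ("Alice", 100)
    altered = ("Mallory", 5000)
    nonce = bank.request_payment(*altered, bind=bind)   # attacker's rewritten request
    sms = bank.sms_outbox.pop()                          # customer's phone
    if customer_checks_sms and bind and f"to {intended[0]}" not in sms:
        return bank.ledger        # customer refuses: SMS names someone they never chose
    bank.confirm_payment(nonce, otp_from_sms(sms))      # attacker relays the OTP
    return bank.ledger


if __name__ == "__main__":
    print("relayed login sees:", relayed_login())
    print("bare OTP:        ", relayed_payment(bind=False, customer_checks_sms=True))
    print("bound, unchecked:", relayed_payment(bind=True, customer_checks_sms=False))
    print("bound, checked:  ", relayed_payment(bind=True, customer_checks_sms=True))
```

Only the last case ends with an empty ledger; a bare OTP, or a bound one the customer does not read, is simply relayed and the attacker's payment goes through, which is the sense in which an OTP on its own does not defeat a live man-in-the-middle.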
look forward to seeing more on this - please follow it through and keep the thread updated

So much of the banks' current and future strategy rests on migrating clients to online services. From my legal perspective this is a "creation of risk", which implies that the banks would need to take "all available reasonable steps to mitigate against this risk". Once they are aware of it they will have to deal with it if there is a likelihood of their security being compromised.

Best description I heard re internet banking security in SA: "security through obscurity".
 
Browsers

bekdik said:
@paulcam123:

Is this browser and or OS related in any way?

No, this is not related to any OS or browser. It would certainly work with Firefox and IE, and on Linux and Windows XP. I can't see any reason why it wouldn't work on other browsers. Depending on the way it is implemented, the exploit code might be implemented slightly differently for the different browsers.

I haven't tested it on a Mac, or on other browsers, like Opera.
 
What are our banks doing about this? Does anybody have any idea what happened with the Iburst hacking? Apart from us discussing these things here, do they really go out to the people who are affected, like the systems administrators and all related?
 
Hi. The worst is that info is freely available if you're interested; I have been messing around on and off with this for a while.

Sorry about that, really dumb to post links about the subject.
I don't think this is the same. There should still be the encryption to deal with. And that seems to work on MAC addresses on a local area network. Ettercap ;)

Love to see this to conclusion. I wonder if MyAdsl will get a gag order from the banks. Let us know RPM :P
 
ARP Spoofing

Gurr said:
Hi. The worst is that info is freely available if you're interested; I have been messing around on and off with this for a while.

Sorry about that, really dumb to post links about the subject.

Yes, indeed, ARP spoofing can be very useful. In this case, this could possibly be used to help you become the MitM if you didn't have access to the firewall. But on its own, it would not help you to access any information, because of the SSL layer.
 
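The post above places ARP spoofing correctly: it is how an attacker on the same LAN gets into the path at all, and SSL is what stops the mere position from yielding data. As an added example, not from the thread, here is the other side of that, the detection logic an administrator runs to notice a poisoning attempt. It builds a few raw Ethernet/ARP reply frames (constructed sample traffic, in the same wire format a packet capture would hand you), parses them, and flags the moment a protected address such as the default gateway is suddenly claimed by a different MAC, or one MAC starts answering for several hosts, which is what a tool like Ettercap does to both victim and gateway. The addresses are invented.

```python
"""Parse raw ARP replies and flag cache-poisoning attempts.

Added example (not from the thread). The frames below are constructed in
Ethernet II / ARP wire format with invented addresses; in practice they would
come from a packet capture on the LAN interface.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet II frame carrying an ARP reply: 'src_ip is at src_mac'."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(src_mac), ip_bytes(src_ip),
                      mac_bytes(dst_mac), ip_bytes(dst_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if the frame is not ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return op, mac_str(sha), ip_str(spa)


class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and report conflicts."""

    def __init__(self, protected=()):
        self.ip_to_mac = {}                 # first MAC seen for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
        self.protected = set(protected)     # e.g. the default gateway

    def observe(self, frame):
        """Feed one frame; return a list of alert strings (empty if benign)."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            tag = " [protected host]" if ip in self.protected else ""
            alerts.append(f"{ip} was {known}, now claimed by {mac}{tag}")
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} is answering for {sorted(self.mac_to_ips[mac])}")
        return alerts


# Constructed sample traffic: gateway and a workstation announce themselves,
# then an attacker host claims the gateway's IP (and later the workstation's).
GATEWAY, VICTIM, ATTACKER = "192.168.1.1", "192.168.1.50", "192.168.1.66"
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", GATEWAY, "ff:ff:ff:ff:ff:ff", GATEWAY),
    build_arp_reply("00:11:22:33:44:50", VICTIM, "00:11:22:33:44:01", GATEWAY),
    build_arp_reply("de:ad:be:ef:00:66", ATTACKER, "ff:ff:ff:ff:ff:ff", ATTACKER),
    build_arp_reply("de:ad:be:ef:00:66", GATEWAY, "00:11:22:33:44:50", VICTIM),
    build_arp_reply("de:ad:be:ef:00:66", VICTIM, "00:11:22:33:44:01", GATEWAY),
]


def run_sample():
    watch = ArpWatch(protected=[GATEWAY])
    return [a for frame in SAMPLE_FRAMES for a in watch.observe(frame)]


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

The first three frames produce nothing; the fourth raises the gateway conflict and the "one MAC, two IPs" alert, and the fifth shows the same MAC now also impersonating the workstation. A real deployment would read frames from a raw socket or pcap and seed the table from a known-good ARP listing rather than trusting the first reply it sees.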
lol, was more interested in learning how to write an app to redirect local LAN traffic. Ettercap is an admin's best friend. :D
 