1
00:00:00,000 --> 00:00:14,180
33C3 preroll music
2
00:00:14,180 --> 00:00:19,170
Herald: Next talk is gonna be “Shut up
and take my money” by Vincent Haupert.
3
00:00:19,170 --> 00:00:22,450
Vincent is a research associate
at the security research group
4
00:00:22,450 --> 00:00:26,430
of the Department of Computer Science
at Friedrich-Alexander-Universität
5
00:00:26,430 --> 00:00:34,220
in Erlangen, Nürnberg, Germany.
Typical, very long German word.
6
00:00:34,220 --> 00:00:37,540
His main research interests are
authentication, system security
7
00:00:37,540 --> 00:00:39,970
and software protection of mobile devices.
8
00:00:39,970 --> 00:00:43,170
It’s actually Vincent’s second time
speaking at the Congress.
9
00:00:43,170 --> 00:00:48,850
Last year’s talk discussed conceptual
insecurity of app-generated passwords
10
00:00:48,850 --> 00:00:53,809
in online banking. This year
he will discuss the practical aspects
11
00:00:53,809 --> 00:00:58,900
and some successful hacks that,
if I recall correctly,
12
00:00:58,900 --> 00:01:02,269
took over entire bank accounts
from users’ mobile apps.
13
00:01:02,269 --> 00:01:05,110
With that, Vincent, over to you.
14
00:01:05,110 --> 00:01:11,710
applause
15
00:01:11,710 --> 00:01:15,230
Vincent Haupert: Hello again,
thanks for the warm welcome,
16
00:01:15,230 --> 00:01:19,579
and let’s dive right into it
because we have a tough program.
17
00:01:19,579 --> 00:01:25,150
Okay. First of all, online banking
is something that affects us all,
18
00:01:25,150 --> 00:01:29,350
because virtually everybody uses it.
In traditional online banking,
19
00:01:29,350 --> 00:01:33,619
we use two devices.
One to initiate our payments
20
00:01:33,619 --> 00:01:36,950
– and to log in
with user name and password –
21
00:01:36,950 --> 00:01:41,299
and another device
to confirm transactions.
22
00:01:41,299 --> 00:01:47,810
With the rise of mobile devices, app-based
confirmation procedures became popular
23
00:01:47,810 --> 00:01:53,210
like this app there.
In the recent past,
24
00:01:53,210 --> 00:01:59,090
what I have been talking about last year,
it became popular
25
00:01:59,090 --> 00:02:03,420
to implement those two devices
in two apps. That means you only have
26
00:02:03,420 --> 00:02:07,049
one single device and have two apps now
27
00:02:07,049 --> 00:02:12,610
to authenticate transactions.
28
00:02:12,610 --> 00:02:18,640
Last year I showed that this has
severe conceptional drawbacks.
29
00:02:18,640 --> 00:02:26,800
But this is not the end of it.
The latest evolution in online banking
30
00:02:26,800 --> 00:02:31,680
are now one-app authentication models.
I already said this last year:
31
00:02:31,680 --> 00:02:36,410
Actually, it doesn’t make so much
difference. So banks are no longer faking
32
00:02:36,410 --> 00:02:41,890
to have real two-factor authentication.
It’s now clear that it’s just one,
33
00:02:41,890 --> 00:02:46,720
so you do the transaction initialization
inside the app
34
00:02:46,720 --> 00:02:51,530
and the confirmation is just
another dialog inside the app.
35
00:02:51,530 --> 00:02:55,800
This time I want to talk about N26,
36
00:02:55,800 --> 00:03:02,110
the shining star
on the German FinTech sky.
37
00:03:02,110 --> 00:03:09,240
Actually, this time I’m only going to be
talking about technical issues.
38
00:03:09,240 --> 00:03:14,490
It’s clear that we have similar conceptual
problems like with two-app authentication,
39
00:03:14,490 --> 00:03:21,280
but I will focus on technical issues
because we have enough of this there.
40
00:03:21,280 --> 00:03:26,341
Briefly about N26: N26 is
a Berlin-based, “Mobile First” FinTech
41
00:03:26,341 --> 00:03:31,150
and it plans to establish your smartphone
as your financial hub
42
00:03:31,150 --> 00:03:35,860
for everything, so that you do
literally everything
43
00:03:35,860 --> 00:03:40,880
from inside the app.
Actually it was only founded in 2013,
44
00:03:40,880 --> 00:03:45,790
it started in 2015 with their app and it
already has over 200.000 customers,
45
00:03:45,790 --> 00:03:49,710
which is astonishing, actually.
46
00:03:49,710 --> 00:03:53,650
It now also has its own European
banking license. It’s only, I think,
47
00:03:53,650 --> 00:03:59,431
half a year ago; and it announced
not even one month ago that it’s now
48
00:03:59,431 --> 00:04:04,510
available in 17 European countries.
And they also claim
49
00:04:04,510 --> 00:04:08,820
that you can open a bank account
in just eight minutes. As it turns out
50
00:04:08,820 --> 00:04:11,060
you can lose it even faster.
51
00:04:11,060 --> 00:04:14,730
laughter
52
00:04:14,730 --> 00:04:20,810
Okay, let’s talk briefly about transaction
security in the Number 26 app.
53
00:04:20,810 --> 00:04:23,509
If you want to do a transaction,
you at first need to log in.
54
00:04:23,509 --> 00:04:27,810
This works with your user name,
in this case it’s just your email address,
55
00:04:27,810 --> 00:04:29,999
and your password.
This is pretty standard.
56
00:04:29,999 --> 00:04:34,220
Afterwards you are good to initiate
a transaction. After you have entered
57
00:04:34,220 --> 00:04:39,300
all the details you also have to supply a
transfer code. This is just a four-digit
58
00:04:39,300 --> 00:04:45,780
number, you use this also to withdraw
cash. Probably you would call this ‘PIN’.
59
00:04:45,780 --> 00:04:50,830
The last factor in this authentication
scheme is your paired phone.
60
00:04:50,830 --> 00:04:55,990
This is actually the most important
security feature of the N26 account,
61
00:04:55,990 --> 00:05:00,930
and you can only pair one smartphone
with your N26 account.
62
00:05:00,930 --> 00:05:05,449
That means, from a technical
perspective, the N26 app,
63
00:05:05,449 --> 00:05:09,699
the very first time you start it,
generates an RSA key pair
64
00:05:09,699 --> 00:05:13,199
and sends the public key to the N26
backend. And whenever you initiate
65
00:05:13,199 --> 00:05:17,889
a transaction they are going to send
an encrypted challenge to your smartphone
66
00:05:17,889 --> 00:05:22,709
and you send it back decrypted.
That’s how it works. Actually,
67
00:05:22,709 --> 00:05:27,960
re-pairing, that means pairing another
phone is a pretty well secured process,
68
00:05:27,960 --> 00:05:32,900
but we will talk about this later. Just
to talk about the infrastructure
69
00:05:32,900 --> 00:05:37,639
of N26: basically they have two apps,
one for iOS, one for Android,
70
00:05:37,639 --> 00:05:42,179
and they communicate over
a JSON-based protocol, TLS encrypted.
71
00:05:42,179 --> 00:05:47,099
The backend is at api.tech26.de.
72
00:05:47,099 --> 00:05:50,719
How do I know, actually, that this is
a JSON-based protocol: because I used
73
00:05:50,719 --> 00:05:56,979
a TLS man-in-the-middle attack
to log the protocol.
74
00:05:56,979 --> 00:06:02,919
I only needed to install a certificate,
the MITM proxy certificate on the client,
75
00:06:02,919 --> 00:06:06,740
but actually I was surprised that I didn’t
need to touch the client, because
76
00:06:06,740 --> 00:06:10,129
they didn’t implement
any certificate pinning.
77
00:06:10,129 --> 00:06:16,490
applause
78
00:06:16,490 --> 00:06:21,690
So that means, the first thing
that comes into mind is like:
79
00:06:21,690 --> 00:06:25,759
Let’s do real-time transaction
manipulation. That means we manipulate
80
00:06:25,759 --> 00:06:30,219
a transaction that the user does,
but we will change the recipient
81
00:06:30,219 --> 00:06:36,259
and the user won’t see anything about this.
So if we look at this graphic again,
82
00:06:36,259 --> 00:06:42,049
what if an attacker could get the DNS
record of api.tech26.de under his control?
83
00:06:42,049 --> 00:06:48,079
This would mean that all traffic is routed
over the man-in-the-middle attacker server
84
00:06:48,079 --> 00:06:53,820
and, as there is no certificate pinning,
we could just issue a Let’s Encrypt
85
00:06:53,820 --> 00:06:59,930
TLS certificate and the app is going
to trust the certificate.
86
00:06:59,930 --> 00:07:04,230
How does this work?
Let’s take an example here.
87
00:07:04,230 --> 00:07:08,580
Let’s imagine I want to transfer
2 Euro to my friend Dominik.
88
00:07:08,580 --> 00:07:13,240
After I entered all the transaction details
I have to enter my transfer code, too.
89
00:07:13,240 --> 00:07:18,930
When I did this I get like the second
factor where you need the paired device
90
00:07:18,930 --> 00:07:23,669
and I need to confirm it. This is just
like the next dialogue inside the app.
91
00:07:23,669 --> 00:07:27,890
After I confirmed it, the transaction went
through, everything looks good.
92
00:07:27,890 --> 00:07:32,199
2 Euro less on my account, pretty good.
93
00:07:32,199 --> 00:07:37,479
In the next step you can see in your
transaction overview too, that
94
00:07:37,479 --> 00:07:42,690
there are 2 Euro less. But after the attack
when N26 realized that something wrong
95
00:07:42,690 --> 00:07:47,000
was going on and they fixed it you will
realize that we actually transferred
96
00:07:47,000 --> 00:07:51,539
20 Euro, not 2. But this was
completely transparent for the user
97
00:07:51,539 --> 00:07:56,209
even after the attack.
Okay, this is nice.
98
00:07:56,209 --> 00:07:59,790
We can manipulate a transaction
in real time, but
99
00:07:59,790 --> 00:08:05,419
wouldn’t it be even more interesting
to take over entire accounts
100
00:08:05,419 --> 00:08:09,010
to do our own transactions?
101
00:08:09,010 --> 00:08:13,669
For this, we need the login credentials,
the transfer code and the paired phone.
102
00:08:13,669 --> 00:08:17,069
So we need to obtain all of them.
103
00:08:17,069 --> 00:08:20,459
Let’s start with the login credentials.
104
00:08:20,459 --> 00:08:26,479
Actually, I want to assume, that the login
credentials are already compromised.
105
00:08:26,479 --> 00:08:33,530
But there are some weak points in the
security system of the N26 transactions,
106
00:08:33,530 --> 00:08:37,260
that make it an easier task to obtain
those login credentials.
107
00:08:37,260 --> 00:08:41,919
There are two things I want to talk about.
The first thing is the recovery-from-loss
108
00:08:41,919 --> 00:08:47,460
procedure. When you forget your
password, N26 just sends
109
00:08:47,460 --> 00:08:50,500
an email to your email account.
There is a link inside, you click it
110
00:08:50,500 --> 00:08:53,959
and you can just reset your password.
111
00:08:53,959 --> 00:08:58,160
This breaks the N26 password policy
112
00:08:58,160 --> 00:09:04,060
which is actually pretty solid, because
if you have access to the email account,
113
00:09:04,060 --> 00:09:08,029
you have automatically access
to the N26 account, too
114
00:09:08,029 --> 00:09:14,389
and the access to the email account
could be as bad as “password” or “123456”.
115
00:09:14,389 --> 00:09:18,440
Another idea is spear phishing. Think
of spear phishing like a more targeted
116
00:09:18,440 --> 00:09:22,839
version of phishing. What you always need
for phishing is a similar domain,
117
00:09:22,839 --> 00:09:27,010
something the user can relate to. And
if you want to make spear phishing
118
00:09:27,010 --> 00:09:30,350
you want to have it more targeted.
That means you want to expose
119
00:09:30,350 --> 00:09:34,759
N26 customers, so only send out mails
to them. And you need to have
120
00:09:34,759 --> 00:09:39,249
a valid reason to contact them.
About the domain:
121
00:09:39,249 --> 00:09:45,139
usually N26 uses number26.de;
and for password resets
122
00:09:45,139 --> 00:09:51,480
e.g. number26.tech.
Sounds pretty valid in my eyes.
123
00:09:51,480 --> 00:09:57,740
Only by chance I happen to own
that domain. laughter
124
00:09:57,740 --> 00:10:03,520
The next thing is exposing
N26 customers. N26 offers
125
00:10:03,520 --> 00:10:09,840
peer to peer transactions, that means if
your recipient also has a N26 account,
126
00:10:09,840 --> 00:10:15,660
those transactions are instant.
To show the N26 customers
127
00:10:15,660 --> 00:10:20,040
who of his contacts actually have
an N26 account, they upload
128
00:10:20,040 --> 00:10:25,089
all of the email addresses, all of the
phone numbers in your address book
129
00:10:25,089 --> 00:10:30,160
to the N26 backend.
Unhashed.
130
00:10:30,160 --> 00:10:34,860
applause
131
00:10:34,860 --> 00:10:39,709
But we actually want to use this to
identify customers of a given dataset.
132
00:10:39,709 --> 00:10:43,779
We can actually abuse this API for that.
133
00:10:43,779 --> 00:10:49,410
Do you remember the recent Dropbox leak
that revealed 68 million accounts?
134
00:10:49,410 --> 00:10:54,649
We evaluated all of those 68 million
email accounts against this API
135
00:10:54,649 --> 00:10:58,680
and N26 took no notice of this.
There were no limits applied.
136
00:10:58,680 --> 00:11:03,439
They just think, I’m really popular.
laughter
137
00:11:03,439 --> 00:11:10,519
applause
138
00:11:10,519 --> 00:11:17,870
In the end, we revealed 33.000 N26
customers and could now send out
139
00:11:17,870 --> 00:11:22,500
e-mails to them. Actually, this also provides
a valid reason to contact them.
140
00:11:22,500 --> 00:11:27,520
E.g. the usual e-mail of N26 looks
somehow like this.
141
00:11:27,520 --> 00:11:31,759
So we could say to them: “Hey, you are
affected by the Dropbox leak, please
142
00:11:31,759 --> 00:11:41,070
change your password for your own security.
Click this link to change your password.”
143
00:11:41,070 --> 00:11:47,480
Now I can already see the N26
management board nervous,
144
00:11:47,480 --> 00:11:52,220
but don’t worry, we didn’t do this.
My professor had legal concerns.
145
00:11:52,220 --> 00:11:57,250
laughter
146
00:11:57,250 --> 00:12:02,829
Now, that we have the login credentials,
we have to wonder: Can we already
147
00:12:02,829 --> 00:12:08,940
do something with those login credentials?
And this brings me to Siri transactions.
148
00:12:08,940 --> 00:12:13,979
With iOS 10 N26 now supports
transactions using Siri. That means
149
00:12:13,979 --> 00:12:19,200
now you can just say: “Send 5 Euro
to Dominik Maier using N26”, then
150
00:12:19,200 --> 00:12:24,200
the transaction pops up and you can say:
“Send it” and afterwards it’s gone.
151
00:12:24,200 --> 00:12:29,389
The app doesn’t even open.
So this already sounds wrong,
152
00:12:29,389 --> 00:12:33,680
laughter …but you can only
do this with the paired device.
153
00:12:33,680 --> 00:12:39,579
If you use another phone and just
log in and try to use Siri with this,
154
00:12:39,579 --> 00:12:43,500
this dialogue appears and you really
have to open the app and have
155
00:12:43,500 --> 00:12:51,709
to confirm it with the paired phone. As it
turns out, this is just a client feature.
156
00:12:51,709 --> 00:12:53,819
laughter
157
00:12:53,819 --> 00:12:57,449
This is actually the entire payload
you need. It’s just like “5 Euro
158
00:12:57,449 --> 00:13:02,260
to Dominik Maier”, and there is the phone
number. And look at this API endpoint,
159
00:13:02,260 --> 00:13:07,880
‘/transactions/unverified’.
So it turns out
160
00:13:07,880 --> 00:13:11,939
you don’t need the paired phone
to do this type of transactions.
161
00:13:11,939 --> 00:13:19,839
applause
162
00:13:19,839 --> 00:13:23,709
Yet another thing that’s interesting
is that N26 claims that they have
163
00:13:23,709 --> 00:13:28,050
some intelligent algorithms
to immediately detect irregularities
164
00:13:28,050 --> 00:13:34,079
and prevent fraud before it even occurs.
So we thought: “Challenge accepted!”
165
00:13:34,079 --> 00:13:38,879
laughter and applause
166
00:13:38,879 --> 00:13:42,829
And what we actually did,
and I think this is pretty irregular,
167
00:13:42,829 --> 00:13:48,680
we sent 2000 Siri transactions
worth 1 Cent within 30 minutes.
168
00:13:48,680 --> 00:13:51,180
laughter
169
00:13:51,180 --> 00:13:56,820
Try to speak that fast.
Ok.
170
00:13:56,820 --> 00:14:02,779
And so what happened? Like we waited the
next day and the day after nobody actually
171
00:14:02,779 --> 00:14:07,120
made contact with us, and we thought they
would never actually make contact.
172
00:14:07,120 --> 00:14:10,829
But over three weeks later
N26 required Dominik to explain
173
00:14:10,829 --> 00:14:15,790
the “unusual amount” of transactions.
Okay, they even threatened to cancel
174
00:14:15,790 --> 00:14:20,449
his account. I mean, this is actually…
it’s reasonable because it’s a clear misuse
175
00:14:20,449 --> 00:14:24,489
of the account and it violates
the Terms of Service of them.
176
00:14:24,489 --> 00:14:29,520
But Dominik didn’t send those
transactions, he received them!
177
00:14:29,520 --> 00:14:30,620
laughter
178
00:14:30,620 --> 00:14:35,240
They contacted the wrong person!
This is kind of like
179
00:14:35,240 --> 00:14:38,590
if Gmail cancels your account
because you received Spam!
180
00:14:38,590 --> 00:14:41,509
loud laughter
181
00:14:41,509 --> 00:14:49,310
applause
182
00:14:49,310 --> 00:14:53,709
Okay, let’s go back to the account
hijacking. And the next thing we need
183
00:14:53,709 --> 00:14:59,020
to obtain is the transfer code and get
the control over the paired phone.
184
00:14:59,020 --> 00:15:03,480
What we will do: with the transfer code
we will try to reset it; and
185
00:15:03,480 --> 00:15:07,220
the paired phone we have to un-pair.
Actually, those processes are
186
00:15:07,220 --> 00:15:14,060
not as independent as it seems. So
I will start right with the paired phone.
187
00:15:14,060 --> 00:15:17,980
As I told in the beginning, un-pairing is
actually a highly-secured process
188
00:15:17,980 --> 00:15:24,720
and I mean, this is my serious opinion.
So let’s look at the process.
189
00:15:24,720 --> 00:15:29,029
At first, when you want to pair a new
phone, like I said, you need to un-pair
190
00:15:29,029 --> 00:15:33,509
the existing one. Therefore, you open the
app, then you click at “Un-pair” and
191
00:15:33,509 --> 00:15:40,230
afterwards they send a link to your
email account. Then, in the e-mail
192
00:15:40,230 --> 00:15:46,290
you need to follow the un-pairing link.
193
00:15:46,290 --> 00:15:50,570
In the next step the real un-pairing
process starts, where you
194
00:15:50,570 --> 00:15:55,379
have to enter your transfer code first,
then your MasterCard ID. This is something
195
00:15:55,379 --> 00:16:01,319
that is kind of special for N26, like,
every N26 account comes with a MasterCard,
196
00:16:01,319 --> 00:16:06,760
and they have printed a 10-digit numerical
token below your name. I don’t know
197
00:16:06,760 --> 00:16:09,570
what this actually is, it’s not the PAN,
it’s not the credit card number but
198
00:16:09,570 --> 00:16:14,890
some other sort of token. So you need
to have the Mastercard, actually.
199
00:16:14,890 --> 00:16:19,279
And in the last step they’re going to send
an SMS to you with a token, and you have
200
00:16:19,279 --> 00:16:24,130
to enter it. And only after this process
the un-pairing is done.
201
00:16:24,130 --> 00:16:28,170
So that means we need to have access to
the e-mail account. We need to know
202
00:16:28,170 --> 00:16:31,890
the transfer code. We need to have the
Mastercard and we need to own the SIM card
203
00:16:31,890 --> 00:16:40,869
in order to receive the token.
You can’t screw up each of those.
204
00:16:40,869 --> 00:16:47,760
laughter and applause
205
00:16:47,760 --> 00:16:52,430
Okay. Let’s go into it. So, the first
thing: when you actually click
206
00:16:52,430 --> 00:16:58,110
on that item in your app where
it says “Start un-pairing”
207
00:16:58,110 --> 00:17:03,379
it sends – this is basically HTTP GET
request but you wouldn’t believe
208
00:17:03,379 --> 00:17:08,949
that they send the link as a response.
So – it’s not this plate (?)
209
00:17:08,949 --> 00:17:13,680
but it’s there. So you don’t need to
have access to the e-mail account
210
00:17:13,680 --> 00:17:17,289
because it’s in the response.
laughs
211
00:17:17,289 --> 00:17:20,119
laughter
212
00:17:20,119 --> 00:17:25,270
Okay. Next thing. The transfer code
– I actually will skip this for the moment
213
00:17:25,270 --> 00:17:29,789
and we’ll get right back to this. But the
next thing is actually the Mastercard ID.
214
00:17:29,789 --> 00:17:35,870
And this ID is printed on the card,
and we don’t have access to that card.
215
00:17:35,870 --> 00:17:40,790
So what will we do?
In the transaction overview
216
00:17:40,790 --> 00:17:45,340
N26 shows a lot of properties,
e.g. the amount, the beneficiary,
217
00:17:45,340 --> 00:17:49,770
whatever. And it turns out that this…
218
00:17:49,770 --> 00:17:52,909
laughter and turmoil
that they used
219
00:17:52,909 --> 00:17:57,220
this Mastercard ID, they thought: “Oh,
this is actually a nice ID, let’s use it
220
00:17:57,220 --> 00:18:02,260
as a prefix”. So, again, this is not
displayed to the user inside the app
221
00:18:02,260 --> 00:18:07,960
but it’s clearly there in the API.
It’s way too verbose.
222
00:18:07,960 --> 00:18:14,889
So…
applause
223
00:18:14,889 --> 00:18:19,940
Okay. Whenever…
224
00:18:19,940 --> 00:18:23,610
the step that I just skipped
was this transfer code.
225
00:18:23,610 --> 00:18:29,000
The transfer code is unknown.
But you can reset the transfer code.
226
00:18:29,000 --> 00:18:32,590
And it is – as it turns out – what you
need to reset the transfer code
227
00:18:32,590 --> 00:18:35,480
is the Mastercard ID.
laughs
228
00:18:35,480 --> 00:18:43,000
laughter and applause
229
00:18:43,000 --> 00:18:47,320
So you need to enter this Mastercard ID
230
00:18:47,320 --> 00:18:52,510
that I just told how we will get it
and then we just will confirm
231
00:18:52,510 --> 00:18:57,870
our new transfer code. Think of one,
I don’t know. Any code.
232
00:18:57,870 --> 00:19:01,840
And therefore we don’t need to know the
transfer code. Not even the old one
233
00:19:01,840 --> 00:19:06,660
because it’s not required.
The Mastercard ID is sufficient.
234
00:19:06,660 --> 00:19:11,940
Then. The last step. SMS.
The SIM card is inaccessible.
235
00:19:11,940 --> 00:19:17,450
We don’t have access to that phone. But
this is a 5-digit token that they send out
236
00:19:17,450 --> 00:19:22,659
and it’s only numbers. I mean
this is 100.000 possibilities.
237
00:19:22,659 --> 00:19:28,980
And even though the login procedure, the
login form, has a brute-force protection
238
00:19:28,980 --> 00:19:32,000
this doesn’t have any
brute force protection. So…
239
00:19:32,000 --> 00:19:35,470
laughter
240
00:19:35,470 --> 00:19:39,920
…the maximum that I could get out of the
backend was 160 requests per second!
241
00:19:39,920 --> 00:19:42,430
laughter
242
00:19:42,430 --> 00:19:45,760
So this means…
laughs
243
00:19:45,760 --> 00:19:54,630
applause
244
00:19:54,630 --> 00:20:04,230
So that means that it takes on average
approx. 5 minutes to get this token.
245
00:20:04,230 --> 00:20:09,190
In the end we will just brute-force it
and that’s it. Okay. That’s…
246
00:20:09,190 --> 00:20:11,740
laughter
247
00:20:11,740 --> 00:20:17,000
Let’s look if this really works.
At first we will login to the app
248
00:20:17,000 --> 00:20:22,280
just to see that it’s paired. And if it
wouldn’t be paired we would know,
249
00:20:22,280 --> 00:20:27,320
like, see a dialogue
that we should pair our phone.
250
00:20:27,320 --> 00:20:30,960
So now it opens. Great.
251
00:20:30,960 --> 00:20:36,770
And now we will start our script.
252
00:20:36,770 --> 00:20:43,460
And N26 claimed that this attack
doesn’t scale, just don’t blink!
253
00:20:43,460 --> 00:20:45,030
exhales sharply
254
00:20:45,030 --> 00:20:47,240
So those are the login credentials
laughter
255
00:20:47,240 --> 00:20:50,960
…that will do all the fun. And actually,
everything already happened, it’s just
256
00:20:50,960 --> 00:20:55,450
the brute-forcing that now takes place.
And I have to admit that I have been
257
00:20:55,450 --> 00:21:02,559
really lucky this time because
we are done now. laughter
258
00:21:02,559 --> 00:21:07,220
So this is the response, now the SMS
numeric token is valid, and the phone
259
00:21:07,220 --> 00:21:12,100
has been successfully un-paired. Okay,
now let’s verify in the app… if this worked
260
00:21:12,100 --> 00:21:19,800
really? So let’s open it again. Touch-ID
expired, so this is actually good.
261
00:21:19,800 --> 00:21:27,250
That means that something happened.
Let’s login with our password.
262
00:21:27,250 --> 00:21:31,020
And there it prompts us for pairing
the phone. So it worked.
263
00:21:31,020 --> 00:21:39,860
applause
264
00:21:39,860 --> 00:21:44,030
Yeah…
laughter
265
00:21:44,030 --> 00:21:50,470
This… even though I said that this attack
really scales very well it has a drawback.
266
00:21:50,470 --> 00:21:54,549
Because three mails are sent out to the
user. The first one when you actually
267
00:21:54,549 --> 00:21:58,470
start the un-pairing, the second one
when you reset the transfer PIN and
268
00:21:58,470 --> 00:22:02,149
the third one when the un-pairing is
successful. And the user also receives
269
00:22:02,149 --> 00:22:08,200
an SMS. But I mean fraud is perfectly
possible. But is there a possibility
270
00:22:08,200 --> 00:22:14,550
to avoid this? Let’s try to call
the customer support.
271
00:22:14,550 --> 00:22:19,850
The customer support is actually the most
powerful entity in the N26 security model.
272
00:22:19,850 --> 00:22:23,460
Because they can even change things
you can’t change inside the app.
273
00:22:23,460 --> 00:22:27,260
E.g. your email address, or name
– you cannot change.
274
00:22:27,260 --> 00:22:32,950
But they can. So let’s talk with them.
They can… it turns out they can also
275
00:22:32,950 --> 00:22:38,370
un-pair phones. So now the question arises
of course you cannot just call there
276
00:22:38,370 --> 00:22:42,029
and say: “Hey, my name is Vincent,
please un-pair my phone.” Of course they
277
00:22:42,029 --> 00:22:47,239
are going to authenticate you. And what…
loud laughter
278
00:22:47,239 --> 00:22:53,120
…and what will they ask? They will ask
for the Mastercard ID. We know that.
279
00:22:53,120 --> 00:22:56,410
The current account balance is always
available if you have the login credentials.
280
00:22:56,410 --> 00:23:00,539
Okay. There’s one thing that is
still missing. Place of birth.
281
00:23:00,539 --> 00:23:05,590
It’s always the same.
laughter
282
00:23:05,590 --> 00:23:11,500
It’s, again, you can’t see this information
inside the app. It’s just not displayed.
283
00:23:11,500 --> 00:23:14,340
But it’s there. There’s so much
information you can’t think of.
284
00:23:14,340 --> 00:23:19,780
Really, they know more about me than I do.
laughter
285
00:23:19,780 --> 00:23:23,850
Now that means we have all information
available, and we can change any data.
286
00:23:23,850 --> 00:23:28,230
And the user won’t receive any notice
of that. So no email, nothing.
287
00:23:28,230 --> 00:23:32,390
So we can just un-pair the phone,
and later we can pair our own one,
288
00:23:32,390 --> 00:23:36,460
or… this is perfectly stealth.
289
00:23:36,460 --> 00:23:42,500
Now actually I heard already: “Ah,
I only got 50 Euro on my account,
290
00:23:42,500 --> 00:23:46,610
why should I care?”
291
00:23:46,610 --> 00:23:52,020
This is actually a valid argument because
many N26 accounts are opened out of
292
00:23:52,020 --> 00:23:58,559
curiosity, and many are inactive, or not
used seriously, that means you only use it
293
00:23:58,559 --> 00:24:02,590
for travelling or paying things online
because of the conditions.
294
00:24:02,590 --> 00:24:06,919
But you don’t use it as the salary account
so there is frequently not so much money
295
00:24:06,919 --> 00:24:13,740
in it. But as this wants to be the
financial hub for all the services
296
00:24:13,740 --> 00:24:19,850
you of course can also apply for an
overdraft. And this is an instant overdraft
297
00:24:19,850 --> 00:24:25,110
that is granted during two minutes.
And it’s between… you have guaranteed
298
00:24:25,110 --> 00:24:32,100
50 Euro and up to 2000. This requires
the paired device. What did we just do?
299
00:24:32,100 --> 00:24:35,200
We have the paired device.
We have the entire account.
300
00:24:35,200 --> 00:24:39,159
So what do we do?
We will just hijack the account
301
00:24:39,159 --> 00:24:43,559
then we apply for an overdraft,
and then we will take all the money
302
00:24:43,559 --> 00:24:47,350
he has as a balance
and as an overdraft.
303
00:24:47,350 --> 00:24:50,470
So even if you don’t have money
on your account and think you’re safe
304
00:24:50,470 --> 00:24:54,779
you are not.
laughs
305
00:24:54,779 --> 00:25:02,480
Okay. This was quite a bit, something.
I want to talk briefly about disclosure
306
00:25:02,480 --> 00:25:07,030
before I will draw my conclusion.
307
00:25:07,030 --> 00:25:12,720
I reported all these issues to N26 on
September 25. I didn’t establish
308
00:25:12,720 --> 00:25:16,500
the contact, this was the CCC.
Thank you for that.
309
00:25:16,500 --> 00:25:22,240
I did this because I didn’t know how N26
would react to this kind of vulnerabilities.
310
00:25:22,240 --> 00:25:26,350
But, actually, there was no reason
to think so. Because they acted
311
00:25:26,350 --> 00:25:31,649
really professional. And they were
actually thankful that I revealed
312
00:25:31,649 --> 00:25:34,930
these vulnerabilities.
313
00:25:34,930 --> 00:25:45,490
applause
314
00:25:45,490 --> 00:25:49,940
Then, afterwards, they started
to incrementally fix the issues.
315
00:25:49,940 --> 00:25:54,519
I don’t know when they fixed the first
thing. I didn’t monitor the process.
316
00:25:54,519 --> 00:25:58,039
But the last fix I know of happened on
December 13 when they implemented
317
00:25:58,039 --> 00:26:02,760
certificate pinning on iOS. And,
apparently, I have to say that
318
00:26:02,760 --> 00:26:10,019
I didn’t check everything. But
apparently all issues are resolved.
319
00:26:10,019 --> 00:26:15,390
But what are the consequences out of
this? It is obvious that N26 needs to put
320
00:26:15,390 --> 00:26:22,789
more emphasis on security. It’s important
to notice that this wasn’t a coincidence.
321
00:26:22,789 --> 00:26:27,730
It simply wasn’t! And N26 needs to
understand that it’s not enough to release
322
00:26:27,730 --> 00:26:31,340
videos with caption “mobile first meets
safety first” and to claim that security
323
00:26:31,340 --> 00:26:39,770
is of paramount importance to them.
So PR shouldn’t do your security.
324
00:26:39,770 --> 00:26:45,360
It’s funny: If you visit the N26 home page
you will find out that they currently have
325
00:26:45,360 --> 00:26:53,200
44 open positions. Not even one
is dedicated to security.
326
00:26:53,200 --> 00:26:56,690
Furthermore, with such a strategy
FinTechs squander the trust
327
00:26:56,690 --> 00:27:01,420
in financial institutions that banks
established over years, actually.
328
00:27:01,420 --> 00:27:06,610
Today you usually trust in your bank
that they will deal with your money
329
00:27:06,610 --> 00:27:11,750
responsibly. And in the end you also
need to question authorities. I mean
330
00:27:11,750 --> 00:27:18,779
it was BaFin that granted a banking
license to N26 only six months ago.
331
00:27:18,779 --> 00:27:26,499
And, really, those vulnerabilities
have been in sight for a longer time.
332
00:27:26,499 --> 00:27:32,190
Okay. I think, like… résumé for this is:
333
00:27:32,190 --> 00:27:36,409
you shouldn’t say “Works for me”
when it’s about security.
334
00:27:36,409 --> 00:27:38,939
So, thank you!
335
00:27:38,939 --> 00:27:59,239
applause
336
00:27:59,239 --> 00:28:05,510
Herald: Thank you Vincent. That was
awesome. And also kind of fucking scary.
337
00:28:05,510 --> 00:28:09,820
We only have a short time for questions.
Is there anybody who has a question
338
00:28:09,820 --> 00:28:18,950
for Vincent?
339
00:28:18,950 --> 00:28:22,970
No, I guess everybody is out
deleting banking apps.
340
00:28:22,970 --> 00:28:26,760
laughter
341
00:28:26,760 --> 00:28:31,730
Oh, number 6!
342
00:28:31,730 --> 00:28:35,800
Question: Quick question.
343
00:28:35,800 --> 00:28:40,429
Do you know whether they
have disallowed those apps
344
00:28:40,429 --> 00:28:44,370
that have not yet been updated
to still manage their bank account?
345
00:28:44,370 --> 00:28:49,889
So e.g. if someone has a mobile app
that has not yet been updated
346
00:28:49,889 --> 00:28:52,750
to the version that includes certificate
pinning would that person
347
00:28:52,750 --> 00:28:55,100
still be vulnerable to
man-in-the-middle attacks?
348
00:28:55,100 --> 00:28:56,530
Vincent: Yes.
349
00:28:56,530 --> 00:28:59,640
laughter
laughs
350
00:28:59,640 --> 00:29:03,909
Actually they don’t have so much of an
idea which device you are using.
351
00:29:03,909 --> 00:29:10,970
They don’t even know which is the paired
device! This is only a client value.
352
00:29:10,970 --> 00:29:14,500
Herald: Do two more,
it’s a guy here on number 1.
353
00:29:14,500 --> 00:29:18,429
Question: Thanks for the talk. Did they
actually invite you to help them
354
00:29:18,429 --> 00:29:22,540
or give your talk at N26?
Have they been in contact with you?
355
00:29:22,540 --> 00:29:26,970
Vincent: Yes, we have been in contact and
I also visited them and gave a workshop,
356
00:29:26,970 --> 00:29:29,000
so yeah, they…
357
00:29:29,000 --> 00:29:32,790
laughter and applause
358
00:29:32,790 --> 00:29:34,320
Question: Are you serious?
359
00:29:34,320 --> 00:29:39,439
Vincent: I am serious, yes!
ongoing applause
360
00:29:39,439 --> 00:29:42,189
Herald: And we do one last,
one here, from number 5, please.
361
00:29:42,189 --> 00:29:45,120
Question: So during your talk you
name-dropped Let’s Encrypt, and
362
00:29:45,120 --> 00:29:48,330
you kind of glossed over that bit, about
getting them to issue a certificate
363
00:29:48,330 --> 00:29:53,190
for their API host name.
Do you know something I don’t?
364
00:29:53,190 --> 00:29:55,750
Vincent: Ehm, the question, again?
I don’t…
365
00:29:55,750 --> 00:29:59,530
Question: So you mentioned getting
a Let’s Encrypt certificate to impersonate
366
00:29:59,530 --> 00:30:02,450
their API host name, because they
weren’t using certificate pinning.
367
00:30:02,450 --> 00:30:04,770
How did you go by doing that?
368
00:30:04,770 --> 00:30:07,500
Vincent: But I didn’t do.
This, like, was a scenario.
369
00:30:07,500 --> 00:30:15,500
That’s an attack scenario. I didn’t hijack
the DNS record, okay, sorry.
370
00:30:15,500 --> 00:30:16,970
laughs
371
00:30:16,970 --> 00:30:19,509
Question: Thank you.
372
00:30:19,509 --> 00:30:22,030
Herald: Alright. Thanks everybody for
joining. And get a big round of applause
373
00:30:22,030 --> 00:30:23,610
here for Vincent!
374
00:30:23,610 --> 00:30:27,260
applause
375
00:30:27,260 --> 00:30:32,240
postroll music
376
00:30:32,240 --> 00:30:50,981
Subtitles created by c3subtitles.de
in the year 2017. Join and help us!