WEBVTT
00:00:00.000 --> 00:00:14.180
33C3 preroll music
00:00:14.180 --> 00:00:19.170
Herald: Next talk is gonna be “Shut up
and take my money” by Vincent Haupert.
00:00:19.170 --> 00:00:22.450
Vincent is a research associate
at the security research group
00:00:22.450 --> 00:00:26.430
of the Department of Computer Science
at Friedrich-Alexander-Universität
00:00:26.430 --> 00:00:34.220
in Erlangen, Nürnberg, Germany.
Typical, very long German word.
00:00:34.220 --> 00:00:37.540
His main research interests are
authentication, system security
00:00:37.540 --> 00:00:39.970
and software protection of mobile devices.
00:00:39.970 --> 00:00:43.170
It’s actually Vincent’s second time
speaking at the Congress.
00:00:43.170 --> 00:00:48.850
Last year’s talk discussed conceptual
insecurity of app-generated passwords
00:00:48.850 --> 00:00:53.809
in online banking. This year
he will discuss the practical aspects
00:00:53.809 --> 00:00:58.900
and some successful hacks that,
if I recall correctly,
00:00:58.900 --> 00:01:02.269
took over entire bank accounts
from users’ mobile apps.
00:01:02.269 --> 00:01:05.110
With that, Vincent, over to you.
00:01:05.110 --> 00:01:11.710
applause
00:01:11.710 --> 00:01:15.230
Vincent Haupert: Hello again,
thanks for the warm welcome,
00:01:15.230 --> 00:01:19.579
and let’s dive right into it
because we have a tough program.
00:01:19.579 --> 00:01:25.150
Okay. First of all, online banking
is something that affects us all,
00:01:25.150 --> 00:01:29.350
because virtually everybody uses it.
In traditional online banking,
00:01:29.350 --> 00:01:33.619
we use two devices.
One to initiate our payments
00:01:33.619 --> 00:01:36.950
– and to log in
with user name and password –
00:01:36.950 --> 00:01:41.299
and another device
to confirm transactions.
00:01:41.299 --> 00:01:47.810
With the rise of mobile devices, app-based
confirmation procedures became popular
00:01:47.810 --> 00:01:53.210
like this app there.
In the recent past,
00:01:53.210 --> 00:01:59.090
what I was talking about last year,
it became popular
00:01:59.090 --> 00:02:03.420
to implement those two devices
in two apps. That means you only have
00:02:03.420 --> 00:02:07.049
one single device and have two apps now
00:02:07.049 --> 00:02:12.610
to authenticate transactions.
00:02:12.610 --> 00:02:18.640
Last year I showed that this has
severe conceptual drawbacks.
00:02:18.640 --> 00:02:26.800
But this is not the end of it.
The latest evolution in online banking
00:02:26.800 --> 00:02:31.680
are now one-app authentication models.
I already said this last year:
00:02:31.680 --> 00:02:36.410
Actually, it doesn’t make so much
difference. So banks are no longer pretending
00:02:36.410 --> 00:02:41.890
to have real two-factor authentication.
It’s now clear that it’s just one,
00:02:41.890 --> 00:02:46.720
so you do the transaction initialization
inside the app
00:02:46.720 --> 00:02:51.530
and the confirmation is just
another dialog inside the app.
00:02:51.530 --> 00:02:55.800
This time I want to talk about N26,
00:02:55.800 --> 00:03:02.110
the shining star
on the German FinTech sky.
00:03:02.110 --> 00:03:09.240
Actually, this time I’m only going to be
talking about technical issues.
00:03:09.240 --> 00:03:14.490
It’s clear that we have similar conceptual
problems like with two-app authentication,
00:03:14.490 --> 00:03:21.280
but I will focus on technical issues
because we have enough of this there.
00:03:21.280 --> 00:03:26.341
Briefly about N26: N26 is
a Berlin-based, “Mobile First” FinTech
00:03:26.341 --> 00:03:31.150
and it plans to establish your smartphone
as your financial hub
00:03:31.150 --> 00:03:35.860
for everything, so that you do
literally everything
00:03:35.860 --> 00:03:40.880
from inside the app.
Actually it was only founded in 2013,
00:03:40.880 --> 00:03:45.790
it started in 2015 with their app and it
already has over 200,000 customers,
00:03:45.790 --> 00:03:49.710
which is astonishing, actually.
00:03:49.710 --> 00:03:53.650
It now also has its own European
banking license. It’s only, I think,
00:03:53.650 --> 00:03:59.431
half a year ago; and it announced
not even one month ago that it’s now
00:03:59.431 --> 00:04:04.510
available in 17 European countries.
And they also claim
00:04:04.510 --> 00:04:08.820
that you can open a bank account
in just eight minutes. As it turns out
00:04:08.820 --> 00:04:11.060
you can lose it even faster.
00:04:11.060 --> 00:04:14.730
laughter
00:04:14.730 --> 00:04:20.810
Okay, let’s talk briefly about transaction
security in the Number 26 app.
00:04:20.810 --> 00:04:23.509
If you want to do a transaction,
you at first need to log in.
00:04:23.509 --> 00:04:27.810
This works with your user name,
in this case it’s just your email address,
00:04:27.810 --> 00:04:29.999
and your password.
This is pretty standard.
00:04:29.999 --> 00:04:34.220
Afterwards you are good to initiate
a transaction. After you have entered
00:04:34.220 --> 00:04:39.300
all the details you also have to supply a
transfer code. This is just a four-digit
00:04:39.300 --> 00:04:45.780
number, you use this also to withdraw
cash. Probably you would call this ‘PIN’.
00:04:45.780 --> 00:04:50.830
The last factor in this authentication
scheme is your paired phone.
00:04:50.830 --> 00:04:55.990
This is actually the most important
security feature of the N26 account,
00:04:55.990 --> 00:05:00.930
and you can only pair one smartphone
with your N26 account.
00:05:00.930 --> 00:05:05.449
That means, from a technical
perspective, the N26 app,
00:05:05.449 --> 00:05:09.699
the very first time you start it,
generates an RSA key pair
00:05:09.699 --> 00:05:13.199
and sends the public key to the N26
backend. And whenever you initiate
00:05:13.199 --> 00:05:17.889
a transaction they are going to send
an encrypted challenge to your smartphone
00:05:17.889 --> 00:05:22.709
and you send it back decrypted.
That’s how it works. Actually,
00:05:22.709 --> 00:05:27.960
re-pairing, that means pairing another
phone is a pretty well secured process,
00:05:27.960 --> 00:05:32.900
but we will talk about this later. Just
to talk about the infrastructure
00:05:32.900 --> 00:05:37.639
of N26: basically they have two apps,
one for iOS, one for Android,
00:05:37.639 --> 00:05:42.179
and they communicate over
a JSON-based protocol, TLS encrypted.
00:05:42.179 --> 00:05:47.099
The backend is at api.tech26.de.
00:05:47.099 --> 00:05:50.719
How do I know, actually, that this is
a JSON-based protocol: because I used
00:05:50.719 --> 00:05:56.979
a TLS man-in-the-middle attack
to log the protocol.
00:05:56.979 --> 00:06:02.919
I only needed to install a certificate,
the MITM proxy certificate on the client,
00:06:02.919 --> 00:06:06.740
but actually I was surprised that I didn’t
need to touch the client, because
00:06:06.740 --> 00:06:10.129
they didn’t implement
any certificate pinning.
00:06:10.129 --> 00:06:16.490
applause
00:06:16.490 --> 00:06:21.690
So that means, the first thing
that comes to mind is like:
00:06:21.690 --> 00:06:25.759
Let’s do real-time transaction
manipulation. That means we manipulate
00:06:25.759 --> 00:06:30.219
a transaction that the user does,
but we will change the recipient
00:06:30.219 --> 00:06:36.259
and the user won’t see anything about this.
So if we look at this graphic again,
00:06:36.259 --> 00:06:42.049
what if an attacker could get the DNS
record of api.tech26.de under his control?
00:06:42.049 --> 00:06:48.079
This would mean that all traffic is routed
over the man-in-the-middle attacker server
00:06:48.079 --> 00:06:53.820
and, as there is no certificate pinning,
we could just issue a Let’s Encrypt
00:06:53.820 --> 00:06:59.930
TLS certificate and the app is going
to trust the certificate.
00:06:59.930 --> 00:07:04.230
How does this work?
Let’s take an example here.
00:07:04.230 --> 00:07:08.580
Let’s imagine I want to transfer
2 Euro to my friend Dominik.
00:07:08.580 --> 00:07:13.240
After I entered all the transaction details
I have to enter my transfer code, too.
00:07:13.240 --> 00:07:18.930
When I did this I got like the second
factor where you need the paired device
00:07:18.930 --> 00:07:23.669
and I need to confirm it. This is just
like the next dialogue inside the app.
00:07:23.669 --> 00:07:27.890
After I confirmed it, the transaction went
through, everything looks good.
00:07:27.890 --> 00:07:32.199
2 Euro less on my account, pretty good.
00:07:32.199 --> 00:07:37.479
In the next step you can see in your
transaction overview too, that
00:07:37.479 --> 00:07:42.690
there are 2 Euro less. But after the attack
when N26 realized that something wrong
00:07:42.690 --> 00:07:47.000
was going on and they fixed it you will
realize that we actually transferred
00:07:47.000 --> 00:07:51.539
20 Euro, not 2. But this was
completely transparent for the user
00:07:51.539 --> 00:07:56.209
even after the attack.
Okay, this is nice.
00:07:56.209 --> 00:07:59.790
We can manipulate a transaction
in real time, but
00:07:59.790 --> 00:08:05.419
wouldn’t it be even more interesting
to take over entire accounts
00:08:05.419 --> 00:08:09.010
to do our own transactions?
00:08:09.010 --> 00:08:13.669
For this, we need the login credentials,
the transfer code and the paired phone.
00:08:13.669 --> 00:08:17.069
So we need to obtain all of them.
00:08:17.069 --> 00:08:20.459
Let’s start with the login credentials.
00:08:20.459 --> 00:08:26.479
Actually, I want to assume that the login
credentials are already compromised.
00:08:26.479 --> 00:08:33.530
But there are some weak points in the
security system of the N26 transactions,
00:08:33.530 --> 00:08:37.260
that make it an easier task to obtain
those login credentials.
00:08:37.260 --> 00:08:41.919
There are two things I want to talk about.
The first thing is the recovery-from-loss
00:08:41.919 --> 00:08:47.460
procedure. When you forget your
password, N26 just sends
00:08:47.460 --> 00:08:50.500
an email to your email account.
There is a link inside, you click it
00:08:50.500 --> 00:08:53.959
and you can just reset your password.
00:08:53.959 --> 00:08:58.160
This breaks the N26 password policy
00:08:58.160 --> 00:09:04.060
which is actually pretty solid, because
if you have access to the email account,
00:09:04.060 --> 00:09:08.029
you have automatically access
to the N26 account, too
00:09:08.029 --> 00:09:14.389
and the access to the email account
could be as bad as “password” or “123456”.
00:09:14.389 --> 00:09:18.440
Another idea is spear phishing. Think
of spear phishing like a more targeted
00:09:18.440 --> 00:09:22.839
version of phishing. What you always need
for phishing is a similar domain,
00:09:22.839 --> 00:09:27.010
something the user can relate to. And
if you want to make spear phishing
00:09:27.010 --> 00:09:30.350
you want to have it more targeted.
That means you want to expose
00:09:30.350 --> 00:09:34.759
N26 customers, so only send out mails
to them. And you need to have
00:09:34.759 --> 00:09:39.249
a valid reason to contact them.
About the domain:
00:09:39.249 --> 00:09:45.139
usually N26 uses number26.de;
and for password resets
00:09:45.139 --> 00:09:51.480
e.g. number26.tech.
Sounds pretty valid in my eyes.
00:09:51.480 --> 00:09:57.740
Only by chance I happen to own
that domain. laughter
00:09:57.740 --> 00:10:03.520
The next thing is exposing
N26 customers. N26 offers
00:10:03.520 --> 00:10:09.840
peer-to-peer transactions, that means if
your recipient also has an N26 account,
your recipient also has a N26 account,
00:10:09.840 --> 00:10:15.660
those transactions are instant.
To show the N26 customers
00:10:15.660 --> 00:10:20.040
which of their contacts actually have
an N26 account, they upload
00:10:20.040 --> 00:10:25.089
all of the email addresses, all of the
phone numbers in your address book
00:10:25.089 --> 00:10:30.160
to the N26 backend.
Unhashed.
00:10:30.160 --> 00:10:34.860
applause
00:10:34.860 --> 00:10:39.709
But we actually want to use this to
identify customers of a given dataset.
00:10:39.709 --> 00:10:43.779
We can actually abuse this API for that.
00:10:43.779 --> 00:10:49.410
Do you remember the recent Dropbox leak
that revealed 68 million accounts?
00:10:49.410 --> 00:10:54.649
We evaluated all of those 68 million
email accounts against this API
00:10:54.649 --> 00:10:58.680
and N26 took no notice of this.
There were no limits applied.
00:10:58.680 --> 00:11:03.439
They just think, I’m really popular.
laughter
00:11:03.439 --> 00:11:10.519
applause
00:11:10.519 --> 00:11:17.870
In the end, we revealed 33,000 N26
customers and could now send out
00:11:17.870 --> 00:11:22.500
e-mails to them. Actually, this also provides
a valid reason to contact them.
00:11:22.500 --> 00:11:27.520
E.g. the usual e-mail of N26 looks
somehow like this.
00:11:27.520 --> 00:11:31.759
So we could say to them: “Hey, you are
affected by the Dropbox leak, please
00:11:31.759 --> 00:11:41.070
change your password for your own security.
Click this link to change your password.”
00:11:41.070 --> 00:11:47.480
Now I can already see the N26
management board nervous,
00:11:47.480 --> 00:11:52.220
but don’t worry, we didn’t do this.
My professor had legal concerns.
00:11:52.220 --> 00:11:57.250
laughter
00:11:57.250 --> 00:12:02.829
Now, that we have the login credentials,
we have to wonder: Can we already
00:12:02.829 --> 00:12:08.940
do something with those login credentials?
And this brings me to Siri transactions.
00:12:08.940 --> 00:12:13.979
With iOS 10 N26 now supports
transactions using Siri. That means
00:12:13.979 --> 00:12:19.200
now you can just say: “Send 5 Euro
to Dominik Maier using N26”, then
00:12:19.200 --> 00:12:24.200
the transaction pops up and you can say:
“Send it” and afterwards it’s gone.
00:12:24.200 --> 00:12:29.389
The app doesn’t even open.
So this already sounds wrong,
00:12:29.389 --> 00:12:33.680
laughter …but you can only
do this with the paired device.
00:12:33.680 --> 00:12:39.579
If you use another phone and just
log in and try to use Siri with this,
00:12:39.579 --> 00:12:43.500
this dialogue appears and you really
have to open the app and have
00:12:43.500 --> 00:12:51.709
to confirm it with the paired phone. As it
turns out, this is just a client feature.
00:12:51.709 --> 00:12:53.819
laughter
00:12:53.819 --> 00:12:57.449
This is actually the entire payload
you need. It’s just like “5 Euro
00:12:57.449 --> 00:13:02.260
to Dominik Maier”, and there is the phone
number. And look at this API endpoint,
00:13:02.260 --> 00:13:07.880
‘/transactions/unverified’.
So it turns out
00:13:07.880 --> 00:13:11.939
you don’t need the paired phone
to do this type of transaction.
00:13:11.939 --> 00:13:19.839
applause
00:13:19.839 --> 00:13:23.709
Yet another thing that’s interesting
is that N26 claims that they have
00:13:23.709 --> 00:13:28.050
some intelligent algorithms
to immediately detect irregularities
00:13:28.050 --> 00:13:34.079
and prevent fraud before it even occurs.
So we thought: “Challenge accepted!”
00:13:34.079 --> 00:13:38.879
laughter and applause
00:13:38.879 --> 00:13:42.829
And what we actually did,
and I think this is pretty irregular,
00:13:42.829 --> 00:13:48.680
we sent 2000 Siri transactions
worth 1 Cent within 30 minutes.
00:13:48.680 --> 00:13:51.180
laughter
00:13:51.180 --> 00:13:56.820
Try to speak that fast.
Ok.
00:13:56.820 --> 00:14:02.779
And so what happened? Like we waited the
next day and the day after nobody actually
00:14:02.779 --> 00:14:07.120
made contact with us, and we thought they
would never actually make contact.
00:14:07.120 --> 00:14:10.829
But over three weeks later
N26 required Dominik to explain
00:14:10.829 --> 00:14:15.790
the “unusual amount” of transactions.
Okay, they even threatened to cancel
00:14:15.790 --> 00:14:20.449
his account. I mean, this is actually…
it’s reasonable because it’s a clear misuse
00:14:20.449 --> 00:14:24.489
of the account and it violates
their Terms of Service.
00:14:24.489 --> 00:14:29.520
But Dominik didn’t send those
transactions, he received them!
00:14:29.520 --> 00:14:30.620
laughter
00:14:30.620 --> 00:14:35.240
They contacted the wrong person!
This is kind of like
00:14:35.240 --> 00:14:38.590
if Gmail cancels your account
because you received spam!
00:14:38.590 --> 00:14:41.509
loud laughter
00:14:41.509 --> 00:14:49.310
applause
00:14:49.310 --> 00:14:53.709
Okay, let’s go back to the account
hijacking. And the next thing we need
00:14:53.709 --> 00:14:59.020
to obtain is the transfer code and get
the control over the paired phone.
00:14:59.020 --> 00:15:03.480
What we will do: with the transfer code
we will try to reset it; and
00:15:03.480 --> 00:15:07.220
the paired phone we have to un-pair.
Actually, those processes are
00:15:07.220 --> 00:15:14.060
not as independent as they seem. So
I will start right away with the paired phone.
00:15:14.060 --> 00:15:17.980
As I said in the beginning, un-pairing is
actually a highly-secured process
00:15:17.980 --> 00:15:24.720
and I mean, this is my serious opinion.
So let’s look at the process.
00:15:24.720 --> 00:15:29.029
At first, when you want to pair a new
phone, like I said, you need to un-pair
00:15:29.029 --> 00:15:33.509
the existing one. To do so, you open the
app, then you click on “Un-pair” and
00:15:33.509 --> 00:15:40.230
afterwards they send a link to your
email account. Then, in the e-mail
00:15:40.230 --> 00:15:46.290
you need to follow the un-pairing link.
00:15:46.290 --> 00:15:50.570
In the next step the real un-pairing
process starts, where you
00:15:50.570 --> 00:15:55.379
have to enter your transfer code first,
then your MasterCard ID. This is something
00:15:55.379 --> 00:16:01.319
that is kind of special for N26, like,
every N26 account comes with a MasterCard,
00:16:01.319 --> 00:16:06.760
and they have printed a 10-digit numerical
token below your name. I don’t know
00:16:06.760 --> 00:16:09.570
what this actually is, it’s not the PAN,
it’s not the credit card number but
00:16:09.570 --> 00:16:14.890
some other sort of token. So you need
to have the Mastercard, actually.
00:16:14.890 --> 00:16:19.279
And in the last step they’re going to send
an SMS to you with a token, and you have
00:16:19.279 --> 00:16:24.130
to enter it. And only after this process
the un-pairing is done.
00:16:24.130 --> 00:16:28.170
So that means we need to have access to
the e-mail account. We need to know
00:16:28.170 --> 00:16:31.890
the transfer code. We need to have the
Mastercard and we need to own the SIM card
00:16:31.890 --> 00:16:40.869
in order to receive the token.
You can’t screw up each of those.
00:16:40.869 --> 00:16:47.760
laughter and applause
00:16:47.760 --> 00:16:52.430
Okay. Let’s go into it. So, the first
thing: when you actually click
00:16:52.430 --> 00:16:58.110
on that item in your app where
it says “Start un-pairing”
00:16:58.110 --> 00:17:03.379
it sends – this is basically an HTTP GET
request but you wouldn’t believe
00:17:03.379 --> 00:17:08.949
that they send the link as a response.
So – it’s not this plate (?)
00:17:08.949 --> 00:17:13.680
but it’s there. So you don’t need to
have access to the e-mail account
00:17:13.680 --> 00:17:17.289
because it’s in the response.
laughs
00:17:17.289 --> 00:17:20.119
laughter
00:17:20.119 --> 00:17:25.270
Okay. Next thing. The transfer code
– I actually will skip this for the moment
00:17:25.270 --> 00:17:29.789
and we’ll get right back to this. But the
next thing is actually the Mastercard ID.
00:17:29.789 --> 00:17:35.870
And this ID is printed on the card,
and we don’t have access to that card.
00:17:35.870 --> 00:17:40.790
So what will we do?
In the transaction overview
00:17:40.790 --> 00:17:45.340
N26 shows a lot of properties,
e.g. the amount, the beneficiary,
00:17:45.340 --> 00:17:49.770
whatever. And it turns out that this…
00:17:49.770 --> 00:17:52.909
laughter and turmoil
that they used
00:17:52.909 --> 00:17:57.220
this Mastercard ID, they thought: “Oh,
this is actually a nice ID, let’s use it
00:17:57.220 --> 00:18:02.260
as a prefix”. So, again, this is not
displayed to the user inside the app
00:18:02.260 --> 00:18:07.960
but it’s clearly there in the API.
It’s way too verbose.
00:18:07.960 --> 00:18:14.889
So…
applause
00:18:14.889 --> 00:18:19.940
Okay. Whenever…
00:18:19.940 --> 00:18:23.610
the step that I just skipped
was this transfer code.
00:18:23.610 --> 00:18:29.000
The transfer code is unknown.
But you can reset the transfer code.
00:18:29.000 --> 00:18:32.590
And it is – as it turns out – what you
need to reset the transfer code
00:18:32.590 --> 00:18:35.480
is the Mastercard ID.
laughs
00:18:35.480 --> 00:18:43.000
laughter and applause
00:18:43.000 --> 00:18:47.320
So you need to enter this Mastercard ID
00:18:47.320 --> 00:18:52.510
that I just told you how we will get
and then we just will confirm
00:18:52.510 --> 00:18:57.870
our new transfer code. Think of one,
I don’t know. Any code.
00:18:57.870 --> 00:19:01.840
And therefore we don’t need to know the
transfer code. Not even the old one
00:19:01.840 --> 00:19:06.660
because it’s not required.
The Mastercard ID is sufficient.
00:19:06.660 --> 00:19:11.940
Then. The last step. SMS.
The SIM card is inaccessible.
00:19:11.940 --> 00:19:17.450
We don’t have access to that phone. But
this is a 5-digit token that they send out
00:19:17.450 --> 00:19:22.659
and it’s only numbers. I mean
this is 100,000 possibilities.
00:19:22.659 --> 00:19:28.980
And even though the login procedure, the
login form, has a brute-force protection
00:19:28.980 --> 00:19:32.000
this doesn’t have any
brute force protection. So…
00:19:32.000 --> 00:19:35.470
laughter
00:19:35.470 --> 00:19:39.920
…the maximum that I could get out of the
backend was 160 requests per second!
00:19:39.920 --> 00:19:42.430
laughter
00:19:42.430 --> 00:19:45.760
So this means…
laughs
00:19:45.760 --> 00:19:54.630
applause
00:19:54.630 --> 00:20:04.230
So that means that it takes on average
approx. 5 minutes to get this token.
00:20:04.230 --> 00:20:09.190
In the end we will just brute-force it
and that’s it. Okay. That’s…
00:20:09.190 --> 00:20:11.740
laughter
00:20:11.740 --> 00:20:17.000
Let’s look if this really works.
At first we will log in to the app
00:20:17.000 --> 00:20:22.280
just to see that it’s paired. And if it
wouldn’t be paired we would know,
00:20:22.280 --> 00:20:27.320
like, see a dialogue
that we should pair our phone.
00:20:27.320 --> 00:20:30.960
So now it opens. Great.
00:20:30.960 --> 00:20:36.770
And now we will start our script.
00:20:36.770 --> 00:20:43.460
And N26 claimed that this attack
doesn’t scale, just don’t blink!
00:20:43.460 --> 00:20:45.030
exhales sharply
00:20:45.030 --> 00:20:47.240
So those are the login credentials
laughter
00:20:47.240 --> 00:20:50.960
…that will do all the fun. And actually,
everything already happened, it’s just
00:20:50.960 --> 00:20:55.450
the brute-forcing that now takes place.
And I have to admit that I have been
00:20:55.450 --> 00:21:02.559
really lucky this time because
we are done now. laughter
00:21:02.559 --> 00:21:07.220
So this is the response, now the SMS
numeric token is valid, and the phone
00:21:07.220 --> 00:21:12.100
has been successfully un-paired. Okay,
now let’s verify in the app… if this worked
00:21:12.100 --> 00:21:19.800
really? So let’s open it again. Touch ID
expired, so this is actually good.
00:21:19.800 --> 00:21:27.250
That means that something happened.
Let’s log in with our password.
00:21:27.250 --> 00:21:31.020
And there it prompts us for pairing
the phone. So it worked.
00:21:31.020 --> 00:21:39.860
applause
00:21:39.860 --> 00:21:44.030
Yeah…
laughter
00:21:44.030 --> 00:21:50.470
This… even though I said that this attack
really scales very well it has a drawback.
00:21:50.470 --> 00:21:54.549
Because three mails are sent out to the
user. The first one when you actually
00:21:54.549 --> 00:21:58.470
start the un-pairing, the second one
when you reset the transfer PIN and
00:21:58.470 --> 00:22:02.149
the third one when the un-pairing is
successful. And the user also receives
00:22:02.149 --> 00:22:08.200
an SMS. But I mean fraud is perfectly
possible. But is there a possibility
00:22:08.200 --> 00:22:14.550
to avoid this? Let’s try to call
the customer support.
00:22:14.550 --> 00:22:19.850
The customer support is actually the most
powerful entity in the N26 security model.
00:22:19.850 --> 00:22:23.460
Because they can even change things
you can’t change inside the app.
00:22:23.460 --> 00:22:27.260
E.g. your email address, or name
– you cannot change.
00:22:27.260 --> 00:22:32.950
But they can. So let’s talk with them.
They can… it turns out they can also
00:22:32.950 --> 00:22:38.370
un-pair phones. So now the question arises
of course you cannot just call there
00:22:38.370 --> 00:22:42.029
and say: “Hey, my name is Vincent,
please un-pair my phone.” Of course they
00:22:42.029 --> 00:22:47.239
are going to authenticate you. And what…
loud laughter
00:22:47.239 --> 00:22:53.120
…and what will they ask? They will ask
for the Mastercard ID. We know that.
00:22:53.120 --> 00:22:56.410
The current account balance is always
available if you have the login credentials.
00:22:56.410 --> 00:23:00.539
Okay. There’s one thing that is
still missing. Place of birth.
00:23:00.539 --> 00:23:05.590
It’s always the same.
laughter
00:23:05.590 --> 00:23:11.500
It’s, again, you can’t see this information
inside the app. It’s just not displayed.
00:23:11.500 --> 00:23:14.340
But it’s there. There’s so much
information you can’t think of.
00:23:14.340 --> 00:23:19.780
Really, they know more about me than I do.
laughter
00:23:19.780 --> 00:23:23.850
Now that means we have all information
available, and we can change any data.
00:23:23.850 --> 00:23:28.230
And the user won’t receive any notice
of that. So no email, nothing.
00:23:28.230 --> 00:23:32.390
So we can just un-pair the phone,
and later we can pair our own one,
00:23:32.390 --> 00:23:36.460
or… this is perfectly stealthy.
00:23:36.460 --> 00:23:42.500
Now actually I heard already: “Ah,
I only got 50 Euro on my account,
00:23:42.500 --> 00:23:46.610
why should I care?”
00:23:46.610 --> 00:23:52.020
This is actually a valid argument because
many N26 accounts are opened out of
00:23:52.020 --> 00:23:58.559
curiosity, and many are inactive, or not
used seriously, that means you only use it
00:23:58.559 --> 00:24:02.590
for travelling or paying things online
because of the conditions.
00:24:02.590 --> 00:24:06.919
But you don’t use it as the salary account
so there is frequently not so much money
00:24:06.919 --> 00:24:13.740
in it. But as this wants to be the
financial hub for all the services
00:24:13.740 --> 00:24:19.850
you of course can also apply for an
overdraft. And this is an instant overdraft
00:24:19.850 --> 00:24:25.110
that is granted within two minutes.
And it’s between… you have guaranteed
00:24:25.110 --> 00:24:32.100
50 Euro and up to 2000. This requires
the paired device. What did we just do?
00:24:32.100 --> 00:24:35.200
We have the paired device.
We have the entire account.
00:24:35.200 --> 00:24:39.159
So what do we do?
We will just hijack the account
00:24:39.159 --> 00:24:43.559
then we apply for an overdraft,
and then we will take all the money
00:24:43.559 --> 00:24:47.350
he has as a balance
and as an overdraft.
00:24:47.350 --> 00:24:50.470
So even if you don’t have money
on your account and think you’re safe
00:24:50.470 --> 00:24:54.779
you are not.
laughs
00:24:54.779 --> 00:25:02.480
Okay. This was quite a bit, something.
I want to talk briefly about disclosure
00:25:02.480 --> 00:25:07.030
before I will draw my conclusion.
00:25:07.030 --> 00:25:12.720
I reported all these issues to N26 on
September 25. I didn’t establish
00:25:12.720 --> 00:25:16.500
the contact, this was the CCC.
Thank you for that.
00:25:16.500 --> 00:25:22.240
I did this because I didn’t know how N26
would react to this kind of vulnerability.
00:25:22.240 --> 00:25:26.350
But, actually, there was no reason
to think so. Because they acted
00:25:26.350 --> 00:25:31.649
really professionally. And they were
actually thankful that I revealed
00:25:31.649 --> 00:25:34.930
these vulnerabilities.
00:25:34.930 --> 00:25:45.490
applause
00:25:45.490 --> 00:25:49.940
Then, afterwards, they started
to incrementally fix the issues.
00:25:49.940 --> 00:25:54.519
I don’t know when they fixed the first
thing. I didn’t monitor the process.
00:25:54.519 --> 00:25:58.039
But the last fix I know of happened on
December 13 when they implemented
00:25:58.039 --> 00:26:02.760
certificate pinning on iOS. And,
apparently, I have to say that
00:26:02.760 --> 00:26:10.019
I didn’t check everything. But
apparently all issues are resolved.
00:26:10.019 --> 00:26:15.390
But what are the consequences out of
this? It is obvious that N26 needs to put
00:26:15.390 --> 00:26:22.789
more emphasis on security. It’s important
to notice that this wasn’t a coincidence.
00:26:22.789 --> 00:26:27.730
It simply wasn’t! And N26 needs to
understand that it’s not enough to release
00:26:27.730 --> 00:26:31.340
videos with the caption “mobile first meets
safety first” and to claim that security
00:26:31.340 --> 00:26:39.770
is of paramount importance to them.
So PR shouldn’t do your security.
00:26:39.770 --> 00:26:45.360
It’s funny: If you visit the N26 home page
you will find out that they currently have
00:26:45.360 --> 00:26:53.200
44 open positions. Not even one
is dedicated to security.
00:26:53.200 --> 00:26:56.690
Furthermore, with such a strategy
FinTechs squander the trust
00:26:56.690 --> 00:27:01.420
in financial institutions that banks
established over years, actually.
00:27:01.420 --> 00:27:06.610
Today you usually trust in your bank
that they will deal with your money
00:27:06.610 --> 00:27:11.750
responsibly. And in the end you also
need to question authorities. I mean
00:27:11.750 --> 00:27:18.779
it was BaFin that granted a banking
license to N26 only six months ago.
00:27:18.779 --> 00:27:26.499
And, really, those vulnerabilities
have been in sight for a long time.
00:27:26.499 --> 00:27:32.190
Okay. I think, like… the résumé for this is:
00:27:32.190 --> 00:27:36.409
you shouldn’t say “Works for me”
when it’s about security.
00:27:36.409 --> 00:27:38.939
So, thank you!
00:27:38.939 --> 00:27:59.239
applause
00:27:59.239 --> 00:28:05.510
Herald: Thank you Vincent. That was
awesome. And also kind of fucking scary.
00:28:05.510 --> 00:28:09.820
We only have a short time for questions.
Is there anybody who has a question
00:28:09.820 --> 00:28:18.950
for Vincent?
00:28:18.950 --> 00:28:22.970
No, I guess everybody is out
deleting banking apps.
00:28:22.970 --> 00:28:26.760
laughter
00:28:26.760 --> 00:28:31.730
Oh, number 6!
00:28:31.730 --> 00:28:35.800
Question: Quick question.
00:28:35.800 --> 00:28:40.429
Do you know whether they
have disallowed those apps
00:28:40.429 --> 00:28:44.370
that have not yet been updated
to still manage their bank account?
00:28:44.370 --> 00:28:49.889
So e.g. if someone has a mobile app
that has not yet been updated
00:28:49.889 --> 00:28:52.750
to the version that includes certificate
pinning would that person
00:28:52.750 --> 00:28:55.100
still be vulnerable to
man-in-the-middle attacks?
00:28:55.100 --> 00:28:56.530
Vincent: Yes.
00:28:56.530 --> 00:28:59.640
laughter
laughs
00:28:59.640 --> 00:29:03.909
Actually they don’t have so much of an
idea which device you are using.
00:29:03.909 --> 00:29:10.970
They don’t even know which is the paired
device! This is only a client value.
00:29:10.970 --> 00:29:14.500
Herald: Do two more,
it’s a guy here on number 1.
00:29:14.500 --> 00:29:18.429
Question: Thanks for the talk. Did they
actually invite you to help them
00:29:18.429 --> 00:29:22.540
or give your talk at N26?
Have they been in contact with you?
00:29:22.540 --> 00:29:26.970
Vincent: Yes, we have been in contact and
I also visited them and gave a workshop,
00:29:26.970 --> 00:29:29.000
so yeah, they…
00:29:29.000 --> 00:29:32.790
laughter and applause
00:29:32.790 --> 00:29:34.320
Question: Are you serious?
00:29:34.320 --> 00:29:39.439
Vincent: I am serious, yes!
ongoing applause
00:29:39.439 --> 00:29:42.189
Herald: And we do one last,
one here, from number 5, please.
00:29:42.189 --> 00:29:45.120
Question: So during your talk you
name-dropped Let’s Encrypt, and
00:29:45.120 --> 00:29:48.330
you kind of glossed over that bit, about
getting them to issue a certificate
00:29:48.330 --> 00:29:53.190
for their API host name.
Do you know something I don’t?
00:29:53.190 --> 00:29:55.750
Vincent: Ehm, the question, again?
I don’t…
00:29:55.750 --> 00:29:59.530
Question: So you mentioned getting
a Let’s Encrypt certificate to impersonate
00:29:59.530 --> 00:30:02.450
their API host name, because they
weren’t using certificate pinning.
00:30:02.450 --> 00:30:04.770
How did you go about doing that?
00:30:04.770 --> 00:30:07.500
Vincent: But I didn’t do it.
This, like, was a scenario.
00:30:07.500 --> 00:30:15.500
That’s an attack scenario. I didn’t hijack
the DNS record, okay, sorry.
00:30:15.500 --> 00:30:16.970
laughs
00:30:16.970 --> 00:30:19.509
Question: Thank you.
00:30:19.509 --> 00:30:22.030
Herald: Alright. Thanks everybody for
joining. And give a big round of applause
00:30:22.030 --> 00:30:23.610
here for Vincent!
00:30:23.610 --> 00:30:27.260
applause
00:30:27.260 --> 00:30:32.240
postroll music
00:30:32.240 --> 00:30:50.981
Subtitles created by c3subtitles.de
in the year 2017. Join and help us!