Return to Video

Shut Up and Take My Money! (33c3)

  • 0:00 - 0:14
    33C3 preroll music
  • 0:14 - 0:19
    Herald: Next talk is gonna be “Shut up
    and take my money” by Vincent Haupert.
  • 0:19 - 0:22
    Vincent is a research associate
    at the security research group
  • 0:22 - 0:26
    of the Department of Computer Science
    at Friedrich-Alexander-Universität
  • 0:26 - 0:34
    in Erlangen, Nürnberg, Germany.
    Typical, very long German word.
  • 0:34 - 0:38
    His main research interests are
    authentication, system security
  • 0:38 - 0:40
    and software protection of mobile devices.
  • 0:40 - 0:43
    It’s actually Vincent’s second time
    speaking at the Congress.
  • 0:43 - 0:49
    Last year’s talk discussed conceptual
    insecurity of app-generated passwords
  • 0:49 - 0:54
    in online banking. This year
    he will discuss the practical aspects
  • 0:54 - 0:59
    and some successful hacks that,
    if I recall correctly,
  • 0:59 - 1:02
    took over entire bank accounts
    from users’ mobile apps.
  • 1:02 - 1:05
    With that, Vincent, over to you.
  • 1:05 - 1:12
    applause
  • 1:12 - 1:15
    Vincent Haupert: Hello again,
    thanks for the warm welcome,
  • 1:15 - 1:20
    and let’s dive right into it
    because we have a tough program.
  • 1:20 - 1:25
    Okay. First of all, online banking
    is something that affects us all,
  • 1:25 - 1:29
    because virtually everybody uses it.
    In traditional online banking,
  • 1:29 - 1:34
    we use two devices.
    One to initiate our payments
  • 1:34 - 1:37
    – and to log in
    with user name and password –
  • 1:37 - 1:41
    and another device
    to confirm transactions.
  • 1:41 - 1:48
    With the rise of mobile devices, app-based
    confirmation procedures became popular
  • 1:48 - 1:53
    like this app there.
    In the recent past,
  • 1:53 - 1:59
    what I have been talking about last year,
    it became popular
  • 1:59 - 2:03
    to implement those two devices
    in two apps. That means you only have
  • 2:03 - 2:07
    one single device and have two apps now
  • 2:07 - 2:13
    to authenticate transactions.
  • 2:13 - 2:19
    Last year I showed that this has
    severe conceptional drawbacks.
  • 2:19 - 2:27
    But this is not the end of it.
    The latest evolution in online banking
  • 2:27 - 2:32
    are now one-app authentication models.
    I already said this last year:
  • 2:32 - 2:36
    Actually, it doesn’t make so much
    difference. So banks are no longer faking
  • 2:36 - 2:42
    to have real two-factor authentication.
    It’s now clear that it’s just one,
  • 2:42 - 2:47
    so you do the transaction initialization
    inside the app
  • 2:47 - 2:52
    and the confirmation is just
    another dialog inside the app.
  • 2:52 - 2:56
    This time I want to talk about N26,
  • 2:56 - 3:02
    the shining star
    on the German FinTech sky.
  • 3:02 - 3:09
    Actually, this time I’m only going to be
    talking about technical issues.
  • 3:09 - 3:14
    It’s clear that we have similar conceptual
    problems like with two-app authentication,
  • 3:14 - 3:21
    but I will focus on technical issues
    because we have enough of this there.
  • 3:21 - 3:26
    Briefly about N26: N26 is
    a Berlin-based, “Mobile First” FinTech
  • 3:26 - 3:31
    and it plans to establish your smartphone
    as your financial hub
  • 3:31 - 3:36
    for everything, so that you do
    literally everything
  • 3:36 - 3:41
    from inside the app.
    Actually it was only founded in 2013,
  • 3:41 - 3:46
    it started in 2015 with their app and it
    already has over 200.000 customers,
  • 3:46 - 3:50
    which is astonishing, actually.
  • 3:50 - 3:54
    It now also has its own European
    banking license. It’s only, I think,
  • 3:54 - 3:59
    half a year ago; and it announced
    not even one month ago that it’s now
  • 3:59 - 4:05
    available in 17 European countries.
    And they also claim
  • 4:05 - 4:09
    that you can open a bank account
    in just eight minutes. As it turns out
  • 4:09 - 4:11
    you can lose it even faster.
  • 4:11 - 4:15
    laughter
  • 4:15 - 4:21
    Okay, let’s talk briefly about transaction
    security in the Number 26 app.
  • 4:21 - 4:24
    If you want to do a transaction,
    you at first need to log in.
  • 4:24 - 4:28
    This works with your user name,
    in this case it’s just your email address,
  • 4:28 - 4:30
    and your password.
    This is pretty standard.
  • 4:30 - 4:34
    Afterwards you are good to initiate
    a transaction. After you have entered
  • 4:34 - 4:39
    all the details you also have to supply a
    transfer code. This is just a four-digit
  • 4:39 - 4:46
    number, you use this also to withdraw
    cash. Probably you would call this ‘PIN’.
  • 4:46 - 4:51
    The last factor in this authentication
    scheme is you paired phone.
  • 4:51 - 4:56
    This is actually the most important
    security feature of the N26 account,
  • 4:56 - 5:01
    and you can only pair one smartphone
    with you N26 account.
  • 5:01 - 5:05
    That means, from a technical
    perspective, the N26 app,
  • 5:05 - 5:10
    the very first time you start it,
    generates a RSA key pair
  • 5:10 - 5:13
    and sends the public key to the N26
    backend. And whenever you initiate
  • 5:13 - 5:18
    a transaction they are going to send
    an encrypted challenge to your smartphone
  • 5:18 - 5:23
    and you send it back decrypted.
    That’s how it works. Actually,
  • 5:23 - 5:28
    re-pairing, that means pairing another
    phone is a pretty well secured process,
  • 5:28 - 5:33
    but we will talk about this later. Just
    to talk about the infrastructure
  • 5:33 - 5:38
    of N26: basically they have two apps,
    one for iOS, one for Android,
  • 5:38 - 5:42
    and they communicate over
    a JSON-based protocol, TLS encrypted.
  • 5:42 - 5:47
    The backend is at api.tech26.de.
  • 5:47 - 5:51
    How do I know, actually, that this is
    a JSON-based protocol: because I used
  • 5:51 - 5:57
    a TLS man-in-the-middle attack
    to log the protocol.
  • 5:57 - 6:03
    I only needed to install a certificate,
    the MITM proxy certificate on the client,
  • 6:03 - 6:07
    but actually I was surprised that I didn’t
    need to touch the client, because
  • 6:07 - 6:10
    they didn’t implement
    any certificate pinning.
  • 6:10 - 6:16
    applause
  • 6:16 - 6:22
    So that means, the first thing
    that comes into mind is like:
  • 6:22 - 6:26
    Let’s do real-time transaction
    manipulation. That means we manipulate
  • 6:26 - 6:30
    a transaction that the user does,
    but we will change the recipient
  • 6:30 - 6:36
    and the user won’t see nothing about this.
    So if we look at this graphic again,
  • 6:36 - 6:42
    what if an attacker could get the DNS
    record of api.tech26.de under his control?
  • 6:42 - 6:48
    This would mean that all traffic is routed
    over the man-in-the-middle attacker server
  • 6:48 - 6:54
    and, as there is no certificate pinning,
    we could just issue a Letsencrypt
  • 6:54 - 7:00
    TLS certificate and the app is going
    to trust the certificate.
  • 7:00 - 7:04
    How does this work?
    Let’s take an example here.
  • 7:04 - 7:09
    Let’s image I want to transfer
    2 Euro to my friend Dominik.
  • 7:09 - 7:13
    After I entered all the transaction details
    I have to enter my transfer code, too.
  • 7:13 - 7:19
    When I did this I get like the second
    factor where you need the paired device
  • 7:19 - 7:24
    and I need to confirm it. This is just
    like the next dialogue inside the app.
  • 7:24 - 7:28
    After I confirmed it, the transaction went
    through, everything looks good.
  • 7:28 - 7:32
    2 Euro less on my account, pretty good.
  • 7:32 - 7:37
    In the next step you can see in your
    transaction overview too, that
  • 7:37 - 7:43
    there are 2 Euro less. But after the attack
    when N26 realized that something wrong
  • 7:43 - 7:47
    was going on and they fixed it you will
    realize that we actually transferred
  • 7:47 - 7:52
    20 Euro, not 2. But this was
    completely transparent for the user
  • 7:52 - 7:56
    even after the attack.
    Okay, this is nice.
  • 7:56 - 8:00
    We can manipulate a transaction
    in real time, but
  • 8:00 - 8:05
    wouldn’t it be even more interesting
    to take over entire accounts
  • 8:05 - 8:09
    to do our own transactions?
  • 8:09 - 8:14
    For this, we need the login credentials,
    the transfer code and the paired phone.
  • 8:14 - 8:17
    So we need to obtain all of them.
  • 8:17 - 8:20
    Let’s start with the login credentials.
  • 8:20 - 8:26
    Actually, I want to assume, that the login
    credentials are already compromised.
  • 8:26 - 8:34
    But there are some weak points in the
    security system of the N26 transactions,
  • 8:34 - 8:37
    that make it an easier task to obtain
    those login credentials.
  • 8:37 - 8:42
    There are two things I want to talk about.
    The first thing is the recovery-from-loss
  • 8:42 - 8:47
    procedure. When you forget your
    password, N26 just sends
  • 8:47 - 8:50
    an email to your email account.
    There is a link inside, you click it
  • 8:50 - 8:54
    and you can just reset your password.
  • 8:54 - 8:58
    This breaks the N26 password policy
  • 8:58 - 9:04
    which is actually pretty solid, because
    if you have access to the email account,
  • 9:04 - 9:08
    you have automatically access
    to the N26 account, too
  • 9:08 - 9:14
    and the access to the email account
    could be as bad as “password” or “123456”.
  • 9:14 - 9:18
    Another idea is spear phishing. Think
    of spear phishing like a more targeted
  • 9:18 - 9:23
    version of phishing. What you always need
    for phishing is a similar domain,
  • 9:23 - 9:27
    something the user can relate to. And
    if you want to make spear phishing
  • 9:27 - 9:30
    you want to have it more targeted.
    That means you want to expose
  • 9:30 - 9:35
    N26 customers, so only send out mails
    to them. And you need to have
  • 9:35 - 9:39
    a valid reason to contact them.
    About the domain:
  • 9:39 - 9:45
    usually N26 uses number26.de;
    and for password resets
  • 9:45 - 9:51
    e.g. number26.tech.
    Sounds pretty valid in my eyes.
  • 9:51 - 9:58
    Only by chance I happen to own
    that domain. laughter
  • 9:58 - 10:04
    The next thing is exposing
    N26 customers. N26 offers
  • 10:04 - 10:10
    peer to peer transactions, that means if
    your recipient also has a N26 account,
  • 10:10 - 10:16
    those transactions are instant.
    To show the N26 customers
  • 10:16 - 10:20
    who of his contacts actually have
    an N26 account, they upload
  • 10:20 - 10:25
    all of the email addresses, all of the
    phone numbers in your address book
  • 10:25 - 10:30
    to the N26 backend.
    Unhashed.
  • 10:30 - 10:35
    applause
  • 10:35 - 10:40
    But we actually want to use this to
    identify customers of a given dataset.
  • 10:40 - 10:44
    We can actually abuse this API for that.
  • 10:44 - 10:49
    Do you remember the recent Dropbox leak
    that revealed 68 million accounts?
  • 10:49 - 10:55
    We evaluated all of those 68 million
    email accounts against this API
  • 10:55 - 10:59
    and N26 took no notice of this.
    There were no limits applied.
  • 10:59 - 11:03
    They just think, I’m really popular.
    laughter
  • 11:03 - 11:11
    applause
  • 11:11 - 11:18
    In the end, we revealed 33.000 N26
    customers and could now send out
  • 11:18 - 11:22
    e-mails to them. Actually, this also provides
    a valid reason to contact them.
  • 11:22 - 11:28
    E.g. the usual e-mail of N26 looks
    somehow like this.
  • 11:28 - 11:32
    So we could say to them: “Hey, you are
    affected by the Dropbox leak, please
  • 11:32 - 11:41
    change your password for your own security.
    Click this link to change your password.”
  • 11:41 - 11:47
    Now I can already see the N26
    management board nervous,
  • 11:47 - 11:52
    but don’t worry, we didn’t do this.
    My professor had legal concerns.
  • 11:52 - 11:57
    laughter
  • 11:57 - 12:03
    Now, that we have the login credentials,
    we have to wonder: Can we already
  • 12:03 - 12:09
    do something with those login credentials?
    And this brings me to Siri transactions.
  • 12:09 - 12:14
    With iOS 10 N26 now supports
    transactions using Siri. That means
  • 12:14 - 12:19
    now you can just say: “Send 5 Euro
    to Dominik Maier using N26”, then
  • 12:19 - 12:24
    the transaction pops up and you can say:
    “Send it” and afterwards it’s gone.
  • 12:24 - 12:29
    The app doesn’t even open.
    So this already sounds wrong,
  • 12:29 - 12:34
    laughter …but you can only
    do this with the paired device.
  • 12:34 - 12:40
    If you use another phone and just
    log in and try to use Siri with this,
  • 12:40 - 12:44
    this dialogue appears and you really
    have to open the app and have
  • 12:44 - 12:52
    to confirm it with the paired phone. As it
    turns out, this is just a client feature.
  • 12:52 - 12:54
    laughter
  • 12:54 - 12:57
    This is actually the entire payload
    you need. It’s just like “5 Euro
  • 12:57 - 13:02
    to Dominik Maier”, and there is the phone
    number. And look at this API endpoint,
  • 13:02 - 13:08
    ‘/transactions/unverified’.
    So it turns out
  • 13:08 - 13:12
    you don’t need the paired phone
    to do this type of transactions.
  • 13:12 - 13:20
    applause
  • 13:20 - 13:24
    Yet another thing that’s interesting
    is that N26 claims that they have
  • 13:24 - 13:28
    some intelligent algorithms
    to immediately detect irregularities
  • 13:28 - 13:34
    and prevent fraud before it even occurs.
    So we thought: “Challenge accepted!”
  • 13:34 - 13:39
    laughter and applause
  • 13:39 - 13:43
    And what we actually did,
    and I think this is pretty irregular,
  • 13:43 - 13:49
    we sent 2000 Siri transactions
    worth 1 Cent within 30 minutes.
  • 13:49 - 13:51
    laughter
  • 13:51 - 13:57
    Try to speak that fast.
    Ok.
  • 13:57 - 14:03
    And so what happened? Like we waited the
    next day and the day after nobody actually
  • 14:03 - 14:07
    made contact with us, and we thought they
    would never actually make contact.
  • 14:07 - 14:11
    But over three weeks later
    N26 required Dominik to explain
  • 14:11 - 14:16
    the “unusual amount” of transactions.
    Okay, they even threatened to cancel
  • 14:16 - 14:20
    his account. I mean, this is actually…
    it’s reasonable because it’s a clear misuse
  • 14:20 - 14:24
    of the account and it violates
    the Terms of Service of them.
  • 14:24 - 14:30
    But Dominik didn’t send those
    transactions, he received them!
  • 14:30 - 14:31
    laughter
  • 14:31 - 14:35
    They contacted the wrong person!
    This is kind of like
  • 14:35 - 14:39
    if Gmail cancels your account
    because you received Spam!
  • 14:39 - 14:42
    loud laughter
  • 14:42 - 14:49
    applause
  • 14:49 - 14:54
    Okay, let’s go back to the account
    hijacking. And the next thing we need
  • 14:54 - 14:59
    to obtain is the transfer code and get
    the control over the paired phone.
  • 14:59 - 15:03
    What we will do: with the transfer code
    we will try to reset it; and
  • 15:03 - 15:07
    the paired phone we have to un-pair.
    Actually, those processes are
  • 15:07 - 15:14
    not as independent as it seems. So
    I will right start with the paired phone.
  • 15:14 - 15:18
    As I told in the beginning, un-pairing is
    actually a highly-secured process
  • 15:18 - 15:25
    and I mean, this is my serious opinion.
    So let’s look at the process.
  • 15:25 - 15:29
    At first, when you want to pair a new
    phone, like I said, you need to un-pair
  • 15:29 - 15:34
    the existing one. Therefor, you open the
    app, then you click at “Un-pair” and
  • 15:34 - 15:40
    afterwards they send a link to your
    email account. Then, in the e-mail
  • 15:40 - 15:46
    you need to follow the un-pairing link.
  • 15:46 - 15:51
    In the next step the real un-pairing
    process starts, where you
  • 15:51 - 15:55
    have to enter your transfer code first,
    then your MasterCard ID. This is something
  • 15:55 - 16:01
    that is kind of special for N26, like,
    every N26 account comes with a MasterCard,
  • 16:01 - 16:07
    and they have printed a 10-digit numerical
    token below your name. I don’t know
  • 16:07 - 16:10
    what this actually is, it’s not the PAN,
    it’s not the credit card number but
  • 16:10 - 16:15
    some other sort of token. So you need
    to have the Mastercard, actually.
  • 16:15 - 16:19
    And in the last step they’re going to send
    an SMS to you with a token, and you have
  • 16:19 - 16:24
    to enter it. And only after this process
    the un-pairing is done.
  • 16:24 - 16:28
    So that means we need to have access to
    the e-mail account. We need to know
  • 16:28 - 16:32
    the transfer code. We need to have the
    Mastercard and we need to own the SIM card
  • 16:32 - 16:41
    in order to receive the token.
    You can’t screw up each of those.
  • 16:41 - 16:48
    laughter and applause
  • 16:48 - 16:52
    Okay. Let’s go into it. So, the first
    thing: when you actually click
  • 16:52 - 16:58
    on that item in your app where
    it says “Start un-pairing”
  • 16:58 - 17:03
    it sends – this is basically HTTP GET
    request but you wouldn’t believe
  • 17:03 - 17:09
    that they send the link as a response.
    So – it’s not this plate (?)
  • 17:09 - 17:14
    but it’s there. So you don’t need to
    have access to the e-mail account
  • 17:14 - 17:17
    because it’s in the response.
    laughs
  • 17:17 - 17:20
    laughter
  • 17:20 - 17:25
    Okay. Next thing. The transfer code
    – I actually will skip this for the moment
  • 17:25 - 17:30
    and we’ll get right back to this. But the
    next thing is actually the Mastercard ID.
  • 17:30 - 17:36
    And this ID is printed on the card,
    and we don’t have access to that card.
  • 17:36 - 17:41
    So what will we do?
    In the transaction overview
  • 17:41 - 17:45
    N26 shows a lot of properties,
    e.g. the amount, the beneficiary,
  • 17:45 - 17:50
    whatever. And it turns out that this…
  • 17:50 - 17:53
    laughter and turmoil
    that they used
  • 17:53 - 17:57
    this Mastercard ID, they thought: “Oh,
    this is actually a nice ID, let’s use it
  • 17:57 - 18:02
    as a prefix”. So, again, this is not
    displayed to the user inside the app
  • 18:02 - 18:08
    but it’s clearly there in the API.
    It’s way too verbose.
  • 18:08 - 18:15
    So…
    applause
  • 18:15 - 18:20
    Okay. Whenever…
  • 18:20 - 18:24
    the step that I just skipped
    was this transfer code.
  • 18:24 - 18:29
    The transfer code is unknown.
    But you can reset the transfer code.
  • 18:29 - 18:33
    And it is – as it turns out – what you
    need to reset the transfer code
  • 18:33 - 18:35
    is the Mastercard ID.
    laughs
  • 18:35 - 18:43
    laughter and applause
  • 18:43 - 18:47
    So you need to enter this Mastercard ID
  • 18:47 - 18:53
    that I just told how we will get it
    and then we just will confirm
  • 18:53 - 18:58
    our new transfer code. Think of one,
    I don’t know. Any code.
  • 18:58 - 19:02
    And therefor we don’t need to know the
    transfer code. Not even the old one
  • 19:02 - 19:07
    because it’s not required.
    The Mastercard ID is sufficient.
  • 19:07 - 19:12
    Then. The last step. SMS.
    The SIM card is inaccessible.
  • 19:12 - 19:17
    We don’t have access to that phone. But
    this is a 5-digit token that they send out
  • 19:17 - 19:23
    and it’s only numbers. I mean
    this is 100.000 possibilities.
  • 19:23 - 19:29
    And even though the login procedure, the
    login form, has a brute-force protection
  • 19:29 - 19:32
    this doesn’t have any
    brute force protection. So…
  • 19:32 - 19:35
    laughter
  • 19:35 - 19:40
    …the maximum that I could get out of the
    backend was 160 requests per second!
  • 19:40 - 19:42
    laughter
  • 19:42 - 19:46
    So this means…
    laughs
  • 19:46 - 19:55
    applause
  • 19:55 - 20:04
    So that means that it takes on average
    approx. 5 minutes to get this token.
  • 20:04 - 20:09
    In the end we will just brute-force it
    and that’s it. Okay. That’s…
  • 20:09 - 20:12
    laughter
  • 20:12 - 20:17
    Let’s look if this really works.
    At first we will login to the app
  • 20:17 - 20:22
    just to see that it’s paired. And if it
    wouldn’t be paired we would know,
  • 20:22 - 20:27
    like, see a dialogue
    that we should pair our phone.
  • 20:27 - 20:31
    So now it opens. Great.
  • 20:31 - 20:37
    And now we will start our script.
  • 20:37 - 20:43
    And N26 claimed that this attack
    doesn’t scale, just don’t blink!
  • 20:43 - 20:45
    exhales sharply
  • 20:45 - 20:47
    So those are the login credentials
    laughter
  • 20:47 - 20:51
    …that will do all the fun. And actually,
    everything already happened, it’s just
  • 20:51 - 20:55
    the brute-forcing that now takes place.
    And I have to admit that I have been
  • 20:55 - 21:03
    really lucky this time because
    we are done now. laughter
  • 21:03 - 21:07
    So this is the response, now the SMS
    numeric token is valid, and the phone
  • 21:07 - 21:12
    has been successfully un-paired. Okay,
    now let’s verify in the app… if this worked
  • 21:12 - 21:20
    really? So let’s open it again. Touch-ID
    expired, so this is actually good.
  • 21:20 - 21:27
    That means that something happened.
    Let’s login with our password.
  • 21:27 - 21:31
    And there it prompts us for pairing
    the phone. So it worked.
  • 21:31 - 21:40
    applause
  • 21:40 - 21:44
    Yeah…
    laughter
  • 21:44 - 21:50
    This… even though I said that this attack
    really scales very well it has a drawback.
  • 21:50 - 21:55
    Because three mails are sent out to the
    user. The first one when you actually
  • 21:55 - 21:58
    start the un-pairing, the second one
    when you reset the transfer PIN and
  • 21:58 - 22:02
    the third one when the un-pairing is
    successful. And the user also receives
  • 22:02 - 22:08
    an SMS. But I mean fraud is perfectly
    possible. But is there a possibility
  • 22:08 - 22:15
    to avoid this? Let’s try to call
    the customer support.
  • 22:15 - 22:20
    The customer support is actually the most
    powerful entity in the N26 security model.
  • 22:20 - 22:23
    Because they can even change things
    you can’t change inside the app.
  • 22:23 - 22:27
    E.g. your email address, or name
    – you cannot change.
  • 22:27 - 22:33
    But they can. So let’s talk with them.
    They can… it turns out they can also
  • 22:33 - 22:38
    un-pair phones. So now the question arises
    of course you cannot just call there
  • 22:38 - 22:42
    and say: “Hey, my name is Vincent,
    please un-pair my phone.” Of course they
  • 22:42 - 22:47
    are going to authenticate you. And what…
    loud laughter
  • 22:47 - 22:53
    …and what will they ask? They will ask
    for the Mastercard ID. We know that.
  • 22:53 - 22:56
    The current account balance is always
    available if you have the login credentials.
  • 22:56 - 23:01
    Okay. There’s one thing that is
    still missing. Place of birth.
  • 23:01 - 23:06
    It’s always the same.
    laughter
  • 23:06 - 23:12
    It’s, again, you can’t see this information
    inside the app. It’s just not displayed.
  • 23:12 - 23:14
    But it’s there. There’s so much
    information you can’t think of.
  • 23:14 - 23:20
    Really, they know more about me than I do.
    laughter
  • 23:20 - 23:24
    Now that means we have all information
    available, and we can change any data.
  • 23:24 - 23:28
    And the user won’t receive any notice
    of that. So no email, nothing.
  • 23:28 - 23:32
    So we can just un-pair the phone,
    and later we can pair our own one,
  • 23:32 - 23:36
    or… this is perfectly stealth.
  • 23:36 - 23:42
    Now actually I heard already: “Ah,
    I only got 50 Euro on my account,
  • 23:42 - 23:47
    why should I care?”
  • 23:47 - 23:52
    This is actually a valid argument because
    many N26 accounts are opened out of
  • 23:52 - 23:59
    curiosity, and many are inactive, or not
    used seriously, that means you only use it
  • 23:59 - 24:03
    for travelling or paying things online
    because of the conditions.
  • 24:03 - 24:07
    But you don’t use it as the salary account
    so there is frequently not so much money
  • 24:07 - 24:14
    in it. But as this wants to be the
    financial hub for all the services
  • 24:14 - 24:20
    you of course can also apply for an
    overdraft. And this is an instant overdraft
  • 24:20 - 24:25
    that is granted during two minutes.
    And it’s between… you have guaranteed
  • 24:25 - 24:32
    50 Euro and up to 2000. This requires
    the paired device. What did we just do?
  • 24:32 - 24:35
    We have the paired device.
    We have the entire account.
  • 24:35 - 24:39
    So what do we do?
    We will just hijack the account
  • 24:39 - 24:44
    then we apply for an overdraft,
    and then we will take all the money
  • 24:44 - 24:47
    he has as a balance
    and as an overdraft.
  • 24:47 - 24:50
    So even if you don’t have money
    on your account and think you’re safe
  • 24:50 - 24:55
    you are not.
    laughs
  • 24:55 - 25:02
    Okay. This was quite a bit, something.
    I want to talk briefly about disclosure
  • 25:02 - 25:07
    before I will draw my conclusion.
  • 25:07 - 25:13
    I reported all these issues to N26 on
    September 25. I didn’t establish
  • 25:13 - 25:16
    the contact, this was the CCC.
    Thank you for that.
  • 25:16 - 25:22
    I did this because I didn’t know how N26
    would react to this kind of vulnerabilities.
  • 25:22 - 25:26
    But, actually, there was no reason
    to think so. Because they acted
  • 25:26 - 25:32
    really professional. And they were
    actually thankful that I revealed
  • 25:32 - 25:35
    these vulnerabilities.
  • 25:35 - 25:45
    applause
  • 25:45 - 25:50
    Then, afterwards, they started
    to incrementally fix the issues.
  • 25:50 - 25:55
    I don’t know when they fixed the first
    thing. I didn’t monitor the process.
  • 25:55 - 25:58
    But the last fix I know of happened on
    December 13 when they implemented
  • 25:58 - 26:03
    certificate pinning on iOS. And,
    apparently, I have to say that
  • 26:03 - 26:10
    I didn’t check everything. But
    apparently all issues are resolved.
  • 26:10 - 26:15
    But what are the consequences out of
    this? It is obvious that N26 needs to put
  • 26:15 - 26:23
    more emphasis on security. It’s important
    to notice that this wasn’t a coincidence.
  • 26:23 - 26:28
    It simply wasn’t! And N26 needs to
    understand that it’s not enough to release
  • 26:28 - 26:31
    videos with caption “mobile first meets
    safety first” and to claim that security
  • 26:31 - 26:40
    is of paramount importance of them.
    So PR shouldn’t do your security.
  • 26:40 - 26:45
    It’s funny: If you visit the N26 home page
    you will find out that they currently have
  • 26:45 - 26:53
    44 open positions. Not even one
    is dedicated to security.
  • 26:53 - 26:57
    Furthermore, with such a strategy
    FinTechs squander the trust
  • 26:57 - 27:01
    in financial institutions that banks
    established over years, actually.
  • 27:01 - 27:07
    Today you usually trust in your bank
    that they will deal with your money
  • 27:07 - 27:12
    responsibly. And in the end you also
    need to question authorities. I mean
  • 27:12 - 27:19
    it was BaFin that granted a banking
    license to N26 only six months ago.
  • 27:19 - 27:26
    And, really, those vulnerabilities
    are in sight for longer time.
  • 27:26 - 27:32
    Okay. I think, like… résumé for this is:
  • 27:32 - 27:36
    you shouldn’t say “Works for me”
    when it’s about security.
  • 27:36 - 27:39
    So, thank you!
  • 27:39 - 27:59
    applause
  • 27:59 - 28:06
    Herald: Thank you Vincent. That was
    awesome. And also kind of fucking scary.
  • 28:06 - 28:10
    We only have a short time for questions.
    Is there anybody who has a question
  • 28:10 - 28:19
    for Vincent?
  • 28:19 - 28:23
    No, I guess everybody is out
    deleting banking apps.
  • 28:23 - 28:27
    laughter
  • 28:27 - 28:32
    Oh, number 6!
  • 28:32 - 28:36
    Question: Quick question.
  • 28:36 - 28:40
    Do you know whether they
    have disallowed those apps
  • 28:40 - 28:44
    that have not yet been updated
    to still manage their bank account?
  • 28:44 - 28:50
    So e.g. if someone has a mobile app
    that has not yet been updated
  • 28:50 - 28:53
    to the version that includes certificate
    pinning would that person
  • 28:53 - 28:55
    still be vulnerable to
    man-in-the-middle attacks?
  • 28:55 - 28:57
    Vincent: Yes.
  • 28:57 - 29:00
    laughter
    laughs
  • 29:00 - 29:04
    Actually they don’t have so much of an
    idea which device you are using.
  • 29:04 - 29:11
    They don’t even know which is the paired
    device! This is only a client value.
  • 29:11 - 29:14
    Herald: Do two more,
    it’s a guy here on number 1.
  • 29:14 - 29:18
    Question: Thanks for the talk. Did they
    actually invite you to help them
  • 29:18 - 29:23
    or give your talk at N26?
    Have they been in contact with you?
  • 29:23 - 29:27
    Vincent: Yes, we have been in contact and
    I also visited them and gave a workshop,
  • 29:27 - 29:29
    so yeah, they…
  • 29:29 - 29:33
    laughter and applause
  • 29:33 - 29:34
    Question: Are you serious?
  • 29:34 - 29:39
    Vincent: I am serious, yes!
    ongoing applause
  • 29:39 - 29:42
    Herald: And we do one last,
    one here, from number 5, please.
  • 29:42 - 29:45
    Question: So during your talk you
    name-dropped Letsencrypt, and
  • 29:45 - 29:48
    you kind of glossed over that bit, about
    getting them to issue a certificate
  • 29:48 - 29:53
    for their API host name.
    Do you know something I don’t?
  • 29:53 - 29:56
    Vincent: Ehm, the question, again?
    I don’t…
  • 29:56 - 30:00
    Question: So you mentioned getting
    a Letsencrypt certificate to impersonate
  • 30:00 - 30:02
    their API host name, because they
    weren’t using certificate pinning.
  • 30:02 - 30:05
    How did you go by doing that?
  • 30:05 - 30:08
    Vincent: But I didn’t do.
    This, like, was a scenario.
  • 30:08 - 30:16
    That’s an attack scenario. I didn’t hijack
    the DNS record, okay, sorry.
  • 30:16 - 30:17
    laughs
  • 30:17 - 30:20
    Question: Thank you.
  • 30:20 - 30:22
    Herald: Alright. Thanks everybody for
    joining. And get a big round of applause
  • 30:22 - 30:24
    here for Vincent!
  • 30:24 - 30:27
    applause
  • 30:27 - 30:32
    postroll music
  • 30:32 - 30:51
    Subtitles created by c3subtitles.de
    in the year 2017. Join and help us!
Title:
Shut Up and Take My Money! (33c3)
Description:

more » « less
Video Language:
English
Duration:
30:51

English subtitles

Revisions Compare revisions