Shut Up and Take My Money! (33c3)

Showing Revision 28 created 10/07/2017 by Bar Sch.

  1. 33C3 preroll music
  2. Herald: Next talk is gonna be “Shut up
    and take my money” by Vincent Haupert.
  3. Vincent is a research associate
    at the security research group
  4. of the Department of Computer Science
    at Friedrich-Alexander-Universität
  5. in Erlangen-Nürnberg, Germany.
    Typical, very long German word.
  6. His main research interests are
    authentication, system security
  7. and software protection of mobile devices.
  8. It’s actually Vincent’s second time
    speaking at the Congress.
  9. Last year’s talk discussed conceptual
    insecurity of app-generated passwords
  10. in online banking. This year
    he will discuss the practical aspects
  11. and some successful hacks that,
    if I recall correctly,
  12. took over entire bank accounts
    from users’ mobile apps.
  13. With that, Vincent, over to you.
  14. applause
  15. Vincent Haupert: Hello again,
    thanks for the warm welcome,
  16. and let’s dive right into it
    because we have a tough program.
  17. Okay. First of all, online banking
    is something that affects us all,
  18. because virtually everybody uses it.
    In traditional online banking,
  19. we use two devices.
    One to initiate our payments
  20. – and to log in
    with user name and password –
  21. and another device
    to confirm transactions.
  22. With the rise of mobile devices, app-based
    confirmation procedures became popular
  23. like this app there.
    In the recent past,
  24. what I was talking about last year,
    it became popular
  25. to implement those two devices
    in two apps. That means you only have
  26. one single device and have two apps now
  27. to authenticate transactions.
  28. Last year I showed that this has
    severe conceptual drawbacks.
  29. But this is not the end of it.
    The latest evolution in online banking
  30. are now one-app authentication models.
    I already said this last year:
  31. Actually, it doesn’t make so much
    difference. So banks are no longer pretending
  32. to have real two-factor authentication.
    It’s now clear that it’s just one,
  33. so you do the transaction initialization
    inside the app
  34. and the confirmation is just
    another dialog inside the app.
  35. This time I want to talk about N26,
  36. the shining star
    on the German FinTech sky.
  37. Actually, this time I’m only going to be
    talking about technical issues.
  38. It’s clear that we have similar conceptual
    problems as with two-app authentication,
  39. but I will focus on technical issues
    because we have enough of this there.
  40. Briefly about N26: N26 is
    a Berlin-based, “Mobile First” FinTech
  41. and it plans to establish your smartphone
    as your financial hub
  42. for everything, so that you do
    literally everything
  43. from inside the app.
    Actually it was only founded in 2013,
  44. it started in 2015 with their app and it
    already has over 200,000 customers,
  45. which is astonishing, actually.
  46. It now also has its own European
    banking license. It’s only, I think,
  47. half a year ago; and it announced
    not even one month ago that it’s now
  48. available in 17 European countries.
    And they also claim
  49. that you can open a bank account
    in just eight minutes. As it turns out
  50. you can lose it even faster.
  51. laughter
  52. Okay, let’s talk briefly about transaction
    security in the Number 26 app.
  53. If you want to do a transaction,
    you at first need to log in.
  54. This works with your user name,
    in this case it’s just your email address,
  55. and your password.
    This is pretty standard.
  56. Afterwards you are good to initiate
    a transaction. After you have entered
  57. all the details you also have to supply a
    transfer code. This is just a four-digit
  58. number, you use this also to withdraw
    cash. Probably you would call this ‘PIN’.
  59. The last factor in this authentication
    scheme is your paired phone.
  60. This is actually the most important
    security feature of the N26 account,
  61. and you can only pair one smartphone
    with your N26 account.
  62. That means, from a technical
    perspective, the N26 app,
  63. the very first time you start it,
    generates an RSA key pair
  64. and sends the public key to the N26
    backend. And whenever you initiate
  65. a transaction they are going to send
    an encrypted challenge to your smartphone
  66. and you send it back decrypted.
    That’s how it works. Actually,
  67. re-pairing, that means pairing another
    phone, is a pretty well-secured process,
  68. but we will talk about this later. Just
    to talk about the infrastructure
  69. of N26: basically they have two apps,
    one for iOS, one for Android,
  70. and they communicate over
    a JSON-based protocol, TLS encrypted.
  71. The backend is at
  72. How do I know, actually, that this is
    a JSON-based protocol: because I used
  73. a TLS man-in-the-middle attack
    to log the protocol.
  74. I only needed to install a certificate,
    the MITM proxy certificate on the client,
  75. but actually I was surprised that I didn’t
    need to touch the client, because
  76. they didn’t implement
    any certificate pinning.
  77. applause
  78. So that means, the first thing
    that comes into mind is like:
  79. Let’s do real-time transaction
    manipulation. That means we manipulate
  80. a transaction that the user does,
    but we will change the recipient
  81. and the user won’t see anything about this.
    So if we look at this graphic again,
  82. what if an attacker could get the DNS
    record of under his control?
  83. This would mean that all traffic is routed
    over the man-in-the-middle attacker server
  84. and, as there is no certificate pinning,
    we could just issue a Letsencrypt
  85. TLS certificate and the app is going
    to trust the certificate.
  86. How does this work?
    Let’s take an example here.
  87. Let’s imagine I want to transfer
    2 Euro to my friend Dominik.
  88. After I entered all the transaction details
    I have to enter my transfer code, too.
  89. When I did this I get like the second
    factor where you need the paired device
  90. and I need to confirm it. This is just
    like the next dialogue inside the app.
  91. After I confirmed it, the transaction went
    through, everything looks good.
  92. 2 Euro less on my account, pretty good.
  93. In the next step you can see in your
    transaction overview too, that
  94. there are 2 Euro less. But after the attack,
    when N26 realized that something wrong
  95. was going on and they fixed it, you will
    realize that we actually transferred
  96. 20 Euro, not 2. But this was
    completely transparent for the user
  97. even after the attack.
    Okay, this is nice.
  98. We can manipulate a transaction
    in real time, but
  99. wouldn’t it be even more interesting
    to take over entire accounts
  100. to do our own transactions?
  101. For this, we need the login credentials,
    the transfer code and the paired phone.
  102. So we need to obtain all of them.
  103. Let’s start with the login credentials.
  104. Actually, I want to assume that the login
    credentials are already compromised.
  105. But there are some weak points in the
    security system of the N26 transactions,
  106. that make it an easier task to obtain
    those login credentials.
  107. There are two things I want to talk about.
    The first thing is the recovery-from-loss
  108. procedure. When you forget your
    password, N26 just sends
  109. an email to your email account.
    There is a link inside, you click it
  110. and you can just reset your password.
  111. This breaks the N26 password policy
  112. which is actually pretty solid, because
    if you have access to the email account,
  113. you have automatically access
    to the N26 account, too
  114. and the access to the email account
    could be as bad as “password” or “123456”.
  115. Another idea is spear phishing. Think
    of spear phishing like a more targeted
  116. version of phishing. What you always need
    for phishing is a similar domain,
  117. something the user can relate to. And
    if you want to make spear phishing
  118. you want to have it more targeted.
    That means you want to expose
  119. N26 customers, so only send out mails
    to them. And you need to have
  120. a valid reason to contact them.
    About the domain:
  121. usually N26 uses;
    and for password resets
  122. e.g.
    Sounds pretty valid in my eyes.
  123. Only by chance I happen to own
    that domain. laughter
  124. The next thing is exposing
    N26 customers. N26 offers
  125. peer to peer transactions, that means if
    your recipient also has a N26 account,
  126. those transactions are instant.
    To show N26 customers
  127. which of their contacts actually have
    an N26 account, they upload
  128. all of the email addresses, all of the
    phone numbers in your address book
  129. to the N26 backend.
  130. applause
  131. But we actually want to use this to
    identify customers of a given dataset.
  132. We can actually abuse this API for that.
  133. Do you remember the recent Dropbox leak
    that revealed 68 million accounts?
  134. We evaluated all of those 68 million
    email accounts against this API
  135. and N26 took no notice of this.
    There were no limits applied.
  136. They just think, I’m really popular.
  137. applause
  138. In the end, we revealed 33,000 N26
    customers and could now send out
  139. e-mails to them. Actually, this also provides
    a valid reason to contact them.
  140. E.g. the usual e-mail of N26 looks
    somehow like this.
  141. So we could say to them: “Hey, you are
    affected by the Dropbox leak, please
  142. change your password for your own security.
    Click this link to change your password.”
  143. Now I can already see the N26
    management board nervous,
  144. but don’t worry, we didn’t do this.
    My professor had legal concerns.
  145. laughter
  146. Now that we have the login credentials,
    we have to wonder: Can we already
  147. do something with those login credentials?
    And this brings me to Siri transactions.
  148. With iOS 10 N26 now supports
    transactions using Siri. That means
  149. now you can just say: “Send 5 Euro
    to Dominik Maier using N26”, then
  150. the transaction pops up and you can say:
    “Send it” and afterwards it’s gone.
  151. The app doesn’t even open.
    So this already sounds wrong,
  152. laughter …but you can only
    do this with the paired device.
  153. If you use another phone and just
    log in and try to use Siri with this,
  154. this dialogue appears and you really
    have to open the app and have
  155. to confirm it with the paired phone. As it
    turns out, this is just a client feature.
  156. laughter
  157. This is actually the entire payload
    you need. It’s just like “5 Euro
  158. to Dominik Maier”, and there is the phone
    number. And look at this API endpoint,
  159. ‘/transactions/unverified’.
    So it turns out
  160. you don’t need the paired phone
    to do this type of transactions.
  161. applause
  162. Yet another thing that’s interesting
    is that N26 claims that they have
  163. some intelligent algorithms
    to immediately detect irregularities
  164. and prevent fraud before it even occurs.
    So we thought: “Challenge accepted!”
  165. laughter and applause
  166. And what we actually did,
    and I think this is pretty irregular,
  167. we sent 2,000 Siri transactions
    worth 1 cent within 30 minutes.
  168. laughter
  169. Try to speak that fast.
  170. And so what happened? Like we waited the
    next day and the day after nobody actually
  171. made contact with us, and we thought they
    would never actually make contact.
  172. But over three weeks later
    N26 required Dominik to explain
  173. the “unusual amount” of transactions.
    Okay, they even threatened to cancel
  174. his account. I mean, this is actually…
    it’s reasonable because it’s a clear misuse
  175. of the account and it violates
    their Terms of Service.
  176. But Dominik didn’t send those
    transactions, he received them!
  177. laughter
  178. They contacted the wrong person!
    This is kind of like
  179. if Gmail cancels your account
    because you received Spam!
  180. loud laughter
  181. applause
  182. Okay, let’s go back to the account
    hijacking. And the next thing we need
  183. to obtain is the transfer code and get
    the control over the paired phone.
  184. What we will do: with the transfer code
    we will try to reset it; and
  185. the paired phone we have to un-pair.
    Actually, those processes are
  186. not as independent as it seems. So
    I will start right away with the paired phone.
  187. As I said in the beginning, un-pairing is
    actually a highly-secured process
  188. and I mean, this is my serious opinion.
    So let’s look at the process.
  189. At first, when you want to pair a new
    phone, like I said, you need to un-pair
  190. the existing one. Therefore, you open the
    app, then you click on “Un-pair” and
  191. afterwards they send a link to your
    email account. Then, in the e-mail
  192. you need to follow the un-pairing link.
  193. In the next step the real un-pairing
    process starts, where you
  194. have to enter your transfer code first,
    then your MasterCard ID. This is something
  195. that is kind of special for N26, like,
    every N26 account comes with a MasterCard,
  196. and they have printed a 10-digit numerical
    token below your name. I don’t know
  197. what this actually is, it’s not the PAN,
    it’s not the credit card number but
  198. some other sort of token. So you need
    to have the Mastercard, actually.
  199. And in the last step they’re going to send
    an SMS to you with a token, and you have
  200. to enter it. And only after this process
    the un-pairing is done.
  201. So that means we need to have access to
    the e-mail account. We need to know
  202. the transfer code. We need to have the
    Mastercard and we need to own the SIM card
  203. in order to receive the token.
    You can’t screw up each of those.
  204. laughter and applause
  205. Okay. Let’s go into it. So, the first
    thing: when you actually click
  206. on that item in your app where
    it says “Start un-pairing”
  207. it sends – this is basically an HTTP GET
    request but you wouldn’t believe
  208. that they send the link as a response.
    So – it’s not this plate (?)
  209. but it’s there. So you don’t need to
    have access to the e-mail account
  210. because it’s in the response.
  211. laughter
  212. Okay. Next thing. The transfer code
    – I actually will skip this for the moment
  213. and we’ll get right back to this. But the
    next thing is actually the Mastercard ID.
  214. And this ID is printed on the card,
    and we don’t have access to that card.
  215. So what will we do?
    In the transaction overview
  216. N26 shows a lot of properties,
    e.g. the amount, the beneficiary,
  217. whatever. And it turns out that this…
  218. laughter and turmoil
    that they used
  219. this Mastercard ID, they thought: “Oh,
    this is actually a nice ID, let’s use it
  220. as a prefix”. So, again, this is not
    displayed to the user inside the app
  221. but it’s clearly there in the API.
    It’s way too verbose.
  222. So…
  223. Okay. Whenever…
  224. the step that I just skipped
    was this transfer code.
  225. The transfer code is unknown.
    But you can reset the transfer code.
  226. And it is – as it turns out – what you
    need to reset the transfer code
  227. is the Mastercard ID.
  228. laughter and applause
  229. So you need to enter this Mastercard ID
  230. that I just told how we will get it
    and then we just will confirm
  231. our new transfer code. Think of one,
    I don’t know. Any code.
  232. And therefore we don’t need to know the
    transfer code. Not even the old one
  233. because it’s not required.
    The Mastercard ID is sufficient.
  234. Then. The last step. SMS.
    The SIM card is inaccessible.
  235. We don’t have access to that phone. But
    this is a 5-digit token that they send out
  236. and it’s only numbers. I mean
    this is 100,000 possibilities.
  237. And even though the login procedure, the
    login form, has a brute-force protection
  238. this doesn’t have any
    brute-force protection. So…
  239. laughter
  240. …the maximum that I could get out of the
    backend was 160 requests per second!
  241. laughter
  242. So this means…
  243. applause
  244. So that means that it takes on average
    approx. 5 minutes to get this token.
  245. In the end we will just brute-force it
    and that’s it. Okay. That’s…
  246. laughter
  247. Let’s see if this really works.
    At first we will log in to the app
  248. just to see that it’s paired. And if it
    wouldn’t be paired we would know,
  249. like, see a dialogue
    that we should pair our phone.
  250. So now it opens. Great.
  251. And now we will start our script.
  252. And N26 claimed that this attack
    doesn’t scale, just don’t blink!
  253. exhales sharply
  254. So those are the login credentials
  255. …that will do all the fun. And actually,
    everything already happened, it’s just
  256. the brute-forcing that now takes place.
    And I have to admit that I have been
  257. really lucky this time because
    we are done now. laughter
  258. So this is the response, now the SMS
    numeric token is valid, and the phone
  259. has been successfully un-paired. Okay,
    now let’s verify in the app… if this worked
  260. really? So let’s open it again. Touch ID
    expired, so this is actually good.
  261. That means that something happened.
    Let’s login with our password.
  262. And there it prompts us for pairing
    the phone. So it worked.
  263. applause
  264. Yeah…
  265. This… even though I said that this attack
    really scales very well it has a drawback.
  266. Because three mails are sent out to the
    user. The first one when you actually
  267. start the un-pairing, the second one
    when you reset the transfer PIN and
  268. the third one when the un-pairing is
    successful. And the user also receives
  269. an SMS. But I mean fraud is perfectly
    possible. But is there a possibility
  270. to avoid this? Let’s try to call
    the customer support.
  271. The customer support is actually the most
    powerful entity in the N26 security model.
  272. Because they can even change things
    you can’t change inside the app.
  273. E.g. your email address, or name
    – you cannot change.
  274. But they can. So let’s talk with them.
    They can… it turns out they can also
  275. un-pair phones. So now the question arises.
    Of course you cannot just call there
  276. and say: “Hey, my name is Vincent,
    please un-pair my phone.” Of course they
  277. are going to authenticate you. And what…
    loud laughter
  278. …and what will they ask? They will ask
    for the Mastercard ID. We know that.
  279. The current account balance is always
    available if you have the login credentials.
  280. Okay. There’s one thing that is
    still missing. Place of birth.
  281. It’s always the same.
  282. It’s, again, you can’t see this information
    inside the app. It’s just not displayed.
  283. But it’s there. There’s so much
    information you can’t think of.
  284. Really, they know more about me than I do.
  285. Now that means we have all information
    available, and we can change any data.
  286. And the user won’t receive any notice
    of that. So no email, nothing.
  287. So we can just un-pair the phone,
    and later we can pair our own one,
  288. or… this is perfectly stealth.
  289. Now actually I heard already: “Ah,
    I only got 50 Euro on my account,
  290. why should I care?”
  291. This is actually a valid argument because
    many N26 accounts are opened out of
  292. curiosity, and many are inactive, or not
    used seriously, that means you only use it
  293. for travelling or paying things online
    because of the conditions.
  294. But you don’t use it as the salary account
    so there is frequently not so much money
  295. in it. But as this wants to be the
    financial hub for all the services
  296. you of course can also apply for an
    overdraft. And this is an instant overdraft
  297. that is granted within two minutes.
    And it’s between… you have guaranteed
  298. 50 Euro and up to 2000. This requires
    the paired device. What did we just do?
  299. We have the paired device.
    We have the entire account.
  300. So what do we do?
    We will just hijack the account
  301. then we apply for an overdraft,
    and then we will take all the money
  302. he has as a balance
    and as an overdraft.
  303. So even if you don’t have money
    on your account and think you’re safe
  304. you are not.
  305. Okay. This was quite a bit, something.
    I want to talk briefly about disclosure
  306. before I will draw my conclusion.
  307. I reported all these issues to N26 on
    September 25. I didn’t establish
  308. the contact, this was the CCC.
    Thank you for that.
  309. I did this because I didn’t know how N26
    would react to this kind of vulnerability.
  310. But, actually, there was no reason
    to think so. Because they acted
  311. really professionally. And they were
    actually thankful that I revealed
  312. these vulnerabilities.
  313. applause
  314. Then, afterwards, they started
    to incrementally fix the issues.
  315. I don’t know when they fixed the first
    thing. I didn’t monitor the process.
  316. But the last fix I know of happened on
    December 13 when they implemented
  317. certificate pinning on iOS. And,
    apparently, I have to say that
  318. I didn’t check everything. But
    apparently all issues are resolved.
  319. But what are the consequences out of
    this? It is obvious that N26 needs to put
  320. more emphasis on security. It’s important
    to notice that this wasn’t a coincidence.
  321. It simply wasn’t! And N26 needs to
    understand that it’s not enough to release
  322. videos with the caption “mobile first meets
    safety first” and to claim that security
  323. is of paramount importance to them.
    So PR shouldn’t do your security.
  324. It’s funny: If you visit the N26 home page
    you will find out that they currently have
  325. 44 open positions. Not even one
    is dedicated to security.
  326. Furthermore, with such a strategy
    FinTechs squander the trust
  327. in financial institutions that banks
    established over years, actually.
  328. Today you usually trust in your bank
    that they will deal with your money
  329. responsibly. And in the end you also
    need to question authorities. I mean
  330. it was BaFin that granted a banking
    license to N26 only six months ago.
  331. And, really, those vulnerabilities
    have been in sight for a long time.
  332. Okay. I think, like… résumé for this is:
  333. you shouldn’t say “Works for me”
    when it’s about security.
  334. So, thank you!
  335. applause
  336. Herald: Thank you Vincent. That was
    awesome. And also kind of fucking scary.
  337. We only have a short time for questions.
    Is there anybody who has a question
  338. for Vincent?
  339. No, I guess everybody is out
    deleting banking apps.
  340. laughter
  341. Oh, number 6!
  342. Question: Quick question.
  343. Do you know whether they
    have disallowed those apps
  344. that have not yet been updated
    to still manage their bank account?
  345. So e.g. if someone has a mobile app
    that has not yet been updated
  346. to the version that includes certificate
    pinning would that person
  347. still be vulnerable to
    man-in-the-middle attacks?
  348. Vincent: Yes.
  349. laughter
  350. Actually they don’t have so much of an
    idea which device you are using.
  351. They don’t even know which is the paired
    device! This is only a client value.
  352. Herald: Do two more,
    it’s a guy here on number 1.
  353. Question: Thanks for the talk. Did they
    actually invite you to help them
  354. or give your talk at N26?
    Have they been in contact with you?
  355. Vincent: Yes, we have been in contact and
    I also visited them and gave a workshop,
  356. so yeah, they…
  357. laughter and applause
  358. Question: Are you serious?
  359. Vincent: I am serious, yes!
    ongoing applause
  360. Herald: And we do one last,
    one here, from number 5, please.
  361. Question: So during your talk you
    name-dropped Letsencrypt, and
  362. you kind of glossed over that bit, about
    getting them to issue a certificate
  363. for their API host name.
    Do you know something I don’t?
  364. Vincent: Ehm, the question, again?
    I don’t…
  365. Question: So you mentioned getting
    a Letsencrypt certificate to impersonate
  366. their API host name, because they
    weren’t using certificate pinning.
  367. How did you go about doing that?
  368. Vincent: But I didn’t do it.
    This, like, was a scenario.
  369. That’s an attack scenario. I didn’t hijack
    the DNS record, okay, sorry.
  370. laughs
  371. Question: Thank you.
  372. Herald: Alright. Thanks everybody for
    joining. And get a big round of applause
  373. here for Vincent!
  374. applause
  375. postroll music
  376. Subtitles created by
    in the year 2017. Join and help us!