0:00:00.000,0:00:14.180
33C3 preroll music
0:00:14.180,0:00:19.170
Herald: Next talk is gonna be “Shut up[br]and take my money” by Vincent Haupert.
0:00:19.170,0:00:22.450
Vincent is a research associate[br]at the security research group
0:00:22.450,0:00:26.430
of the Department of Computer Science[br]at Friedrich-Alexander-Universität
0:00:26.430,0:00:34.220
in Erlangen, Nürnberg, Germany.[br]Typical, very long German word.
0:00:34.220,0:00:37.540
His main research interests are[br]authentication, system security
0:00:37.540,0:00:39.970
and software protection of mobile devices.
0:00:39.970,0:00:43.170
It’s actually Vincent’s second time[br]speaking at the Congress.
0:00:43.170,0:00:48.850
Last year’s talk discussed conceptual[br]insecurity of app-generated passwords
0:00:48.850,0:00:53.809
in online banking. This year[br]he will discuss the practical aspects
0:00:53.809,0:00:58.900
and some successful hacks that,[br]if I recall correctly,
0:00:58.900,0:01:02.269
took over entire bank accounts[br]from users’ mobile apps.
0:01:02.269,0:01:05.110
With that, Vincent, over to you.
0:01:05.110,0:01:11.710
applause
0:01:11.710,0:01:15.230
Vincent Haupert: Hello again,[br]thanks for the warm welcome,
0:01:15.230,0:01:19.579
and let’s dive right into it[br]because we have a tough program.
0:01:19.579,0:01:25.150
Okay. First of all, online banking[br]is something that affects us all,
0:01:25.150,0:01:29.350
because virtually everybody uses it.[br]In traditional online banking,
0:01:29.350,0:01:33.619
we use two devices.[br]One to initiate our payments
0:01:33.619,0:01:36.950
– and to log in[br]with user name and password –
0:01:36.950,0:01:41.299
and another device[br]to confirm transactions.
0:01:41.299,0:01:47.810
With the rise of mobile devices, app-based[br]confirmation procedures became popular
0:01:47.810,0:01:53.210
like this app there.[br]In the recent past,
0:01:53.210,0:01:59.090
what I have been talking about last year,[br]it became popular
0:01:59.090,0:02:03.420
to implement those two devices[br]in two apps. That means you only have
0:02:03.420,0:02:07.049
one single device and have two apps now
0:02:07.049,0:02:12.610
to authenticate transactions.
0:02:12.610,0:02:18.640
Last year I showed that this has[br]severe conceptual drawbacks.
0:02:18.640,0:02:26.800
But this is not the end of it.[br]The latest evolution in online banking
0:02:26.800,0:02:31.680
are now one-app authentication models.[br]I already said this last year:
0:02:31.680,0:02:36.410
Actually, it doesn’t make so much[br]difference. So banks are no longer pretending
0:02:36.410,0:02:41.890
to have real two-factor authentication.[br]It’s now clear that it’s just one,
0:02:41.890,0:02:46.720
so you do the transaction initialization[br]inside the app
0:02:46.720,0:02:51.530
and the confirmation is just[br]another dialog inside the app.
0:02:51.530,0:02:55.800
This time I want to talk about N26,
0:02:55.800,0:03:02.110
the shining star[br]on the German FinTech sky.
0:03:02.110,0:03:09.240
Actually, this time I’m only going to be[br]talking about technical issues.
0:03:09.240,0:03:14.490
It’s clear that we have similar conceptual[br]problems like with two-app authentication,
0:03:14.490,0:03:21.280
but I will focus on technical issues[br]because we have enough of this there.
0:03:21.280,0:03:26.341
Briefly about N26: N26 is[br]a Berlin-based, “Mobile First” FinTech
0:03:26.341,0:03:31.150
and it plans to establish your smartphone[br]as your financial hub
0:03:31.150,0:03:35.860
for everything, so that you do[br]literally everything
0:03:35.860,0:03:40.880
from inside the app.[br]Actually it was only founded in 2013,
0:03:40.880,0:03:45.790
it started in 2015 with their app and it[br]already has over 200,000 customers,
0:03:45.790,0:03:49.710
which is astonishing, actually.
0:03:49.710,0:03:53.650
It now also has its own European[br]banking license. It’s only, I think,
0:03:53.650,0:03:59.431
half a year ago; and it announced[br]not even one month ago that it’s now
0:03:59.431,0:04:04.510
available in 17 European countries.[br]And they also claim
0:04:04.510,0:04:08.820
that you can open a bank account[br]in just eight minutes. As it turns out
0:04:08.820,0:04:11.060
you can lose it even faster.
0:04:11.060,0:04:14.730
laughter
0:04:14.730,0:04:20.810
Okay, let’s talk briefly about transaction[br]security in the Number 26 app.
0:04:20.810,0:04:23.509
If you want to do a transaction,[br]you at first need to log in.
0:04:23.509,0:04:27.810
This works with your user name,[br]in this case it’s just your email address,
0:04:27.810,0:04:29.999
and your password.[br]This is pretty standard.
0:04:29.999,0:04:34.220
Afterwards you are good to initiate[br]a transaction. After you have entered
0:04:34.220,0:04:39.300
all the details you also have to supply a[br]transfer code. This is just a four-digit
0:04:39.300,0:04:45.780
number, you use this also to withdraw[br]cash. Probably you would call this ‘PIN’.
0:04:45.780,0:04:50.830
The last factor in this authentication[br]scheme is your paired phone.
0:04:50.830,0:04:55.990
This is actually the most important[br]security feature of the N26 account,
0:04:55.990,0:05:00.930
and you can only pair one smartphone[br]with your N26 account.
0:05:00.930,0:05:05.449
That means, from a technical[br]perspective, the N26 app,
0:05:05.449,0:05:09.699
the very first time you start it,[br]generates an RSA key pair
0:05:09.699,0:05:13.199
and sends the public key to the N26[br]backend. And whenever you initiate
0:05:13.199,0:05:17.889
a transaction they are going to send[br]an encrypted challenge to your smartphone
0:05:17.889,0:05:22.709
and you send it back decrypted.[br]That’s how it works. Actually,
0:05:22.709,0:05:27.960
re-pairing, that means pairing another[br]phone is a pretty well secured process,
0:05:27.960,0:05:32.900
but we will talk about this later. Just[br]to talk about the infrastructure
0:05:32.900,0:05:37.639
of N26: basically they have two apps,[br]one for iOS, one for Android,
0:05:37.639,0:05:42.179
and they communicate over[br]a JSON-based protocol, TLS encrypted.
0:05:42.179,0:05:47.099
The backend is at api.tech26.de.
0:05:47.099,0:05:50.719
How do I know, actually, that this is[br]a JSON-based protocol: because I used
0:05:50.719,0:05:56.979
a TLS man-in-the-middle attack[br]to log the protocol.
0:05:56.979,0:06:02.919
I only needed to install a certificate,[br]the MITM proxy certificate on the client,
0:06:02.919,0:06:06.740
but actually I was surprised that I didn’t[br]need to touch the client, because
0:06:06.740,0:06:10.129
they didn’t implement[br]any certificate pinning.
0:06:10.129,0:06:16.490
applause
0:06:16.490,0:06:21.690
So that means, the first thing[br]that comes into mind is like:
0:06:21.690,0:06:25.759
Let’s do real-time transaction[br]manipulation. That means we manipulate
0:06:25.759,0:06:30.219
a transaction that the user does,[br]but we will change the recipient
0:06:30.219,0:06:36.259
and the user won’t see anything about this.[br]So if we look at this graphic again,
0:06:36.259,0:06:42.049
what if an attacker could get the DNS[br]record of api.tech26.de under his control?
0:06:42.049,0:06:48.079
This would mean that all traffic is routed[br]over the man-in-the-middle attacker server
0:06:48.079,0:06:53.820
and, as there is no certificate pinning,[br]we could just issue a Letsencrypt
0:06:53.820,0:06:59.930
TLS certificate and the app is going[br]to trust the certificate.
0:06:59.930,0:07:04.230
How does this work?[br]Let’s take an example here.
0:07:04.230,0:07:08.580
Let’s imagine I want to transfer[br]2 Euro to my friend Dominik.
0:07:08.580,0:07:13.240
After I entered all the transaction details[br]I have to enter my transfer code, too.
0:07:13.240,0:07:18.930
When I did this I get like the second[br]factor where you need the paired device
0:07:18.930,0:07:23.669
and I need to confirm it. This is just[br]like the next dialogue inside the app.
0:07:23.669,0:07:27.890
After I confirmed it, the transaction went[br]through, everything looks good.
0:07:27.890,0:07:32.199
2 Euro less on my account, pretty good.
0:07:32.199,0:07:37.479
In the next step you can see in your[br]transaction overview too, that
0:07:37.479,0:07:42.690
there are 2 Euro less. But after the attack[br]when N26 realized that something wrong
0:07:42.690,0:07:47.000
was going on and they fixed it you will[br]realize that we actually transferred
0:07:47.000,0:07:51.539
20 Euro, not 2. But this was[br]completely transparent for the user
0:07:51.539,0:07:56.209
even after the attack.[br]Okay, this is nice.
0:07:56.209,0:07:59.790
We can manipulate a transaction[br]in real time, but
0:07:59.790,0:08:05.419
wouldn’t it be even more interesting[br]to take over entire accounts
0:08:05.419,0:08:09.010
to do our own transactions?
0:08:09.010,0:08:13.669
For this, we need the login credentials,[br]the transfer code and the paired phone.
0:08:13.669,0:08:17.069
So we need to obtain all of them.
0:08:17.069,0:08:20.459
Let’s start with the login credentials.
0:08:20.459,0:08:26.479
Actually, I want to assume that the login[br]credentials are already compromised.
0:08:26.479,0:08:33.530
But there are some weak points in the[br]security system of the N26 transactions,
0:08:33.530,0:08:37.260
that make it an easier task to obtain[br]those login credentials.
0:08:37.260,0:08:41.919
There are two things I want to talk about.[br]The first thing is the recovery-from-loss
0:08:41.919,0:08:47.460
procedure. When you forget your[br]password, N26 just sends
0:08:47.460,0:08:50.500
an email to your email account.[br]There is a link inside, you click it
0:08:50.500,0:08:53.959
and you can just reset your password.
0:08:53.959,0:08:58.160
This breaks the N26 password policy
0:08:58.160,0:09:04.060
which is actually pretty solid, because[br]if you have access to the email account,
0:09:04.060,0:09:08.029
you have automatically access[br]to the N26 account, too
0:09:08.029,0:09:14.389
and the access to the email account[br]could be as bad as “password” or “123456”.
0:09:14.389,0:09:18.440
Another idea is spear phishing. Think[br]of spear phishing like a more targeted
0:09:18.440,0:09:22.839
version of phishing. What you always need[br]for phishing is a similar domain,
0:09:22.839,0:09:27.010
something the user can relate to. And[br]if you want to make spear phishing
0:09:27.010,0:09:30.350
you want to have it more targeted.[br]That means you want to expose
0:09:30.350,0:09:34.759
N26 customers, so only send out mails[br]to them. And you need to have
0:09:34.759,0:09:39.249
a valid reason to contact them.[br]About the domain:
0:09:39.249,0:09:45.139
usually N26 uses number26.de;[br]and for password resets
0:09:45.139,0:09:51.480
e.g. number26.tech.[br]Sounds pretty valid in my eyes.
0:09:51.480,0:09:57.740
Only by chance I happen to own[br]that domain. laughter
0:09:57.740,0:10:03.520
The next thing is exposing[br]N26 customers. N26 offers
0:10:03.520,0:10:09.840
peer-to-peer transactions, that means if[br]your recipient also has an N26 account,
0:10:09.840,0:10:15.660
those transactions are instant.[br]To show the N26 customers
0:10:15.660,0:10:20.040
who of his contacts actually have[br]an N26 account, they upload
0:10:20.040,0:10:25.089
all of the email addresses, all of the[br]phone numbers in your address book
0:10:25.089,0:10:30.160
to the N26 backend.[br]Unhashed.
0:10:30.160,0:10:34.860
applause
0:10:34.860,0:10:39.709
But we actually want to use this to[br]identify customers of a given dataset.
0:10:39.709,0:10:43.779
We can actually abuse this API for that.
0:10:43.779,0:10:49.410
Do you remember the recent Dropbox leak[br]that revealed 68 million accounts?
0:10:49.410,0:10:54.649
We evaluated all of those 68 million[br]email accounts against this API
0:10:54.649,0:10:58.680
and N26 took no notice of this.[br]There were no limits applied.
0:10:58.680,0:11:03.439
They just think, I’m really popular.[br]laughter
0:11:03.439,0:11:10.519
applause
0:11:10.519,0:11:17.870
In the end, we revealed 33,000 N26[br]customers and could now send out
0:11:17.870,0:11:22.500
e-mails to them. Actually, this also provides[br]a valid reason to contact them.
0:11:22.500,0:11:27.520
E.g. the usual e-mail of N26 looks[br]somehow like this.
0:11:27.520,0:11:31.759
So we could say to them: “Hey, you are[br]affected by the Dropbox leak, please
0:11:31.759,0:11:41.070
change your password for your own security.[br]Click this link to change your password.”
0:11:41.070,0:11:47.480
Now I can already see the N26[br]management board nervous,
0:11:47.480,0:11:52.220
but don’t worry, we didn’t do this.[br]My professor had legal concerns.
0:11:52.220,0:11:57.250
laughter
0:11:57.250,0:12:02.829
Now, that we have the login credentials,[br]we have to wonder: Can we already
0:12:02.829,0:12:08.940
do something with those login credentials?[br]And this brings me to Siri transactions.
0:12:08.940,0:12:13.979
With iOS 10 N26 now supports[br]transactions using Siri. That means
0:12:13.979,0:12:19.200
now you can just say: “Send 5 Euro[br]to Dominik Maier using N26”, then
0:12:19.200,0:12:24.200
the transaction pops up and you can say:[br]“Send it” and afterwards it’s gone.
0:12:24.200,0:12:29.389
The app doesn’t even open.[br]So this already sounds wrong,
0:12:29.389,0:12:33.680
laughter …but you can only[br]do this with the paired device.
0:12:33.680,0:12:39.579
If you use another phone and just[br]log in and try to use Siri with this,
0:12:39.579,0:12:43.500
this dialogue appears and you really[br]have to open the app and have
0:12:43.500,0:12:51.709
to confirm it with the paired phone. As it[br]turns out, this is just a client feature.
0:12:51.709,0:12:53.819
laughter
0:12:53.819,0:12:57.449
This is actually the entire payload[br]you need. It’s just like “5 Euro
0:12:57.449,0:13:02.260
to Dominik Maier”, and there is the phone[br]number. And look at this API endpoint,
0:13:02.260,0:13:07.880
‘/transactions/unverified’.[br]So it turns out
0:13:07.880,0:13:11.939
you don’t need the paired phone[br]to do this type of transaction.
0:13:11.939,0:13:19.839
applause
0:13:19.839,0:13:23.709
Yet another thing that’s interesting[br]is that N26 claims that they have
0:13:23.709,0:13:28.050
some intelligent algorithms[br]to immediately detect irregularities
0:13:28.050,0:13:34.079
and prevent fraud before it even occurs.[br]So we thought: “Challenge accepted!”
0:13:34.079,0:13:38.879
laughter and applause
0:13:38.879,0:13:42.829
And what we actually did,[br]and I think this is pretty irregular,
0:13:42.829,0:13:48.680
we sent 2000 Siri transactions[br]worth 1 Cent within 30 minutes.
0:13:48.680,0:13:51.180
laughter
0:13:51.180,0:13:56.820
Try to speak that fast.[br]Ok.
0:13:56.820,0:14:02.779
And so what happened? Like we waited the[br]next day and the day after nobody actually
0:14:02.779,0:14:07.120
made contact with us, and we thought they[br]would never actually make contact.
0:14:07.120,0:14:10.829
But over three weeks later[br]N26 required Dominik to explain
0:14:10.829,0:14:15.790
the “unusual amount” of transactions.[br]Okay, they even threatened to cancel
0:14:15.790,0:14:20.449
his account. I mean, this is actually…[br]it’s reasonable because it’s a clear misuse
0:14:20.449,0:14:24.489
of the account and it violates[br]the Terms of Service of them.
0:14:24.489,0:14:29.520
But Dominik didn’t send those[br]transactions, he received them!
0:14:29.520,0:14:30.620
laughter
0:14:30.620,0:14:35.240
They contacted the wrong person![br]This is kind of like
0:14:35.240,0:14:38.590
if Gmail cancels your account[br]because you received Spam!
0:14:38.590,0:14:41.509
loud laughter
0:14:41.509,0:14:49.310
applause
0:14:49.310,0:14:53.709
Okay, let’s go back to the account[br]hijacking. And the next thing we need
0:14:53.709,0:14:59.020
to obtain is the transfer code and get[br]the control over the paired phone.
0:14:59.020,0:15:03.480
What we will do: with the transfer code[br]we will try to reset it; and
0:15:03.480,0:15:07.220
the paired phone we have to un-pair.[br]Actually, those processes are
0:15:07.220,0:15:14.060
not as independent as it seems. So[br]I will start right with the paired phone.
0:15:14.060,0:15:17.980
As I told in the beginning, un-pairing is[br]actually a highly-secured process
0:15:17.980,0:15:24.720
and I mean, this is my serious opinion.[br]So let’s look at the process.
0:15:24.720,0:15:29.029
At first, when you want to pair a new[br]phone, like I said, you need to un-pair
0:15:29.029,0:15:33.509
the existing one. Therefore, you open the[br]app, then you click on “Un-pair” and
0:15:33.509,0:15:40.230
afterwards they send a link to your[br]email account. Then, in the e-mail
0:15:40.230,0:15:46.290
you need to follow the un-pairing link.
0:15:46.290,0:15:50.570
In the next step the real un-pairing[br]process starts, where you
0:15:50.570,0:15:55.379
have to enter your transfer code first,[br]then your MasterCard ID. This is something
0:15:55.379,0:16:01.319
that is kind of special for N26, like,[br]every N26 account comes with a MasterCard,
0:16:01.319,0:16:06.760
and they have printed a 10-digit numerical[br]token below your name. I don’t know
0:16:06.760,0:16:09.570
what this actually is, it’s not the PAN,[br]it’s not the credit card number but
0:16:09.570,0:16:14.890
some other sort of token. So you need[br]to have the Mastercard, actually.
0:16:14.890,0:16:19.279
And in the last step they’re going to send[br]an SMS to you with a token, and you have
0:16:19.279,0:16:24.130
to enter it. And only after this process[br]the un-pairing is done.
0:16:24.130,0:16:28.170
So that means we need to have access to[br]the e-mail account. We need to know
0:16:28.170,0:16:31.890
the transfer code. We need to have the[br]Mastercard and we need to own the SIM card
0:16:31.890,0:16:40.869
in order to receive the token.[br]You can’t screw up each of those.
0:16:40.869,0:16:47.760
laughter and applause
0:16:47.760,0:16:52.430
Okay. Let’s go into it. So, the first[br]thing: when you actually click
0:16:52.430,0:16:58.110
on that item in your app where[br]it says “Start un-pairing”
0:16:58.110,0:17:03.379
it sends – this is basically HTTP GET[br]request but you wouldn’t believe
0:17:03.379,0:17:08.949
that they send the link as a response.[br]So – it’s not this plate (?)
0:17:08.949,0:17:13.680
but it’s there. So you don’t need to[br]have access to the e-mail account
0:17:13.680,0:17:17.289
because it’s in the response.[br]laughs
0:17:17.289,0:17:20.119
laughter
0:17:20.119,0:17:25.270
Okay. Next thing. The transfer code[br]– I actually will skip this for the moment
0:17:25.270,0:17:29.789
and we’ll get right back to this. But the[br]next thing is actually the Mastercard ID.
0:17:29.789,0:17:35.870
And this ID is printed on the card,[br]and we don’t have access to that card.
0:17:35.870,0:17:40.790
So what will we do?[br]In the transaction overview
0:17:40.790,0:17:45.340
N26 shows a lot of properties,[br]e.g. the amount, the beneficiary,
0:17:45.340,0:17:49.770
whatever. And it turns out that this…
0:17:49.770,0:17:52.909
laughter and turmoil[br]that they used
0:17:52.909,0:17:57.220
this Mastercard ID, they thought: “Oh,[br]this is actually a nice ID, let’s use it
0:17:57.220,0:18:02.260
as a prefix”. So, again, this is not[br]displayed to the user inside the app
0:18:02.260,0:18:07.960
but it’s clearly there in the API.[br]It’s way too verbose.
0:18:07.960,0:18:14.889
So…[br]applause
0:18:14.889,0:18:19.940
Okay. Whenever…
0:18:19.940,0:18:23.610
the step that I just skipped[br]was this transfer code.
0:18:23.610,0:18:29.000
The transfer code is unknown.[br]But you can reset the transfer code.
0:18:29.000,0:18:32.590
And it is – as it turns out – what you[br]need to reset the transfer code
0:18:32.590,0:18:35.480
is the Mastercard ID.[br]laughs
0:18:35.480,0:18:43.000
laughter and applause
0:18:43.000,0:18:47.320
So you need to enter this Mastercard ID
0:18:47.320,0:18:52.510
that I just told how we will get it[br]and then we just will confirm
0:18:52.510,0:18:57.870
our new transfer code. Think of one,[br]I don’t know. Any code.
0:18:57.870,0:19:01.840
And therefore we don’t need to know the[br]transfer code. Not even the old one
0:19:01.840,0:19:06.660
because it’s not required.[br]The Mastercard ID is sufficient.
0:19:06.660,0:19:11.940
Then. The last step. SMS.[br]The SIM card is inaccessible.
0:19:11.940,0:19:17.450
We don’t have access to that phone. But[br]this is a 5-digit token that they send out
0:19:17.450,0:19:22.659
and it’s only numbers. I mean[br]this is 100,000 possibilities.
0:19:22.659,0:19:28.980
And even though the login procedure, the[br]login form, has a brute-force protection
0:19:28.980,0:19:32.000
this doesn’t have any[br]brute force protection. So…
0:19:32.000,0:19:35.470
laughter
0:19:35.470,0:19:39.920
…the maximum that I could get out of the[br]backend was 160 requests per second!
0:19:39.920,0:19:42.430
laughter
0:19:42.430,0:19:45.760
So this means…[br]laughs
0:19:45.760,0:19:54.630
applause
0:19:54.630,0:20:04.230
So that means that it takes on average[br]approx. 5 minutes to get this token.
0:20:04.230,0:20:09.190
In the end we will just brute-force it[br]and that’s it. Okay. That’s…
0:20:09.190,0:20:11.740
laughter
0:20:11.740,0:20:17.000
Let’s look if this really works.[br]At first we will log in to the app
0:20:17.000,0:20:22.280
just to see that it’s paired. And if it[br]wouldn’t be paired we would know,
0:20:22.280,0:20:27.320
like, see a dialogue[br]that we should pair our phone.
0:20:27.320,0:20:30.960
So now it opens. Great.
0:20:30.960,0:20:36.770
And now we will start our script.
0:20:36.770,0:20:43.460
And N26 claimed that this attack[br]doesn’t scale, just don’t blink!
0:20:43.460,0:20:45.030
exhales sharply
0:20:45.030,0:20:47.240
So those are the login credentials[br]laughter
0:20:47.240,0:20:50.960
…that will do all the fun. And actually,[br]everything already happened, it’s just
0:20:50.960,0:20:55.450
the brute-forcing that now takes place.[br]And I have to admit that I have been
0:20:55.450,0:21:02.559
really lucky this time because[br]we are done now. laughter
0:21:02.559,0:21:07.220
So this is the response, now the SMS[br]numeric token is valid, and the phone
0:21:07.220,0:21:12.100
has been successfully un-paired. Okay,[br]now let’s verify in the app… if this worked
0:21:12.100,0:21:19.800
really? So let’s open it again. Touch-ID[br]expired, so this is actually good.
0:21:19.800,0:21:27.250
That means that something happened.[br]Let’s log in with our password.
0:21:27.250,0:21:31.020
And there it prompts us for pairing[br]the phone. So it worked.
0:21:31.020,0:21:39.860
applause
0:21:39.860,0:21:44.030
Yeah…[br]laughter
0:21:44.030,0:21:50.470
This… even though I said that this attack[br]really scales very well it has a drawback.
0:21:50.470,0:21:54.549
Because three mails are sent out to the[br]user. The first one when you actually
0:21:54.549,0:21:58.470
start the un-pairing, the second one[br]when you reset the transfer PIN and
0:21:58.470,0:22:02.149
the third one when the un-pairing is[br]successful. And the user also receives
0:22:02.149,0:22:08.200
an SMS. But I mean fraud is perfectly[br]possible. But is there a possibility
0:22:08.200,0:22:14.550
to avoid this? Let’s try to call[br]the customer support.
0:22:14.550,0:22:19.850
The customer support is actually the most[br]powerful entity in the N26 security model.
0:22:19.850,0:22:23.460
Because they can even change things[br]you can’t change inside the app.
0:22:23.460,0:22:27.260
E.g. your email address, or name[br]– you cannot change.
0:22:27.260,0:22:32.950
But they can. So let’s talk with them.[br]They can… it turns out they can also
0:22:32.950,0:22:38.370
un-pair phones. So now the question arises.[br]Of course you cannot just call there
0:22:38.370,0:22:42.029
and say: “Hey, my name is Vincent,[br]please un-pair my phone.” Of course they
0:22:42.029,0:22:47.239
are going to authenticate you. And what…[br]loud laughter
0:22:47.239,0:22:53.120
…and what will they ask? They will ask[br]for the Mastercard ID. We know that.
0:22:53.120,0:22:56.410
The current account balance is always[br]available if you have the login credentials.
0:22:56.410,0:23:00.539
Okay. There’s one thing that is[br]still missing. Place of birth.
0:23:00.539,0:23:05.590
It’s always the same.[br]laughter
0:23:05.590,0:23:11.500
It’s, again, you can’t see this information[br]inside the app. It’s just not displayed.
0:23:11.500,0:23:14.340
But it’s there. There’s so much[br]information you can’t think of.
0:23:14.340,0:23:19.780
Really, they know more about me than I do.[br]laughter
0:23:19.780,0:23:23.850
Now that means we have all information[br]available, and we can change any data.
0:23:23.850,0:23:28.230
And the user won’t receive any notice[br]of that. So no email, nothing.
0:23:28.230,0:23:32.390
So we can just un-pair the phone,[br]and later we can pair our own one,
0:23:32.390,0:23:36.460
or… this is perfectly stealth.
0:23:36.460,0:23:42.500
Now actually I heard already: “Ah,[br]I only got 50 Euro on my account,
0:23:42.500,0:23:46.610
why should I care?”
0:23:46.610,0:23:52.020
This is actually a valid argument because[br]many N26 accounts are opened out of
0:23:52.020,0:23:58.559
curiosity, and many are inactive, or not[br]used seriously, that means you only use it
0:23:58.559,0:24:02.590
for travelling or paying things online[br]because of the conditions.
0:24:02.590,0:24:06.919
But you don’t use it as the salary account[br]so there is frequently not so much money
0:24:06.919,0:24:13.740
in it. But as this wants to be the[br]financial hub for all the services
0:24:13.740,0:24:19.850
you of course can also apply for an[br]overdraft. And this is an instant overdraft
0:24:19.850,0:24:25.110
that is granted during two minutes.[br]And it’s between… you have guaranteed
0:24:25.110,0:24:32.100
50 Euro and up to 2000. This requires[br]the paired device. What did we just do?
0:24:32.100,0:24:35.200
We have the paired device.[br]We have the entire account.
0:24:35.200,0:24:39.159
So what do we do?[br]We will just hijack the account
0:24:39.159,0:24:43.559
then we apply for an overdraft,[br]and then we will take all the money
0:24:43.559,0:24:47.350
he has as a balance[br]and as an overdraft.
0:24:47.350,0:24:50.470
So even if you don’t have money[br]on your account and think you’re safe
0:24:50.470,0:24:54.779
you are not.[br]laughs
0:24:54.779,0:25:02.480
Okay. This was quite a bit, something.[br]I want to talk briefly about disclosure
0:25:02.480,0:25:07.030
before I will draw my conclusion.
0:25:07.030,0:25:12.720
I reported all these issues to N26 on[br]September 25. I didn’t establish
0:25:12.720,0:25:16.500
the contact, this was the CCC.[br]Thank you for that.
0:25:16.500,0:25:22.240
I did this because I didn’t know how N26[br]would react to this kind of vulnerability.
0:25:22.240,0:25:26.350
But, actually, there was no reason[br]to think so. Because they acted
0:25:26.350,0:25:31.649
really professionally. And they were[br]actually thankful that I revealed
0:25:31.649,0:25:34.930
these vulnerabilities.
0:25:34.930,0:25:45.490
applause
0:25:45.490,0:25:49.940
Then, afterwards, they started[br]to incrementally fix the issues.
0:25:49.940,0:25:54.519
I don’t know when they fixed the first[br]thing. I didn’t monitor the process.
0:25:54.519,0:25:58.039
But the last fix I know of happened on[br]December 13 when they implemented
0:25:58.039,0:26:02.760
certificate pinning on iOS. And,[br]apparently, I have to say that
0:26:02.760,0:26:10.019
I didn’t check everything. But[br]apparently all issues are resolved.
0:26:10.019,0:26:15.390
But what are the consequences out of[br]this? It is obvious that N26 needs to put
0:26:15.390,0:26:22.789
more emphasis on security. It’s important[br]to notice that this wasn’t a coincidence.
0:26:22.789,0:26:27.730
It simply wasn’t! And N26 needs to[br]understand that it’s not enough to release
0:26:27.730,0:26:31.340
videos with caption “mobile first meets[br]safety first” and to claim that security
0:26:31.340,0:26:39.770
is of paramount importance to them.[br]So PR shouldn’t do your security.
0:26:39.770,0:26:45.360
It’s funny: If you visit the N26 home page[br]you will find out that they currently have
0:26:45.360,0:26:53.200
44 open positions. Not even one[br]is dedicated to security.
0:26:53.200,0:26:56.690
Furthermore, with such a strategy[br]FinTechs squander the trust
0:26:56.690,0:27:01.420
in financial institutions that banks[br]established over years, actually.
0:27:01.420,0:27:06.610
Today you usually trust in your bank[br]that they will deal with your money
0:27:06.610,0:27:11.750
responsibly. And in the end you also[br]need to question authorities. I mean
0:27:11.750,0:27:18.779
it was BaFin that granted a banking[br]license to N26 only six months ago.
0:27:18.779,0:27:26.499
And, really, those vulnerabilities[br]have been in sight for a longer time.
0:27:26.499,0:27:32.190
Okay. I think, like… résumé for this is:
0:27:32.190,0:27:36.409
you shouldn’t say “Works for me”[br]when it’s about security.
0:27:36.409,0:27:38.939
So, thank you!
0:27:38.939,0:27:59.239
applause
0:27:59.239,0:28:05.510
Herald: Thank you Vincent. That was[br]awesome. And also kind of fucking scary.
0:28:05.510,0:28:09.820
We only have a short time for questions.[br]Is there anybody who has a question
0:28:09.820,0:28:18.950
for Vincent?
0:28:18.950,0:28:22.970
No, I guess everybody is out[br]deleting banking apps.
0:28:22.970,0:28:26.760
laughter
0:28:26.760,0:28:31.730
Oh, number 6!
0:28:31.730,0:28:35.800
Question: Quick question.
0:28:35.800,0:28:40.429
Do you know whether they[br]have disallowed those apps
0:28:40.429,0:28:44.370
that have not yet been updated[br]to still manage their bank account?
0:28:44.370,0:28:49.889
So e.g. if someone has a mobile app[br]that has not yet been updated
0:28:49.889,0:28:52.750
to the version that includes certificate[br]pinning would that person
0:28:52.750,0:28:55.100
still be vulnerable to[br]man-in-the-middle attacks?
0:28:55.100,0:28:56.530
Vincent: Yes.
0:28:56.530,0:28:59.640
laughter[br]laughs
0:28:59.640,0:29:03.909
Actually they don’t have so much of an[br]idea which device you are using.
0:29:03.909,0:29:10.970
They don’t even know which is the paired[br]device! This is only a client value.
0:29:10.970,0:29:14.500
Herald: Do two more,[br]it’s a guy here on number 1.
0:29:14.500,0:29:18.429
Question: Thanks for the talk. Did they[br]actually invite you to help them
0:29:18.429,0:29:22.540
or give your talk at N26?[br]Have they been in contact with you?
0:29:22.540,0:29:26.970
Vincent: Yes, we have been in contact and[br]I also visited them and gave a workshop,
0:29:26.970,0:29:29.000
so yeah, they…
0:29:29.000,0:29:32.790
laughter and applause
0:29:32.790,0:29:34.320
Question: Are you serious?
0:29:34.320,0:29:39.439
Vincent: I am serious, yes![br]ongoing applause
0:29:39.439,0:29:42.189
Herald: And we do one last,[br]one here, from number 5, please.
0:29:42.189,0:29:45.120
Question: So during your talk you[br]name-dropped Letsencrypt, and
0:29:45.120,0:29:48.330
you kind of glossed over that bit, about[br]getting them to issue a certificate
0:29:48.330,0:29:53.190
for their API host name.[br]Do you know something I don’t?
0:29:53.190,0:29:55.750
Vincent: Ehm, the question, again?[br]I don’t…
0:29:55.750,0:29:59.530
Question: So you mentioned getting[br]a Letsencrypt certificate to impersonate
0:29:59.530,0:30:02.450
their API host name, because they[br]weren’t using certificate pinning.
0:30:02.450,0:30:04.770
How did you go about doing that?
0:30:04.770,0:30:07.500
Vincent: But I didn’t do.[br]This, like, was a scenario.
0:30:07.500,0:30:15.500
That’s an attack scenario. I didn’t hijack[br]the DNS record, okay, sorry.
0:30:15.500,0:30:16.970
laughs
0:30:16.970,0:30:19.509
Question: Thank you.
0:30:19.509,0:30:22.030
Herald: Alright. Thanks everybody for[br]joining. And get a big round of applause
0:30:22.030,0:30:23.610
here for Vincent!
0:30:23.610,0:30:27.260
applause
0:30:27.260,0:30:32.240
postroll music
0:30:32.240,0:30:50.981
Subtitles created by c3subtitles.de[br]in the year 2017. Join and help us!