TV coverage of online banking card-reader vulnerabilities

October 26th, 2009 at 13:13 UTC by Steven J. Murdoch

This evening (Monday 26th October 2009, at 19:30 UTC), BBC Inside Out will show Saar Drimer and me demonstrating how the smart card readers being issued in the UK to authenticate online banking transactions can be circumvented. The programme will be broadcast on BBC One, but only in the East of England and Cambridgeshire; it should also be available on iPlayer.

In this programme, we demonstrate how a tampered Chip & PIN terminal could collect an authentication code for Barclays online banking, while a customer thinks they are buying a sandwich. The criminal could then, at their leisure, use this code and the customer’s membership number to fraudulently transfer up to £10,000.

Similar attacks are possible against all other banks which use these card readers (known as CAP devices) for online banking. We think this type of scenario is particularly practical in targeted attacks, and it circumvents any anti-malware protection; criminals have already been seen using banking trojans to attack CAP on a wide scale.

Further information can be found on the BBC online feature, and our research summary. We have also published an academic paper on the topic, which was presented at Financial Cryptography 2009.

Update (2009-10-27): The full programme is now on BBC iPlayer for the next 6 days, and the segment can also be found on YouTube.

BBC Inside Out, Monday 26th October 2009, 19:30, BBC One (East)

Entry filed under: Academic papers, Banking security, Hardware & signals, News coverage, Security economics

9 comments

  • 1. Daniel Willis  |  October 26th, 2009 at 16:23 UTC

    Steven,

    You may wish to amend the article as the date appears to be incorrect. I’ll be watching this tonight with great interest.

    Regards

    Dan Willis

  • 2. Steven J. Murdoch  |  October 26th, 2009 at 16:46 UTC

    @Daniel

    Oops, now corrected; thanks for pointing this out. The programme airs today, Monday 26th October.

  • 3. Steven J. Murdoch  |  October 27th, 2009 at 02:31 UTC

    The full programme is now on BBC iPlayer for the next 7 days, and a clip is also on YouTube.

  • 4. Matthew Pemble  |  October 27th, 2009 at 14:01 UTC

    Okay, watched the feature – still slightly unsure (it doesn’t help that I don’t bank with Barclays). You can capture the PIN with a modified terminal (fine), you can capture the challenge / response (fine) and you can arrange it that the fixed part of the challenge can be identical to that of an account you own (same account or just last 4 digits the same). The latter, of course, assuming that the SDA chap cycle is identical to the CAP chap cycle.

    So, login? CAP for login with Barclays? Okay – why is the SDA response the same as the CAP response? Major design flaw? Membership number and surname, I’ll grant you.

    Then, once you want to set up the payment mandate, what do you do about the dynamic part of the challenge? Or is this another major design flaw? Replay attacks are a basic part of the security threat model.

    Confused? I am.

  • 5. Matthew Pemble  |  October 27th, 2009 at 14:04 UTC

    Okay, sorry, read the academic paper. No salt. Bad Barclays, naughty Barclays.

  • 6. Steven J. Murdoch  |  October 27th, 2009 at 14:30 UTC

    @Matthew

    I see you worked it out but, for the benefit of other readers, I’ll explain.

    The modified terminal doesn’t capture the PIN, it just impersonates a CAP reader and requests authentication codes from the card. Since the card doesn’t have a display, the customer can’t tell this is what is going on, and thinks it is just a normal point of sale transaction.

    Two codes were requested — one for login (identify mode) and one to do a transfer (sign mode). In neither of these does the bank provide a nonce. That means the response we get is valid until the legitimate customer logs into online banking. The crook can then use these codes to perform a fraudulent transfer.

    We could have done a similar attack against NatWest/RBS, but it would have simply been harder to film. Since NatWest use respond mode, with a four digit nonce, the transaction would need to happen at the same time as the customer uses the tampered terminal.

    To keep the customer comfortable, we wanted her to be present when we accessed her account (she was behind the camera, just out of shot). If we did a real time attack, this would be hard. We’d also need two cameras to keep things honest, and it would be a bit stressful to set everything up to work smoothly.
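
To make the difference between the nonce-less modes (identify, sign) and respond mode concrete, here is a toy model, added as an illustration for readers; it is not the authors' code and not the real EMV-CAP computation. It assumes a code is an HMAC over the mode, a per-card counter and whatever nonce was supplied, and that the bank accepts a code whose counter lies within a fixed window above the last one it has seen. The card key, the window size and the deterministic nonce sequence are constructed values for the example.

```python
import hashlib
import hmac

# Constructed sample card key for the example; a real card's key never leaves the chip.
CARD_KEY = b"\x00\x11\x22\x33\x44\x55\x66\x77" * 2
# Assumption: the bank searches this far ahead of the last counter it accepted.
WINDOW = 50


def _code(key: bytes, mode: str, counter: int, nonce: str) -> str:
    """Toy 8-digit code: HMAC over mode, counter and nonce. Not the real CAP algorithm."""
    msg = f"{mode}|{counter}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Card:
    """The chip: a secret key and a transaction counter that only ever increases."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def code(self, mode: str, nonce: str = "") -> str:
        self.counter += 1
        return _code(self.key, mode, self.counter, nonce)


class Bank:
    """Verifier that knows the card key and the highest counter it has accepted.
    With use_nonce=False the code depends only on mode and counter (identify/sign
    as described above); with use_nonce=True the bank issues a fresh 4-digit
    nonce per login that the code must also cover (respond mode)."""

    def __init__(self, key: bytes, use_nonce: bool):
        self.key = key
        self.use_nonce = use_nonce
        self.last_counter = 0
        self.pending_nonce = ""
        self._nonce_seq = 0

    def challenge(self) -> str:
        # Deterministic nonces keep the example reproducible; use a CSPRNG in practice.
        if self.use_nonce:
            self._nonce_seq += 1
            self.pending_nonce = f"{self._nonce_seq:04d}"
        return self.pending_nonce

    def verify(self, mode: str, code: str) -> bool:
        if self.use_nonce and not self.pending_nonce:
            return False  # no outstanding challenge, nothing to verify against
        for ctr in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            expected = _code(self.key, mode, ctr, self.pending_nonce)
            if hmac.compare_digest(expected, code):
                self.last_counter = ctr      # older counters are now dead
                self.pending_nonce = ""      # a nonce is single use
                return True
        return False


def stale_codes_without_nonce() -> tuple:
    """Identify/sign with no nonce: codes produced by the card earlier are still
    accepted later, and only stop working once the customer produces a newer one."""
    card, bank = Card(CARD_KEY), Bank(CARD_KEY, use_nonce=False)
    login_code = card.code("identify")   # produced some time before the login
    sign_code = card.code("sign")
    later_login_ok = bank.verify("identify", login_code)
    later_sign_ok = bank.verify("sign", sign_code)
    bank.verify("identify", card.code("identify"))   # genuine customer logs in
    old_code_ok_now = bank.verify("identify", login_code)
    return later_login_ok, later_sign_ok, old_code_ok_now


def stale_code_with_nonce() -> tuple:
    """Respond mode: a code bound to any earlier nonce fails against the nonce the
    bank issues at login time; only a code made for the live challenge verifies."""
    card, bank = Card(CARD_KEY), Bank(CARD_KEY, use_nonce=True)
    stale = card.code("respond", nonce="0000")       # bound to some other value
    live_nonce = bank.challenge()                      # bank now expects "0001"
    stale_ok = bank.verify("respond", stale)
    live_ok = bank.verify("respond", card.code("respond", nonce=live_nonce))
    return stale_ok, live_ok


if __name__ == "__main__":
    print("no nonce (later login, later sign, old code after fresh login):",
          stale_codes_without_nonce())
    print("with nonce (stale code, live code):", stale_code_with_nonce())
```

The counter window is what makes the first scenario work for a while and then stop: the bank cannot tell a code it has not seen from a code that was produced hours ago, so anything with a counter above its last-seen value is accepted until the genuine customer moves that value past it. The bank-supplied nonce removes that window entirely, which is the property respond mode buys at the cost of the code having to be produced at login time.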

  • 7. Antonomasia  |  October 27th, 2009 at 23:38 UTC

    You’re all Luddites – this was solved ~25 years ago.
    http://www.atariarchives.org/deli/home_banking.php

    Buy me a sandwich. Buy it yourself – I’ve no cash and only my C&P card on me.
    http://xkcd.com/149/

  • 8. Clive Robinson  |  October 28th, 2009 at 16:12 UTC

    Are any of you going to the Institute of Advanced Legal Studies (IALS) lecture on

    “PINs, ATMs and Liability”

    Given by Stephen Mason (Barrister and Associate Research Fellow) on the 04 November (18:00 – 19:00) at,

    Institute of Advanced Legal Studies
    Charles Clore House
    17 Russell Square
    London WC1B 5DR.

    It’s free, to register go to,

    http://www.sas.ac.uk/events/view/6706

    I might see you there.

  • 9. Bernard Dresner  |  February 12th, 2010 at 15:57 UTC

    Have you also found anything about SAFECART or PAYPAL ?
