Short Paper: How to Attack PSD2 Internet Banking

  • Vincent HaupertEmail author
  • Stephan Gabert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)


Internet banking security is set to take a major step forward: On September 14, 2019, the Regulatory Technical Standards of the Revised Payment Service Directive (PSD2) are going to be effective within the European Union and the European Economic Area. This regulation makes two widely demanded transaction security properties mandatory: two-factor authentication, and the dynamic linking of the authentication code to the transaction’s beneficiary and amount (full transaction authentication). Even though the regulation is undoubtedly a positive development from a security perspective, it does not account for all the technical and human weak points involved in the transaction process. In this paper, we look at a series of attacks targeting online and mobile banking that are possible even in a post-PSD2 era. Despite the regulatory motivation of this work, the presented issues and suggestions to address them are likely to be universal for internet banking in general.


Online banking PSD2 RTS SCA Attacks 


  1. 1.
    Adham, M., Azodi, A., Desmedt, Y., Karaolis, I.: How to attack two-factor authentication internet banking. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 322–328. Springer, Heidelberg (2013). Scholar
  2. 2.
    Bankenverband/GfK: Online-Banking in Deutschland (2018).
  3. 3.
    Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S.P., Anderson, R.J.: Chip and skim: cloning EMV cards with the pre-play attack. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, pp. 49–64, 18–21 May 2014.
  4. 4.
    Dhamija, R., Tygar, J.D., Hearst, M.A.: Why phishing works. In: Proceedings of the 2006 Conference on Human Factors in Computing Systems, CHI 2006, Montréal, Québec, Canada, pp. 581–590, 22–27 April 2006.
  5. 5.
    Dmitrienko, A., Liebchen, C., Rossow, C., Sadeghi, A.-R.: On the (in)security of mobile two-factor authentication. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 365–383. Springer, Heidelberg (2014). Scholar
  6. 6.
    Dutch Payments Association: Dutch banks introduce innovative IBAN-Name Check (2017).
  7. 7.
    Etaher, N., Weir, G.R.S., Alazab, M.: From ZeuS to zitmo: Trends in banking malware. In: 2015 IEEE TrustCom/BigDataSE/ISPA, Helsinki, Finland, vol. 1, pp. 1386–1391, 20–22 August 2015.
  8. 8.
    European Commission: Commission delegated regulation (EU) 2018/389 supplementing directive (EU) 2015/2366 of the European parliament and of the council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2018).
  9. 9.
    European Commission: Internet banking on the rise (2018).
  10. 10.
    European Union Agency for Network and Information Security: Flash note: EU cyber security agency ENISA; “high roller” online bank robberies reveal security gaps (2012).
  11. 11.
    Fahl, S., Harbach, M., Oltrogge, M., Muders, T., Smith, M.: Hey, you, get off of my clipboard. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 144–161. Springer, Heidelberg (2013). Scholar
  12. 12.
    Ferradi, H., Géraud, R., Naccache, D., Tria, A.: When organized crime applies academic results: a forensic analysis of an in-card listening device. J. Cryptogr. Eng. 6(1), 49–59 (2016). Scholar
  13. 13.
    Haupert, V., Maier, D., Müller, T.: Paying the price for disruption: how a fintech allowed account takeover. In: Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, pp. 7:1–7:10. ROOTS, ACM, New York (2017).
  14. 14.
    Haupert, V., Maier, D., Schneider, N., Kirsch, J., Müller, T.: Honey, i shrunk your app security: the state of android app hardening. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 69–91. Springer, Cham (2018). Scholar
  15. 15.
    Konoth, R.K., van der Veen, V., Bos, H.: How anywhere computing just killed your phone-based two-factor authentication. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 405–421. Springer, Heidelberg (2017). Scholar
  16. 16.
    Miller, C.: Here’s how iOS 12’s new security code auto-fill feature works (2018).
  17. 17.
    Mulliner, C., Borgaonkar, R., Stewin, P., Seifert, J.-P.: SMS-based one-time passwords: attacks and defense. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 150–159. Springer, Heidelberg (2013). Scholar
  18. 18.
    Mulliner, C., Golde, N., Seifert, J.: SMS of death: from analyzing to attacking mobile phones on a large scale. In: Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, 8–12 August 2011.
  19. 19.
    Murdoch, S.J., et al.: Are payment card contracts unfair? (short paper). In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 600–608. Springer, Heidelberg (2017). Scholar
  20. 20.
    Murdoch, S.J., Drimer, S., Anderson, R.J., Bond, M.: Chip and PIN is broken. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berleley/Oakland, California, USA, pp. 433–446, 16–19 May 2010.
  21. 21.
    Rao, S.P., Kotte, B.T., Holtmanns, S.: Privacy in LTE networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016, Xi’an, China, pp. 176–183, 18–20 June 2016.
  22. 22.
    Rupprecht, D., Kohls, K., Holz, T., Pöpper, C.: Breaking LTE on layer two. In: IEEE Symposium on Security & Privacy (SP). IEEE, May 2019Google Scholar
  23. 23.
    Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), Oakland, California, USA, pp. 51–65, 20–23 May 2007.
  24. 24.
    Schneier, B.: Stop trying to fix the user. IEEE Secur. Priv. 14(5), 96 (2016)CrossRefGoogle Scholar
  25. 25.
    Watson, B., Zheng, J.: On the user awareness of mobile security recommendations. In: Proceedings of the 2017 ACM Southeast Regional Conference, Kennesaw, GA, USA, pp. 120–127, 13–15 April 2017.
  26. 26.
    Zhang, X., Du, W.: Attacks on android clipboard. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 72–91. Springer, Cham (2014). Scholar

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. 1.Friedrich-Alexander University Erlangen-Nürnberg (FAU)ErlangenGermany

Personalised recommendations