Designed to Fail: A USB-Connected Reader for Online Banking
We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is seriously flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.
The flaw is not due to a simple implementation bug in one of the components (e.g. the device or the software components on the PC). It is a more fundamental design flaw, introduced in assigning responsibilities to the different components and designing the protocols between them.
The system we studied, used by the Dutch bank ABN-AMRO, was developed by the Swedish company Todos AB. This company has since been acquired by Gemalto. ABN-AMRO is one of the three biggest banks in the Netherlands, with 6.8 million customers. Given the popularity of internet banking in the Netherlands, this means that millions of these devices are in the field. The manufacturer claims this device is “the most secure sign-what-you-see end-user device ever seen”; this paper demonstrates this claim to be false.
Unable to display preview. Download preview PDF.
- 1.Aarts, F., Poll, E., de Ruiter, J.: Formal models of bank cards for free. Draft (2012)Google Scholar
- 3.Barisani, A., Bianco, D., Laurie, A., Franken, Z.: Chip & PIN is definitely broken. Presentation at CanSecWest Applied Security Conference, Vancouver (2011), More info available at http://dev.inversepath.com/download/emv
- 5.Check-In-Phone – Technology and Security, http://upload.rb.ru/upload/users/files/3374/check-in-phone-technologie_security-english-_2010-08-12_20.05.11.pdf
- 6.de Koning Gans, G., de Ruiter, J.: The smartlogic tool: Analysing and testing smart card protocols. In: IEEE Fifth International Conference on Software Testing, Verification, and Validation, pp. 864–871 (2012)Google Scholar
- 9.EMVCo. EMV– Integrated Circuit Card Specifications for Payment Systems, Book 1-4 (2008), http://emvco.com
- 10.CEN Workshop Agreement (CWA) 14174: Financial transactional IC card reader (FINREAD) (2004)Google Scholar
- 11.Gullberg, P.: Method and device for creating a digital signature. European Patent Application EP 2 166 483 A1, filed September 17, 2008 (March 24, 2010)Google Scholar
- 12.Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: Symposium on Security and Privacy, pp. 433–446. IEEE (2010)Google Scholar
- 13.Ortiz-Yepes, D.A.: Nfc-cap security assessment. Technical report, IBM Zurich Research Laboratory (2009)Google Scholar
- 14.Saleh, Z., Alsmadi, I.: Using RFID to enhance mobile banking security. International Journal of Computer Science and Information Security (IJCSIS) 8(9), 176–182 (2010)Google Scholar
- 15.Szikora, J.-P., Teuwen, P.: Banques en ligne: à la découverte d’EMV-CAP. MISC (Multi-System & Internet Security Cookbook) 56, 50–62 (2011)Google Scholar
- 17.Weigold, T., Hiltgen, A.: Secure confirmation of sensitive transaction data in modern internet banking services. In: 2011 World Congress on Internet Security (WorldCIS), pp. 125–132. IEEE (2011)Google Scholar
- 18.Weigold, T., Kramp, T., Hermann, R., Höring, F., Buhler, P., Baentsch, M.: The Zurich Trusted Information Channel–an efficient defence against man-in-the-middle and malicious software attacks. In: Trusted Computing-Challenges and Applications, pp. 75–91 (2008)Google Scholar