Designed to Fail: A USB-Connected Reader for Online Banking

  • Arjan Blom
  • Gerhard de Koning Gans
  • Erik Poll
  • Joeri de Ruiter
  • Roel Verdult
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7617)


We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is seriously flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.

The flaw is not due to a simple implementation bug in one of the components (e.g. the device or the software components on the PC). It is a more fundamental design flaw, introduced in assigning responsibilities to the different components and designing the protocols between them.

The system we studied, used by the Dutch bank ABN-AMRO, was developed by the Swedish company Todos AB. This company has since been acquired by Gemalto. ABN-AMRO is one of the three biggest banks in the Netherlands, with 6.8 million customers. Given the popularity of internet banking in the Netherlands, this means that millions of these devices are in the field. The manufacturer claims this device is “the most secure sign-what-you-see end-user device ever seen”; this paper demonstrates this claim to be false.


Near Field Communication Malicious Code Internet Banking Card Reader Online Banking 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aarts, F., Poll, E., de Ruiter, J.: Formal models of bank cards for free. Draft (2012)Google Scholar
  2. 2.
    Alpár, G., Batina, L., Verdult, R.: Using NFC Phones for Proving Credentials. In: Schmitt, J.B. (ed.) MMB & DFT 2012. LNCS, vol. 7201, pp. 317–330. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Barisani, A., Bianco, D., Laurie, A., Franken, Z.: Chip & PIN is definitely broken. Presentation at CanSecWest Applied Security Conference, Vancouver (2011), More info available at
  4. 4.
    Bonneau, J., Preibusch, S., Anderson, R.: A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
  6. 6.
    de Koning Gans, G., de Ruiter, J.: The smartlogic tool: Analysing and testing smart card protocols. In: IEEE Fifth International Conference on Software Testing, Verification, and Validation, pp. 864–871 (2012)Google Scholar
  7. 7.
    de Ruiter, J., Poll, E.: Formal Analysis of the EMV Protocol Suite. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 113–129. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    EMVCo. EMV– Integrated Circuit Card Specifications for Payment Systems, Book 1-4 (2008),
  10. 10.
    CEN Workshop Agreement (CWA) 14174: Financial transactional IC card reader (FINREAD) (2004)Google Scholar
  11. 11.
    Gullberg, P.: Method and device for creating a digital signature. European Patent Application EP 2 166 483 A1, filed September 17, 2008 (March 24, 2010)Google Scholar
  12. 12.
    Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: Symposium on Security and Privacy, pp. 433–446. IEEE (2010)Google Scholar
  13. 13.
    Ortiz-Yepes, D.A.: Nfc-cap security assessment. Technical report, IBM Zurich Research Laboratory (2009)Google Scholar
  14. 14.
    Saleh, Z., Alsmadi, I.: Using RFID to enhance mobile banking security. International Journal of Computer Science and Information Security (IJCSIS) 8(9), 176–182 (2010)Google Scholar
  15. 15.
    Szikora, J.-P., Teuwen, P.: Banques en ligne: à la découverte d’EMV-CAP. MISC (Multi-System & Internet Security Cookbook) 56, 50–62 (2011)Google Scholar
  16. 16.
    Tretmans, J.: Model Based Testing with Labelled Transition Systems. In: Hierons, R.M., Bowen, J.P., Harman, M. (eds.) FORTEST. LNCS, vol. 4949, pp. 1–38. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Weigold, T., Hiltgen, A.: Secure confirmation of sensitive transaction data in modern internet banking services. In: 2011 World Congress on Internet Security (WorldCIS), pp. 125–132. IEEE (2011)Google Scholar
  18. 18.
    Weigold, T., Kramp, T., Hermann, R., Höring, F., Buhler, P., Baentsch, M.: The Zurich Trusted Information Channel–an efficient defence against man-in-the-middle and malicious software attacks. In: Trusted Computing-Challenges and Applications, pp. 75–91 (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Arjan Blom
    • 1
  • Gerhard de Koning Gans
    • 2
  • Erik Poll
    • 2
  • Joeri de Ruiter
    • 2
  • Roel Verdult
    • 2
  1. 1.FlatstonesThe Netherlands
  2. 2.Institute for Computing and Information Sciences, Digital Security GroupRadboud UniversityNijmegenThe Netherlands

Personalised recommendations