Designed to Fail: A USB-Connected Reader for Online Banking

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7617)

Abstract

We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is seriously flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.

The flaw is not due to a simple implementation bug in one of the components (e.g. the device or the software components on the PC). It is a more fundamental design flaw, introduced in assigning responsibilities to the different components and designing the protocols between them.

The system we studied, used by the Dutch bank ABN-AMRO, was developed by the Swedish company Todos AB. This company has since been acquired by Gemalto. ABN-AMRO is one of the three biggest banks in the Netherlands, with 6.8 million customers. Given the popularity of internet banking in the Netherlands, this means that millions of these devices are in the field. The manufacturer claims this device is “the most secure sign-what-you-see end-user device ever seen”; this paper demonstrates this claim to be false.

Keywords

  • Near Field Communication
  • Malicious Code
  • Internet Banking
  • Card Reader
  • Online Banking

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Blom, A., de Koning Gans, G., Poll, E., de Ruiter, J., Verdult, R. (2012). Designed to Fail: A USB-Connected Reader for Online Banking. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_1

  • DOI: https://doi.org/10.1007/978-3-642-34210-3_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34209-7

  • Online ISBN: 978-3-642-34210-3

  • eBook Packages: Computer Science (R0)