Abstract
We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is seriously flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.
The flaw is not due to a simple implementation bug in one of the components (e.g. the device or the software components on the PC). It is a more fundamental design flaw, introduced in assigning responsibilities to the different components and designing the protocols between them.
The system we studied, used by the Dutch bank ABN-AMRO, was developed by the Swedish company Todos AB. This company has since been acquired by Gemalto. ABN-AMRO is one of the three biggest banks in the Netherlands, with 6.8 million customers. Given the popularity of internet banking in the Netherlands, this means that millions of these devices are in the field. The manufacturer claims this device is “the most secure sign-what-you-see end-user device ever seen”; this paper demonstrates this claim to be false.
Keywords
- Near Field Communication
- Malicious Code
- Internet Banking
- Card Reader
- Online Banking
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, access via your institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Aarts, F., Poll, E., de Ruiter, J.: Formal models of bank cards for free. Draft (2012)
Alpár, G., Batina, L., Verdult, R.: Using NFC Phones for Proving Credentials. In: Schmitt, J.B. (ed.) MMB & DFT 2012. LNCS, vol. 7201, pp. 317–330. Springer, Heidelberg (2012)
Barisani, A., Bianco, D., Laurie, A., Franken, Z.: Chip & PIN is definitely broken. Presentation at CanSecWest Applied Security Conference, Vancouver (2011), More info available at http://dev.inversepath.com/download/emv
Bonneau, J., Preibusch, S., Anderson, R.: A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012)
Check-In-Phone – Technology and Security, http://upload.rb.ru/upload/users/files/3374/check-in-phone-technologie_security-english-_2010-08-12_20.05.11.pdf
de Koning Gans, G., de Ruiter, J.: The smartlogic tool: Analysing and testing smart card protocols. In: IEEE Fifth International Conference on Software Testing, Verification, and Validation, pp. 864–871 (2012)
de Ruiter, J., Poll, E.: Formal Analysis of the EMV Protocol Suite. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 113–129. Springer, Heidelberg (2012)
Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)
EMVCo. EMV– Integrated Circuit Card Specifications for Payment Systems, Book 1-4 (2008), http://emvco.com
CEN Workshop Agreement (CWA) 14174: Financial transactional IC card reader (FINREAD) (2004)
Gullberg, P.: Method and device for creating a digital signature. European Patent Application EP 2 166 483 A1, filed September 17, 2008 (March 24, 2010)
Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: Symposium on Security and Privacy, pp. 433–446. IEEE (2010)
Ortiz-Yepes, D.A.: Nfc-cap security assessment. Technical report, IBM Zurich Research Laboratory (2009)
Saleh, Z., Alsmadi, I.: Using RFID to enhance mobile banking security. International Journal of Computer Science and Information Security (IJCSIS) 8(9), 176–182 (2010)
Szikora, J.-P., Teuwen, P.: Banques en ligne: à la découverte d’EMV-CAP. MISC (Multi-System & Internet Security Cookbook) 56, 50–62 (2011)
Tretmans, J.: Model Based Testing with Labelled Transition Systems. In: Hierons, R.M., Bowen, J.P., Harman, M. (eds.) FORTEST. LNCS, vol. 4949, pp. 1–38. Springer, Heidelberg (2008)
Weigold, T., Hiltgen, A.: Secure confirmation of sensitive transaction data in modern internet banking services. In: 2011 World Congress on Internet Security (WorldCIS), pp. 125–132. IEEE (2011)
Weigold, T., Kramp, T., Hermann, R., Höring, F., Buhler, P., Baentsch, M.: The Zurich Trusted Information Channel–an efficient defence against man-in-the-middle and malicious software attacks. In: Trusted Computing-Challenges and Applications, pp. 75–91 (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Blom, A., de Koning Gans, G., Poll, E., de Ruiter, J., Verdult, R. (2012). Designed to Fail: A USB-Connected Reader for Online Banking. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-34210-3_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3
eBook Packages: Computer ScienceComputer Science (R0)
