Typical Vulnerabilities of E-Banking Systems

Sergey Scherbel, Dmitry Evteev, Eugenie Potseluevskaya (Positive Technologies)
Future Now
Vulnerabilities of Remote Banking, as Exemplified by PHDays I-Bank


PHDays I-Bank IS NOT a real remote banking system actually used by any bank.

- The system was developed specially for PHDays 2012.
- PHDays I-Bank contains vulnerabilities typical of real remote banking systems.
- Some of these vulnerabilities are found far too often.
Identification

Predictable user identifiers are far more dangerous than they may seem!

A PHDays I-Bank identifier consists of digits only, just like most identifiers in real remote banking systems.

Examples of identifiers: 1000001, 1000002, ...

What's wrong with that? We'll explain a bit later.
Password Policy

Weak password policy: a problem of all times!

- The default password is strong, but the user can change it to a weak one, even one consisting of a single character!
- The only thing that gets checked is the password length, so we're certain to find something like 1234567 or 12345678.
- Checking against a regular expression does not help against dictionary passwords, for example P@ssw0rd.
Brute Force?

Brute force against Internet banking? What about security?

Types of protection from brute-force attacks:

- Locking accounts
- Locking IP addresses
- Using CAPTCHA
Locking is not the answer!

It's easy to bypass these protection mechanisms.

An account or IP address gets locked after a number of failed authentication attempts (usually 3 or 5). Combine that with:

- Predictable and weak identifiers
- Weak password policy
- ???????
- Profit!!!!111
Locking is not the answer!

1. Collect identifiers: 1000001, 1000002, 1000003, ...
2. Choose 1 or 2 passwords.
3. Match identifiers against the passwords, not passwords against identifiers. Result:

   1001421:12345678
   1002236:12345678
   1002313:12345678
   ...
Locking leads to Denial of Service!

After a few failed authentication attempts, the account gets locked.

- You can attack a target user.
- If you know all the identifiers, you can conduct a large-scale DoS attack.

As a rule, to unlock the account, users have to contact a bank office. Someone's day might be ruined.
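The two slides above make one point from two sides: a per-account failure counter neither stops the reverse brute force nor is safe to have. The following is an added example, not code from the PHDays deck: it models the lockout policy the slides describe (an account locks after 3 failed attempts), runs the identifier-first attack, runs the lockout DoS, and shows the source-based rule that does catch the attack. The user table, the weak passwords, the identifier range and the source address are constructed for the demo.

```python
"""Why per-account lockout does not stop a reverse brute force.

Added example for the two slides above; it is not code from the PHDays deck.
It models the lockout policy the slides describe (account locked after 3
failed attempts) and runs the attack the slides draw: walk sequential
identifiers, try one or two passwords each. The user table, passwords and
source address are constructed for the demo.
"""
from collections import defaultdict

LOCK_AFTER = 3  # failed attempts before an account is locked (slides: 3 or 5)


class IBank:
    """Toy authentication backend with per-account lockout."""

    def __init__(self, users):
        self.users = users                 # identifier -> password
        self.failures = defaultdict(int)   # identifier -> consecutive failures
        self.locked = set()

    def login(self, ident, password):
        """Return 'ok', 'locked' or 'fail'."""
        if ident in self.locked:
            return "locked"
        if self.users.get(ident) == password:
            self.failures[ident] = 0
            return "ok"
        self.failures[ident] += 1
        if self.failures[ident] >= LOCK_AFTER:
            self.locked.add(ident)
        return "fail"


def reverse_bruteforce(bank, first_id, count, passwords, src="203.0.113.5"):
    """Slide technique: match identifiers against a couple of passwords, not
    passwords against identifiers. Each account sees len(passwords) attempts,
    below LOCK_AFTER, so the lockout never fires. Returns (hits, attempt log)."""
    assert len(passwords) < LOCK_AFTER
    hits, log = [], []
    for ident in range(first_id, first_id + count):
        for pw in passwords:
            result = bank.login(str(ident), pw)
            log.append((src, str(ident), result))
            if result == "ok":
                hits.append((str(ident), pw))
                break
    return hits, log


def lockout_dos(bank, first_id, count):
    """Slide technique: the same policy lets anyone lock every account by
    sending LOCK_AFTER junk passwords per identifier."""
    for ident in range(first_id, first_id + count):
        for _ in range(LOCK_AFTER):
            bank.login(str(ident), "definitely-wrong")
    return sorted(bank.locked)


def spray_alert(log, max_distinct=20):
    """Detection a per-account counter cannot do: count distinct identifiers
    with failed logins per source. log holds (source, identifier, result)."""
    per_source = defaultdict(set)
    for src, ident, result in log:
        if result != "ok":
            per_source[src].add(ident)
    return {src for src, ids in per_source.items() if len(ids) >= max_distinct}


def demo():
    # constructed user table: sequential ids, three of them with weak passwords
    users = {str(1000000 + i): "Str0ng!pw%d" % i for i in range(1, 101)}
    users["1000017"] = "12345678"
    users["1000042"] = "1234567"
    users["1000077"] = "12345678"

    bank = IBank(users)
    hits, log = reverse_bruteforce(bank, 1000001, 100, ["12345678", "1234567"])
    flagged = spray_alert(log)             # source-based rule fires anyway

    locked = lockout_dos(IBank(users), 1000001, 100)
    return hits, bool(bank.locked), flagged, locked


if __name__ == "__main__":
    print(demo())
```

The attacker's 200 requests lock nothing, while a hundred accounts can be locked by anyone with the same identifier list; the only signal that survives is "many distinct identifiers failing from one source", which has to be computed per source (or per session, device fingerprint and so on), never per account.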
Locking IP Addresses

Locking an IP address is no more prudent.

- Most companies put all their employees behind the same external IP address (NAT).
- Numerous authentication attempts from that address can be treated as a brute-force attempt, thus leading to the IP address being locked, and every employee behind it with it.
CAPTCHA Problems

- The same value can be sent repeatedly.
- The value is sent in a hidden field of the HTML form.
- An empty value is accepted.
- Insufficient validation: any value passes if its length is appropriate or it contains certain characters.
- CAPTCHA is not checked for requests with certain headers.
CAPTCHA Problem in PHDays I-Bank

The value is sent in a hidden field of the HTML form:

public function encodeCaptchaCode($code) {
    return @base64_encode(@strrev(@base64_encode($code)));
}

This is encoding, not encryption: there is no key and no time-varying value, so turning the field back into the code is a piece of cake:

PUlUTndVVE0= -> =ITNwUTM -> MTUwNTI= -> 15052
CAPTCHA Problem in PHDays I-Bank

Besides, one and the same value can be sent repeatedly.

So, you can conduct a brute-force attack on the account!
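The two CAPTCHA slides above describe a decodable hidden field and a value that can be replayed. The following is an added example, not code from the PHDays deck. `decode_captcha_field()` is a direct port of the deck's `encodeCaptchaCode()` run backwards; `make_token()` / `check_token()` are this example's own design for what a stateless CAPTCHA token needs instead: an HMAC bound to the answer, an expiry and a nonce that is burned on first use. The server secret and the sample values are constructed.

```python
"""Decoding the PHDays I-Bank CAPTCHA hidden field, and a token that cannot
be decoded or replayed.

Added example, not code from the slides. decode_captcha_field() undoes
encodeCaptchaCode(): base64(strrev(base64(code))). The hardened variant is
this example's own design. SECRET and the sample field value are constructed.
"""
import base64
import hashlib
import hmac
import os
import time

SECRET = b"demo-server-secret-do-not-reuse"   # constructed for the example


def encode_captcha_field(code):
    """Port of encodeCaptchaCode(): base64(strrev(base64(code)))."""
    inner = base64.b64encode(code.encode()).decode()
    return base64.b64encode(inner[::-1].encode()).decode()


def decode_captcha_field(field):
    """Undo it: base64-decode, reverse, base64-decode. No key and no time
    component, so anyone holding the HTML form can read the answer."""
    inner = base64.b64decode(field).decode()
    return base64.b64decode(inner[::-1]).decode()


# --- hardened: MAC-bound, expiring, single-use token ------------------------

_used_nonces = set()   # server-side replay list (a DB table or cache in practice)


def make_token(code, ttl=300, now=None):
    """Token carries nonce and expiry in the clear; the answer goes into the
    MAC key, so the token reveals nothing about it."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex()
    expiry = str(now + ttl)
    msg = f"{nonce}:{expiry}".encode()
    mac = hmac.new(SECRET + code.encode(), msg, hashlib.sha256).hexdigest()
    return f"{nonce}:{expiry}:{mac}"


def check_token(token, answer, now=None):
    """True once per token, only before expiry, only for the right answer."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expiry, mac = token.split(":")
        expiry = int(expiry)
    except ValueError:
        return False
    if expiry < now or nonce in _used_nonces:
        return False
    expected = hmac.new(SECRET + answer.encode(), f"{nonce}:{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    _used_nonces.add(nonce)      # burn it: the same value cannot be sent again
    return True


if __name__ == "__main__":
    print(decode_captcha_field("PUlUTndVVE0="))   # the slide's example value
```

The slide's value round-trips exactly (`PUlUTndVVE0=` decodes to `15052`). With the hardened token, the three slide problems go away together: the field no longer contains the answer, an expired token is refused, and a nonce can be spent only once, so the brute-force loop can no longer reuse one solved CAPTCHA.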
Password Recovery

Almost every web application provides a password recovery function. PHDays I-Bank is no exception.
Password Recovery: Problems

If password recovery requires an identifier rather than an email address, we can enumerate all identifiers used in the system.
Password Recovery: Problems

- Some I-Bank users could recover their passwords via a web form.
- For others, the rules provided only one way to recover: contact a bank office.

'Please contact any office of the PHDays bank for password recovery'
Password Recovery: Problems

The key required for password recovery is generated with weak entropy:

private function addDataInTable($login) {
    // rand(1, 250) gives only 250 possible keys for a given login
    $key = md5($login.rand(1, 250));
    ...
}

To guess the key, one needs to go through only 250 values! Then a new password will be created.
Weak Entropy of Session Identifier

If a session uses its own mechanisms, the reliability of the identifiers is crucial.

In PHDays I-Bank, session identifiers are generated according to a special algorithm:

private function getSpecialHash($password) {
    // unsigned crc32 of the password, as a decimal string
    $hash = sprintf("%u", crc32($password));
    // keep only the first four characters
    if(strlen($hash) > 4) {
        $hash = substr($hash, 0, 4);
    }
    ...
}
Weak Entropy of Session Identifier

- The session identifier consists of only 4 characters.
- All characters are digits, which reduces the entropy further.
- The session identifier is static. It changes only if the user changes his/her password.

The resulting cookie looks like this:

Cookie: auth=1000001|2|3016
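The recovery-key slide and the session-identifier slides above describe two generators whose output space is small enough to walk. The following is an added example, not code from the PHDays deck, that ports both and enumerates them. `recovery_key()` reproduces `md5($login.rand(1, 250))` (PHP's `rand()` bounds are inclusive, so 250 keys per login); `special_hash()` reproduces `getSpecialHash()`, i.e. `sprintf("%u", crc32($password))` cut to four characters (PHP's `crc32()` uses the same polynomial as `zlib.crc32`, and `& 0xffffffff` reproduces the `%u` formatting). The cookie layout `auth=<identifier>|<field>|<hash>` is taken from the slide; the middle field is not explained there and is passed through unchanged. The two `*_secure()` generators are this example's own replacements. The login, the password and the simulated server are constructed.

```python
"""Two weak-entropy generators from PHDays I-Bank, ported and enumerated.

Added example, not code from the slides. Login, password and the simulated
server are constructed; the *_secure() functions are this example's own.
"""
import hashlib
import random
import secrets
import zlib

# --- password recovery key ---------------------------------------------------

def recovery_key(login, rnd):
    """One concrete outcome of md5($login.rand(1, 250))."""
    assert 1 <= rnd <= 250
    return hashlib.md5(f"{login}{rnd}".encode()).hexdigest()


def crack_recovery_key(login, key_is_valid):
    """key_is_valid(key) stands in for requesting the recovery URL. At most
    250 requests per login, whatever the login is. Returns (key, attempts)."""
    for attempts in range(1, 251):
        key = recovery_key(login, attempts)
        if key_is_valid(key):
            return key, attempts
    return None, 250


def recovery_key_secure():
    return secrets.token_urlsafe(32)        # 256 bits, unrelated to the login

# --- session identifier ------------------------------------------------------

def special_hash(password):
    """Port of getSpecialHash(): decimal unsigned crc32, first four chars.
    Deterministic, so the id only changes when the password does."""
    h = str(zlib.crc32(password.encode()) & 0xFFFFFFFF)
    return h[:4] if len(h) > 4 else h


def auth_cookie(identifier, middle, password):
    return f"auth={identifier}|{middle}|{special_hash(password)}"


def crack_session(identifier, middle, cookie_is_valid):
    """Without the password the hash is still a decimal of at most 4 digits:
    10,000 candidates cover every possible cookie for the identifier."""
    for n in range(10_000):
        candidate = f"auth={identifier}|{middle}|{n}"
        if cookie_is_valid(candidate):
            return candidate, n + 1
    return None, 10_000


def session_id_secure():
    return secrets.token_hex(16)            # 128 bits; rotate on every login


def demo(login="1000001", password="P@ssw0rd", seed=7):
    rng = random.Random(seed)               # constructed server: picks rand(1,250)
    issued_key = recovery_key(login, rng.randint(1, 250))
    real_cookie = auth_cookie(login, "2", password)
    key, key_tries = crack_recovery_key(login, lambda k: k == issued_key)
    cookie, cookie_tries = crack_session(login, "2", lambda c: c == real_cookie)
    return {"key_cracked": key == issued_key, "key_tries": key_tries,
            "cookie_cracked": cookie == real_cookie, "cookie_tries": cookie_tries}


if __name__ == "__main__":
    print(demo())
```

Both searches are bounded by the generator, not by the attacker's effort: 250 guesses per login for the recovery key, 10,000 per identifier for the cookie, and since the session id is static the cookie stays valid until the victim changes the password. A random 128- or 256-bit value from the OS CSPRNG, tied to nothing the user controls and rotated on login, is the whole fix.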
Problems with Privilege Isolation

While the possibility of transferring money from other users' accounts is extremely rare, access to other users' data can still be found:

- Some systems allow sending messages to the support service on behalf of any user.
- Others allow editing other users' payment templates.

Such vulnerabilities were not built into PHDays I-Bank.
One-Time Password

One-time passwords are used to protect systems from unauthorized activities (transactions, password change, editing personal data).

- An OTP can be requested either after the initial authentication (login and password),
- or before each new transaction (or other action).
One-Time Password in PHDays I-Bank

PHDays I-Bank had 2 types of OTP:

- Emulation of an external device, implemented as the TransactionA class in the code
- OTP on scratch cards, implemented as the TransactionB class in the code
One-Time Password, Problems

- OTP is not requested for transfers of small amounts (for example, up to $100)
- One and the same OTP can be sent repeatedly
- OTP can be predicted
- Some users disable OTP validation (in PHDays I-Bank, transactions without OTP were carried out in TransactionC)
- The user can skip OTP validation and perform the transaction straight away
One-Time Password, TransactionA

- The OTP cannot be predicted.
- However, the OTP validation step can be skipped to perform the transaction straight away!

Change step3 to step4 in the request.

Profit!!11

The transaction is successfully completed: a simple bypass of an otherwise reliable protection.
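The TransactionA slides say only that sending step4 in place of step3 completed the transfer, which is the signature of a multi-step flow that dispatches on whatever step the client names. The following is an added example, not code from the PHDays deck, and its class names are its own, not the deck's TransactionA: the vulnerable handler reproduces the step-skip, the hardened one keeps the position in the workflow server-side and refuses anything out of order. Recipient, amount and OTP value are constructed.

```python
"""Skipping the OTP step: client-named step vs server-tracked state.

Added example, not code from the slides; class names are this example's own.
Recipient, amount and OTP value are constructed.
"""


class VulnerableTransfer:
    """Every step is a separate request and the server trusts the step name."""

    def __init__(self, otp):
        self.otp, self.data, self.done = otp, {}, False

    def handle(self, step, params):
        if step == "step1":               # recipient and amount
            self.data = dict(params)
            return "ask_confirm"
        if step == "step2":               # summary screen
            return "ask_otp"
        if step == "step3":               # OTP check
            return "ask_execute" if params.get("otp") == self.otp else "bad_otp"
        if step == "step4":               # execute: never asks whether step3 ran
            self.done = True
            return "completed"
        return "unknown_step"


class HardenedTransfer:
    """The server owns the workflow: only the next step is accepted, and the
    OTP result is recorded server-side before execution becomes reachable."""

    ORDER = ("step1", "step2", "step3", "step4")

    def __init__(self, otp):
        self.otp, self.data, self.done = otp, {}, False
        self.position = 0                 # index of the step expected next
        self.otp_verified = False

    def handle(self, step, params):
        if self.position >= len(self.ORDER) or step != self.ORDER[self.position]:
            return "out_of_order"
        if step == "step1":
            self.data = dict(params)
        elif step == "step3":
            if params.get("otp") != self.otp:
                return "bad_otp"          # position does not advance
            self.otp_verified = True
        elif step == "step4":
            if not self.otp_verified:     # defence in depth; ORDER already forbids this
                return "otp_required"
            self.done = True
        self.position += 1
        return "completed" if self.done else "ok"


def bypass_attempt(transfer):
    """The slide's attack: step1, step2, then step4 instead of step3."""
    transfer.handle("step1", {"to": "1000042", "amount": 100})
    transfer.handle("step2", {})
    transfer.handle("step4", {})
    return transfer.done


def legitimate_flow(transfer, otp):
    for step, params in (("step1", {"to": "1000042", "amount": 100}),
                         ("step2", {}), ("step3", {"otp": otp}), ("step4", {})):
        transfer.handle(step, params)
    return transfer.done


if __name__ == "__main__":
    print(bypass_attempt(VulnerableTransfer("482913")),
          bypass_attempt(HardenedTransfer("482913")))
```

The rule the hardened class implements is the general one: the request may name a step, but the server decides whether that step is the next legal one, and the fact "OTP verified" is state the server recorded, never something inferred from the client having reached the execute step.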
One-Time Password, TransactionB

Algorithm of OTP generation:

protected function generateOTP() {
    $OTPs = array();
    $s = 44553 + $this->userInfo["id"];   // depends only on the user's number
    for($n = 10; $n < 24; $n++) {         // generating 14 OTPs
        $OTP = "";
        $j = rand(20,39);                 // after taking its first digit,
        $j = substr($j, 0, 1);            // $j can only be 2 or 3
        $OTP = $n*$s*$j;
        $OTP = substr($OTP, 0, 5);        // OTP consists of 5 characters
        $OTPs[] = $OTP;
    }
    return $OTPs;
}
One-Time Password, TransactionB

For a given user, each of the 14 OTPs can take on only 2 values.
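The following is an added example, not code from the PHDays deck, that ports `generateOTP()` from the slide above and then takes the attacker's side. `generate_otps()` reproduces the generator, including the `substr(rand(20,39), 0, 1)` quirk that collapses the only random input to 2 or 3; `predict_otps()` needs nothing but the victim's numeric id and yields both candidates for each of the 14 card positions. The user id is constructed.

```python
"""Enumerating the TransactionB scratch-card OTPs.

Added example, not code from the slides. The user id is constructed.
"""
import random


def _php_otp(n, s, j):
    # $OTP = $n*$s*$j; substr($OTP, 0, 5): PHP stringifies the int, then cuts
    return str(n * s * j)[:5]


def generate_otps(user_id, rng=random):
    """Port of generateOTP(): 14 OTPs for card positions n = 10..23."""
    s = 44553 + user_id                    # depends only on the user's number
    otps = []
    for n in range(10, 24):
        j = rng.randint(20, 39)            # PHP rand(20, 39), bounds inclusive
        j = int(str(j)[0])                 # substr($j, 0, 1): '2' or '3'
        otps.append(_php_otp(n, s, j))
    return otps


def predict_otps(user_id):
    """Attacker: for every position, the only two OTPs the card can hold."""
    s = 44553 + user_id
    return [{_php_otp(n, s, 2), _php_otp(n, s, 3)} for n in range(10, 24)]


def guesses_needed(user_id, card):
    """Worst case over all positions of a real card: tries until the right
    candidate is hit, so 2 at most."""
    worst = 0
    for pos, real in enumerate(card):
        candidates = sorted(predict_otps(user_id)[pos])
        worst = max(worst, candidates.index(real) + 1)
    return worst


if __name__ == "__main__":
    card = generate_otps(1)
    print(card, guesses_needed(1, card))
```

Combined with the "same OTP can be sent repeatedly" problem from the earlier slide, two attempts per transaction is all an attacker needs; a scratch card only helps if its values come from a CSPRNG and are independent of anything the attacker can look up.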
One-Time Password, TransactionC

- OTP is not requested, so transactions can be completed freely.
- In PHDays I-Bank, there were not many users for whom no OTP was requested for transactions.

But some participants got lucky.
Actions without OTP

Sometimes an OTP is requested only for transactions, while other actions can be completed without it:

- Send a message to the support service
- Change the password
- Change a payment template
- Create a payment template
- Open a new account
Changing Payment Templates

Payment templates save time on entering similar data:

- Recipient's account
- Recipient's name

If an attacker gets a chance to change the template data, they can easily replace the recipient's account with their own.

The user is likely to overlook the change and confirm the transaction.
How Was It

- 20,000 rubles (about $700): the prize fund
- The day before the competition, participants received the source code of the systems and a virtual machine with PHDays I-Bank installed
- Then, the participants had 20-30 minutes to use the vulnerabilities they had found
- Automation of the process decided the winning side

Hyper-threading played a critical role!
2 Tasks to Succeed

The competition could virtually be divided into 2 tasks:

1. Gaining access to the account
   - Simple and dictionary passwords
   - Weak entropy of the password recovery key
   - Weak entropy of the session identifier

2. OTP bypass
   - OTP was not requested
   - The OTP validation step could be skipped
   - Predictable OTP
Distribution of Vulnerabilities

[Pie chart: distribution of vulnerabilities among the accounts; categories Simple password, Dictionary password, Session ID, Recovery key; values shown: 30, 18, 52, 100]
Distribution of Vulnerabilities

- The money was distributed according to a simple principle: the more difficult it is to get access, the more the account "costs".
- The accounts used for demonstration had weak passwords: 1234567 and password.
- The participants' own accounts were also vulnerable: the session identifier had weak entropy.

The most reasonable strategy was to transfer all the money of the other participants closer to the end of the competition.
HelpDesk

Together with the remote banking system, we implemented an elementary HelpDesk.

- HelpDesk is a system for the employees of the bank.
- The main idea: if an attacker managed to get into this "restricted-access" system, they would have enough information to hack the entire system.
- In practice: password policy, information on protection mechanisms and even user passwords.
HelpDesk in PHDays I-Bank

- Discussions that hinted at the details to consider
- A link to the system that displayed users with simple passwords
HelpDesk, Authentication Bypass

HelpDesk is vulnerable to authentication bypass:

- You don't need to know the login or the password.
- Just send a BankOfficeUser header carrying a base64-encoded user id in each HTTP request:

if(isset($_SERVER["HTTP_BANKOFFICEUSER"])) {
    // the header value is trusted as a user id without any authentication
    $userId = base64_decode($_SERVER["HTTP_BANKOFFICEUSER"]);
    $userInfo = $this->user->getUserInfoById($userId);
    $this->user->setupUserInfo($userInfo);
    return $this->user;
}
HelpDesk, Authentication Bypass

Modify Header (a browser extension for adding request headers) is handy for the exploitation.
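The following is an added example, not code from the PHDays deck, for the HelpDesk bypass above. `auth_vulnerable()` mirrors the PHP branch: if the request carries a `BankOfficeUser` header, its base64 value becomes the user id with no further proof. `auth_hardened()` is this example's own replacement: the header is ignored and identity comes only from a server-signed session cookie (HMAC over user id and expiry). Both run against a WSGI-style `environ` dict so no web server is needed; the staff table, the secret and the requests are constructed.

```python
"""Header-based authentication bypass in the HelpDesk, beside the check that
should have been there.

Added example, not code from the slides. USERS, SECRET and the requests are
constructed; the hardened variant is this example's own design.
"""
import base64
import hashlib
import hmac
import time

USERS = {"1": "admin", "2": "operator"}     # constructed helpdesk staff table
SECRET = b"helpdesk-session-key-demo"      # constructed server secret


def auth_vulnerable(environ):
    """Port of the PHP branch: trust the header, look the id up, done."""
    raw = environ.get("HTTP_BANKOFFICEUSER")
    if raw is None:
        return None
    try:
        user_id = base64.b64decode(raw, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return USERS.get(user_id)              # getUserInfoById()


def sign_session(user_id, expiry):
    """Issued by the server after a real login: user id, expiry, MAC."""
    body = f"{user_id}:{expiry}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def auth_hardened(environ, now=None):
    """Identity comes only from a MAC-protected cookie the server issued;
    any BankOfficeUser header is simply ignored."""
    now = int(time.time()) if now is None else now
    cookie = environ.get("HTTP_COOKIE", "")
    jar = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    token = jar.get("hd_session")
    if not token:
        return None
    try:
        user_id, expiry, mac = token.split(":")
        expiry = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user_id}:{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or expiry < now:
        return None
    return USERS.get(user_id)


def forged_request(user_id):
    """The slide's attack: one extra header, no login, no password."""
    return {"HTTP_BANKOFFICEUSER": base64.b64encode(user_id.encode()).decode()}


if __name__ == "__main__":
    print(auth_vulnerable(forged_request("1")), auth_hardened(forged_request("1")))
```

Header-carried identity is only ever acceptable when a trusted proxy strips and re-sets the header on every hop, which a public-facing PHP application cannot assume; anything the client can type into a request is a claim, and the server must verify a claim against something it issued itself.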
Race Condition

If you send a lot of requests, it can lead to a situation where all of them are processed at the same time:

  Request N                    Request N + 1
  Checking for the required    Checking for the required
  amount                       amount
  Depositing                   Depositing

Both checks see the original balance before either deposit happens, so both go through. Profit! $$$
Race Condition, Nginx

To protect against the race condition and prevent money appearing from nowhere, nginx was configured to block requests that came too often.

The limit was 3 requests per second to the script that performed the transactions.

Nginx was not installed on the virtual machines given to the participants, so one of them found the race condition problem.
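The two race-condition slides above describe a check-then-deposit handler and an nginx rate limit in front of it. The following is an added example, not code from the PHDays deck: it reproduces the handler, makes the race deterministic with a barrier that parks every request between the check and the update (the interleaving N parallel requests otherwise hit by chance), and shows the actual fix, which is doing the check and the update as one atomic step. The account class, the handlers and the amounts are constructed.

```python
"""The transfer race from the slides, made deterministic, beside the fix.

Added example, not code from the slides. Account, handlers and amounts are
constructed. gate is a threading.Barrier so the racy interleaving happens
every run instead of occasionally.
"""
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def transfer_racy(src, dst, amount, gate):
    """Handler as the slide draws it: check first, update later. The update
    itself is atomic (like a single SQL UPDATE), which is why the bug is easy
    to miss: each step is fine on its own, the gap between them is not."""
    if src.balance < amount:               # 'checking for the required amount'
        return False
    gate.wait()                            # all N requests have passed the check
    with src.lock:                         # 'depositing'
        src.balance -= amount
    with dst.lock:
        dst.balance += amount
    return True


def transfer_safe(src, dst, amount, gate=None):
    """Check and update under one lock. In SQL the equivalent is one
    UPDATE ... SET balance = balance - ? WHERE id = ? AND balance >= ?
    with 'zero rows affected' treated as insufficient funds."""
    with src.lock:
        if src.balance < amount:
            return False
        src.balance -= amount
    with dst.lock:
        dst.balance += amount
    return True


def run_parallel(handler, start_balance, amount, n):
    """Fire n concurrent requests against one source account."""
    src, dst = Account(start_balance), Account(0)
    gate = threading.Barrier(n)
    results = []

    def worker():
        results.append(handler(src, dst, amount, gate))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"succeeded": sum(results), "src": src.balance, "dst": dst.balance}


if __name__ == "__main__":
    print(run_parallel(transfer_racy, 100, 100, 5))
    print(run_parallel(transfer_safe, 100, 100, 5))
```

With a balance of 100 and five parallel transfers of 100, the racy handler lets all five through and leaves the source at -400; the safe one lets exactly one through. The nginx limit the slides mention is worth having against brute force, but three requests per second still arrive in parallel, so it narrows the window without closing it; only the atomic conditional update does.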
Business Impact Analysis: How much would it cost?

Assumptions:

- I-Bank's capital is 300 million dollars
- 100,000 clients use online banking services
- Average balance on every account is 1,000 dollars
- Profit from every client is 500 dollars
- Operating cost to change a user's password: $0.15 per password
- Reissuing one scratch card costs 15 dollars
Business Impact Analysis: Impact (in millions of dollars)

[Chart slides: impact figures, not reproduced in the text]
Business Impact Analysis: Exploitation Probabilities

[Pie chart: distribution of password vulnerabilities (values shown: 30, 18, 52, 100) with assumed exploitation probabilities: Simple password 90%, Dictionary password 90%, Session ID 70%, Recovery key 50%]

[Pie chart: distribution of OTP vulnerabilities (values shown: 40, 80, 80) with assumed exploitation probabilities: External device 90%, Scratch cards 90%, No OTP 100%]
Business Impact Analysis: Risk Assessment

Risk = Impact x Probability

Probability is 0.54 (54%)

Risk = 9% of the capital

A risk level of over 3% of the capital is regarded as critical for a bank!
Business Impact Analysis: Make the right choice

[Chart, in millions of dollars]

Forewarned is forearmed

Thank you for your attention
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Último (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Top vulnerabilities of simulated banking system

  • 1. Typical Vulnerabilities of E-Banking Systems Typical Vulnerabilities of E-Banking Systems Sergey Scherbel Dmitry Evteev Eugenie Potseluevskaya Positive Technologies
  • 2. Future Now Vulnerabilities of Remote Banking As Exemplified by PHDays I-Bank
  • 3. Future Now Vulnerabilities of Remote Banking As Exemplified by PHDays I-Bank PHDays I-Bank IS NOT a real remote banking system actually used by any bank. The system was developed specially for PHDays 2012. PHDays I-Bank contains vulnerabilities typical of real remote banking systems. Some of the vulnerabilities are found far too often.
  • 4. Future Now Identification Predictable user identifiers are far more dangerous than they may seem! A PHDays I-Bank identifier consists of digits only, just like most identifiers in actual remote banking systems. Examples of identifiers: 1000001, 1000002, … What's wrong with that? We'll explain a bit later.
  • 5. Future Now Password Policy A weak password policy - a problem of all times! The default password is strong, but a user can change it to a weak one, even one composed of a single character! The only thing that gets checked is the length of the password, so we're certain to find something like 1234567 or 12345678. Checking against a regular expression has its own problem - dictionary passwords, for example, P@ssw0rd.
  • 6. Future Now Brute Force? Brute Force against Internet banking? What about security? Types of protection from brute force attacks: Locking accounts Locking IP addresses Using CAPTCHA
  • 7. Future Now Locking is not the answer! It's easy to bypass these protection mechanisms An account or IP address gets locked after a number of failed authorization attempts (usually 3 or 5). Predictable and weak identifiers Weak password policy ??????? Profit!!!!111
  • 8. Future Now Locking is not the answer! Collect identifiers (1000001, 1000002, 1000003, ...). Choose 1 or 2 passwords. Match identifiers against the passwords, not passwords against the identifiers: 1001421:12345678, 1002236:12345678, 1002313:12345678, ... Each account sees only one or two attempts, which stays below the lock threshold.
  • 9. Future Now Locking leads to Denial of Service! After a few failed authentication attempts, the account gets locked. You can attack a target user. If you know all the identifiers... You can conduct a large-scale DoS attack. As a rule, to unlock the account, users have to contact the bank office. Someone's day might be ruined.
  • 10. Future Now Locking IP Address Locking an IP address is no more prudent. Most companies assign the same external IP address to all of their employees. Numerous authentication attempts from that address can be treated as a brute-force attempt, leading to a lock-up of the IP address for the whole company.
  • 11. Future Now CAPTCHA Problems Repeated sending of the same value is possible. The value is sent in a hidden field of the HTML form. Sending an empty value is possible. Insufficient validation: the answer is accepted if it merely has the right length or contains certain characters. CAPTCHA is not checked for requests with certain headers.
  • 12. Future Now CAPTCHA Problem in PHDays I-Bank The value is sent in a hidden field of the HTML form: public function encodeCaptchaCode($code) { return @base64_encode(@strrev(@base64_encode($code))); } The encoding uses no key and no time-dependent value, so decoding a token is a piece of cake: PUlUTndVVE0= → =ITNwUTM → MTUwNTI= → 15052
  • 13. Future Now CAPTCHA Problem in PHDays I-Bank Besides, one and the same value can be sent repeatedly So, you can conduct a brute-force attack on the account!
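The following is an added example, not PHDays I-Bank code: a Python port of the encodeCaptchaCode() routine from slide 12 showing that its output is fully reversible, next to a hypothetical server-side design that answers the four problems listed on slide 11 (replay, hidden-field answer, empty value, weak validation). The CaptchaStore class and its method names are assumptions of this example.

```python
"""Added example (not PHDays I-Bank code): why the hidden-field CAPTCHA token
on slides 11-13 is reversible, and a server-side design that is not."""
import base64
import hmac
import secrets


def encode_captcha_code(code: str) -> str:
    """Python port of the slide's encodeCaptchaCode(): two base64 passes with a
    string reversal in between. No key, no nonce, so anyone can invert it."""
    inner = base64.b64encode(code.encode()).decode()
    return base64.b64encode(inner[::-1].encode()).decode()


def decode_captcha_code(token: str) -> str:
    """Inverse of encode_captcha_code(): whoever holds the hidden field value
    recovers the expected answer without ever looking at the image."""
    inner = base64.b64decode(token).decode()
    return base64.b64decode(inner[::-1]).decode()


class CaptchaStore:
    """Hypothetical hardened design: the expected answer never leaves the
    server, the form carries only an opaque challenge id, and each challenge
    is consumed on first use so the same value cannot be submitted twice."""

    def __init__(self) -> None:
        self._pending = {}  # challenge id -> expected answer (server-side only)

    def issue(self, expected_answer: str) -> str:
        """Store the answer server-side; return the id to embed in the form."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = expected_answer
        return challenge_id

    def verify(self, challenge_id: str, submitted: str) -> bool:
        """Single-use check: pop the challenge (so a replay fails), reject an
        empty or unknown submission, and compare in constant time."""
        expected = self._pending.pop(challenge_id, None)
        if expected is None or not submitted:
            return False
        return hmac.compare_digest(expected.encode(), submitted.encode())
```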
  • 14. Future Now Password Recovery Almost every web application provides for a password recovery. PHDays I-Bank is not an exception
  • 15. Future Now Password Recovery: Problems If password recovery requires not an email, but an identifier, we can get all identifiers used in the system
  • 16. Future Now Password Recovery: Problems Some users of the I-Bank could recover their passwords via a web form. For others, the rules provided the only recovery way: to contact a bank office. 'Please contact any office of the PHDays bank for password recovery'
  • 17. Future Now Password Recovery: Problems The key required for password recovery is generated with weak entropy: private function addDataInTable($login) { $key = md5($login . rand(1, 250)); /* ... */ } To guess the key, one needs to go through only 250 values! Then a new password will be created.
  • 18. Future Now Weak Entropy of Session Identifier If a session uses its own mechanisms, the reliability of the identifiers is crucial. In PHDays I-Bank identifiers are generated according to a special algorithm: private function getSpecialHash($password) { $hash = sprintf("%u", crc32($password)); if(strlen($hash) > 4) { $hash = substr($hash, 0, 4); } return $hash; }
  • 19. Future Now Weak Entropy of Session Identifier The session identifier consists of only 4 characters All characters are numerical, which reduces entropy The session identifier is static. It changes only if the user changes his/her password
  • 20. Future Now Weak Entropy of Session Identifier Cookie: auth=1000001|2|3016
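As an added example (not the PHDays I-Bank source), here are Python ports of the recovery-key generator from slide 17 and the session-hash generator from slides 18-20, with helpers that measure how many distinct values each can produce, beside a session identifier drawn from the OS CSPRNG. The function names and the strong_session_id() design are assumptions of this example.

```python
"""Added example (not PHDays I-Bank code): measuring the keyspace of the
recovery key and the session identifier from slides 17-20."""
import hashlib
import math
import random
import secrets
import zlib


def weak_recovery_key(login: str, rng=random) -> str:
    """Port of addDataInTable(): md5(login . rand(1, 250))."""
    return hashlib.md5(f"{login}{rng.randint(1, 250)}".encode()).hexdigest()


def recovery_key_space(login: str) -> set:
    """Every key the generator can produce for this login: at most 250."""
    return {hashlib.md5(f"{login}{r}".encode()).hexdigest()
            for r in range(1, 251)}


def weak_session_hash(password: str) -> str:
    """Port of getSpecialHash(): unsigned crc32 of the password (PHP's
    sprintf("%u", crc32())), cut to its first 4 decimal digits. The value is
    a pure function of the password, so it never changes between logins."""
    h = str(zlib.crc32(password.encode()) & 0xFFFFFFFF)
    return h[:4] if len(h) > 4 else h


def build_auth_cookie(user_id: int, role: int, password: str) -> str:
    """Cookie layout from slide 20: auth=<id>|<role>|<hash>."""
    return f"auth={user_id}|{role}|{weak_session_hash(password)}"


def entropy_bits(distinct_values: int) -> float:
    """Bits of entropy an attacker must guess: log2 of the keyspace size."""
    return math.log2(distinct_values)


def strong_session_id() -> str:
    """Hypothetical replacement: 256 random bits from the OS CSPRNG, unrelated
    to the password, issued fresh on every login and rotated on password
    change, instead of a 4-digit value derived from the password."""
    return secrets.token_urlsafe(32)
```

For the session hash the keyspace bound is the 10,000 four-digit strings, i.e. under 14 bits; the recovery key has under 8.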
  • 21. Future Now Problems with Privilege Isolation While the possibility of transferring money from other users' accounts is extremely rare, the possibility of accessing other users' data can still be found. Some systems allow sending messages to the support service on behalf of any user. Others allow editing the payment templates of other users. Such vulnerabilities were not embedded into PHDays I-Bank.
  • 22. Future Now One-time Password One-time passwords are used to protect systems from unauthorized activities (transactions, password change, editing personal data) OTP can be requested either after the initial authentication (login and password) Or before each new transaction (or other action)
  • 23. Future Now One-Time Password in PHDays I-Bank PHDays I-Bank had 2 types of OTP: Emulation of an external device It was implemented as the TransactionA class in the code OTP on scratch cards It was implemented as the TransactionB class in the code
  • 24. Future Now One-Time Password, Problems OTP is not requested for transfers of small amounts of money (for example, up to $100). One and the same OTP can be sent repeatedly. OTP can be predicted. Some users disable OTP validation. In PHDays I-Bank, transactions without OTP were carried out in TransactionC. A user can skip OTP validation and perform the transaction straight away.
  • 25. Future Now One-Time Password, TransactionA OTP is impossible to predict However, the OTP validation step can be skipped to perform the transaction straight away!
  • 26. Future Now One-Time Password, TransactionA Change step3 for step4
  • 27. Future Now One-Time Password, TransactionA Profit!!11 Transaction is successfully completed. Simple bypass of a reliable protection
  • 28. Future Now One-Time Password, TransactionB Algorithm of OTP generation: protected function generateOTP() { $OTPs = array(); $s = 44553 + $this->userInfo["id"]; /* the variable depends only on the user's number */ for($n = 10; $n < 24; $n++) { /* generating 14 OTPs */ $OTP = ""; $j = rand(20,39); $j = substr($j, 0, 1); /* the $j variable can take on only two values – 2 or 3 */ $OTP = $n*$s*$j; $OTP = substr($OTP, 0, 5); /* OTP consists of 5 characters */ $OTPs[] = $OTP; } return $OTPs; }
  • 29. Future Now One-Time Password, TransactionB OTP can take on only 2 values
  • 30. Future Now One-Time Password, TransactionC OTP is not requested - transactions can be completed freely. In PHDays I-Bank, there were not many users who were not asked for an OTP for a transaction, but some participants got lucky.
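As an added example (not PHDays I-Bank code), the TransactionB generateOTP() routine from slide 28 ported to Python, a function that enumerates every value a given OTP position can take for a user (slide 29's "only 2 values"), and a hypothetical scratch-card class with genuine entropy, hashed storage and single-use codes. The ScratchCard design and its method names are assumptions of this example.

```python
"""Added example (not PHDays I-Bank code): the TransactionB scratch-card OTP
generator from slide 28, its effective keyspace, and a hardened design."""
import hashlib
import hmac
import random
import secrets


def weak_otps(user_id: int, rng=random) -> list:
    """Port of generateOTP(): 14 codes, each n*s*j cut to 5 characters, where
    s depends only on the user id and j is the first digit of rand(20, 39)."""
    s = 44553 + user_id                        # fixed per user
    otps = []
    for n in range(10, 24):                    # 14 positions
        j = int(str(rng.randint(20, 39))[0])   # the only randomness: 2 or 3
        otps.append(str(n * s * j)[:5])
    return otps


def possible_otps(user_id: int, position: int) -> set:
    """Everything the OTP at `position` (0..13) can be for this user. With one
    coin flip as the sole random input, the set has at most two members."""
    n = 10 + position
    s = 44553 + user_id
    return {str(n * s * j)[:5] for j in (2, 3)}


class ScratchCard:
    """Hypothetical hardened card: codes come from the OS CSPRNG, the server
    keeps only salted hashes, and each position is accepted exactly once."""

    def __init__(self, n_codes: int = 14, digits: int = 5) -> None:
        # The clear-text codes go to the card printer; the server keeps hashes.
        self.codes = [f"{secrets.randbelow(10 ** digits):0{digits}d}"
                      for _ in range(n_codes)]
        self._salt = secrets.token_bytes(16)
        self._hashes = [self._hash(c) for c in self.codes]
        self._used = [False] * n_codes

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def verify(self, position: int, submitted: str) -> bool:
        """Constant-time compare; a consumed position never validates again."""
        if not 0 <= position < len(self._hashes) or self._used[position]:
            return False
        ok = hmac.compare_digest(self._hashes[position], self._hash(submitted))
        if ok:
            self._used[position] = True        # single use, so a replay fails
        return ok
```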
  • 31. Future Now Actions without OTP Sometimes OTP is requested only for transactions, while other actions could be completed without it: Send a message to Support Service Change the password Change the payment template Create a payment template Open a new account
  • 32. Future Now Changing Payment Template Payment templates allow saving time on entering similar data: Recipient's account Recipient's name If an attacker has a chance to change the template data, they can easily change the recipient's account for theirs. The user is likely to overlook the change and confirm the transaction
  • 33. Future Now How Was It 20,000 rubles (about $700) - the prize fund. The day before the competition, participants received the source code of the system and a virtual machine with PHDays I-Bank installed. Then the participants had 20-30 minutes to use the vulnerabilities they had found. Automation of the process decided who won. Hyper-threading played a critical role!
  • 34. Future Now 2 Tasks to Succeed The competition could virtually be divided into 2 tasks: Gaining access to the account Simple and dictionary passwords Weak entropy of the password recovery key Weak entropy of session identifier OTP bypass OTP was not requested The OTP validation step could be skipped Predictable OTP
  • 35. Future Now Distribution of Vulnerabilities (pie chart; legend: Simple password, Dictionary password, Session ID, Recovery key; values shown: 30, 18, 100, 52)
  • 36. Future Now Distribution of Vulnerabilities The money was distributed according to a simple principle: the more difficult it is to get the access, the more money it "costs" The accounts used for demonstration had weak passwords - 1234567 and password The participants' accounts were also vulnerable: the session identifier had weak entropy The most reasonable strategy to follow was to transfer all the money of other participants closer to the end of the competition
  • 37. Future Now HelpDesk Together with the remote banking, we implemented an elementary HelpDesk HelpDesk is a system for the employees of the bank The main idea was if an attacker managed to get into the "restricted-access" system, they would have enough information to hack the entire system In practice: Password policy, information on protection mechanisms and even user passwords
  • 38. Future Now HelpDesk in PHDays I-Bank Discussions that hinted at the details to consider. Link to the system that displayed users with simple passwords.
  • 39. Future Now HelpDesk, Authentication Bypass HelpDesk is vulnerable to authentication bypass: You don't need to know the login or the password Just send the following header in each HTTP request if(isset($_SERVER["HTTP_BANKOFFICEUSER"])) { $userId = base64_decode($_SERVER["HTTP_BANKOFFICEUSER"]); $userInfo = $this->user->getUserInfoById($userId); $this->user->setupUserInfo($userInfo); return $this->user; }
  • 40. Future Now HelpDesk, Authentication Bypass Modify Header - handy for the exploitation:
  • 41. Future Now Race condition If you send a lot of requests, it can probably lead to a situation in which all of the requests are processed at the same time: Request N checks for the required amount, then deposits; Request N + 1 checks for the required amount, then deposits; both checks pass against the same balance. Profit! $$$
  • 42. Future Now Race Condition, Nginx To protect against the race condition and prevent money appearing from nowhere, nginx was configured to block requests coming too often. The limit was 3 requests per second to the script that carried out the transactions. Nginx was not installed on the virtual machines, so one of the participants found the race condition problem.
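The check-then-debit race from slide 41, reproduced as an added example (not the competition's code) with a barrier so that the interleaving is deterministic, beside the atomic version where check and debit happen under one lock. The Account class and method names are assumptions of this example; the nginx rate limit from slide 42 narrows the window but, as the lock-free method shows, does not close it.

```python
"""Added example (not PHDays I-Bank code): the transfer race from slide 41,
forced deterministically with a barrier, next to an atomic check-and-debit."""
import threading


class Account:
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def transfer_racy(self, amount: int, window=lambda: None) -> bool:
        """Vulnerable pattern: the balance check and the debit are separate
        steps, so N concurrent requests can all pass a check that covers one."""
        if self.balance < amount:
            return False
        window()                      # the gap another request slips into
        self.balance -= amount
        return True

    def transfer_atomic(self, amount: int, window=lambda: None) -> bool:
        """Fixed pattern: check and debit under one lock (in a real bank, one
        database transaction with a row lock or a conditional UPDATE)."""
        with self._lock:
            if self.balance < amount:
                return False
            window()
            self.balance -= amount
            return True


def run_concurrent(account: Account, method: str, amount: int,
                   n_requests: int) -> int:
    """Fire n_requests at once and return how many transfers were accepted."""
    barrier = threading.Barrier(n_requests)

    def window() -> None:
        # Hold every request here until all of them have passed the check.
        # Under the lock only one request can reach this point, so the barrier
        # times out and breaks; that is exactly what shows the race is gone.
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass

    accepted = []

    def worker() -> None:
        accepted.append(getattr(account, method)(amount, window))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted)
```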
  • 43. Future Now Business Impact Analysis - How much would it cost? Assumptions: I-Bank's capital is 300 million dollars; 100,000 clients use online banking services; the average sum on every account is 1,000 dollars; the profit from every client is 500 dollars; the operating cost of changing a user's password is $0.15 per password; reissuing one scratch card costs 15 dollars.
  • 44. Future Now Business Impact Analysis – Impact (in millions of dollars)
  • 45. Future Now Business Impact Analysis – Impact
  • 46. Future Now Business Impact Analysis: Exploitation Probabilities Distribution of Password Vulnerabilities (pie chart; legend: Simple password - 90%, Dictionary password - 90%, Session ID - 70%, Recovery key - 50%; values shown: 30, 18, 100, 52). Distribution of OTP Vulnerabilities (pie chart; legend: External Device - 90%, Scratch Cards - 90%, No OTP - 100%; values shown: 40, 80, 80)
  • 47. Future Now Business Impact Analysis – Risk Assessment Risk = Impact × Probability. Probability is 0.54%. Risk = 9% of the capital. A risk level of over 3% of the capital is regarded as critical for a bank!
  • 48. Future Now Business Impact Analysis: make the right choice Forewarned is forearmed (millions of dollars)
  • 49. Thank you for your attention