
Infection for Breaking mTAN-based Online Banking Authentication - PowerPoint PPT Presentation



  1. Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication
  Alexandra Dmitrienko, Fraunhofer Institute for Secure Information Technology/CASED, Germany
  Joint work with Lucas Davi, Ahmad-Reza Sadeghi and Christopher Liebchen (TU Darmstadt/CASED, Fraunhofer SIT)
  Presented by Alexandra Dmitrienko

  2. Online Banking
  • Widely used all over the world
  • Convenient for users
  • Cheap for banks (low per-transaction costs)
  • Unfortunately, also good for attackers
    – Attacks can be automated and hence scale well

  3. Online Banking Security Trends
  • Cat and mouse games (banks vs. attackers)
    – Attacks are becoming more sophisticated and real
    – Banks address new threats by adopting new authentication schemes
  • Current trend for solutions
    – Two-factor authentication

  4. Two-Factor Authentication Schemes
  • Use two authentication tokens (T1 and T2)
    – T1: typically login credentials
    – T2: a one-time password or a cryptographic secret
  • Various solutions exist (based on extra devices, hardware tokens, mobile phones, etc.)
  • Solutions involving mobile phones as one factor seem to be very convenient and trendy

  5. Two-factor Authentication Schemes with Mobile Phones
  • mTAN Authentication
  • photoTAN Authentication
  • Transaction Signatures
  • others…

  6. mTAN Authentication
  Parties: User, Computer, Mobile device, Bank web-server. T1 = login, pwd (entered on the computer); T2 = Mobile Transaction Authentication Number (mTAN), delivered to the mobile device by SMS.
  1. User → Computer: login, pwd
  2. Computer → Bank web-server: auth(login, pwd)
  3. User → Computer: trans
  4. Computer → Bank web-server: transRequest(trans*)
  5. Bank web-server → Mobile device: sendSMS(mTAN, trans*)
  6. Mobile device → User: mTAN, trans*
  7. User: check if trans matches trans*
  8. User → Computer: mTAN
  9. Computer → Bank web-server: authTrans(mTAN*)
  10. Bank web-server: accept if mTAN* matches mTAN
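The flow above, as an added toy model (not the presentation's code) that makes explicit which step protects against a compromised computer: the bank only binds mTAN to the trans* it received (steps 4, 5 and 10), so a rewritten order is caught solely by the user's comparison in step 7. The Bank class, the credentials, the "TANn" generator and the runSession/scenario helpers are all assumptions made for this illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Added example: toy model of the mTAN exchange; not code from the presentation.
struct Transaction {              // a transfer order: beneficiary and amount
    std::string to;
    unsigned amount;
    bool operator==(const Transaction& o) const { return to == o.to && amount == o.amount; }
};

// Bank web-server: steps 2, 4-5 and 9-10 of the slide.
class Bank {
    std::map<std::string, std::string> pwds_{{"alice", "correct-horse"}};  // T1 store (constructed)
    std::map<std::string, Transaction> pending_;   // trans* as received from the computer
    std::map<std::string, std::string> tans_;      // mTAN issued per login, valid once
    unsigned counter_ = 0;
public:
    bool auth(const std::string& login, const std::string& pwd) {            // step 2: verify T1
        auto it = pwds_.find(login);
        return it != pwds_.end() && it->second == pwd;
    }
    // step 4: receive trans*; step 5: sendSMS(mTAN, trans*) is modelled by returning the SMS content
    std::pair<std::string, Transaction> transRequest(const std::string& login, const Transaction& transStar) {
        pending_[login] = transStar;
        std::string mtan = "TAN" + std::to_string(++counter_);   // toy generator (assumption)
        tans_[login] = mtan;
        return {mtan, transStar};
    }
    // steps 9-10: accept iff the submitted mTAN* equals the issued mTAN, then invalidate it
    bool authTrans(const std::string& login, const std::string& mtanStar) {
        auto it = tans_.find(login);
        bool ok = it != tans_.end() && it->second == mtanStar;
        if (it != tans_.end()) tans_.erase(it);
        return ok;
    }
};

enum class Outcome { Rejected, AcceptedOriginal, AcceptedTampered };

// One session. pcTampers: a compromised computer rewrites the order before step 4
// (trans* != trans). userChecks: the user performs step 7 (compares trans with the trans* in the SMS).
Outcome runSession(Bank& bank, bool pcTampers, bool userChecks) {
    Transaction trans{"friend", 50};                                        // step 3: intended order
    if (!bank.auth("alice", "correct-horse")) return Outcome::Rejected;     // steps 1-2
    Transaction transStar = pcTampers ? Transaction{"mule", 5000} : trans;  // step 4
    std::pair<std::string, Transaction> sms = bank.transRequest("alice", transStar);  // step 5
    if (userChecks && !(sms.second == trans)) return Outcome::Rejected;     // steps 6-7: user aborts on mismatch
    if (!bank.authTrans("alice", sms.first)) return Outcome::Rejected;      // steps 8-10
    return transStar == trans ? Outcome::AcceptedOriginal : Outcome::AcceptedTampered;
}

// Fresh bank per scenario so that mTAN counters do not interfere.
Outcome scenario(bool pcTampers, bool userChecks) {
    Bank bank;
    return runSession(bank, pcTampers, userChecks);
}

int main() {
    std::cout << "honest PC, user checks -> original accepted: "
              << (scenario(false, true) == Outcome::AcceptedOriginal) << '\n';
    std::cout << "tampering PC, user checks -> rejected: "
              << (scenario(true, true) == Outcome::Rejected) << '\n';
    std::cout << "tampering PC, user skips step 7 -> tampered order accepted: "
              << (scenario(true, false) == Outcome::AcceptedTampered) << '\n';
    return 0;
}
```

The third scenario is why the later slides matter: once the attacker also controls the mobile device, the mTAN and trans* never reach a human who could perform step 7, and the bank's check in step 10 cannot tell the difference.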

  7. photoTAN Authentication
  K – a key shared by the mobile device and the bank. T1 = login, pwd; T2 = the TAN recovered from the photoTAN.
  1. User → Computer: login, pwd
  2. Computer → Bank web-server: auth(login, pwd)
  3. User → Computer: trans
  4. Computer → Bank web-server: transRequest(trans*)
  5. Bank web-server: photoTAN = Enc(K; TAN || trans*)
  6. Bank web-server → Computer (shown to the mobile device): photoTAN
  7. Mobile device: TAN || trans* = Dec(K; photoTAN)
  8. Mobile device → User: trans*, TAN
  9. User: check if trans matches trans*
  10. User → Computer: TAN
  11. Computer → Bank web-server: authTrans(TAN*)
  12. Bank web-server: accept if TAN* matches TAN

  8. Authentication with Transaction Signatures
  SK – client private key; the mobile device holds {PK, SK}, the bank holds {PK}. T1 = login, pwd; T2 = SK.
  1. User → Computer: login, pwd
  2. Computer → Bank web-server: auth(login, pwd)
  3. User → Computer: trans
  4. Computer → Bank web-server: transRequest(trans*)
  5. Bank web-server → Mobile device: SignatureRequest(trans*)
  6. Mobile device → User: trans*
  7. User: check if trans matches trans*
  8. User → Mobile device: Ack
  9. Mobile device → Bank web-server: trans_sig = Sign(SK; trans*)
  10. Bank web-server: {0,1} = SignVerify(PK; trans_sig, trans*)

  9. mTAN Scheme: Widely Spread
  European banks:
  • Austria, Bulgaria, Germany, Hungary, the Netherlands, Poland, Russia, South Africa, Spain, Switzerland and some in New Zealand and Ukraine
  American banks:
  • Provided optionally
  • E.g., SafePass by Bank of America, the bank with more than 20 million active online banking users
  China:
  • Provided optionally
  • E.g., SMS verification scheme by ICBC, the largest Chinese commercial bank with more than 100 million customers using online banking

  10. Known Attacks on mTAN Scheme
  SIM Swap Fraud attack [4]
  • Attacker obtains a replacement SIM for the victim’s phone
  • Attacker must spoof the identity of the victim (e.g., show passport)
  • The attack can target some specific customers
  Malicious network operator [5]
  • Attacks by insiders from telecommunication providers
  • Attack breaks the assumption of a trustworthy network operator
  Online banking malware
  • Coupled host/mobile malware (e.g., ZeuS/ZitMo and SpyEye/Spitmo)
  • Targets are Android, Windows Mobile, BlackBerry, Symbian

  11. News
  12. News
  13. News

  14. ZeuS/ZitMo: Attack Scenario to Compromise End-Points
  Parties: Adversary A, Computer C, Mobile device M, User.
  1. A → C: primary infection
  2. C → User: asks to enter phone Nr.
  3. User → C: enters phone Nr.
  4. C → A: phone Nr.
  5. A → M: send phishing SMS with a link to malware
  6. M: install malware

  15. Shortcomings of Existing Online Banking Malware
  • A lot of user interaction
    – Phishing to obtain the user's phone number
    – Phishing to lure the user into installing malware
  • Users are warned not to fall into the phishing trap
    – By banks (on web sites)
    – By police (reports)
    – By legal authorities (e.g., by the German Central Board of Credit Institutions)
  => Can it get worse? More stealthy?

  16. Our Contribution
  • Cross-platform infection in the context of online banking attacks and attacks against two-factor authentication
    – Allows the attacker to take control over the user’s PC and the mobile phone
    – Establishes pairing between the user’s PC and the mobile phone involved in the same authentication session
    – Requires no (or minimal) user interaction

  17. Cross-Platform Infection
  • As soon as PC and the mobile device get connected, over USB, WiFi or Bluetooth
    – Tethering (USB, WiFi and Bluetooth)
    – Charging the smartphone
    – Transfer of files and media
    – SDCard as external storage
    – Syncing data
    – Both devices are in one WiFi network
  * Cross-device infection over USB has been shown by Stavrou et al. at BlackHat DC 2011 [2]

  18. Cross-Platform Infection for Bypassing Two-Factor Authentication using Mobile Devices
  Parties: Adversary A, Computer C (holds T1), Mobile device M (holds T2), Bank web-server B.
  1. A → C: primary infection
  2. C → M: cross-platform infection
  3. Steal T1 from C
  4. Steal T2 from M
  5. A → B: authenticate with T1, T2

  19. Our Attack Instantiation
  • Attack against mTAN authentication
  • Primary infected device is the PC
  • Cross-platform infection – when PC and the mobile device/phone are connected to the same WiFi network
  • Our target platforms
    – PC: Windows 7 (Firefox web-browser)
    – Mobile device: Android 2.2.1

  20. Step 1: Primary Infection
  • PC is compromised
    – Reasonable and basic assumption (PC malware is widely spread)
    – Could be done by means of PC-to-PC cross-device infection
    – Two-factor authentication is meant to tolerate malicious PCs

  21. Step 2: Cross-Platform Infection
  Phase 1: Man-in-the-Middle Attack in WiFi Network
  • DHCP Starvation attack + rogue DHCP server to become a man in the middle
    1. Computer: denial-of-service against the WiFi router's DHCP server (DHCP Starvation attack)
    2. Computer: start rogue DHCP server
    3. Mobile device: Connect() → GetNetConfig(); the rogue server answers NetConfig(Gateway = computer), i.e., the gateway is the IP address of the computer, so all Internet traffic will be sent to the gateway
  • Other techniques can be used to become a man-in-the-middle (e.g., ARP cache poisoning)
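Both halves of Phase 1 leave a footprint on the network that a monitor on the WiFi segment can see: a burst of DHCPDISCOVERs from many distinct client MACs (the starvation), followed by DHCPOFFERs whose server identifier is not the router. The following is an added detection example, not code from the presentation; the DhcpEvent record, the allow-list, the window and threshold values and the constructed capture are all assumptions.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Added example: rogue DHCP server and starvation detection over constructed records.
struct DhcpEvent {
    unsigned t;             // seconds since start of capture
    std::string type;       // "DISCOVER" or "OFFER"
    std::string clientMac;  // chaddr
    std::string serverIp;   // server identifier (option 54) on OFFERs, empty otherwise
};

struct Findings {
    std::set<std::string> rogueServers;  // OFFER sources not in the allow list
    bool starvation = false;             // DISCOVER burst from many distinct MACs
};

// Flags (a) OFFERs from any server not in allowedServers and (b) at least `threshold`
// distinct client MACs sending DISCOVER within windowSecs. Events must be in time order.
Findings analyze(const std::vector<DhcpEvent>& events,
                 const std::set<std::string>& allowedServers,
                 unsigned windowSecs = 10, size_t threshold = 20) {
    Findings f;
    std::vector<const DhcpEvent*> discovers;
    for (const DhcpEvent& e : events) {
        if (e.type == "OFFER" && allowedServers.count(e.serverIp) == 0)
            f.rogueServers.insert(e.serverIp);
        if (e.type == "DISCOVER") discovers.push_back(&e);
    }
    size_t start = 0;
    std::map<std::string, size_t> macsInWindow;   // MAC -> number of DISCOVERs inside the window
    for (size_t i = 0; i < discovers.size(); ++i) {
        macsInWindow[discovers[i]->clientMac]++;
        while (discovers[i]->t - discovers[start]->t > windowSecs) {   // drop expired events
            auto it = macsInWindow.find(discovers[start]->clientMac);
            if (--it->second == 0) macsInWindow.erase(it);
            ++start;
        }
        if (macsInWindow.size() >= threshold) f.starvation = true;
    }
    return f;
}

// Constructed capture: one normal lease, a starvation burst, then an OFFER from an unexpected host.
std::vector<DhcpEvent> sampleCapture() {
    std::vector<DhcpEvent> v;
    v.push_back({0, "DISCOVER", "aa:bb:cc:00:00:01", ""});
    v.push_back({0, "OFFER", "aa:bb:cc:00:00:01", "192.168.1.1"});      // legitimate router
    for (unsigned i = 0; i < 25; ++i) {                                 // 25 spoofed MACs in ~3 s
        char mac[32];
        std::snprintf(mac, sizeof mac, "de:ad:be:ef:%02x:%02x", i / 256, i % 256);
        v.push_back({5 + i / 10, "DISCOVER", mac, ""});
    }
    v.push_back({20, "DISCOVER", "aa:bb:cc:00:00:02", ""});
    v.push_back({20, "OFFER", "aa:bb:cc:00:00:02", "192.168.1.77"});    // a client host answering as DHCP server
    return v;
}

int main() {
    Findings f = analyze(sampleCapture(), {"192.168.1.1"});
    std::printf("starvation burst: %s\n", f.starvation ? "yes" : "no");
    for (const std::string& s : f.rogueServers) std::printf("unexpected DHCP server: %s\n", s.c_str());
    return 0;
}
```

The same allow-list check is what DHCP snooping on a managed switch enforces in hardware (OFFERs are only accepted from trusted ports); the sliding-window count is the cheap heuristic for the starvation phase that precedes it.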

  22. Step 2: Cross-Platform Infection
  Phase 2: Page Substitution
  • Malicious gateway substitutes the requested page with a malicious one
    – Mobile device → Computer (gateway) → WiFi router: PageRequest() for any web page
    – Computer → Mobile device: a malicious page is opened instead

  23. Step 2: Cross-Platform Infection
  Phase 3: Remote Exploitation
  Exploiting a use-after-free vulnerability in WebKit (CVE-2010-1759)
  JavaScript shown on the slide:
    var obj;
    obj.functionA();
    functionCall();
    allocmem();
    obj.functionD();
    …
  obj holds a reference to a vtable with the entries functionA, functionB, functionC, functionD; obj.functionA() is resolved by a vtable lookup.

  24. Step 2: Cross-Platform Infection, Phase 3: Remote Exploitation (ctd.)
  During functionCall() the object behind obj is free()d, but obj still references the old vtable location.

  25. Step 2: Cross-Platform Infection, Phase 3: Remote Exploitation (ctd.)
  allocmem() allocates attacker-controlled data (shell code) at the freed location, so the vtable lookup for obj.functionD() ends up in the shell code.

  26. Step 2: Cross-Platform Infection
  Phase 4: Privilege Escalation to Root
  Exploiting the vulnerability in the volume manager daemon (CVE-2011-1823) (used also by Gingerbreak [3])
  • The malware process (user privileges) sends a message with the parameters (MINOR, PARTN) to the volume daemon vold (root privileges), which handles it in handlePartitionAdded() (system/core/vold/DirectVolume.cpp):
    int minor = atoi(evt->findParam("MINOR"));
    int part_num;
    const char *tmp = evt->findParam("PARTN");
    if (tmp) {
        part_num = atoi(tmp);
    }
    [...]
    mPartMinors[part_num - 1] = minor;
  • part_num is taken from the message and used as an array index without any range check

  27. Phase 4: Privilege Escalation to Root (ctd.)
  vold process space: vold binary, code, libraries, GOT (entries for system(), open(), close(), read(), write(), atoi(), …), heap containing the vulnerable buffer mPartMinors.
  1. The malicious application sends a message with params: PARTN = offset from mPartMinors to the GOT entry of atoi(), MINOR = addr_of_system()
  2. The unchecked write mPartMinors[part_num - 1] = minor overwrites the (address of) atoi() in the GOT with the address of system()
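The defect on slides 26 and 27 is an index taken straight from an unprivileged message. The following is an added example of the hardened shape of that handler, not vold's code and not the upstream fix: the Event stand-in, MAX_PARTITIONS, the strict integer parser and the return codes are assumptions made for this illustration. It rejects a NULL parameter (the atoi() on findParam("MINOR") in the original has no such guard), non-numeric input, and any PARTN outside 1..MAX_PARTITIONS, which is what turns a negative or oversized offset into an error instead of a write beyond mPartMinors.

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <initializer_list>
#include <map>
#include <string>
#include <utility>

// Added example: a bounds-checked model of handlePartitionAdded(); not vold's code.

// Stand-in for the netlink event object: key=value parameters looked up by name.
class Event {
    std::map<std::string, std::string> params_;
public:
    Event(std::initializer_list<std::pair<const std::string, std::string>> p) : params_(p) {}
    const char* findParam(const char* key) const {
        auto it = params_.find(key);
        return it == params_.end() ? nullptr : it->second.c_str();
    }
};

// Strict decimal parse: NULL, empty and trailing garbage are all rejected (unlike atoi()).
static bool parseInt(const char* s, long& out) {
    if (!s || *s == '\0') return false;
    char* end = nullptr;
    out = std::strtol(s, &end, 10);
    return *end == '\0';
}

class DirectVolume {
public:
    static const int MAX_PARTITIONS = 4;                 // assumed size of the minors table
    int mPartMinors[MAX_PARTITIONS] = {-1, -1, -1, -1};

    // Returns 0 on success, -EINVAL for malformed parameters and -ERANGE when PARTN
    // would index outside mPartMinors. Nothing is written unless every check passed.
    int handlePartitionAdded(const Event& evt) {
        long part_num = 0, minor = 0;
        if (!parseInt(evt.findParam("PARTN"), part_num)) return -EINVAL;
        if (!parseInt(evt.findParam("MINOR"), minor)) return -EINVAL;
        if (part_num < 1 || part_num > MAX_PARTITIONS) return -ERANGE;   // the missing bounds check
        if (minor < 0 || minor > INT_MAX) return -EINVAL;                // minor numbers are non-negative
        mPartMinors[part_num - 1] = static_cast<int>(minor);
        return 0;
    }
};

int main() {
    DirectVolume vol;
    int ok  = vol.handlePartitionAdded(Event{{"MINOR", "8"}, {"PARTN", "2"}});      // stored in slot 1
    int neg = vol.handlePartitionAdded(Event{{"MINOR", "8"}, {"PARTN", "-40"}});    // rejected: -ERANGE
    int big = vol.handlePartitionAdded(Event{{"MINOR", "8"}, {"PARTN", "5"}});      // rejected: -ERANGE
    int mis = vol.handlePartitionAdded(Event{{"MINOR", "8"}});                      // rejected: -EINVAL
    return (ok == 0 && neg == -ERANGE && big == -ERANGE && mis == -EINVAL) ? 0 : 1;
}
```

The check belongs in the daemon itself rather than in whatever sends the message: vold runs as root and must treat every parameter arriving over the socket as attacker-controlled, which is the same least-privilege reasoning that makes the GOT overwrite on slide 27 possible in the first place.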
