A Proof of Concept Attack against Norwegian Internet Banking Systems

Authors:
Yngve Espelid;Lars---Helge Netland;André N. Klingsheim;Kjell J. Hole
Affiliations:
NoWires Research Group Department of Informatics, University of Bergen, Norway;NoWires Research Group Department of Informatics, University of Bergen, Norway;NoWires Research Group Department of Informatics, University of Bergen, Norway;NoWires Research Group Department of Informatics, University of Bergen, Norway
Venue:
Financial Cryptography and Data Security
Year:
2008

Citing 6
Cited 0

Why cryptosystems fail

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Understanding PKI: Concepts, Standards, and Deployment Considerations

Understanding PKI: Concepts, Standards, and Deployment Considerations
Reverse Engineering and Design Recovery: A Taxonomy

IEEE Software
Case Study: Online Banking Security

IEEE Security and Privacy
Lessons from the Norwegian ATM System

IEEE Security and Privacy
The unbearable lightness of PIN cracking

FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a practical man-in the- middle attack against online banking applications using BankID. The attack gives an adversary access to customer bank accounts in two different online banking systems. Proof of concept code has been developed and executed to demonstrate the seriousness of the problem.