Attacking of smartcard-based banking applications with javascript-based rootkits

  • Authors: Daniel Bußmeyer; Felix Gröbert; Jörg Schwenk; Christoph Wegener

  • Affiliations: Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum (all authors)

  • Venue: FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
  • Year: 2010

Abstract

Due to recent attacks on online banking systems and consequent soaring losses through fraud, different methods have been developed to ensure a secure connection between a bank and its customers. One method is the inclusion of smart card readers into these schemes, which come along with different benefits, e.g., convenience and costs, and endangerments, especially on the security side. We give a review on a security concept and its implementation deployed as an online banking solution, which consists of a USB smart card reader and a customized browser. We propose a threat model and an attack vector exploiting the limited capabilities of the class one smart card reader. Furthermore, a proof-of-concept malware is presented, which utilizes the primary vulnerability, i.e., class one reader, and otherwise supporting vulnerabilities, to show how transactions may be manipulated.