Designed to fail: a USB-Connected reader for online banking

Authors:
Arjan Blom;Gerhard de Koning Gans;Erik Poll;Joeri de Ruiter;Roel Verdult
Affiliations:
Flatstones, The Netherlands;Institute for Computing and Information Sciences, Digital Security Group, Radboud University, Nijmegen, The Netherlands;Institute for Computing and Information Sciences, Digital Security Group, Radboud University, Nijmegen, The Netherlands;Institute for Computing and Information Sciences, Digital Security Group, Radboud University, Nijmegen, The Netherlands;Institute for Computing and Information Sciences, Digital Security Group, Radboud University, Nijmegen, The Netherlands
Venue:
NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
Year:
2012

Citing 7
Cited 0

The Zurich Trusted Information Channel --- An Efficient Defence Against Man-in-the-Middle and Malicious Software Attacks

Trust '08 Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies: Trusted Computing - Challenges and Applications
Optimised to Fail: Card Readers for Online Banking

Financial Cryptography and Data Security
Model based testing with labelled transition systems

Formal methods and testing
Chip and PIN is Broken

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Formal analysis of the EMV protocol suite

TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
The SmartLogic Tool: Analysing and Testing Smart Card Protocols

ICST '12 Proceedings of the 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation
Using NFC phones for proving credentials

MMB'12/DFT'12 Proceedings of the 16th international GI/ITG conference on Measurement, Modelling, and Evaluation of Computing Systems and Dependability and Fault Tolerance

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device --- a smartcard reader with a display and numeric keyboard --- to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is seriously flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent. The flaw is not due to a simple implementation bug in one of the components (e.g. the device or the software components on the PC). It is a more fundamental design flaw, introduced in assigning responsibilities to the different components and designing the protocols between them. The system we studied, used by the Dutch bank ABN-AMRO, was developed by the Swedish company Todos AB. This company has since been acquired by Gemalto. ABN-AMRO is one of the three biggest banks in the Netherlands, with 6.8 million customers. Given the popularity of internet banking in the Netherlands, this means that millions of these devices are in the field. The manufacturer claims this device is "the most secure sign-what-you-see end-user device ever seen"; this paper demonstrates this claim to be false.