Trust '08 Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies: Trusted Computing - Challenges and Applications
Optimised to Fail: Card Readers for Online Banking
Financial Cryptography and Data Security
Model based testing with labelled transition systems
Formal methods and testing
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Formal analysis of the EMV protocol suite
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
The SmartLogic Tool: Analysing and Testing Smart Card Protocols
ICST '12 Proceedings of the 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation
Using NFC phones for proving credentials
MMB'12/DFT'12 Proceedings of the 16th international GI/ITG conference on Measurement, Modelling, and Evaluation of Computing Systems and Dependability and Fault Tolerance
Hi-index | 0.00 |
We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device --- a smartcard reader with a display and numeric keyboard --- to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is seriously flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent. The flaw is not due to a simple implementation bug in one of the components (e.g. the device or the software components on the PC). It is a more fundamental design flaw, introduced in assigning responsibilities to the different components and designing the protocols between them. The system we studied, used by the Dutch bank ABN-AMRO, was developed by the Swedish company Todos AB. This company has since been acquired by Gemalto. ABN-AMRO is one of the three biggest banks in the Netherlands, with 6.8 million customers. Given the popularity of internet banking in the Netherlands, this means that millions of these devices are in the field. The manufacturer claims this device is "the most secure sign-what-you-see end-user device ever seen"; this paper demonstrates this claim to be false.