internet banking safeguards vulnerabilities - owasp appsec eu 2016

57
Wojtek Dworakowski, @wojdwo SecuRing Internet banking safeguards vulnerabilities

Upload: securing

Post on 15-Apr-2017

535 views

Category:

Software


5 download

TRANSCRIPT

Page 1: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Wojtek Dworakowski, @wojdwoSecuRing

Internet banking safeguards vulnerabilities

Page 2: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

2

#loginWojtek Dworakowski

SecuRing (since 2003)

OWASP Poland Chapter Leader

Page 3: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

3

Agenda• Intro

– Banks vs attackers – current state, common security features• Vulnerabilities and best practices

– transaction authorization vulns, trusted recipients feature abuses, transaction limit bypass, user auth mistakes…

• PSD2 – future changes to internet banking security• Should OWASP publish guidelines for specific

application domains (e.g. internet banking)?

Page 4: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

4

Extreme sports and IT security

When I hit the ground I want my gear not to fail

Same applies to internet banking security features in case of attack

Page 5: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

BANKS VS ORGANIZED (?) CRIME

5

Page 6: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Common attack patterns• Malware

– Web inject– Keylogger + remote desktop– Clipboard manipulation

• Vulnerability exploitation– Infrastructure– Application– Libraries / frameworks !

Page 7: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

7

WebInject

source: http://blog.trendmicro.com/trendlabs-security-intelligence/winning-the-online-banking-war/

Page 8: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

8

Clipboard (or memory) manipulation

Source: CERT Polandhttp://www.cert.pl/news/8999/langswitch_lang/en

Page 9: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

9

Clipboard (or memory) manipulation

Source: CERT Polandhttp://www.cert.pl/news/8999/langswitch_lang/en

More info: https://www.cert.pl/en/news/single/vbklip-2-0-no-clipboard-but-matrix-like-effects/

Page 10: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Server vulnerability exploitation• In late 2015 one

of Polish banks was pwned (outdated components)

• Intruder was able to modify transactions

source: www.zaufanatrzeciastrona.pl

~ 40 000 eur

Page 11: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Server vulnerability exploitation

Source: www.zaufanatrzeciastrona.pl

• In late 2015 one of Polish banks was pwned (outdated components)

• Intruder was able to modify transactions

~ 92 000 eur

Page 12: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Server vulnerability exploitation

Source: www.zaufanatrzeciastrona.pl

English writeup:https://www.linkedin.com/pulse/online-banking-owned-single-attacker-wojciech-dworakowski

Page 13: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

How banks mitigate these risks?• Multi-factor authentication• Transaction authorization

– Trusted recipients• Authorization schemes• Transaction limits• Notifications (SMS, e-mail, …)• Channel activation

– Mobile device authorization

img src: http://nuvali.ph/see-and-do/sports/mountain-bike-trails/

Page 14: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

14

What if these protections will fail?

Img src: www.mtb-downhill.net

Page 15: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

SECURITY FEATURES VULNERABILITIES

BEST PRACTICES

Details matter

15

Image: https://www.britishcycling.org.uk

Page 17: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

17Sour

ce: a

liorb

ank.

pl d

emo

Page 18: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

18

Image: Alior Bank

Domestic transfer: Recipient account 22XXXX222 amount 77.34 EUR authorization code: 36032651

Page 19: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

19

Vuln examples (functional)

Domestic transfer from account 99XXXX890 amount 1.00 EUR authorization code: 78537845

Page 20: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

20

Vuln examples (non functional)

POST /domesticTransfer HTTP/1.1task=APPROVE_TRNtrnData.acc_id=910458trnData.bnf_name=TELECOM+OPERATOR+LtdtrnData.bnf_acc_no=PL99111100000000001234567890trnData.amount=1.00trnData.currency=EURtrnData.title=invoice+123456

Step 1: User enters transaction data

Page 21: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

21

Vuln examples (non functional)Step 2: User enters authorization code

POST /domesticTransfer HTTP/1.1task=SEND_RESPONSEtrnData.response=87567340

Page 22: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

22

Vuln examples (non functional)

POST /domesticTransfer HTTP/1.1task=SEND_RESPONSEtrnData.response=8756734trnData.bnf_acc_no=PL66222200000000006666666666trnData.amount=1000.00trnData.currency=EUR

Overwrite transaction data in step 2

Page 23: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

23

Transaction authorization – best practices

Thx !• Steven Wierckx• Adam Zachara• Adam Lange• Sławomir Jasek• Andrzej Kleśnicki• Sven Thomassin• James Holland• Francois-Eric Guyomarch• Milan Khan

Page 24: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Trusted recipients

24

Page 25: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Trusted recipients• The process is very error prone • Developers are using same forms and are slightly

modifying logic to do normal and “trusted” transfers

Page 26: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

26

Vuln example #1: make it trusted1. Send unauthorized transfer2. Add some magic

transferData.trusted=Y

Page 27: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

27

Vuln example #2: overwrite data1. Create the transfer from trusted recipient template2. Add (or overwrite) transfer parameters during sending

transferData.beneficiary_acc_no=66222200000000006666666666transferData.beneficiary_adr=Changed+Address+8%2F5

Page 28: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Vuln example #3: business logic error

trusted recipientAllice Eva

Any account

trusted recipientno additional authorization needed

Yes – it’s totally twisted… but it’s realRead more:

https://www.linkedin.com/pulse/online-banking-owned-single-attacker-wojciech-dworakowski

Intruder Money mule

Page 29: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

29

Trusted recipientsRecommendations

• Decision should be taken server-side• Carefully control transfer state• Do not allow additional params• Control gate (go | not go) at the end of the process

Page 30: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

TRANSACTION LIMITS

Page 31: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Limit examples• transfers / card operations• cash / online• one-time amount• daily / weekly sum• daily transactions number• business parameters

(e.g. max/min deposit amount)• …

• If the limit is exceeded:– forbid operation– ask for additional credentials– call customer to verify the

transaction– …

Image: http://learnaboutbicycles.com/bicycle-helmet/

Page 32: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

32

Vuln example #1• Simply – change limits• Sometimes it doesn’t require additonal authorization ;)

Page 33: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

33

Vuln example #2: overwrite at confirmation

Enter transaction data below limitsSend form Limits are validated Confirmation form

POST /retail/transfertask=APPROVE_TRANSFERtrn_amount=1000000

Page 34: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

34

Transaction limits - requirements• Transaction limits change should require additional

authorization (SMS code, one time token, challenge-response, …)

• Do not allow additional params• Control gate (check limits) also at the end of the process

Page 35: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

NOTIFICATIONS

Page 36: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

36

Vuln examples• Simply change phone number (or email)• …or disable / reconfigure notifications• Sometimes it doesn’t require additonal authorization

Page 37: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

37

Notifications - requirements• Notification change should require additional authorization

(SMS code, one time token, challenge-response, …)• User should be notified about:

– wrong authentication attempt– (even better) about positive authentication– transaction (SUM) above defined limit– activation of new access channel (mobile, IVR) or new device pairing– password or phone number change

Page 38: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

USER AUTHENTICATION

Image: http://www.cyclingweekly.co.uk/

Page 39: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

We are teaching users to have strong passwords

Source: http://xkcd.com/936/

28 characters

Page 40: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Passphrases and password managers obstacles

• Limited length• Limited chars

– Extreme case:8 digits

• Masked passwords

Source: Data collected by SecuRing during research on security features used by online banking in Poland (17 banks)

28 characters

Page 41: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

41

Authentication - requirements• Functional

– Require strong password– Don’t limit use of passphrases !– User should be notified about wrong/positive authentication– Visible info about last good/bad authentication

• Take care about password recovery path!

Page 42: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

FUTURE – CRASH COURSE IN PSD2

42

Fot. STEFANO RELLANDINI REUTERS

Page 43: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

PSD2Payment Services Directive (revised)

Major topics:• SCA – Strong Customer Authentication• PIS – Payment Initiation Service• AIS – Account Information ServiceScope:• Mandatory for all „Payment Service Providers”

Page 44: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

44

Strong Customer Authentication (SCA)

‘strong customer authentication’ means an authentication based on the use of• two or more elements categorised as

– knowledge (something only the user knows),– possession (something only the user possesses)– inherence (something the user is)

• that are independent, in that the breach of one does not compromise the reliability of the others,

• and is designed in such a way as to protect the confidentiality of the authentication data;

Page 45: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

45

Payment Initiation Service

Icons made by Madebyoliver and Freepik from www.flaticon.com

MerchantPayment Initiation Service Provider

User’s Bank

Merchant’s Bank

Bank’s APIScraping

old way

new way

Page 46: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

46

PIS – scraping example

Page 47: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

47

Account Information Service• online service to provide consolidated information on one

or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider;

• Examples:– Personal finance management– Automated creditworthiness and financial situation analysis

Page 48: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

48

Account Information Service

Icons made by Madebyoliver and Freepik from www.flaticon.com

Account Information Service Provider

Bank’s APIScraping

Page 49: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

49

SCA / PIS / AIS• Possible implementation errors

cosequences– Payment data change– Unauthorized access to user’s data

(mass scale?)– Authentication bypass– …

Page 50: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

50

PSD2 - current state• EBA will issue Regulatory Technical Standard (Jan 2017)

– Until then, current status quo should be maintained• EBA released Discussion Paper, call for comments was

closed 8 Feb 2016– My AppSec related comments:

https://www.linkedin.com/pulse/strong-customer-authentication-secure-communication-psd2-dworakowski

Page 51: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

SUMMARY & WHAT NEXT?

51

image:: http://www.pinkbike.com/

Page 52: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

52

Implementation errors = vulnerabilities

• If security controls are implemented with vulnerabilities then they are useless

• Vulnerable safeguards cause false sense of security

Page 53: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

53

Precise requirements

Page 54: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

54

OWASP to the rescue !• Common problems:

– SQLi– XSS

• ..or features– Authentication, 2FA– Transaction authorization

• Cheat Sheet Series• ASVS• Dev Guide• SKF• …

Page 55: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

55

OWASP to the rescue ?Common application business domains (and features)• online banking / mobile banking• PIS / AIS (PSD2)• e-commerce• SCADA• social networking• company webpage• …

?Shouldn’t we have common requirements for common app domains?

Page 56: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

56

Internet banking - proposal• Online Banking Cheat Sheet• ASVS „module”• Dev Guide chapter

Let me know if you want to help !

Page 57: Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016

Q & A

57

img src:: pivotcycles.com

@[email protected]://www.securing.pl/en