DefCamp 2012: Bypassing Security Tokens for Exploitation of Rounding Vulnerabilities
Presentation of a clever device developed by Adrian Furtuna
We're in Bucharest at the 2012 edition of the DefCamp security conference and, so far, a number of great speakers have presented their findings. One of them is Adrian Furtuna – a security consultant for KPMG Romania – who has developed an interesting gadget that can be used to exploit rounding vulnerabilities in some online banking applications. The concept of rounding attacks has been around for over a decade. These attacks leverage the fact that the applications used by financial institutions round amounts when customers perform online currency exchanges.
For instance, 8.3478 EUR is rounded to 8.35 EUR and 8.3436 EUR is rounded to 8.34 EUR. By knowing this “secret,” bank customers or malicious actors can make a decent profit by choosing amounts that are always rounded in their favor.
According to the researcher’s calculations, by performing around 4,300 small-amount transactions, an attacker could make a profit of around 20 EUR ($26).
Many financial institutions are aware of these types of attacks. However, they argue that two-factor authentication tokens keep such attacks from being practical.
The device made by Adrian Furtuna shows that the protection offered by the tokens can be bypassed. The machine basically mimics the operations performed by a human at a much higher speed. Using this device, one could gain about 100 EUR ($129) per day.
It enters the PIN and the challenge code using mechanical “fingers” – a special type of electromagnet – after which it uses a webcam and optical character recognition (OCR) software to read the security code from the token’s screen.
The apparatus relies on simple electronics principles and is composed of cheap, freely available parts.
The researcher emphasizes the fact that although some banks have probably implemented systems that would prevent customers from performing too many suspicious transactions, there are many financial institutions worldwide and, most likely, some of them haven’t deployed protections against such attacks.
The demonstration doesn’t account for the time needed to inject the security codes into the web application or the time it would take to process them. However, the device is just a low-cost prototype, and the predictions are made for operations performed on a single bank account.
In order to protect themselves against such fraudulent transactions, banks should limit the number of operations performed by a regular user, impose a minimum amount of money that can be exchanged, and deploy monitoring systems for suspicious transactions.
They should also clearly stipulate in customer contracts that such operations are illegal, or simply add a small commission for currency exchanges. Even a very small commission would make these attacks unprofitable.
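The rounding arithmetic described above and the countermeasures just listed, as an added illustration that is not part of the original article or the researcher's work: it reproduces the article's two rounding examples, shows how the ~4,300-transaction estimate accumulates and collapses once a per-exchange commission is charged (the 0.0047 EUR per-transaction gain is an assumption derived from the article's 20 EUR / 4,300 figure), and sketches the kind of monitoring rule a bank could run over its exchange log (the account names and events are constructed).

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def round_to_cents(exact: Decimal) -> Decimal:
    # Bank-side rounding of an exchange result to two decimals (half-up),
    # matching the article's 8.3478 -> 8.35 and 8.3436 -> 8.34 examples.
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def rounding_gain(exact: Decimal) -> Decimal:
    # What the customer gains (or loses) from rounding on one exchange:
    # positive when the bank rounds up, negative when it rounds down.
    return round_to_cents(exact) - exact


def net_profit(gain_per_tx: Decimal, n_tx: int,
               commission: Decimal = Decimal("0")) -> Decimal:
    # Accumulated result of n_tx exchanges when each carries a fixed
    # commission; any commission above the per-transaction gain is a loss.
    return (gain_per_tx - commission) * n_tx


def flag_small_exchange_abuse(events, min_amount: Decimal, max_per_day: int):
    # Monitoring rule: accounts performing more than max_per_day exchanges
    # below the minimum amount on a single day. events: (account, day, amount).
    counts = Counter((acct, day) for acct, day, amt in events if amt < min_amount)
    return sorted({acct for (acct, _day), n in counts.items() if n > max_per_day})


# Constructed sample activity (assumption, not from the talk): one account
# hammering sub-minimum exchanges, one behaving normally.
SAMPLE_EVENTS = [("ACCT-1", "2012-11-30", Decimal("0.05"))] * 40 + [
    ("ACCT-2", "2012-11-30", Decimal("250.00")),
    ("ACCT-2", "2012-11-30", Decimal("0.05")),
]

if __name__ == "__main__":
    print(rounding_gain(Decimal("8.3478")))            # 0.0022 (rounded up)
    print(rounding_gain(Decimal("8.3436")))            # -0.0036 (rounded down)
    # Assumed per-transaction gain of 0.0047 EUR, roughly 20 EUR / 4,300.
    print(net_profit(Decimal("0.0047"), 4300))         # 20.21 with no commission
    print(net_profit(Decimal("0.0047"), 4300, CENT))   # -22.79 with a 1-cent fee
    print(flag_small_exchange_abuse(SAMPLE_EVENTS, Decimal("1.00"), 10))  # ['ACCT-1']
```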
The complete presentation is available here.
Here is a small video demonstration from DefCamp 2012 Bucharest:
Note for Romanian readers! The video's purpose is to show how the device works. What the researcher says about its efficiency in this case is irrelevant because it's taken out of context.
Here is the complete presentation made by Adrian Furtuna at Hacktivity earlier this year: