ACROS PUBLIC © ACROS
How to Rob an Online Bank (and get away with it) SOURCE Boston 2012
Mitja Kolsek ACROS d.o.o. [email protected] www.acrossecurity.com
Evolution Of E-banking Attacks
(diagram: attack stages labelled PAST-PRESENT, PRESENT, FUTURE and FUTURE 2.0, drawn against the Online Banking Server and the Back-End Server)
Attacks Against Individual Users
(diagram: user, E-Banking Server, Back-End Server; the user is the target)
Goal: Identity Theft
Methods
Phishing, Fake security alerts
XSS, CSRF
Malware (man in the browser, extraction of certs and private keys)
Problems (obstacles for the attacker)
User awareness
2-factor authentication
OOB transaction confirmations
Additional passwords/PINs
“Known good” target accounts
Attacks Against Corporate Users
(diagram: corporate user, Online Banking Server, Back-End Server; the user is the target)
Goal: Identity Theft
Methods & Problems
Same as with individual users
Advantages (for the attacker)
More money
Large transactions not unusual
Targets can be found in public certificate directories
LDAP Explorer – Online Bank Robber’s Google
Example: Published Corporate Certificate
ldap://ldap.halcom.si:389/eidCertificateSerialNumber=382631
(screenshot annotations: E-Mail Address, Personal Name, Company Name)
Attacks Against Online Banking Servers
(diagram: the Online Banking Server is the target)
Goal: Exploiting Application Flaws
Methods
Hacking
Problems (obstacles for the attacker)
Getting noticed while looking for flaws
Advantages (for the attacker)
Unlimited amount of money
No user interaction (social engineering)
Possible creation of new money
Direct Resource Access
Direct Resource Access – URL Cleartext ID
https://bank/balance?uid=7728356 (my account balance data)
https://bank/balance?uid=7728355 (another user’s account balance data)
Direct Resource Access – URL Base64 encoding
https://bank/balance?dWlkPTc3MjgzNTY= (my account balance data)
https://bank/balance?dWlkPTc3MjgzNTU= (another user’s account balance data)
Base64decode("dWlkPTc3MjgzNTY=") = "uid=7728356"
Base64encode("uid=7728355") = "dWlkPTc3MjgzNTU="
Direct Resource Access – URL Encryption
/balance?Ko7hIGJJ2GqfhSZ9... (Base64)
/balance?AF86B301008AEF5... (Hex)
params = "uid=7728356"
enc_params = AES_encrypt(params, key)
path = "/balance?" + base64(enc_params)
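The three Direct Resource Access slides make one point: encoding or encrypting the account id only hides it, it does not decide who may read the record. The following example is added here and is not code from the talk or from any bank it describes; the account table, the owners "alice" and "bob" and the `Session` type are constructed for the demonstration. It accepts the cleartext and Base64 forms shown on the slides (an AES-encrypted form would be decrypted at the same point) and contrasts the lookup the slides exploit with the ownership check that must follow decoding.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (not the deck's bank): which login owns which account,
# and each account's balance as the endpoint would render it.
ACCOUNT_OWNERS: Dict[int, str] = {7728356: "alice", 7728355: "bob"}
BALANCES: Dict[int, str] = {7728356: "1,250.00", 7728355: "98,400.00"}


@dataclass
class Session:
    user: str  # the identity established at login, never anything taken from the URL


def decode_uid(raw: str) -> Optional[int]:
    """Accept the two encodings on the slides: '7728356' or base64('uid=7728356').
    An AES-encrypted parameter would be decrypted here instead; the rest is unchanged."""
    if raw.isdigit():
        return int(raw)
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if decoded.startswith("uid=") and decoded[4:].isdigit():
        return int(decoded[4:])
    return None


def balance_unchecked(raw: str) -> Optional[str]:
    """The pattern the slides exploit: whichever uid the URL names is looked up."""
    uid = decode_uid(raw)
    return BALANCES.get(uid) if uid is not None else None


def balance_checked(session: Session, raw: str) -> Optional[str]:
    """Hardened form: decoding (or decrypting) the id is not authorization.
    The account must belong to the session's user before any data is returned."""
    uid = decode_uid(raw)
    if uid is None or ACCOUNT_OWNERS.get(uid) != session.user:
        return None  # respond 403/404 here; never fall through to the lookup
    return BALANCES.get(uid)
```

The ownership table rather than a plain `uid == session.uid` comparison lets the same check cover corporate users who legitimately hold several accounts.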
Transferring Money From Other People’s Accounts
/transfer?src=1&dest=2&amount=100 (from my account)
/transfer?src=42&dest=2&amount=100 (from another user’s account)
Transaction Creation Process
(flow diagram) I want to transfer some money → Empty transaction form → Filled-out transaction form (src=1, dst=2, amount=100) → Read-only confirmation form (src=1, dst=2, amount=100) → Transaction confirmation (src=1, dst=2, amount=100)
Validation #1, Validation #2 and Validation #3 are applied at the successive steps of the flow
Negative Numbers
Negative Numbers – A Devastating Oversight
IF RequestedAmount > DisposableAmount THEN ERROR();
IF -100 > 2,000 THEN ERROR(); // No Error Here
IF 3,000 > 2,000 THEN ERROR(); // Error – Insufficient Funds
“Here’s minus hundred bucks for you”
Before: Attacker 0 $, Victim 100 $
(Transfer -100 $ to Victim)
After: Attacker 100 $, Victim 0 $
Creating Money Out Of Thin Air
Before: Normal Account 0 $, Savings Account 0 $
(Transfer -100 $ to Savings Account)
After: Normal Account 100 $, Savings Account 0 $
Bypassing Limit Checks
Normal Overdraft
Before: Account #1 100 $, Account #2 0 $
(Transfer 1,000 $ from #1 to #2)
After: Account #1 -900 $, Account #2 1,000 $
“Over-Overdraft”
Before: Account #1 100 $, Account #2 0 $
(Transfer 1,000,000 $ from #1 to #2)
After: Account #1 -999,900 $, Account #2 1,000,000 $
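The transfer slides from "Transferring Money From Other People's Accounts" through "Over-Overdraft" describe three separate checks a transfer handler needs: the amount must be well-formed and positive (the `IF RequestedAmount > DisposableAmount` test alone lets -100 through), the source account must belong to the logged-in user whatever `src` the request names, and the resulting balance must stay within the agreed overdraft. The example below is added here and is not code from the talk; the ledger, the owners and the overdraft limit of 1,000 $ on account 1 are constructed so that the slides' figures (100 $, 1,000 $, 1,000,000 $, -100 $, src=42) can be replayed against it.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict


class TransferError(Exception):
    pass


def make_ledger() -> Dict[int, dict]:
    """Constructed sample ledger (not the deck's bank): owner, balance and agreed
    overdraft limit per account. Account 1 has the slides' 100 $ and a 1,000 $ overdraft."""
    return {
        1: {"owner": "alice", "balance": Decimal("100"), "overdraft_limit": Decimal("1000")},
        2: {"owner": "bob", "balance": Decimal("0"), "overdraft_limit": Decimal("0")},
        42: {"owner": "carol", "balance": Decimal("5000"), "overdraft_limit": Decimal("0")},
    }


def parse_amount(raw: str) -> Decimal:
    """A strictly positive amount with at most two decimals, or a TransferError.
    The slide's 'IF RequestedAmount > DisposableAmount' lets -100 through, so the
    sign is tested explicitly here instead of being implied by the limit check."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise TransferError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount has more than two decimals")
    return amount


def transfer(ledger: Dict[int, dict], session_user: str, src: int, dest: int, raw_amount: str) -> None:
    """Three checks, in order: well-formed amount, source owned by the logged-in user,
    and the balance after the transfer still within the overdraft limit."""
    amount = parse_amount(raw_amount)
    if src not in ledger or dest not in ledger or src == dest:
        raise TransferError("unknown account")
    source = ledger[src]
    # Authorization is decided by the session, not by the src the request names.
    if source["owner"] != session_user:
        raise TransferError("not authorized for source account")
    # Limit check ('Over-Overdraft'): 100 $ minus 1,000,000 $ must be refused.
    if source["balance"] - amount < -source["overdraft_limit"]:
        raise TransferError("insufficient funds")
    source["balance"] -= amount
    ledger[dest]["balance"] += amount


def attempt(ledger: Dict[int, dict], session_user: str, src: int, dest: int, raw_amount: str) -> str:
    """Wrapper returning 'ok' or the rejection reason."""
    try:
        transfer(ledger, session_user, src, dest, raw_amount)
        return "ok"
    except TransferError as e:
        return str(e)
```

`Decimal` is used instead of `float` so that "1e3", "NaN" and sub-cent amounts are either normalized or rejected deterministically; the order of the checks matters too, since the overdraft comparison is only meaningful once the amount is known to be positive.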
HTTP Parameter Pollution
Luca Carettoni & Stefano di Paola http://www.slideshare.net/Wisec/http-parameter-pollution-a-new-category-of-web-attacks
User – Public Server (JSP) – Back End Server (PHP)
User → Public Server: POST /transfer source=1&dest=2&amount=100
Public Server (JSP):
  source = request.getParameter("source") // 1
  amount = request.getParameter("amount") // 100
  IF NOT user_authorized_for(source) THEN ERROR()
  IF disposable(source) < amount THEN ERROR()
  Call BackEndTransaction(request)
Public Server → Back End Server: POST /BackEndTransaction source=1&dest=2&amount=100
Back End Server (PHP):
  source = $_POST["source"] // 1
  dest = $_POST["dest"] // 2
  amount = $_POST["amount"] // 100
HTTP Parameter Pollution – Source account
User → Public Server: POST /transfer source=1&dest=2&amount=100&source=42
Public Server (JSP):
  source = request.getParameter("source") // 1 (first occurrence)
  amount = request.getParameter("amount") // 100
  IF NOT user_authorized_for(source) THEN ERROR()
  IF disposable(source) < amount THEN ERROR()
  Call BackEndTransaction(request)
Public Server → Back End Server: POST /BackEndTransaction source=1&dest=2&amount=100&source=42
Back End Server (PHP):
  source = $_POST["source"] // 42 (last occurrence)
  dest = $_POST["dest"] // 2
  amount = $_POST["amount"] // 100
Highlighted: IF NOT user_authorized_for(source) THEN ERROR() – the authorization check ran against source=1, while the back end executed the transfer from source=42
HTTP Parameter Pollution – Transfer Amount
User → Public Server: POST /transfer source=1&dest=2&amount=100&amount=100000
Public Server (JSP):
  source = request.getParameter("source") // 1
  amount = request.getParameter("amount") // 100 (first occurrence)
  IF NOT user_authorized_for(source) THEN ERROR()
  IF disposable(source) < amount THEN ERROR()
  Call BackEndTransaction(request)
Public Server → Back End Server: POST /BackEndTransaction source=1&dest=2&amount=100&amount=100000
Back End Server (PHP):
  source = $_POST["source"] // 1
  dest = $_POST["dest"] // 2
  amount = $_POST["amount"] // 100000 (last occurrence)
Highlighted: IF disposable(source) < amount THEN ERROR() – the funds check ran against amount=100, while the back end executed the transfer of 100000
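The two HTTP Parameter Pollution slides hinge on the public server and the back end reading different occurrences of the same parameter (first for the servlet API, last for PHP's `$_POST`) while the raw request is relayed between them. The example below is added here and is not code from the talk; the request bodies are constructed from the slides' values, and `EXPECTED` is the assumed parameter set of the `/transfer` endpoint. It reproduces the two interpretations with `urllib.parse.parse_qs` and then shows the front-end parsing that removes the ambiguity: each expected name exactly once, and the validated values re-encoded for the back end instead of forwarding the original request.

```python
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode

# Constructed request bodies taken from the slides (application/x-www-form-urlencoded).
NORMAL = "source=1&dest=2&amount=100"
POLLUTED_SOURCE = "source=1&dest=2&amount=100&source=42"
POLLUTED_AMOUNT = "source=1&dest=2&amount=100&amount=100000"
EXPECTED: Set[str] = {"source", "dest", "amount"}  # assumed parameter set of /transfer


def first_value(body: str, name: str) -> Optional[str]:
    """Servlet semantics on the slides: request.getParameter() yields the first occurrence."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def last_value(body: str, name: str) -> Optional[str]:
    """PHP semantics on the slides: $_POST keeps the last occurrence."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[-1] if values else None


class BadRequest(Exception):
    pass


def canonical_params(body: str, expected: Set[str] = EXPECTED) -> Dict[str, str]:
    """Front-end parsing that leaves no room for divergent interpretations:
    every expected name exactly once, nothing else."""
    parsed = parse_qs(body, keep_blank_values=True)
    if set(parsed) != expected:
        raise BadRequest(f"parameter set mismatch: {sorted(parsed)}")
    duplicated = sorted(k for k, v in parsed.items() if len(v) != 1)
    if duplicated:
        raise BadRequest(f"duplicated parameters: {duplicated}")
    return {k: v[0] for k, v in parsed.items()}


def forward_body(params: Dict[str, str]) -> str:
    """Re-encode the validated values for the back end instead of relaying the raw request,
    so the back end sees exactly the values the checks were run on."""
    return urlencode(params)


def check_request(body: str) -> str:
    """Wrapper returning 'ok' or the rejection reason."""
    try:
        canonical_params(body)
        return "ok"
    except BadRequest as e:
        return str(e)
```

Rejecting duplicates is the simpler rule; even where a framework picks one occurrence consistently, rebuilding the back-end request from the validated dictionary is what guarantees both tiers act on the same values.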
SQL Injection
SQL Injection – Data Theft
"SELECT rate FROM exch_rates WHERE currency = '".$currency."'"
"SELECT rate FROM exch_rates WHERE currency = '' UNION SELECT balance FROM accounts WHERE account_id = '887296'"
SQL Injection – Messing With Transactions
"BEGIN TRANSACTION"
"UPDATE accounts SET balance = 0 WHERE account_id = '".$acctid1."'"
"UPDATE accounts SET balance = 100 WHERE account_id = '".$acctid2."'"
"COMMIT TRANSACTION"
SQL Injection – Messing With Transactions
"BEGIN TRANSACTION"
"UPDATE accounts SET balance = 0 WHERE account_id = '123'"
"UPDATE accounts SET balance = 100 WHERE account_id = '456'"
"COMMIT TRANSACTION"
SQL Injection – Messing With Transactions
"BEGIN TRANSACTION"
"UPDATE accounts SET balance = 0 WHERE account_id = '123'"
"UPDATE accounts SET balance = 100 WHERE account_id = '456' OR account_id = '123'"
"COMMIT TRANSACTION"
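Both SQL injection sequences (the UNION against `exch_rates` and the `OR account_id = '123'` inside the transfer transaction) come from splicing request values into statement text. The example below is added here and is not code from the talk; it builds a constructed in-memory SQLite database with the slides' table names and sample rows, reproduces the concatenated `exch_rates` query once to show the effect, and beside it runs the same lookup and the two-UPDATE transaction with bound parameters, where the injected strings are matched literally and affect nothing.

```python
import sqlite3
from typing import Dict, List

# The slides' injected inputs, constructed here as plain strings.
INJECTED_CURRENCY = "' UNION SELECT balance FROM accounts WHERE account_id = '887296"
INJECTED_ACCOUNT = "456' OR account_id = '123"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema mirroring the table names on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE exch_rates(currency TEXT PRIMARY KEY, rate REAL);
        CREATE TABLE accounts(account_id TEXT PRIMARY KEY, balance REAL);
        INSERT INTO exch_rates VALUES ('USD', 1.364), ('GBP', 0.85);
        INSERT INTO accounts VALUES ('123', 500.0), ('456', 20.0), ('887296', 98400.0);
    """)
    return conn


def rate_concatenated(conn: sqlite3.Connection, currency: str) -> List[float]:
    """The 'Data Theft' slide's pattern: the input becomes part of the statement text."""
    sql = "SELECT rate FROM exch_rates WHERE currency = '" + currency + "'"
    return [row[0] for row in conn.execute(sql)]


def rate_parameterized(conn: sqlite3.Connection, currency: str) -> List[float]:
    """Hardened form: the input is bound as a value, so quotes and keywords in it are data."""
    rows = conn.execute("SELECT rate FROM exch_rates WHERE currency = ?", (currency,))
    return [row[0] for row in rows]


def move_balance_parameterized(conn: sqlite3.Connection, acct_from: str, acct_to: str) -> None:
    """The 'Messing With Transactions' slides' two UPDATEs in one transaction, with bound ids."""
    with conn:  # commits on success, rolls back on exception
        conn.execute("UPDATE accounts SET balance = 0 WHERE account_id = ?", (acct_from,))
        conn.execute("UPDATE accounts SET balance = 100 WHERE account_id = ?", (acct_to,))


def balances(conn: sqlite3.Connection) -> Dict[str, float]:
    return dict(conn.execute("SELECT account_id, balance FROM accounts ORDER BY account_id"))
```

With the bound parameter, `INJECTED_ACCOUNT` is compared as a single account id that does not exist, so the second UPDATE touches no row and account 123 is left at the value the first statement set.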
Forging Bank’s Digital Signatures
Automated Signing Of Deposit Agreement
(flow diagram) Deposit request: 100 €, 31 days → Deposit agreement for signing (legal text, interest rate) → signed with the User’s Signing key → Signed MODIFIED deposit agreement → counter-signed automatically with the Bank’s Signing key → Counter-signed MODIFIED deposit agreement
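The flow above fails because the bank counter-signs whatever document the user returns, rather than the agreement it issued. The example below is added here and is not code from the talk or from any bank; it assumes an agreement service that keeps the exact bytes of every issued agreement and, before counter-signing, verifies the user's signature and compares the returned document digest with the issued one. HMAC-SHA256 with per-party keys stands in for the two parties' signatures (an assumption made to keep the example self-contained; a bank would use asymmetric signatures, and the integrity check is the same).

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Stand-in for real signatures (assumption): HMAC-SHA256 with a per-party key. A bank
# uses asymmetric signatures; the integrity check below is unchanged either way.
BANK_KEY = b"constructed-bank-signing-key"
USER_KEY = b"constructed-user-signing-key"


def sign(key: bytes, document: bytes) -> str:
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def verify(key: bytes, document: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(key, document), signature)


class DepositAgreementService:
    """Issues deposit agreements and counter-signs them only if they return unmodified."""

    def __init__(self) -> None:
        self.issued: Dict[str, bytes] = {}  # agreement id -> exact bytes the bank sent out

    def issue(self, amount_eur: str, days: int, interest_rate: str) -> Tuple[str, bytes]:
        agreement_id = secrets.token_hex(8)
        doc = json.dumps({"id": agreement_id, "amount_eur": amount_eur, "days": days,
                          "interest_rate": interest_rate,
                          "legal_text": "constructed placeholder text"},
                         sort_keys=True).encode()
        self.issued[agreement_id] = doc
        return agreement_id, doc

    def counter_sign(self, agreement_id: str, user_doc: bytes, user_sig: str) -> Optional[str]:
        issued = self.issued.get(agreement_id)
        if issued is None or not verify(USER_KEY, user_doc, user_sig):
            return None
        # The step the slide's automated flow lacks: the bank must sign the terms it
        # offered, not whatever the user signed. Compare digests of both documents.
        if not hmac.compare_digest(hashlib.sha256(issued).digest(),
                                   hashlib.sha256(user_doc).digest()):
            return None
        return sign(BANK_KEY, user_doc)
```

Storing the issued bytes (or their digest) server-side is what makes the comparison possible; a flow that reconstructs the agreement from fields the user submits cannot detect a changed interest rate.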
Server-Side Code Execution
Server-Side Code Execution
Examples
Java code injection (JBoss bug in 2010)
PHP code injection (eval, system, includes...)
Shell argument injection (command1&command2)
Buffer overflows
Impact
Change e-banking application code
Obtain database/WS credentials, issue direct requests to DB or back-end WS
The List Goes On...
Other Attacks
Session Puzzling
Insecure Mass Assignment
Numerical Magic: Overflows, Underflows, Exponential Notation, Reserved words (Corsaire whitepaper)
“Stale” Currency Exchange
Race Conditions
...
New functionalities: automated deposits, loans, investment portfolio management, ...
Getting Rich Without Breaking The Law
http://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html
Rounding And Currency Exchange
1 € = 1,364 $
0,01 € = 0,01364 $
0,01 € → 0,01 $ after rounding: Loss -0,00364 $ = -27%
0,01 $ → 0,01 € after rounding: Profit +0,00266 € = +36%
Asymmetric Currency Rounding
by M'Raïhi, Naccache and Tunstall
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.91.8055&rep=rep1&type=pdf
KNOWN AT LEAST SINCE 2001
Currency Rounding Attack: Algorithm
1: Convert 100 € to $                              // We have 136,40 $
2: for i = 1 to 13640: Convert 0,01 $ to 0,01 €    // Now we have 136,40 €
3: goto 1
Currency Rounding Attacks – The Speed Of Getting Rich
Assume: 10 exchanges / second
1 day = 86.400 seconds
Daily profit: 2.300 €
Monthly profit: ~ 70.000 €
Improvements
Optimal exchange rate (getting as close to 0,005 as possible)
Corporate banking: packets (1000s of exchanges in one packet)
Does it really work?
My personal e-banking: YES
My company’s corporate e-banking: YES
Countermeasures
Limit minimum amount to 1 whole unit, exchange fee
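The rounding slides, the algorithm and the profit estimate above all follow from one arithmetic fact: at 1 € = 1,364 $, a single cent converted back to euros is worth 0,00733 € but is credited as 0,01 €. The example below is added here and is not code from the talk; it carries the slides' own numbers through `decimal` arithmetic (round-half-up to the cent is assumed as the bank's rounding rule), reproduces the 100 € → 136,40 $ → 136,40 € round trip and the roughly 2.300 € per day at 10 exchanges per second, and then applies the countermeasure named on the slide, a minimum exchange amount of one whole unit with an optional fee, under which the sub-unit conversion is refused.

```python
from decimal import Decimal, ROUND_HALF_UP

RATE = Decimal("1.364")  # 1 € = 1,364 $ from the slide
CENT = Decimal("0.01")


class ExchangeError(Exception):
    pass


def eur_to_usd(eur: Decimal) -> Decimal:
    """Conversion rounded to the cent as the slide's bank does (round-half-up is assumed)."""
    return (eur * RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def usd_to_eur(usd: Decimal) -> Decimal:
    return (usd / RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def round_trip(start_eur: Decimal) -> Decimal:
    """The algorithm slide: convert the euros to dollars once, then convert the dollars
    back one cent at a time; each cent's 0,00733 € rounds up to 0,01 €."""
    usd = eur_to_usd(start_eur)
    cents = int(usd / CENT)
    return sum((usd_to_eur(CENT) for _ in range(cents)), Decimal("0"))


def daily_profit(exchanges_per_second: int = 10, seconds: int = 86400) -> Decimal:
    """The 'Speed Of Getting Rich' estimate: rounding gain per cent times exchanges per day."""
    gain_per_exchange = usd_to_eur(CENT) - CENT / RATE
    return (gain_per_exchange * exchanges_per_second * seconds).quantize(Decimal("1"))


def usd_to_eur_guarded(usd: Decimal, min_amount: Decimal = Decimal("1"),
                       fee: Decimal = Decimal("0")) -> Decimal:
    """The slide's countermeasures: refuse sub-unit amounts and/or deduct a fee, so a
    single rounding step can never exceed what the customer paid in."""
    if usd < min_amount:
        raise ExchangeError("amount below the minimum exchange unit")
    return (usd / RATE - fee).quantize(CENT, rounding=ROUND_HALF_UP)


def guarded_accepts(usd: Decimal) -> bool:
    """Wrapper for the demonstration: does the guarded conversion accept this amount?"""
    try:
        usd_to_eur_guarded(usd)
        return True
    except ExchangeError:
        return False
```

The minimum amount works because the rounding error is bounded by half a cent per conversion; once each conversion moves at least one whole unit, that error is a fraction of a percent of the amount rather than 36 % of it.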
Getting Away With It
Getting Away With It
Avoiding Detection
While searching for vulnerabilities
While performing the attack
Solution: “User in the middle” – hiding behind a user
Breaking The Money Trail
ATMs, Western Union
Money Mules
BitCoin, WebMoney, Liberty Reserve, ...
Chaining multiple “users in the middle” in different countries
ATM – The Final Destination
2007: iWire - $5M (9,000 prepaid cards)
2008: Citibank - $2M (hacked ATM network, stolen PIN codes)
2008: WorldPay - $9M (44 debit cards, lifted limit)
2011: Florida bank - $13M (22 debit cards, lifted limit)
2012: Postbank – $6.7M (stolen teller identity, transfers to other accounts, lifted limit)
Mitja Kolsek
ACROS d.o.o. www.acrossecurity.com
Twitter: @acrossecurity, @mkolsek
Thanks: Mikko H. Hypponen, René Pfeiffer, Claudio Criscione, Stefan Ortloff and Candi Carrera for help with gathering information on national digital certificate usage
Speaker Feedback: https://www.surveymonkey.com/sourceboston12