Talk: How To Rob An Online Bank And Get Away With It

René Pfeiffer/ September 18, 2011/ Conference

We’ve all heard of – or have even been a victim of – attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. From the attacker’s point of view this is very undesirable.

These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where – as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had to rob the banks the old-fashioned way with guns and actual physical presence, risking his life and endangering the lives of others. Today, 90% of all money is in digital form inside banking databases. It therefore shouldn’t surprise us if tomorrow’s Suttons break into banks disguised in malicious server requests that sneak past the predictable e-guards and force the compliant bank e-tellers to hand over the money or send it to a foreign account.

An online banking server application is an implementation of the business logic that provides online banking services to remote users on PCs or mobile devices. Security requirements are many and diverse, for instance: verifying who the user is, preventing users from accessing another user’s data or funds (unless authorised), and limiting payments to available funds so that unauthorised overdrafts are impossible. And the stakes are very high: a single error in such an application can potentially provide a way to steal large sums of money from personal or corporate users, to instantly borrow an unlimited amount without authorisation, to enter a maliciously-doctored legally binding agreement with the bank or even to create new money out of thin air.
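As an added illustration of those three requirements (not code from the talk, from Mitja Kolsek or from DeepSec), the following Python sketch puts authentication, authorisation and the funds check into one transfer routine and adds a ledger-wide invariant that catches money being created out of thin air. The `Ledger` and `Account` names, the `delegates` set and the sample balances are all constructed for this example; the `actor` argument stands for whatever user identity the session layer has already authenticated.

```python
"""Added example: a transfer routine that enforces the online-banking
requirements named in the text. Names, accounts and balances are
constructed for illustration; this is not any real bank's code."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import threading

CENT = Decimal("0.01")  # smallest unit the ledger accepts


class TransferError(Exception):
    """Any rejected transfer; the caller gets a reason, not a traceback."""


@dataclass
class Account:
    id: str
    owner: str                                   # authenticated user id that owns the account
    balance: Decimal
    overdraft_limit: Decimal = Decimal("0.00")   # how far below zero the bank allows
    delegates: set = field(default_factory=set)  # users explicitly authorised to pay from it


class Ledger:
    def __init__(self, accounts):
        self._accounts = {a.id: a for a in accounts}
        self._lock = threading.Lock()
        # Conservation invariant: transfers move money, they never create it.
        self._expected_total = sum(a.balance for a in accounts)

    def balance(self, account_id):
        return self._accounts[account_id].balance

    def total(self):
        return sum(a.balance for a in self._accounts.values())

    @staticmethod
    def _parse_amount(raw):
        """Accept only a finite, positive amount with at most two decimals."""
        try:
            amount = Decimal(str(raw))
            if not amount.is_finite():
                raise TransferError("amount must be finite")
            if amount != amount.quantize(CENT):
                raise TransferError("amount has sub-cent precision")
        except InvalidOperation:
            raise TransferError("amount is not a valid number")
        if amount <= 0:
            # A negative amount would silently reverse the direction of the transfer.
            raise TransferError("amount must be positive")
        return amount

    def transfer(self, actor, src_id, dst_id, raw_amount):
        """Move raw_amount from src to dst on behalf of the authenticated actor."""
        amount = self._parse_amount(raw_amount)
        with self._lock:  # funds check and debit happen atomically, so two
            src = self._accounts.get(src_id)  # concurrent requests cannot both pass
            dst = self._accounts.get(dst_id)
            if src is None or dst is None:
                raise TransferError("unknown account")
            if src_id == dst_id:
                raise TransferError("source and destination are the same account")
            # Authorisation: the source account id arrives in the client request and
            # must be checked against the authenticated user, never trusted on its own.
            if actor != src.owner and actor not in src.delegates:
                raise TransferError("actor is not authorised for the source account")
            # Funds check against the account's own overdraft limit.
            if src.balance - amount < -src.overdraft_limit:
                raise TransferError("insufficient funds")
            src.balance -= amount
            dst.balance += amount
            if self.total() != self._expected_total:
                raise AssertionError("ledger invariant violated: money created or destroyed")
        return amount


def try_transfer(ledger, actor, src_id, dst_id, amount):
    """Return 'ok' or the rejection reason; handy for tests and for audit logs."""
    try:
        ledger.transfer(actor, src_id, dst_id, amount)
        return "ok"
    except TransferError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    ledger = Ledger([
        Account("A1", "alice", Decimal("100.00"), delegates={"dave"}),
        Account("B1", "bob", Decimal("20.00")),
        Account("C1", "carol", Decimal("0.00"), overdraft_limit=Decimal("50.00")),
    ])
    print(try_transfer(ledger, "alice", "A1", "B1", "30.00"))  # ok
    print(try_transfer(ledger, "bob", "A1", "B1", "1.00"))     # not authorised
    print(try_transfer(ledger, "alice", "A1", "B1", "-10.00")) # must be positive
    print("total still", ledger.total())
```

The rejection reasons are deliberately specific so they can be logged and alerted on: a burst of "not authorised for the source account" from one session is exactly the kind of reconnaissance a defender wants to see before any money moves.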

The presentation by Mitja Kolsek will reveal future attacks against online banks, attacks we keep finding to be possible in our security reviews. We’ll show how e-bank robbers of tomorrow will approach their targets, hide their reconnaissance and attacks, cloak their identities and retrieve the stolen funds. You will also see how a frequent error in online banking applications allows users to make serious profits on simple automated operations – without ever breaking the law.

The bankers in the audience will have a rare opportunity to get a heads-up about future attacks before these are mounted against their systems, and those developing online banking systems will get a list of the most critical security flaws they absolutely have to avoid. The attacks presented will be a mix of surprising triviality and devious cleverness, leaving the audience slightly worried about the fragility and vulnerability of today’s financial systems.

Bank robbers are kindly asked not to attend this talk.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.