Today I took some time to write a little about ABN-AMRO’s security weaknesses.
This article including it’s examples and example code (which will be posted later) are for educational purposes only.
Account blocking
It’s made too simple to lock an account for internet banking. Going to https://www.abnamro.nl/nl/homepage/overview.html and typing an existing bank account number with any card number, submit this 5 times and the account will be locked.
The owner of the account needs to call the Service Center (or submit a letter/fax) and request to unlock his/her account. This takes some time,.. meanwhile he/she cannot enjoy internet banking or online stock trading.
You might think: “Nothing wrong, it’s just one account”.
Wrong!, imagine building a script, blocking all account numbers of all internet banking customers.
The bank’s Service Center (0900-0024) will be probably be overloaded, this is the same phone number as being used for payments, stock advice/buying/selling, lost cards, etc.
It’s even more easy because ABN-AMRO uses fixed ranges of account numbers (see this thready for bank account ranges, officially it’s not a given range but let’s say they use the whole 4x.xx.xx.xxx range). That are 100 million numbers.
Info: Officially a bank account number is 10 numbers long but you’ve probably seen them with just 9 numbers so far, the first (10th number) is a leading zero.
Bank account numbers apply to a special algorithm called the ‘11-proef‘. This reduces the number of valid account number dramatically.
Buy some put options first and prepare for a little stock dip ;) But read on and imagine all things mentioned here happen at the same day. Especially a
Normally you would say: Just block the IP-address which does the request, but that’s not a really a good option.
For example: Employees of Shell or a large school are all internet banking during their lunch time. Shell uses NAT and is present with just 1 IP-address on the internet. Blocking the IP-address would block all employees of Shell (i.e. about 40.000 people)..
The only ‘secret question’ there is..
The ABN-AMRO Bank is quite vulnerable for easy ‘social hacking’. When you know someone’s name and account number, you can just block his/her bank card. The only ‘secret question’ thing they can ask is address and birthdate. They will not ask for a Sofinumber or Tin-code because it must be possible to block your card (when it’s stolen) without having this data in front of you. Just say you don’t know the cardnumber because the card is stolen/lost. Maybe even without an account number (only name/birthdate) it will be possible to block someone’s card (test..anyone.. ?). Just say you’re traveling and don’t know the accountnumber,.. it was always on you card.
It would be better the bank asks about your last transaction, the year you opened your account or a combination of all.
Man in the middle (phising)
The reason why all previous phising e-mails failed is that they do not contain proper language. Openings like “Lieve klant,..” and other words/text which is translated from Russian->Dutch does not really persuade the customer. Instead, write a professional Dutch HTML email and take the banks header and footer gif/jpeg files (from the www.abnamro.com domain), say something about checking the customer’s safety and ‘..never trust third-party emails..’. Ask to go to an URL where they need to login with their ‘very secure’ token.
Now setup a reverse-proxy which completely passes through the ABN-AMRO’s website but with a man-in-the-middle piece of code which let the user login and always let is reject his/her first login try (the user will probably believe this and thinks he/she entered the wrong code, so he will login again). The second time the user logs in, it does a payment on the backside. It then shows the user a message like ‘..thank you for validating, we respect customer safety..blabla..’.
Offcourse you need some kind of anonymous payment account to book money on or money-runners/kids which do cash withdrawals the same day,
Note: An ‘evil’ person won’t attack on an ordinary Monday or Tuesday. They will use the last day before an extended weekend, like Thursday-afternoon (April 5th, 2007) or Friday (April 6th, 2007) which is just before the extended Eastern weekend. Friday-afternoon (April 27th, 2007) or Monday (April 30th, 2007 – Quensday) will also be dangerous days. Most bank offices and (IT) departments are closed or less occupied while the whole automated payment scene is running. Lots of transactions which make automated audit tools react/alert slower or will not (or too late) reach the responsible person. Traffic on the streets is chaos which makes camera control (CCTV) hard so cash withdrawels in Amsterdam can be done quite easy and inconspicuous now.
Pin code
Some simple details about the ‘Pin-code’.
The pin-code is stored on the magnetic strip on the card as well as the chip on the card. The evidence for this is when you block your card by typing 3 wrong pin codes on the E-dentifier, you can still pay in shops and do cash withdrawels.
When you try to pay in a shop and enter your pin code 3 times wrong, you can still put your card in your E-dentifier without any notice. The magnetic strip has just a few byte (8bit = 1byte) of storage capacity. The code seem to be stored with a (Triple) DES encryption. Probably with ‘salt’ your account/card number or a combination. A lot of pdf’s about DES encryption and pin codes can be found on the web. A pin code can be any of 10.000 combinations (3 tries), this makes it a change of 0.06% (!) for a good try!
With now-a-days computer power it’s much more easy to brute-force the DES encryption key which is stored on the bank card. Probably within 1 weekend.
Most things mentioned above are possible and known for several years.
Below is a short movie about how to read out the data on a chipcard, finally look at where the powder is and you can see the binary code (example: 11100101011001).