
My [AIB Online Banking] compromised


Comments

  • Registered Users Posts: 1,931 ✭✭✭Zab


    bk wrote: »
    The banks can however fix this issue, by improving the security of their online banking service, by implementing two factor authentication and alternative authentication channels.

    With the code card AIB already had two factor authentication. I'm unsure about these Card Readers as opposed to the PIN accessed type of Secure Token that can be used to sign transactions. The chips used on Chip and PIN cards are apparently quite flawed ( http://www.youtube.com/watch?v=6lI56XXeV8g ).


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,709 Mod ✭✭✭✭bk


    Zab wrote: »
    With the code card AIB already had two factor authentication.

    Yes, but it doesn't have the alternative authentication and verification channel, which is what the card reader adds.

    The problem with the old code cards is that it still had to be entered in the browser and was therefore vulnerable to the classic man in the middle attack.

    The card reader eliminates this attack channel. It isn't possible for the man in the middle to add a new account and make transfers without AIB and the customer knowing.
    Zab wrote: »
    I'm unsure about these Card Readers as opposed to the PIN accessed type of Secure Token that can be used to sign transactions. The chips used on Chip and PIN cards are apparently quite flawed ( http://www.youtube.com/watch?v=6lI56XXeV8g ).

    The card readers use a PIN too and are actually more secure than the one time password generator Secure Tokens.

    Such Secure Tokens are actually still completely vulnerable to Man In The Middle (MITM) attacks.

    The card readers defeat the MITM attacks because when you add a new account or make a payment, you enter the account's details or payment in the card reader which generates a hash code that you enter in the website. If the MITM tries to change this code, the bank will know that it is a fraudulent transaction.

    The only way (assuming it is all correctly implemented) the MITM can work is if he gets both your ATM pin and can physically access your ATM card and infect your PC with a trojan!!

    Yes, it certainly is possible, but it becomes much, much more difficult. Basically it eliminates the faceless criminal attacking you from across the world on the web. Now the only practical attack is to physically attack you, which is possible, but much less likely.

    In computer security there is no such thing as perfect security, there is only adding layers of protection that make it more difficult. Security is always a balance between security versus cost and convenience.

    BTW yes chip and pin has been cracked, but that is a different issue, as the attacker would still need physical access to your ATM card.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    Well, I agree with you except about chip and pin being cracked being a separate issue. Also, I wasn't referring to a one time password type of secure token. In fact there's nothing that a secure token can't do that this card reader can except require a (flawed) card and be shared between users. Which isn't to say it's worse than not having it.


  • Registered Users Posts: 111 ✭✭frank9901


    Just got a call from the bank, money is being refunded as a gesture of goodwill.


  • Registered Users Posts: 111 ✭✭frank9901


    I asked the lady from the fraud dept about the reader card, she said it would not stop this type of attack.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    frank9901 wrote: »
    I asked the lady from the fraud dept about the reader card, she said it would not stop this type of attack.

    I don't have one but assuming that you're entering the details of what you're trying to do into the reader and it's generating a code from that, then she's wrong. The attacker would have your ID and pin but would have no way of transferring money to their account without you entering their account number into the device and typing in the code it gives you, something you hopefully would not do.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,709 Mod ✭✭✭✭bk


    Excellent article on the possible weaknesses * in the new Card Readers being issued by AIB and how they may be attacked, for anyone interested:

    http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

    * I say possible, because this article is about the system being deployed by the UK banks, which I assume is the same as being deployed by AIB.


  • Registered Users Posts: 7,401 ✭✭✭Nonoperational


    Sometimes a bank won't pay out in this situation, and it would be hard to fight them on it. At the end of the day there HAS to be some malicious code on your machine for this to happen. Granted I'd have more sympathy for people who are the victims of these attacks than of a poor looking phishing page, but still... Never ever ever ever ever give codecard details when logging in. If there's anything other than the usual 3 digits of the PAC then run.


  • Registered Users Posts: 111 ✭✭frank9901


    I realize I was a complete idiot to be caught out, but I still feel the fraudsters should not be able to make international money transfers with just 2 codes of the card, as they are asked to enter two random codes from 100, so I feel their code card must have been cracked from just two numbers. I was to blame and I feel extremely lucky to be refunded, it just bugs me that the code card became useless when just 2 numbers were revealed.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    Are you saying it requires more than two codes to make an international transfer?


  • Registered Users Posts: 1,931 ✭✭✭Zab


    bk wrote: »
    Excellent article on the possible weaknesses * in the new Card Readers being issued by AIB and how they may be attacked, for anyone interested:

    http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

    * I say possible, because this article is about the system being deployed by the UK banks, which I assume is the same as being deployed by AIB.

    That was quite interesting. The AIB one looks the same as the NatWest one in the report. I'm always amazed by how often banks screw this stuff up. Saying "REF" when it's asking for an account number is particularly brilliant.


  • Registered Users Posts: 111 ✭✭frank9901


    Zab wrote: »
    Are you saying it requires more than two codes to make an international transfer?

    It takes two codes, for example if the fraudster has codes 4 and 7 it may ask them for codes 89 and 67 or any two from 100, so your 4 and 7 would be no good unless you cracked the card and could figure out any code number they may ask for.


  • Registered Users Posts: 3,636 ✭✭✭dotsman


    frank9901 wrote: »
    It takes two codes, for example if the fraudster has codes 4 and 7 it may ask them for codes 89 and 67 or any two from 100, so your 4 and 7 would be no good unless you cracked the card and could figure out any code number they may ask for.

    As a matter of interest, can you remember if you were asked for the codes on the first page when you logged in, or was it afterwards (ie a second page)?


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,709 Mod ✭✭✭✭bk


    frank9901 wrote: »
    I realize I was a complete idiot to be caught out, but I still feel the fraudsters should not be able to make international money transfers with just 2 codes of the card, as they are asked to enter two random codes from 100, so I feel their code card must have been cracked from just two numbers. I was to blame and I feel extremely lucky to be refunded, it just bugs me that the code card became useless when just 2 numbers were revealed.

    Do you mean two codes from your 4 digit PIN or two separate 4 digit codes from your code card?

    If it is the latter, then that is all that is needed to do an international transfer without the code card having been cracked in any way.

    Remember the trojan is doing "stuff" and communicating with the AIB website in the background while you are logged in.

    When you log in, it is also logged in. It then tries to set up an international transfer in the background while you are logged in, AIB asks it for code 55 from the code card and the trojan thus asks you for code 55 and enters code 55, thus authorising the transaction, meanwhile it tells you that the AIB site is doing what you suspect it to be doing.

    At least that is what I assume is happening, a very sophisticated attack.


  • Registered Users Posts: 3,636 ✭✭✭dotsman


    bk wrote: »
    Do you mean two codes from your 4 digit PIN or two separate 4 digit codes from your code card?

    If it is the latter, then that is all that is needed to do an international transfer without the code card having been cracked in any way.

    Remember the trojan is doing "stuff" and communicating with the AIB website in the background while you are logged in.

    When you log in, it is also logged in. It then tries to set up an international transfer in the background while you are logged in, AIB asks it for code 55 from the code card and the trojan thus asks you for code 55 and enters code 55, thus authorising the transaction, meanwhile it tells you that the AIB site is doing what you suspect it to be doing.

    At least that is what I assume is happening, a very sophisticated attack.

    Yes, that is what I suspect is happening. The only thing I'm not clear on is how it is doing this if the logon and giving the codes was all done at the same moment.

    Surely it would need to take the victim's log on details, then submit the transfer request and then ask the victim for the relevant 2 codes that AIB has challenged.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    dotsman wrote: »
    Yes, that is what I suspect is happening. The only thing I'm not clear on is how it is doing this if the logon and giving the codes was all done at the same moment.

    Surely it would need to take the victim's log on details, then submit the transfer request and then ask the victim for the relevant 2 codes that AIB has challenged.

    I haven't seen the trojan so I don't know if it's asking for the codes immediately, but if it is it just means that the transaction has already been set up in the background between you submitting the PAC and it asking you for the codes. I think what you're overlooking is how quickly this can be done by a computer rather than a human.


  • Registered Users Posts: 3,636 ✭✭✭dotsman


    Zab wrote: »
    between you submitting the PAC and it asking you for the codes

    Yes, that is how I imagine it must be done.
    Zab wrote: »
    I think what you're overlooking is how quickly this can be done by a computer rather than a human.
    Oh, I fully appreciate that.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    eh ... what were you asking for then? :confused:


  • Registered Users Posts: 111 ✭✭frank9901


    bk wrote: »
    Do you mean two codes from your 4 digit PIN or two separate 4 digit codes from your code card?

    If it is the latter, then that is all that is needed to do an international transfer without the code card having been cracked in any way.

    Remember the trojan is doing "stuff" and communicating with the AIB website in the background while you are logged in.

    When you log in, it is also logged in. It then tries to set up an international transfer in the background while you are logged in, AIB asks it for code 55 from the code card and the trojan thus asks you for code 55 and enters code 55, thus authorising the transaction, meanwhile it tells you that the AIB site is doing what you suspect it to be doing.

    At least that is what I assume is happening, a very sophisticated attack.

    No, I am just logging in to top up a mobile phone, the fraudsters get the two 4 digit code card numbers from me (stupid) but AIB are not asking me for card numbers when I am in the site, I would only be asked for numbers if doing an international money transfer, so all they have is the two numbers I gave them, there is nothing else for them to watch or to copy regarding code card numbers, so when they did the transfer they would be asked for two random 4 digit code card numbers which I have never used. They transfer the money over the next two days, not when I am logged in.

    Just to add, I foolishly gave the two 4 digit code card numbers on the 12/2/12, the money was transferred on the 13th and again on the 14th.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    You're misunderstanding what bk is saying Frank. An example timeline of how this works would be:

    You go to the "AIB" website and enter your account number and PAC
    The attacker (very quickly, a computer not a person) logs into the real AIB site with your details and starts to do an international transfer. AIB asks the attacker for codes 7 and 42.
    The "AIB" site then asks you for the same two codes (7 and 42). This could happen right after you log in.

    The idea is that you aren't asked for the two codes until the attacker is already in the middle of creating the transfer, and thus knows which codes to ask for.

    With respect to your edit at the end, I believe you can set up a payee with two codes (in real-time as above) and then you won't be asked for the codes again.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,709 Mod ✭✭✭✭bk


    Yup, Zab has explained it better than me and he didn't even need to mention Alice and Bob :D

    It sounds like that no, the AIB code card hasn't been cracked, it is instead just a classic, but very sophisticated "Man In The Middle" attack.

    Very interesting stuff, the new card readers would definitely protect against this.


  • Registered Users Posts: 7,382 ✭✭✭Tow


    bk wrote: »
    Very interesting stuff, the new card readers would definitely protect against this.

    How would a basic card reader protect against this type of hack, the 'middle site' could just pass the data to/from the card reader through it?




  • Registered Users Posts: 111 ✭✭frank9901


    Zab wrote: »
    You're misunderstanding what bk is saying Frank. An example timeline of how this works would be:

    You go to the "AIB" website and enter your account number and PAC
    The attacker (very quickly, a computer not a person) logs into the real AIB site with your details and starts to do an international transfer. AIB asks the attacker for codes 7 and 42.
    The "AIB" site then asks you for the same two codes (7 and 42). This could happen right after you log in.

    The idea is that you aren't asked for the two codes until the attacker is already in the middle of creating the transfer, and thus knows which codes to ask for.

    With respect to your edit at the end, I believe you can set up a payee with two codes (in real-time as above) and then you won't be asked for the codes again.

    When I am logged in to the AIB site I am not asked for any code card numbers, they would only ask for them if I was doing an international money transfer, which I was not. So they had the two codes which I gave them on the bogus log in page, they are the only codes I reveal, even if they shadow me and log in with me there is no further use of card codes. Undoubtedly when I finish my session I have left them with enough detail to log in to my account but they still only have two 4 digit code card numbers. Now when they logged in on the 13th Feb and transferred money they would be asked for two random card numbers from a possible 100, then when they logged in again on the 14th and transferred money they would be asked for a further two random card numbers, in all they were able to respond to 4 challenges.


  • Registered Users Posts: 10,632 ✭✭✭✭28064212


    frank9901 wrote: »
    When I am logged in to the AIB site I am not asked for any code card numbers, they would only ask for them if I was doing an international money transfer, which I was not. So they had the two codes which I gave them on the bogus log in page,
    You only see a login page. In the background, they've already made the international transfer request, and been challenged for the two numbers. They ask you for those two numbers, and that's all they need.
    frank9901 wrote: »
    Now when they logged in on the 13th Feb and transferred money they would be asked for two random card numbers from a possible 100, then when they logged in again on the 14th and transferred money they would be asked for a further two random card numbers, in all they were able to respond to 4 challenges.
    There is a way to reuse international payment data: http://www.aib.ie/servlet/Satellite?c=IBContent_C&cid=1231170958993&pagename=aib-IBHelpInfo%2Faib-ib_main&section=aib-S005#q25. I don't know for sure if you just need a digit of your PIN like you do for payees, or you're asked for 2 more codes, but I'm guessing the former.




  • Registered Users Posts: 111 ✭✭frank9901


    28064212 wrote: »
    You only see a login page. In the background, they've already made the international transfer request, and been challenged for the two numbers. They ask you for those two numbers, and that's all they need.

    There is a way to reuse international payment data: http://www.aib.ie/servlet/Satellite?c=IBContent_C&cid=1231170958993&pagename=aib-IBHelpInfo%2Faib-ib_main&section=aib-S005#q25. I don't know for sure if you just need a digit of your PIN like you do for payees, or you're asked for 2 more codes, but I'm guessing the former.

    Yes you can reuse a payment log without being asked for more numbers BUT they transferred to two different accounts, it was not two transfers to one account. If I remember, one transfer was to a payee "save now" and another was to family something, they ask for the two numbers on the bogus page not after log in, and as I said the money was not transferred on that day, they logged in on the 13th and again on the 14th, the two numbers they had from a previous session would be useless, unless they could manipulate the system to ask for those two particular numbers.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    Tow wrote: »
    How would a basic card reader protect against this type of hack, the 'middle site' could just pass the data to/from the card reader through it?

    The card reader is not hooked up to the computer. When transferring money you have to enter the destination account and amount into the card reader*. The code it gives you is only valid for sending the specified amount to the specified account (well, that's the idea, but in reality there will probably be a set of valid accounts). This is in contrast to the code card, where the codes are all general purpose. That fact is what allowed the flaw in this thread to be exploited, as the codes users were entering for one thing were in fact being used for something else.

    You could have a version of this where the device is hooked up to the computer. In that case the computer would set up all the details on the card reader and the user would verify them by looking at the screen on the card reader and pressing a button on it. This stops the computer maliciously authorizing transactions the user doesn't want.

    Unfortunately the interface on the device is supposed to be poor. They wanted to keep it as multi-function as they could so the interface isn't very specific about what information it's requesting. For instance, it apparently asks for a "REF" when you are entering the IBAN instead of asking for "IBAN" or "Account number". This allows the bank to use the same function for something else (such as authenticating a phone number change or whatever) but also raises the possibility that an attacker could trick an uneducated user into authenticating a transfer to his account by telling him that it was a "routine reference check" or similar.

    *I haven't seen the AIB version but some implementations include a random number from the website. This stops the resulting code being reused at another time or precomputed.
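    As an added illustration (constructed here, not code from the thread, from AIB or from the Cambridge paper), the difference Zab describes between general-purpose code-card codes and transaction-bound reader codes, covering both the relay timeline earlier in the thread and the reader explanation above. The bank, card layout, keys and account numbers are all hypothetical, and the reader code is modelled as an HMAC over destination, amount and a bank-supplied nonce.

```python
import hashlib
import hmac
import secrets

# Constructed model, not AIB's real system: a code card is a grid of 100
# four-digit codes indexed 1..100, derived here from a per-customer secret.
def make_code_card(card_secret: bytes) -> dict:
    card = {}
    for pos in range(1, 101):
        digest = hashlib.sha256(card_secret + bytes([pos])).digest()
        card[pos] = f"{int.from_bytes(digest[:2], 'big') % 10000:04d}"
    return card

def reader_code(reader_key: bytes, dest_account: str, amount: int, nonce: str) -> str:
    """Transaction-bound code from the offline reader: an HMAC over what the
    user keyed in plus the bank's nonce, truncated to 8 digits. Change any
    field (destination, amount, nonce) and the code no longer verifies."""
    msg = f"{dest_account}|{amount}|{nonce}".encode()
    digest = hmac.new(reader_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Bank:
    def __init__(self, card_secret: bytes, reader_key: bytes):
        self.card = make_code_card(card_secret)
        self.reader_key = reader_key

    def code_card_challenge(self) -> tuple:
        # Two random positions, as in the thread ("codes 7 and 42")
        return tuple(secrets.SystemRandom().sample(range(1, 101), 2))

    def verify_code_card(self, challenge: tuple, answers: tuple) -> bool:
        # Codes are general purpose: nothing ties them to a particular transfer
        return all(hmac.compare_digest(self.card[p], a)
                   for p, a in zip(challenge, answers))

    def verify_reader(self, dest_account: str, amount: int, nonce: str, code: str) -> bool:
        expected = reader_code(self.reader_key, dest_account, amount, nonce)
        return hmac.compare_digest(expected, code)

# Constructed identifiers for the simulation
CARD_SECRET = b"constructed-card-secret"
READER_KEY = b"constructed-reader-key"
MERCHANT = "IE00MERCHANT0000000000"   # what the victim meant to pay
ATTACKER = "IE00ATTACKER0000000000"   # where the trojan redirects the money

def code_card_mitm() -> bool:
    """Zab's timeline: the trojan starts a transfer to ATTACKER in the real
    session, is challenged for two positions, and shows that same challenge on
    the fake page; the victim reads the codes off the physical card."""
    bank = Bank(CARD_SECRET, READER_KEY)
    wallet_card = make_code_card(CARD_SECRET)
    challenge = bank.code_card_challenge()
    answers = tuple(wallet_card[p] for p in challenge)
    return bank.verify_code_card(challenge, answers)   # True: relay succeeds

def card_reader_transfer(submitted_dest: str) -> bool:
    """The victim keys MERCHANT and 20 into the offline reader; whatever
    destination the browser session submits is what the bank verifies against."""
    bank = Bank(CARD_SECRET, READER_KEY)
    nonce = secrets.token_hex(4)                         # supplied by the bank
    code = reader_code(READER_KEY, MERCHANT, 20, nonce)  # computed in the reader
    return bank.verify_reader(submitted_dest, 20, nonce, code)

def card_reader_replay() -> bool:
    """Zab's footnote: the bank's nonce stops a captured code being reused later."""
    bank = Bank(CARD_SECRET, READER_KEY)
    old_code = reader_code(READER_KEY, MERCHANT, 20, "nonce-from-yesterday")
    return bank.verify_reader(MERCHANT, 20, secrets.token_hex(4), old_code)
```

card_reader_transfer(MERCHANT) is accepted, card_reader_transfer(ATTACKER) is rejected, and the replayed code is rejected: the code only authorises the exact transfer the user keyed in.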


  • Registered Users Posts: 1,931 ✭✭✭Zab


    frank9901 wrote: »
    Yes you can reuse a payment log without being asked for more numbers BUT they transferred to two different accounts, it was not two transfers to one account. If I remember, one transfer was to a payee "save now" and another was to family something, they ask for the two numbers on the bogus page not after log in, and as I said the money was not transferred on that day, they logged in on the 13th and again on the 14th, the two numbers they had from a previous session would be useless, unless they could manipulate the system to ask for those two particular numbers.

    Interesting. It is possible that AIB made a mistake either with the code-card randomization or with their website. However, it's also possible that you're overlooking something, such as the two transfers being to the same account but with different references.


  • Registered Users Posts: 111 ✭✭frank9901


    Zab wrote: »
    Interesting. It is possible that AIB made a mistake either with the code-card randomization or with their website. However, it's also possible that you're overlooking something, such as the two transfers being to the same account but with different references.

    That is possible, if everything was done when they asked me for the two numbers, but it was done in two further sessions, the 13th and 14th, and any scenario I can think of would not account for that.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    They set up the payee at the time and then transferred the money with a different reference on the 13th and 14th? You get to put a different reference for each transfer.


  • Registered Users Posts: 111 ✭✭frank9901


    Zab wrote: »
    They set up the payee at the time and then transferred the money with a different reference on the 13th and 14th? You get to put a different reference for each transfer.

    That must be the correct answer, nothing else fits.

