*33C3 preroll music*

Herald: Next talk is gonna be “Shut up and take my money” by Vincent Haupert. Vincent is a research associate at the security research group of the Department of Computer Science at Friedrich-Alexander-Universität in Erlangen-Nürnberg, Germany. Typical, very long German word. His main research interests are authentication, system security and software protection of mobile devices. It’s actually Vincent’s second time speaking at the Congress. Last year’s talk discussed conceptual insecurity of app-generated passwords in online banking. This year he will discuss the practical aspects and some successful hacks that, if I recall correctly, took over entire bank accounts from users’ mobile apps. With that, Vincent, over to you.

*applause*

Vincent Haupert: Hello again, thanks for the warm welcome, and let’s dive right into it because we have a tough program.

Okay. First of all, online banking is something that affects us all, because virtually everybody uses it. In traditional online banking, we use two devices. One to initiate our payments – and to log in with user name and password – and another device to confirm transactions. With the rise of mobile devices, app-based confirmation procedures became popular, like this app there. In the recent past, which is what I was talking about last year, it became popular to implement those two devices in two apps. That means you only have one single device and have two apps now to authenticate transactions. Last year I showed that this has severe conceptual drawbacks. But this is not the end of it. The latest evolution in online banking is now one-app authentication models. I already said this last year: actually, it doesn’t make so much difference. So banks are no longer faking to have real two-factor authentication. It’s now clear that it’s just one, so you do the transaction initialization inside the app and the confirmation is just another dialog inside the app.

This time I want to talk about N26, the shining star in the German FinTech sky. Actually, this time I’m only going to be talking about technical issues. It’s clear that we have similar conceptual problems as with two-app authentication, but I will focus on technical issues because we have enough of those there.

Briefly about N26: N26 is a Berlin-based, “Mobile First” FinTech and it plans to establish your smartphone as your financial hub for everything, so that you do literally everything from inside the app. Actually it was only founded in 2013, it started in 2015 with their app and it already has over 200,000 customers, which is astonishing, actually. It now also has its own European banking license. That’s only, I think, half a year ago; and it announced not even one month ago that it’s now available in 17 European countries. And they also claim that you can open a bank account in just eight minutes. As it turns out you can lose it even faster.

*laughter*

Okay, let’s talk briefly about transaction security in the Number 26 app. If you want to do a transaction, you first need to log in. This works with your user name, in this case it’s just your email address, and your password. This is pretty standard. Afterwards you are good to initiate a transaction. After you have entered all the details you also have to supply a transfer code. This is just a four-digit number; you use this also to withdraw cash. Probably you would call this ‘PIN’. The last factor in this authentication scheme is your paired phone. This is actually the most important security feature of the N26 account, and you can only pair one smartphone with your N26 account. That means, from a technical perspective, the N26 app, the very first time you start it, generates an RSA key pair and sends the public key to the N26 backend. And whenever you initiate a transaction they are going to send an encrypted challenge to your smartphone and you send it back decrypted. That’s how it works. Actually, re-pairing, that means pairing another phone, is a pretty well secured process, but we will talk about this later.

Just to talk about the infrastructure of N26: basically they have two apps, one for iOS, one for Android, and they communicate over a JSON-based protocol, TLS encrypted. The backend is at api.tech26.de. How do I actually know that this is a JSON-based protocol? Because I used a TLS man-in-the-middle attack to log the protocol. I only needed to install a certificate, the MITM proxy certificate, on the client, but actually I was surprised that I didn’t need to touch the client, because they didn’t implement any certificate pinning.

*applause*

So that means the first thing that comes to mind is: let’s do real-time transaction manipulation. That means we manipulate a transaction that the user does, but we will change the recipient and the user won’t see anything of this. So if we look at this graphic again, what if an attacker could get the DNS record of api.tech26.de under his control? This would mean that all traffic is routed over the man-in-the-middle attacker’s server and, as there is no certificate pinning, we could just issue a Let’s Encrypt TLS certificate and the app is going to trust the certificate. How does this work? Let’s take an example here. Let’s imagine I want to transfer 2 Euro to my friend Dominik. After I entered all the transaction details I have to enter my transfer code, too. When I did this I get the second factor where you need the paired device and I need to confirm it. This is just like the next dialogue inside the app. After I confirmed it, the transaction went through, everything looks good. 2 Euro less on my account, pretty good. In the next step you can see in your transaction overview too, that there are 2 Euro less. But after the attack, when N26 realized that something wrong was going on and they fixed it, you will realize that we actually transferred 20 Euro, not 2. But this was completely transparent for the user even after the attack. Okay, this is nice.

We can manipulate a transaction in real time, but wouldn’t it be even more interesting to take over entire accounts to do our own transactions? For this, we need the login credentials, the transfer code and the paired phone. So we need to obtain all of them.

Let’s start with the login credentials. Actually, I want to assume that the login credentials are already compromised. But there are some weak points in the security system of the N26 transactions that make it an easier task to obtain those login credentials. There are two things I want to talk about. The first thing is the recovery-from-loss procedure. When you forget your password, N26 just sends an email to your email account. There is a link inside, you click it and you can just reset your password. This breaks the N26 password policy, which is actually pretty solid, because if you have access to the email account, you automatically have access to the N26 account, too, and the access to the email account could be as bad as “password” or “123456”.

Another idea is spear phishing. Think of spear phishing as a more targeted version of phishing. What you always need for phishing is a similar domain, something the user can relate to. And if you want to do spear phishing you want to have it more targeted. That means you want to expose N26 customers, so only send out mails to them. And you need to have a valid reason to contact them. About the domain: usually N26 uses number26.de; and for password resets e.g. number26.tech. Sounds pretty valid in my eyes. Only by chance I happen to own that domain. *laughter*

The next thing is exposing N26 customers. N26 offers peer-to-peer transactions, that means if your recipient also has an N26 account, those transactions are instant. To show the N26 customer which of his contacts actually have an N26 account, they upload all of the email addresses, all of the phone numbers in your address book to the N26 backend. Unhashed.

*applause*

But we actually want to use this to identify customers of a given dataset. We can actually abuse this API for that. Do you remember the recent Dropbox leak that revealed 68 million accounts? We evaluated all of those 68 million email accounts against this API and N26 took no notice of this. There were no limits applied. They just think I’m really popular. *laughter*

*applause*

In the end, we revealed 33,000 N26 customers and could now send out e-mails to them. Actually, this also provides a valid reason to contact them. E.g. the usual e-mail of N26 looks somehow like this. So we could say to them: “Hey, you are affected by the Dropbox leak, please change your password for your own security. Click this link to change your password.” Now I can already see the N26 management board getting nervous, but don’t worry, we didn’t do this. My professor had legal concerns.

*laughter*

Now that we have the login credentials, we have to wonder: can we already do something with those login credentials? And this brings me to Siri transactions. With iOS 10, N26 now supports transactions using Siri. That means now you can just say: “Send 5 Euro to Dominik Maier using N26”, then the transaction pops up and you can say: “Send it” and afterwards it’s gone. The app doesn’t even open. So this already sounds wrong, *laughter* …but you can only do this with the paired device. If you use another phone and just log in and try to use Siri with this, this dialogue appears and you really have to open the app and have to confirm it with the paired phone. As it turns out, this is just a client feature.

*laughter*

This is actually the entire payload you need. It’s just like “5 Euro to Dominik Maier”, and there is the phone number. And look at this API endpoint, ‘/transactions/unverified’. So it turns out you don’t need the paired phone to do this type of transaction.

*applause*

Yet another thing that’s interesting is that N26 claims that they have some intelligent algorithms to immediately detect irregularities and prevent fraud before it even occurs. So we thought: “Challenge accepted!”

*laughter and applause*

And what we actually did, and I think this is pretty irregular: we sent 2000 Siri transactions worth 1 Cent within 30 minutes.

*laughter*

Try to speak that fast. Okay. And so what happened? We waited the next day and the day after, nobody actually made contact with us, and we thought they would never actually make contact. But over three weeks later N26 required Dominik to explain the “unusual amount” of transactions. Okay, they even threatened to cancel his account. I mean, this is actually… it’s reasonable because it’s a clear misuse of the account and it violates their Terms of Service. But Dominik didn’t send those transactions, he received them!

*laughter*

They contacted the wrong person! This is kind of like if Gmail cancels your account because you received spam!

*loud laughter*

*applause*

Okay, let’s go back to the account hijacking. And the next thing we need to obtain is the transfer code and get control over the paired phone. What we will do: the transfer code we will try to reset; and the paired phone we have to un-pair. Actually, those processes are not as independent as it seems. So I will start right away with the paired phone. As I told in the beginning, un-pairing is actually a highly secured process, and I mean this is my serious opinion. So let’s look at the process. At first, when you want to pair a new phone, like I said, you need to un-pair the existing one. Therefore, you open the app, then you click on “Un-pair” and afterwards they send a link to your email account. Then, in the e-mail, you need to follow the un-pairing link. In the next step the real un-pairing process starts, where you have to enter your transfer code first, then your MasterCard ID. This is something that is kind of special for N26: every N26 account comes with a MasterCard, and they have printed a 10-digit numerical token below your name. I don’t know what this actually is, it’s not the PAN, it’s not the credit card number, but some other sort of token. So you need to have the Mastercard, actually. And in the last step they’re going to send an SMS to you with a token, and you have to enter it. And only after this process the un-pairing is done. So that means we need to have access to the e-mail account. We need to know the transfer code. We need to have the Mastercard and we need to own the SIM card in order to receive the token. You can’t screw up each of those.

*laughter and applause*

Okay. Let’s go into it. So, the first thing: when you actually click on that item in your app where it says “Start un-pairing” it sends – this is basically an HTTP GET request, but you wouldn’t believe that they send the link as a response. So – it’s not this plate (?) but it’s there. So you don’t need to have access to the e-mail account because it’s in the response. *laughs*

*laughter*

Okay. Next thing. The transfer code – I actually will skip this for the moment and we’ll get right back to this. But the next thing is actually the Mastercard ID. And this ID is printed on the card, and we don’t have access to that card. So what will we do? In the transaction overview N26 shows a lot of properties, e.g. the amount, the beneficiary, whatever. And it turns out that this… *laughter and turmoil* that they used this Mastercard ID, they thought: “Oh, this is actually a nice ID, let’s use it as a prefix”. So, again, this is not displayed to the user inside the app but it’s clearly there in the API. It’s way too verbose. So… *applause*

Okay. Whenever… the step that I just skipped was this transfer code. The transfer code is unknown. But you can reset the transfer code. And it is – as it turns out – what you need to reset the transfer code is the Mastercard ID. *laughs*

*laughter and applause*

So you need to enter this Mastercard ID, which I just told you how we will get, and then we just confirm our new transfer code. Think of one, I don’t know. Any code. And therefore we don’t need to know the transfer code. Not even the old one, because it’s not required. The Mastercard ID is sufficient. Then. The last step. SMS. The SIM card is inaccessible. We don’t have access to that phone. But this is a 5-digit token that they send out, and it’s only numbers. I mean, this is 100,000 possibilities. And even though the login procedure, the login form, has a brute-force protection, this doesn’t have any brute-force protection. So…

*laughter*

…the maximum that I could get out of the backend was 160 requests per second!

*laughter*

So this means… *laughs*

*applause*

So that means that it takes on average approx. 5 minutes to get this token. In the end we will just brute-force it and that’s it. Okay. That’s…

*laughter*

Let’s look if this really works. At first we will log in to the app just to see that it’s paired. And if it weren’t paired we would know, like, see a dialogue that we should pair our phone. So now it opens. Great. And now we will start our script. And N26 claimed that this attack doesn’t scale, just don’t blink!

*exhales sharply*

So those are the login credentials *laughter* …that will do all the fun. And actually, everything already happened, it’s just the brute-forcing that now takes place. And I have to admit that I have been really lucky this time because we are done now. *laughter*

So this is the response: now the SMS numeric token is valid, and the phone has been successfully un-paired. Okay, now let’s verify in the app whether this really worked. So let’s open it again. Touch ID expired, so this is actually good. That means that something happened. Let’s log in with our password. And there it prompts us for pairing the phone. So it worked.

*applause*

Yeah… *laughter*

This… even though I said that this attack really scales very well, it has a drawback. Because three mails are sent out to the user. The first one when you actually start the un-pairing, the second one when you reset the transfer PIN and the third one when the un-pairing is successful. And the user also receives an SMS. But I mean, fraud is perfectly possible. But is there a possibility to avoid this? Let’s try to call the customer support.

The customer support is actually the most powerful entity in the N26 security model. Because they can even change things you can’t change inside the app. E.g. your email address, or name – you cannot change. But they can. So let’s talk with them. They can… it turns out they can also un-pair phones. So now the question arises: of course you cannot just call there and say: “Hey, my name is Vincent, please un-pair my phone.” Of course they are going to authenticate you. And what… *loud laughter* …and what will they ask? They will ask for the Mastercard ID. We know that. The current account balance is always available if you have the login credentials. Okay. There’s one thing that is still missing. Place of birth. It’s always the same. *laughter* It’s, again, you can’t see this information inside the app. It’s just not displayed. But it’s there. There’s so much information you can’t think of. Really, they know more about me than I do. *laughter*

Now that means we have all information available, and we can change any data. And the user won’t receive any notice of that. So no email, nothing. So we can just un-pair the phone, and later we can pair our own one, or… this is perfectly stealthy.

Now actually I heard already: “Ah, I only got 50 Euro on my account, why should I care?” This is actually a valid argument because many N26 accounts are opened out of curiosity, and many are inactive, or not used seriously, that means you only use it for travelling or paying things online because of the conditions. But you don’t use it as the salary account, so there is frequently not so much money in it. But as this wants to be the financial hub for all the services, you of course can also apply for an overdraft. And this is an instant overdraft that is granted within two minutes. And it’s between… you have guaranteed 50 Euro and up to 2000. This requires the paired device. What did we just do? We have the paired device. We have the entire account. So what do we do? We will just hijack the account, then we apply for an overdraft, and then we will take all the money he has as a balance and as an overdraft. So even if you don’t have money on your account and think you’re safe, you are not. *laughs*

Okay. This was quite a bit, something. I want to talk briefly about disclosure before I will draw my conclusion. I reported all these issues to N26 on September 25. I didn’t establish the contact, this was the CCC. Thank you for that. I did this because I didn’t know how N26 would react to this kind of vulnerabilities. But, actually, there was no reason to think so. Because they acted really professionally. And they were actually thankful that I revealed these vulnerabilities.

*applause*

Then, afterwards, they started to incrementally fix the issues. I don’t know when they fixed the first thing. I didn’t monitor the process. But the last fix I know of happened on December 13 when they implemented certificate pinning on iOS. And, apparently, I have to say that I didn’t check everything. But apparently all issues are resolved.

But what are the consequences of this? It is obvious that N26 needs to put more emphasis on security. It’s important to notice that this wasn’t a coincidence. It simply wasn’t! And N26 needs to understand that it’s not enough to release videos with the caption “mobile first meets safety first” and to claim that security is of paramount importance to them. So PR shouldn’t do your security. It’s funny: if you visit the N26 home page you will find out that they currently have 44 open positions. Not even one is dedicated to security. Furthermore, with such a strategy FinTechs squander the trust in financial institutions that banks established over years, actually. Today you usually trust in your bank that they will deal with your money responsibly. And in the end you also need to question authorities. I mean, it was BaFin that granted a banking license to N26 only six months ago. And, really, those vulnerabilities have been in sight for a longer time. Okay. I think, like… the résumé for this is: you shouldn’t say “Works for me” when it’s about security. So, thank you!

*applause*

Herald: Thank you Vincent. That was awesome. And also kind of fucking scary. We only have a short time for questions. Is there anybody who has a question for Vincent? No, I guess everybody is out deleting banking apps.

*laughter*

Oh, number 6!

Question: Quick question. Do you know whether they have disallowed those apps that have not yet been updated to still manage their bank account? So e.g. if someone has a mobile app that has not yet been updated to the version that includes certificate pinning, would that person still be vulnerable to man-in-the-middle attacks?

Vincent: Yes.

*laughter* *laughs*

Actually they don’t have so much of an idea which device you are using. They don’t even know which is the paired device! This is only a client value.

Herald: Do two more, it’s a guy here on number 1.

Question: Thanks for the talk. Did they actually invite you to help them or give your talk at N26? Have they been in contact with you?

Vincent: Yes, we have been in contact and I also visited them and gave a workshop, so yeah, they…

*laughter and applause*

Question: Are you serious?

Vincent: I am serious, yes! *ongoing applause*

Herald: And we do one last, one here, from number 5, please.

Question: So during your talk you name-dropped Let’s Encrypt, and you kind of glossed over that bit, about getting them to issue a certificate for their API host name. Do you know something I don’t?

Vincent: Ehm, the question, again? I don’t…

Question: So you mentioned getting a Let’s Encrypt certificate to impersonate their API host name, because they weren’t using certificate pinning. How did you go about doing that?

Vincent: But I didn’t do it. This, like, was a scenario. That’s an attack scenario. I didn’t hijack the DNS record, okay, sorry.

*laughs*

Question: Thank you.

Herald: Alright. Thanks everybody for joining. And get a big round of applause here for Vincent!

*applause*

*postroll music*

*Subtitles created by c3subtitles.de in the year 2017. Join and help us!*