FAU IT specialists demonstrate the structural problems inherent in single-device authentication processes.
IT specialists at Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) have demonstrated that 31 apps for mobile online banking are not secure, including those of the German banks Sparkasse, Volksbank, Raiffeisenbank and Commerzbank. The researchers managed to automate the deactivation of established security software, which would have allowed them to manipulate transaction processes. This once again provides evidence of weaknesses in the design of single device-based banking services.
Online banking using smartphones is convenient and gaining in popularity. However, installing the banking app and the app that generates the TANs (transaction authentication numbers, used as one-time passwords) on the same device introduces risks. To increase the security of mobile banking, numerous financial service providers worldwide rely on the SHIELD software of the Norwegian IT service provider Promon. SHIELD is supposed to prevent banking from compromised devices by interacting with the TAN app: if the TAN app is tampered with, SHIELD blocks all transactions, and the TAN app will not work at all unless the security software is installed. According to Vincent Haupert of the IT Security Infrastructure group at FAU, ‘the apps used by the Sparkasse, Volksbank and Raiffeisenbank groups now heavily rely on the security architecture of the Promon SHIELD’.
Researchers manipulate security software
Haupert and his co-researcher Nicolas Schneider have now managed to analyse Promon SHIELD step by step and manipulate it. They have written software that completely deactivates the security and hardening technology incorporated in 31 financial apps worldwide, including those of Sparkasse, Volksbank, Raiffeisenbank and Commerzbank. ‘The software is device- and version-independent and fully automated,’ explains Schneider. ‘We can use it to copy apps, change the IBAN and send TANs to any devices. Criminal hackers would go undetected when diverting customers’ money into their own accounts.’ Deactivating Promon SHIELD does not only affect the TAN check: other protections that depend on it, namely certificate pinning and the encryption of sensitive customer data, can be disabled as well. Although the attacks have so far only been demonstrated on the Android operating system, the researchers intend to show that they are also possible on iOS devices.
Dispensing with independent two-factor authentication remains problematic
With this work, the FAU IT specialists have once again demonstrated that running both the banking app and the TAN app on a single device is not a secure concept. In recent years they have manipulated various PushTAN and PhotoTAN procedures in such a way that transactions with amended amounts can be diverted to other accounts without this being visible to the user. ‘The banks mostly dismissed our attacks as an academic laboratory experiment,’ says Vincent Haupert. ‘However, we regard dispensing with so-called two-factor authentication, in which a TAN is generated on a separate device, as a weakness in the design of mobile banking. Even the most sophisticated security software will not change this.’ Haupert therefore advises those who wish to use mobile banking to use a separate TAN generator instead.
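The structural point made above (a TAN app on the banking device versus a separate generator) can be modelled in a few lines. The following is an added illustration written for this page; it is not the FAU researchers' tool, Promon's code or any bank's real TAN protocol. It assumes, as a simplification, that a TAN is an HMAC over beneficiary IBAN, amount and a counter, that malware on the phone rewrites the IBAN on its way to the bank while keeping the user's view intact, and that a separate generator derives its TAN from the data the bank actually received and shows that data on its own display. The IBANs and the shared secret are constructed sample values.

```python
"""Why a TAN generated on the banking device does not protect against
malware on that device.  Added model for illustration only; the HMAC-based
TAN and the behaviour of the separate generator are assumptions, not the
real procedures of any bank."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    iban: str
    amount_cents: int


def _tx_bytes(tx: Transaction, counter: int) -> bytes:
    # Bind the TAN to beneficiary, amount and a per-transaction counter.
    return f"{tx.iban}|{tx.amount_cents}|{counter}".encode()


def generate_tan(secret: bytes, tx: Transaction, counter: int) -> str:
    """Six-digit TAN derived from the transaction data (truncated HMAC-SHA256)."""
    mac = hmac.new(secret, _tx_bytes(tx, counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_accepts(secret: bytes, tx: Transaction, counter: int, tan: str) -> bool:
    """Bank side: recompute the TAN for the transaction it actually received."""
    return hmac.compare_digest(generate_tan(secret, tx, counter), tan)


def malware_rewrite(tx: Transaction, attacker_iban: Optional[str]) -> Transaction:
    # Banking-trojan behaviour: swap the IBAN, keep the amount so nothing
    # looks odd.  None means the device is clean.
    if attacker_iban is None:
        return tx
    return Transaction(attacker_iban, tx.amount_cents)


Result = Tuple[Transaction, Transaction, bool]  # (shown to user, received by bank, accepted)


def single_device_flow(secret: bytes, user_tx: Transaction,
                       attacker_iban: Optional[str], counter: int = 1) -> Result:
    """Banking app and TAN app on the same (possibly compromised) phone."""
    submitted = malware_rewrite(user_tx, attacker_iban)  # rewritten on the way to the bank
    shown_to_user = user_tx                              # malware controls the display too
    # The TAN app runs on the same device, so the malware can feed it the
    # rewritten transaction while the user believes they confirm user_tx.
    tan = generate_tan(secret, submitted, counter)
    return shown_to_user, submitted, bank_accepts(secret, submitted, counter, tan)


def separate_device_flow(secret: bytes, user_tx: Transaction,
                         attacker_iban: Optional[str], counter: int = 1) -> Result:
    """Same malware on the phone, but the TAN comes from a generator the phone
    cannot touch; it signs and displays the data the bank received."""
    submitted = malware_rewrite(user_tx, attacker_iban)
    shown_to_user = submitted                            # independent display
    if shown_to_user != user_tx:
        # The user sees a foreign IBAN on the generator and enters no TAN.
        return shown_to_user, submitted, False
    tan = generate_tan(secret, submitted, counter)
    return shown_to_user, submitted, bank_accepts(secret, submitted, counter, tan)


if __name__ == "__main__":
    SECRET = b"demo-shared-secret"                           # constructed sample key
    legit = Transaction("DE02120300000000202051", 12_000)    # constructed sample
    attacker = "DE02500105170137075030"                      # constructed sample
    for name, flow in (("single device", single_device_flow),
                       ("separate generator", separate_device_flow)):
        seen, got, ok = flow(SECRET, legit, attacker)
        print(f"{name}: user saw {seen.iban}, bank got {got.iban}, accepted={ok}")
```

In the single-device case the bank accepts a transfer to the attacker's IBAN while the user only ever saw their own beneficiary, which is the diversion described above; with the separate generator the malware can still rewrite the order, but it cannot alter what the generator displays, so the manipulation becomes visible before any TAN is entered. Note that this model does not make the banking app itself tamper-resistant; it only shows what an independent second device contributes.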