This talk discusses rounding vulnerabilities which are often present in internet banking applications. Several techniques for exploiting these vulnerabilities are presented, including a machine that abuses the digipass/security token in order to allow an attacker to perform a high number of transactions automatically, in a short period of time. Several internet banking applications are vulnerable to the so-called ‘rounding attacks’.
This is a known type of attack which takes advantage of the automatic rounding performed by some applications when a user carries out currency exchange transactions. By exploiting some corner cases, a user is able to gain a certain amount of money from the bank in a manner that is difficult to consider illegal. This talk dives into the techniques of exploiting the rounding vulnerabilities in internet banking applications and analyzes the common protection mechanisms used by the banks to defend against this type of attack. An important part of this talk is dedicated to analyzing a set of techniques for bypassing digipasses / security tokens, which are devices used by the banks for transaction signing and second-factor authentication. In order to gain a significant amount of money from rounding vulnerabilities, the attacker needs to perform thousands of micro-transactions.
The banks believe that the digipass protects them against this type of attack because using it manually to perform lots of transactions in a short time is not feasible. In this talk the author will present a machine (see attached picture) which automates the process of using a digipass (typing the challenge code and reading the response). The machine is controlled in real time from a computer and can be interfaced with any internet banking application (client side) in order to perform lots of transactions automatically in a short time, allowing the attacker to gain money from the bank. After presenting a set of recommendations for banks to efficiently protect against this type of attack, the author will make a live demonstration of the machine.
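To make the rounding corner case concrete, the following added example (not code from the talk or from any bank) models a currency exchange endpoint in two forms: a naive one that rounds the converted amount half-up to the cent, which lets a micro-transaction receive more than its exact value, and a hardened one that enforces a minimum exchange size and rounds in the bank's favour. The exchange rate, the minimum and the transaction counts are constructed values.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

# Constructed rate for illustration only (1 USD -> 0.90 EUR); not a real quote.
RATE_USD_TO_EUR = Decimal("0.90")
CENT = Decimal("0.01")


def convert_naive(amount_usd: Decimal) -> Decimal:
    """Vulnerable behaviour: round the converted amount half-up to the cent.

    0.01 USD * 0.90 = 0.009 EUR, which rounds up to 0.01 EUR, so the customer
    receives 0.001 EUR more than the exact value on every such transaction."""
    return (amount_usd * RATE_USD_TO_EUR).quantize(CENT, rounding=ROUND_HALF_UP)


def convert_hardened(amount_usd: Decimal,
                     minimum_usd: Decimal = Decimal("1.00")) -> Decimal:
    """Mitigated behaviour.

    1. Reject amounts below a minimum exchange size, so the per-transaction
       rounding difference cannot exceed a tiny fraction of the amount.
    2. Round the amount credited to the customer *down*, so the credited value
       never exceeds the exact converted value."""
    if amount_usd < minimum_usd:
        raise ValueError("amount below minimum exchange size")
    return (amount_usd * RATE_USD_TO_EUR).quantize(CENT, rounding=ROUND_DOWN)


def customer_gain(amount_usd: Decimal, converter) -> Decimal:
    """Difference between what the customer is credited and the exact value.

    A positive result means the bank loses money on the transaction."""
    exact = amount_usd * RATE_USD_TO_EUR
    return converter(amount_usd) - exact


def total_gain(amount_usd: Decimal, converter, transactions: int) -> Decimal:
    """Gain accumulated over a run of identical micro-transactions, which is
    the quantity an automated digipass driver would try to maximise."""
    return customer_gain(amount_usd, converter) * transactions


if __name__ == "__main__":
    micro = Decimal("0.01")
    print("naive gain per 0.01 USD:", customer_gain(micro, convert_naive))
    print("naive gain over 10000 tx:", total_gain(micro, convert_naive, 10000))
    print("hardened gain on 1.01 USD:", customer_gain(Decimal("1.01"), convert_hardened))
```

A transaction-rate limit per account (the check the talk's digipass machine is built to defeat) belongs alongside these two controls, but the rounding direction and the minimum size are what remove the gain itself.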