Publications
Type of Publication: Article in Collected Edition
Over-the-air Cross-Platform Infection for Breaking mTAN-based Online Banking Authentication
- Author(s):
- Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Sadeghi, Ahmad-Reza
- Title of Anthology:
- Proc. of 2012 BlackHat Abu Dhabi
- Publisher:
- Black Hat Briefings
- Location(s):
- Abu Dhabi, UAE
- Publication Date:
- 2012
- Link to complete version:
- https://media.blackhat.com/ad-12/Dmitrienko/bh-ad-12-over-the-air-dmitrienko-WP.pdf
Abstract
We present a novel stealthy cross-platform infection attack in WiFi networks. Our attack has high impact on two-factor authentication schemes that make use of mobile phones. In particular, we apply our attack to break mTAN authentication, one of the most used schemes for online banking worldwide (Europe, US, China). We present the design and implementation of the online banking Trojan which spreads over the WiFi network from the user's PC to her mobile phone and automatically pairs these devices. When paired, the host and the mobile malware deliver to the attacker authentication secrets which allow her to successfully authenticate against the online-banking portal and perform financial transactions in the name of the user. Our attack is stealthy compared to the known banking Trojans ZeuS/ZitMo and SpyEye/Spitmo, as it does not rely on phishing or naïve user behavior for malware spreading and pairing.
Our reference implementation targets Windows PCs and Android-based smartphones, although our attack is not platform specific. To achieve cross-platform infection, we applied and adapted attack techniques such as remote code execution, privilege escalation, GOT overwriting, DLL injection and function hooking. Our attack can be implemented by knowledgeable attackers and calls for re-thinking of security measures deployed for protection of online transactions by banks.