Bank Card-Readers: 2FA Not Secure
- or Why Protecting Your PIN Really is Irrelevant
advisory - research - working bank hacks
reason: to promote uptake of key/software/app-based 2FA, eg YubiKey, with support for Fido-U2F¹
if the last 4/5 digits of the card are known (some banks, eg Barclays, use 5 digits), plus the account number and sort-code (the latter quite easy to determine, especially if the victim's bank is known)
...then, with experimentation using one's own number, it is possible to calculate the hash for the fixed-length (non-variable, 8-digit) required code
...then reverse engineer the card-reader (easily obtainable from any branch of any bank using such readers, or on demand when opening a new account)
...reversed card-readers are also readily available via the internet
...input the last 4/5 digits obtained from another person's discarded paperwork, hacked email account, overheard telephone conversation², etc. (these methods are also used to obtain the bank account number)
...enter the numbers into the reversed reader to obtain the required code and go straight into their account: the victim is not even aware that their banking activity is being monitored, and is powerless to prevent many different types of transaction from being executed upon that account. Card-payments (for one) are so badly controlled that if a card is used as a payment method the payments cannot be stopped even if the card is replaced: all that can be done is to put a block in place to prevent further payments to that payee, and that is usually an ongoing process that can take several weeks to implement, with no chance of the original, or initial, payment being recouped.
There is a complete and total lack of safeguards for UK online-banking using card-readers (almost all of them), including banks located in the Isle of Man and the Channel Islands. At a minimum a customer needs to be able to know when their account has been accessed³ and should be able to further secure their account with Fido-U2F grade 2FA, with support for software and key-based authentication devices (eg
The Police, too, are (as usual with anything involving surveillance) wonderfully complacent about this and do not pose a threat worth bothering with (unfortunately): the onus is on the surveilled to prove their case and the Police are usually only too happy to show how much they disapprove of the victims wasting their time with such nonsense (even in cases where it is being used in the commission of serious and ongoing crime, because it requires resources, specially trained personnel, and specialist equipment).
- [ ¹ ] a strong, open-source, cryptographic standard with good anti-phishing support.
- [ ² ] everyone's favourite DECT handset (in that absolutely everyone has one if they have a landline, even if they primarily use their mobile handset for everything). The DECT 1.0 standard is trivially easy to hack (computer / Android smartphone / Raspberry > inbuilt audio > wireless networking > software freely available on the internet) and is universally utilised by criminals and perverts all across Britain and beyond as a means of surveilling people.
Attempts have been made to release a fully secure DECT 2.0 standard but, as with IoT (the Internet of Things), nothing is coming of this, and DECT 1.0 continues to be utilised as a de facto way of obtaining all the information (and more) that a criminal could ever want on anyone and everyone with DECT devices (including baby and child monitors) in their household and workplace (which also includes all public health and education facilities, not to mention most shelters and supposedly secure or protected housing options).
- [ ³ ] text-messaging alone does not adequately fulfil that requirement, as it is trivial to intercept / filter / modify such messages outside of a secure email framework: DKIM, DMARC and DANE on both the customer and server side, a secure email application or client being used by the customer, and an absolute avoidance of any information being exchanged verbally as part of support / security processes that could be used to compromise the keys or the mechanism in general.
This is a submitted article (submitted with proof of concept). It should also be noted that this is not a new issue, and that the banks have been aware of it for many years; the usual response, when asked, is that they monitor transactions and are therefore unconcerned with such issues [which is unsurprising, bearing in mind that the customer normally has to carry any costs associated with compromises of their account(s)].
- Just John, @: Ex5NY27U corequery.uk
- secure email address as detailed above -