Bank Card-Readers: 2FA Not Secure

- or Why Protecting Your PIN Really is Irrelevant

[ advisory - research - working bank hacks
[ reason: to promote uptake of key/software/app-based 2FA, eg: YubiKey, with support for Fido-U2F¹

If the last 4 or 5 digits of the card number are known (some banks, eg: Barclays, use 5 digits), together with the account number and sort-code (the latter quite easy to determine, especially if the victim's bank is known)

...then, by experimenting with your own numbers, it is possible (the author states, on the strength of the proof of concept submitted with this article) to calculate the hash that yields the fixed-length, 8-digit code the bank requires

...then reverse-engineer a card-reader (easily obtained from any branch of any bank that issues them, or on request when opening a new account)

...reverse-engineered card-readers are also readily available via the internet

...input the last 4/5 digits obtained from another person's discarded paperwork, a hacked email account, an overheard telephone conversation², etc. (the same methods are used to obtain the bank account number)

...enter the numbers into the reversed reader to obtain the required code, and straight into their account. The victim is not even aware that their banking activity is being monitored, and is powerless to prevent many different types of transaction being executed on that account. Card-payments, for one, are so badly controlled that once a card has been used as a payment method the payments cannot be stopped even if the card is replaced: all that can be done is a block on further payments to that payee, and that is usually an ongoing process that can take several weeks to implement, with no chance of recouping the original payment.

There is a complete and total lack of safeguards for UK online-banking that relies on card-readers (almost all of it), including banks located in the Isle of Man and the Channel Islands. At a minimum a customer needs to be able to know when their account has been accessed³, and should be able to further secure their account with Fido-U2F grade 2FA, with support for both software and hardware authenticators (eg: YubiKey).
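The contrast the author is drawing is between a code that can be computed from values the attacker can collect (card digits, account number, sort-code) and a response that can only be produced by a secret the attacker does not hold. The following is an added example, not code from the article or its proof of concept: a minimal model of the Fido-U2F challenge-response flow recommended above, in Go, with an authenticator holding a P-256 private key and a relying party (the bank) holding only the public key. The signed message layout (SHA-256 of the application identifier, a user-presence byte, a 4-byte big-endian counter, SHA-256 of the challenge) follows the U2F specification; the application identifier `https://bank.example` and all other names are assumptions for the example. It also shows the two checks a bank would want here: a fresh random challenge per login, so a captured response cannot be reused, and a strictly increasing signature counter, which gives the server an audit trail of every access and detects a cloned or replayed authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a U2F key (e.g. a YubiKey): a private key that never
// leaves the device, plus a monotonically increasing signature counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty models the bank's server: it stores only the public key and
// the highest counter it has accepted for this registration.
type RelyingParty struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
	appID       string
}

// Response is what the device returns for one login attempt.
type Response struct {
	Counter   uint32
	Signature []byte // ASN.1 DER-encoded ECDSA signature
}

// NewAuthenticator generates a fresh P-256 key pair inside the "device".
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register hands the bank the public key only; no shared secret exists that
// could later be recovered from paperwork, email or a reversed reader.
func Register(a *Authenticator, appID string) *RelyingParty {
	return &RelyingParty{pub: &a.priv.PublicKey, appID: appID}
}

// NewChallenge is the bank's per-login random nonce.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData builds the U2F authentication message:
// SHA-256(appID) || user-presence flag || counter (4 bytes BE) || SHA-256(challenge)
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, 32+1+4+32)
	msg = append(msg, app[:]...)
	msg = append(msg, 0x01) // user presence confirmed (button touched)
	msg = append(msg, ctr[:]...)
	return append(msg, chal[:]...)
}

// Authenticate increments the device counter and signs the challenge.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (Response, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Response{}, err
	}
	return Response{Counter: a.counter, Signature: sig}, nil
}

// Verify checks the signature against the registered public key and rejects
// any response whose counter has not advanced (a replay or a cloned device).
func (rp *RelyingParty) Verify(challenge []byte, r Response) error {
	digest := sha256.Sum256(signedData(rp.appID, r.Counter, challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], r.Signature) {
		return errors.New("bad signature: not produced by the registered key")
	}
	if r.Counter <= rp.lastCounter {
		return errors.New("counter did not advance: replayed or cloned authenticator")
	}
	rp.lastCounter = r.Counter // every accepted login leaves an auditable record
	return nil
}

func main() {
	const appID = "https://bank.example" // assumed relying-party origin, not a real bank
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := Register(auth, appID)
	chal, _ := NewChallenge()
	resp, _ := auth.Authenticate(appID, chal)
	fmt.Println("genuine login:             ", rp.Verify(chal, resp))
	fmt.Println("same response replayed:    ", rp.Verify(chal, resp))
	fresh, _ := NewChallenge()
	fmt.Println("old response, new challenge:", rp.Verify(fresh, resp))
	mallory, _ := NewAuthenticator() // attacker with their own key and the victim's identifiers
	forged, _ := mallory.Authenticate(appID, fresh)
	fmt.Println("attacker's own key:        ", rp.Verify(fresh, forged))
}
```

The point for the page's argument is the last three lines of `main`: knowing the account identifiers, the public key and even a previously observed response gives an attacker nothing that verifies against a fresh challenge, and the counter check means the bank can tell the customer exactly how many times the account has been accessed.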

The Police, too, are (as usual with anything involving surveillance) wonderfully complacent about this and do not pose a threat worth an attacker bothering with (unfortunately): the onus is on the surveilled to prove their case, and the Police are usually only too happy to show how much they disapprove of victims wasting their time with such nonsense, even in cases where it is being used in the commission of serious and ongoing crime, because investigating it requires resources, specially trained personnel and specialist equipment.

This is a submitted article, submitted with a proof of concept. It should also be noted that this is not a new issue: the banks have been aware of it for many years, and their usual response, when asked, is that they monitor transactions and are therefore unconcerned by such issues (which is unsurprising, bearing in mind that the customer normally has to carry any costs associated with a compromise of their account).

- Just John, @: Ex5NY27U

- secure email address as detailed above -
