Statistical Attack Against Virtual Banks

From: Andre L. Dos Santos (andreat_private)
Date: Tue Feb 08 2000 - 18:01:25 PST

    1. Introduction
    
    Every bank in the world desires to provide services using the World Wide
    Web. There are many advantages to the banks, which reduce their operating
    costs, and to the users, who receive 24 hours a day, 7 days a week,
    banking services. Because of these advantages, the number of banks
    providing online banking services has grown at a very large rate. However,
    flaws in the technologies that are used for the World Wide Web have also
    been reported at a very large rate, and it is common belief that many more
    are still to be discovered. Some of these flaws can be used to attack
    Virtual Bank services or their users. The designers of the Virtual Bank
    technologies affected by the flaws followed a band-aid approach: find a
    flaw and release a patch. Because of the advantages that the World Wide
    Web offers, the banks take their chances and continue to provide online
    services. This note describes a powerful attack that does not depend on any
    flaw of the technologies and can be used to attack a large portion of the
    Virtual Banks currently offering World Wide Web services.
    
    The Statistical Attack was designed and successfully used to attack a
    large multinational bank that offers online services in November of 1998,
    during a contracted penetration test. We delayed the release of this note,
    and of the paper that we expect to release soon, in order to give time for
    this particular bank to install security mechanisms that lower the
    effectiveness of this attack. The attack uses steps that are considered
    legal by the bank to subvert the authentication procedure and impersonate
    users. The attack was designed to be performed using the secure socket
    layer, since this was the method the bank was offering, but it can be
    extended to any method that is used to access online services.
    
    2. Description
    
    Many Virtual Banks rely on a fixed length personal identification number
    (PIN) to identify a user. Some banks allow access to all of their online
    operations after a successful identification, others require additional
    identification, like social security number, maiden name or an additional
    PIN. The Statistical Attack can be used to attack the first
    identification, which is based on the personal identification number, and
    in some cases to attack an additional identification.
    
    As with passwords, users have difficulty in remembering large personal
    identification numbers. Therefore, there is a natural tendency to use
    small, easy to remember numbers (like birthday or 1234). Many Virtual
    Banks, anticipating the problems that this class of numbers can represent,
    require users to choose PINs that are not easy to guess. However, the
    Virtual Banks cannot, in the name of user-friendliness, require the user
    to use, and remember, a very large number. Therefore, it is a widespread
    practice to use 4 or 6 digit PINs. Because of the small length of the PINs,
    an attacker can target a particular account and try all possibilities. In
    order to defend against this class of attacks, banks usually lock out
    accounts after a certain number of unsuccessful identification attempts.
    
    The Statistical Attack relies on the ratio between the size of the
    personal identification number and the number of users of the service.
    Instead of fixing an account and varying the possible PINs, which would
    cause a lock out in the particular account, it fixes a PIN and varies the
    account number. Therefore, if the PINs are uniformly chosen and use 4
    digits, then a random guess would be a hit, on average, once in every
    10,000 accounts tried. A hit can be achieved with a much lower number of accounts if easy
    to guess PINs are allowed. Using this approach, the bank does not lock out
    any particular account, since it will be tried again with a different PIN
    only after numerous other accounts have been tried. Thus, the lock out
    protection is not triggered.
    
    3. Defenses
    
    One difficulty when performing this attack is to determine valid account
    numbers, or in certain cases a log-in ID. The way to guess valid account
    numbers, or log-in IDs, depends on the bank where the attack is performed.
    In some cases the online service log-in procedure provides different
    responses for nonexistent accounts than for wrong PINs. This can be used
    to build a dictionary of valid accounts. In other cases the log-in ID is
    some number of digits taken from the client's charge card. Since many of
    the charge cards in use today can be used where credit cards are, they
    have numbers that are valid for credit cards. This characteristic can be
    used to eliminate many numbers that are not valid credit card numbers
    using the credit card number validation algorithm. When actual bank
    accounts are used or when the log-in ID is small, it is sufficient in many
    cases to use the locality of account numbers and try sequential guesses.
    
    Two mechanisms can be used to make this attack more difficult. One is to
    delay answers to failed, or positive and failed, authentication. This
    mechanism, however, reduces the user-friendliness of the system. If only
    failed authentications are delayed, an attacker can guess the answer based
    on the time that it takes, being bounded only by the positive answer time.
    If both authentication answers are delayed, the user may perceive this
    delay as a flawed or badly designed system. The second mechanism is to
    provide a time window, where failed authentications from fixed IP
    addresses are counted. Any request from a particular IP is blocked after
    a specific number of failed authentications. The biggest problem with this
    protection approach is the generalized use of proxy servers. That is, the
    windows must be very carefully designed or legitimate access will be
    denied due to different users making mistakes in the same time window.
    There is also a potential denial of service attack when proxies are used
    or when the attacker wants to deny access from a particular computer. An
    attacker can also avoid being blocked by capturing a router, or using
    different computers, in order to send requests from different IPs. Thus,
    the protection can be totally circumvented with a fixed number of IPs. The
    number of IPs needed depends on the time window being used.
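    The lock-out evasion described in section 2 and the per-IP time-window
    defence discussed above, modelled in an added Python example (this is not
    code from the original note or from the bank it describes): a toy login
    service with per-account lockout and a sliding per-IP failure window, a
    spray that sends one fixed PIN across sequential accounts while rotating
    over a fixed set of source IPs, and a detector that counts distinct
    failing accounts per window both per source and globally. Every account
    number, PIN, address and threshold below is constructed for the example.

```python
"""Added example, not part of the original note: a toy model of the
fixed-PIN, varying-account attack against per-account lockout, the per-IP
time-window defence from section 3, and a detector that watches the number
of distinct accounts failing in one window. All data here is constructed."""
from collections import defaultdict, deque
import random

PIN_SPACE = 10_000            # 4-digit PINs, as in the note
LOCKOUT_THRESHOLD = 3         # per-account lockout after this many failures
WINDOW_SECONDS = 60           # time window used by the per-IP counter
IP_FAIL_LIMIT = 5             # failures one IP may make per window
SPRAY_DISTINCT_ACCOUNTS = 20  # distinct failing accounts per window that count as a spray


def hit_probability(tries, pin_space=PIN_SPACE):
    """Probability that at least one of `tries` accounts, each with a
    uniformly chosen PIN, matches one fixed guess (1 - (1 - 1/space)^tries)."""
    return 1.0 - (1.0 - 1.0 / pin_space) ** tries


class Bank:
    """Login service with per-account lockout and a per-IP sliding window."""

    def __init__(self, pins):
        self.pins = pins                          # account -> PIN (constructed)
        self.failures = defaultdict(int)          # account -> consecutive failures
        self.locked = set()
        self.ip_fail_times = defaultdict(deque)   # ip -> timestamps of failures

    def _window(self, ip, now):
        # Drop failures older than the window, return what is left.
        q = self.ip_fail_times[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def login(self, now, ip, account, pin):
        if len(self._window(ip, now)) >= IP_FAIL_LIMIT:
            return "blocked_ip"
        if account in self.locked:
            return "locked"
        if self.pins.get(account) == pin:
            self.failures[account] = 0
            return "ok"
        # Unknown account and wrong PIN get the same answer, so the response
        # cannot be used to build a dictionary of valid accounts.
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
        self._window(ip, now).append(now)
        return "fail"


class SprayDetector:
    """Counts distinct accounts with failed logins in the window, per source
    IP and across all sources; the global count still rises when the
    attacker spreads requests over many IPs and each IP stays under limit."""

    def __init__(self, window=WINDOW_SECONDS, threshold=SPRAY_DISTINCT_ACCOUNTS):
        self.window, self.threshold = window, threshold
        self.events = deque()   # (timestamp, ip, account) of failures only

    def observe(self, now, ip, account, result):
        """Feed one auth log record; returns the names of alerts it triggers."""
        if result != "fail":
            return []
        self.events.append((now, ip, account))
        while self.events and now - self.events[0][0] >= self.window:
            self.events.popleft()
        per_ip = defaultdict(set)
        for _, ev_ip, ev_acct in self.events:
            per_ip[ev_ip].add(ev_acct)
        alerts = [f"spray_from_ip:{ev_ip}" for ev_ip, accts in per_ip.items()
                  if len(accts) >= self.threshold]
        if len(set().union(*per_ip.values())) >= self.threshold:
            alerts.append("spray_global")
        return alerts


def simulate(attempts=600, n_accounts=2000, n_ips=50, seed=7):
    """Spray one fixed PIN over sequential accounts, rotating over `n_ips`
    sources; returns counters showing which defence or detector reacted."""
    rng = random.Random(seed)
    pins = {f"acct{i:05d}": f"{rng.randrange(PIN_SPACE):04d}"
            for i in range(n_accounts)}                # constructed user base
    bank, det = Bank(pins), SprayDetector()
    stats = defaultdict(int)
    for i in range(attempts):
        now = i                                        # one attempt per second
        ip = f"192.0.2.{i % n_ips}"                    # constructed TEST-NET addresses
        account = f"acct{i % n_accounts:05d}"          # each account seen once here
        result = bank.login(now, ip, account, "1234")  # the fixed guess
        stats[result] += 1
        for alert in det.observe(now, ip, account, result):
            stats[alert.split(":")[0]] += 1
    stats["accounts_locked"] = len(bank.locked)
    return dict(stats)


if __name__ == "__main__":
    print("rotating over 50 IPs:", simulate())
    print("single IP:", simulate(n_ips=1))
    print("P(hit) after 10,000 accounts:", round(hit_probability(10_000), 3))
```

    With 50 rotating sources, neither the per-account lockout nor the per-IP
    window ever fires, but the global distinct-account count crosses the
    threshold within the first window; with a single source, the per-IP
    window blocks most attempts. The global counter is the only one of the
    three that does not depend on how many addresses the attacker controls.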
    
    4. Conclusions
    
    The Statistical Attack can be used to attack Virtual Banks without the
    need to download a Trojan horse program to a user's computer, and without
    the need to gain access to the bank's computer. In addition, the attack
    does not rely on any flaw of technologies used for the World Wide Web.
    Many Virtual Banks are subject to this class of attack.
    
    The Statistical Attack can also be generalized to attack many different
    banks at the same time. An attack performed this way can circumvent
    protections applied by each bank individually, and be successful based on
    the statistical characteristic of PINs. Attacking different banks at the
    same time also decreases the difficulty of guessing account numbers or
    online IDs, since there is a larger sample space for trying different IDs,
    which can be fixed and tried for all attacked banks that have the same
    format for the IDs.
    
    Some banks use alphanumeric characters for authentication. An attacker can
    use dictionary words, instead of numbers, in this case to attack these
    banks.
    
    
    Andre L. M. dos Santos
    Reliable Software Group
    University of California, Santa Barbara
    