Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[OWASP Sofia] Svetlin Nakov - Compromising Modern Online Banking Apps through Hijacking Android Device (27th of March, 2021)

OWASP Sofia
August 01, 2021
Technology
0
260

[OWASP Sofia] Svetlin Nakov - Compromising Modern Online Banking Apps through Hijacking Android Device (27th of March, 2021)

In this talk Dr. Svetlin Nakov will explain and demonstrate how easily a 10-years old child can gain full control over modern European online banking apps, through hijacking an Android mobile phone, using trivial remote administration tools and screen recording apps from the official Android app store. The speaker will demonstrate why online banking should not rely for the multi-factor authentication on a single connected device. Finally, the speaker will give recommendations for fixing the security in online banking systems.

Dr. Svetlin Nakov (https://nakov.com) is a passionate software engineer, inspirational technical trainer and tech entrepreneur, with 20 years of experience in a broad range of programming languages, software technologies and platforms, applied cryptography and cybersecurity. He is an author of the “Practical Cryptography for Developers” book (https://cryptobook.nakov.com). Svetlin is co-founder of several highly successful tech startups and non-profit organizations. Currently, he is innovation and inspiration manager at SoftUni (https://softuni.org) - the largest tech education provider in South-Eastern Europe

OWASP Sofia

August 01, 2021
Tweet

More Decks by OWASP Sofia

See All by OWASP Sofia
[OWASP Sofia] Dimitar Boyanov - XSS Attacks and Defenses (27th of April, 2021)
owaspsofia
1
260
[OWASP Sofia] Dan Cornell - AppSec Fast and Slow: Your DevSecOps CI⁄CD Pipeline Isn’t an SSA Program (July 27th, 2021)
owaspsofia
0
230
[OWASP Sofia] Atanas Pashov - Pros n Cons of Penetration Testing (June 27th, 2019)
owaspsofia
0
250
[OWASP Sofia] Angel Bochev - Penetration Testing: OSINT (May 9th, 2019)
owaspsofia
0
310

Other Decks in Technology

See All in Technology
なぜ NOT A HOTEL が Web3 に取り組むのか - NOT A HOTEL TECH TALK
ynunokawa
0
160
小さな開発会社がWebサービスを作る理由
polidog
PRO
0
140
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
190
PHP"オレ"カンファレンスの告知
ysknsid25
0
320
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
0
290
シン・Kafka / shin-kafka
oracle4engineer
PRO
6
2.7k
「手動オペレーションに定評がある」と言われた私が心がけていること / phpcon_odawara2024
blue_goheimochi
1
320
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
100
[2024年3月版] Databricksのシステムアーキテクチャ
databricksjapan
7
1.9k
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
730
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
200
20240416_devopsdaystokyo
kzkmaeda
1
180

Featured

See All Featured
Writing Fast Ruby
sferik
619
60k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
Visualization
eitanlees
135
14k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
Gamification - CAS2011
davidbonilla
76
4.6k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
Large-scale JavaScript Application Architecture
addyosmani
503
110k
Web Components: a chance to create the future
zenorocha
304
41k
4 Signs Your Business is Dying
shpigford
175
21k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.8k

Transcript

  1. Live Demo: Compromising Modern Mobile Banking Apps through Hijacking Android

    Device Compromising Mobile Banking Apps Svetlin Nakov, PhD Co-Founder, Innovation and Inspiration @ Software University (SoftUni) https://nakov.com Software University (SoftUni) – http://softuni.org

  2.  Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+

    technical books  3 successful tech educational initiatives (150,000+ students) About Dr. Svetlin Nakov 2

  3.  Most modern baking apps are insecure!  Compromised smartphone

    == hacked mobile banking  Multi-factor authentication from single device == single-factor authentication!  First factor: username + password / PIN  Hacked smartphone provides all its passwords!  Second factor: OTP generator, implemented as mobile app  Controlled remotely by hackers!  Third factor: email or SMS confirmation (also hacked) Modern Banking Apps are Insecure! 3

  4.  Physical access to the device  Attackers directly install

    remote control app / malware  No physical access  Attackers trick the user to install malware  Fake app in the app store / phishing / spoofing / other attack  Remote control the device (100% full access)  Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform Hijacking Android Mobile Phone 4

  5. Warning! The following demo is for educational purposes only! Secretly

    hijacking mobile devices is illegal in most countries!

  6. 1. Gain a physical access to the mobile device 

    E.g. Can you take a photo of me … Can I email myself the photo? Hijacking Android Mobile Phone – Example 6

  7. 2. Install TeamViewer Hos t from the official app store

    3. Login in some TeamViewer account 4. Now the device is ready to connect Hijacking Android Mobile Phone – Example 7

  8. Alternative: AnyDesk Remote Control 8

  9.  AnyDesk allows unattended (silent) access:  Remote clients use

    password  Sessions are created without confirmation Unattended Access in AnyDesk 9

  10. 5. Hide app notifications (optionally)  This will make the

    remote control invisible for the phone owner Hijacking Android Mobile Phone – Example 10

  11. Hijacking Android Mobile Phone – Example 11 6. Connect remotely

    with TeamViewer Remote Control  View the phone's screen and click on it remotely

  12. 7. Wait for the smartphone owner to unlock the device

     Remember the screen lock pattern  Most smartphones use lock screen  Unlocking is done by screen swipe or with pattern or PIN or Hijacking Android Mobile Phone – Example 12

  13. Hijacking Android Mobile Phone – Example 13 8. View the

    saved passwords from the Web browser

  14.  In some Android versions, apps may use Display.FLAG_SECURE to

    prevent screen capturing or recording  This may help only partially!  In Chrome passwords are invisible but can be copied to the clipboard!  Some screen recording apps bypass this "black screen" protection Some Apps Prevent Screen Capturing 14

  15. Hijacking Android Mobile Phone – Example 15 9. Install a

    screen recorder to collect passwords and PIN codes through screencast videos

  16.  Wait for the phone owner to login in the

    online banking  Or use a screen recorder  The username + password will be revealed Watching the Online Banking Passwords 16

  17. Hijacking Android Mobile Phone – Example 17 9. Тhe mobile

    banking credentials can also be taken

  18. 10. Uninstall TeamViewer Host (hide your tracks, optionally) Hijacking Android

    Mobile Phone – Example 18

  19.  Lock Screen: unsafe PIN  visible; pattern  visible

    by default  Email, SMS, saved passwords  unsafe (direct access)  Google Authenticator  safe (black screen in new Android)  Revolut  safe (use fingerprint to login)  Wise  safe (use fingerprint to login)  Allianz Bank  unsafe (PIN visible, biometry can be disabled)  Unicredit Bulbank  unsafe (PIN visible, no biometry support)  Postbank  safe (use fingerprint + invisible PIN to login) What is Vulnerable? 19

  20. Fixing the Online Banking Security Recommendations and Best Practices

  21.  Use hardware OTP generators  Use biometry to unlock

    the OTP generator (like Revolut, Wise) Fixing the Online Banking Security 21  Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps

  22.  Recommendations for improved mobile device security  Beware of

    apps you install  avoid suspicious apps  Don't give your phone to anyone (e.g. to kids to play games)  Prefer biometry (fingerprint, face ID) to unlock the screen  iOS is generally more secure than Android  iOS does not support remote control (only remote view)  Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone) Improving the Mobile Device Security 22

  23. Questions? https://nakov.com Compromising Mobile Banking Apps