[OWASP Sofia] Svetlin Nakov - Compromising Modern Online Banking Apps through Hijacking Android Device (27th of March, 2021)

In this talk Dr. Svetlin Nakov will explain and demonstrate how easily a 10-year-old child can gain full control over modern European online banking apps by hijacking an Android mobile phone, using trivial remote administration tools and screen recording apps from the official Android app store. The speaker will demonstrate why online banking should not rely on a single connected device for multi-factor authentication. Finally, the speaker will give recommendations for fixing the security of online banking systems.

Dr. Svetlin Nakov (https://nakov.com) is a passionate software engineer, inspirational technical trainer and tech entrepreneur, with 20 years of experience in a broad range of programming languages, software technologies and platforms, applied cryptography and cybersecurity. He is the author of the “Practical Cryptography for Developers” book (https://cryptobook.nakov.com). Svetlin is co-founder of several highly successful tech startups and non-profit organizations. Currently, he is innovation and inspiration manager at SoftUni (https://softuni.org), the largest tech education provider in South-Eastern Europe.

OWASP Sofia

August 01, 2021

Transcript

  1. Live Demo: Compromising Modern Mobile Banking Apps through Hijacking Android Device
    Compromising Mobile Banking Apps
    Svetlin Nakov, PhD
    Co-Founder, Innovation and Inspiration @ Software University (SoftUni)
    https://nakov.com
    Software University (SoftUni) – http://softuni.org
  2. About Dr. Svetlin Nakov
    - Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+ technical books
    - 3 successful tech educational initiatives (150,000+ students)
  3. Modern Banking Apps are Insecure!
    - Most modern banking apps are insecure!
    - Compromised smartphone == hacked mobile banking
    - Multi-factor authentication from single device == single-factor authentication!
    - First factor: username + password / PIN
      - Hacked smartphone provides all its passwords!
    - Second factor: OTP generator, implemented as mobile app
      - Controlled remotely by hackers!
    - Third factor: email or SMS confirmation (also hacked)
  4. Hijacking Android Mobile Phone
    - Physical access to the device
      - Attackers directly install remote control app / malware
    - No physical access
      - Attackers trick the user to install malware
      - Fake app in the app store / phishing / spoofing / other attack
    - Remote control the device (100% full access)
      - Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform
  5. Warning! The following demo is for educational purposes only! Secretly hijacking mobile devices is illegal in most countries!
  6. Hijacking Android Mobile Phone – Example
    1. Gain physical access to the mobile device
      - E.g. Can you take a photo of me … Can I email myself the photo?
  7. Hijacking Android Mobile Phone – Example
    2. Install TeamViewer Host from the official app store
    3. Log in to a TeamViewer account
    4. Now the device is ready to connect
  8. Alternative: AnyDesk Remote Control
  9. Unattended Access in AnyDesk
    - AnyDesk allows unattended (silent) access:
      - Remote clients use password
      - Sessions are created without confirmation
  10. Hijacking Android Mobile Phone – Example
    5. Hide app notifications (optionally)
      - This will make the remote control invisible for the phone owner
  11. Hijacking Android Mobile Phone – Example
    6. Connect remotely with TeamViewer Remote Control
      - View the phone's screen and click on it remotely
  12. Hijacking Android Mobile Phone – Example
    7. Wait for the smartphone owner to unlock the device
      - Remember the screen lock pattern
      - Most smartphones use lock screen
      - Unlocking is done by screen swipe or with pattern or PIN or
  13. Hijacking Android Mobile Phone – Example
    8. View the saved passwords from the Web browser
  14. Some Apps Prevent Screen Capturing
    - In some Android versions, apps may use Display.FLAG_SECURE to prevent screen capturing or recording
    - This may help only partially!
      - In Chrome passwords are invisible but can be copied to the clipboard!
      - Some screen recording apps bypass this "black screen" protection
  15. Hijacking Android Mobile Phone – Example
    9. Install a screen recorder to collect passwords and PIN codes through screencast videos
  16. Watching the Online Banking Passwords
    - Wait for the phone owner to log in to the online banking
    - Or use a screen recorder
    - The username + password will be revealed
  17. Hijacking Android Mobile Phone – Example
    9. The mobile banking credentials can also be taken
  18. Hijacking Android Mobile Phone – Example
    10. Uninstall TeamViewer Host (hide your tracks, optionally)
  19. What is Vulnerable?
    - Lock Screen: unsafe PIN → visible; pattern → visible by default
    - Email, SMS, saved passwords → unsafe (direct access)
    - Google Authenticator → safe (black screen in new Android)
    - Revolut → safe (use fingerprint to login)
    - Wise → safe (use fingerprint to login)
    - Allianz Bank → unsafe (PIN visible, biometry can be disabled)
    - Unicredit Bulbank → unsafe (PIN visible, no biometry support)
    - Postbank → safe (use fingerprint + invisible PIN to login)
  20. Fixing the Online Banking Security
    Recommendations and Best Practices
  21. Fixing the Online Banking Security
    - Use hardware OTP generators
    - Use biometry to unlock the OTP generator (like Revolut, Wise)
    - Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps
  22. Improving the Mobile Device Security
    - Recommendations for improved mobile device security
      - Beware of apps you install → avoid suspicious apps
      - Don't give your phone to anyone (e.g. to kids to play games)
      - Prefer biometry (fingerprint, face ID) to unlock the screen
      - iOS is generally more secure than Android
        - iOS does not support remote control (only remote view)
      - Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone)
  23. Questions?
    https://nakov.com
    Compromising Mobile Banking Apps
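
The two app-side recommendations from slide 21 (block screen capture, unlock the OTP generator with biometry) can be combined in one Android screen. The Kotlin sketch below is an added example, not code from the talk or from any of the banking apps named in it. It assumes the androidx.biometric library; `SecureOtpActivity` and `currentOtp()` are hypothetical names. The window flag is set through the `WindowManager.LayoutParams.FLAG_SECURE` constant.

```kotlin
import android.os.Bundle
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

// Hypothetical OTP screen; currentOtp() stands in for the app's own generator.
abstract class SecureOtpActivity : AppCompatActivity() {
    private lateinit var otpView: TextView
    protected abstract fun currentOtp(): String

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Set before any content is shown, so screenshots and screen recorders
        // get the "black screen" of slide 14 instead of this window's content.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        otpView = TextView(this)
        setContentView(otpView)
    }

    override fun onStart() {
        super.onStart()
        otpView.text = "" // nothing on screen until the owner is verified
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                otpView.text = currentOtp()
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                finish() // cancelled, locked out or no biometrics enrolled: show nothing
            }
        }
        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock OTP generator")
            .setNegativeButtonText("Cancel")
            // Biometrics only: a PIN or pattern fallback can be observed on a hijacked device.
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .build()
        prompt.authenticate(info)
    }

    override fun onStop() {
        otpView.text = "" // clear the code when the app leaves the foreground
        super.onStop()
    }
}
```

As slide 14 notes, the capture flag helps only partially, which is why the code is also gated behind a biometric check that a remote session cannot satisfy with an observed PIN.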