Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Banks

Shmoocon 2011: Defeating mTANs for profit

Defeating mTANs for profit

Axelle Apvrille and Kyle Yang


Zeus In The MObile –> ZITMO

Malware for Symbian OS > 9.0

Intercepts mTANs (one-time passwords sent over SMS)

Targeting Spanish online banks

Propagated on PC by Zeus botnet

First case seen of organized criminals exploiting mobile TANs


Zeus (AKA Zbot)

It’s a crimeware kit and not a single botnet (there are several)

Designed to steal banking credentials

Zitmo in a nutshell

Once Zeus has infected a pc, and the user initiates a transaction, Zeus detects the mobile number and attempts to propagates to the mobile device by sending the end-user an SMS to prompt the user to download a new certificate. Once this is installed the attacker can transfer the money at any time as the attacker has access to the online login information (stolen by Zeus through keylogging) and the mTAN for the transaction (stolen through Zitmo). The end-user never receives an SMS due to it being intercepted by Zitmo.

This means attackers can do the transfer at any point they wish without any user interaction.

Analysis of the Zitmo malware showed the program shared a lot of similarities with a Russian software called SMS Monitor which offers a lot of the same functions, but marketed as a parent controls and security audit tool.

However some of the code from SMS Monitor was published in Russian magazines. Maybe the code was stolen?

Reverse Engineering Zitmo

Three actors –> Victim, Administrator (bad guy) and Others (e.g. bank, friends, …)

2 separate processes –> INIT and SMS Processing Engine

Daemon listens for incoming SMS requests and checks them to see if they need to be processed (commands, mTANs, etc…) or forwarded to the phone’s inbox.

Due to the way Symbian works it’s not possible to hook directly into the “Listen to all SMS” function (in use by the phone). However it is possible to hook into the “Listen to all SMS containing the following”. By setting this to IfNotNULL, they can bypass the restriction of listening to ALL SMS messages.

Zitmo doesn’t block all SMS messages, but checks all incoming to check for appropriate actions. Blocking all SMS messages would result in the user becoming suspicious.

Zitmo Commands

  • ON / OFF (disable Zitmo)
  • SET ADMIN xx
  • ADD SENDER xx, xx / ALL
  • REM SENDER xx, xx / ALL
  • BLOCK ON / OFF (block incoming calls)

Spoof administrator

Protocol flaw: Anybody can claim to be the administrator!

How to 0wn the adm1n :

  1. Method 1: Send SET ADMIN command by SMS to the phone
  2. Method 2: Craft a new settings file

By using remote debugging on Symbian it’s easy to step through the process used to handle commands as they come in from the lab administrator phone.

Zitmo’s Hidden debug window

Zitmo was secretly writing to a hidden debug window

By putting in a breakpoint on the hide function and altering it to visible, it was possible to view the hidden debug window and watch status information change when receiving commands.


Very difficult to spot due to the lack of symptoms

One possible trigger to detection is that the application was delivered as a .sis/.sisx application and not as a certificate (as advertised)

It also shows in the installed applications list

Zitmo is signed by Symbian, therefore accepted by the phone –> Express Signed

This is not uncommon however as multiple malware has been signed using this abuse


  • Shmoocon Schedule –> HERE
  • Talk Synopsis –> HERE
  • Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated – Fortinet Blog
  • Fortinet

26C3: Optimised to fail – Card readers for online banking

Card readers for online banking

The Chip Authentication Programme (CAP) has been introduced by banks
in Europe to deal with the soaring losses due to online banking fraud.
A handheld reader is used together with the customer’s debit card to
generate one-time codes for both login and transaction authentication.
The CAP protocol is not public, and was rolled out without any public
scrutiny. We reverse engineered the UK variant of card readers and
smart cards and here provide the first public description of the
protocol. We found numerous design errors, which could be exploited by

Banks throughout Europe are now issuing hand-held smart card readers
to their customers. These are used, along with the customer’s bank
card, for performing online banking transactions. In this talk I will
describe how we reversed-engineered the cryptographic protocol used by
these readers, using some custom-designed smart card analysis hardware.
We discovered several flaws in this protocol, which could be exploited
by criminals (and some already are). This talk will explain what
vulnerabilities exist, and what the impact on customers could be.

Online banking fraud has increased 185% between 2007 and 2008.

Simple fraud techniques dominate due to poor overall security and awareness :

  • Phishing emails
  • Keyboard loggers

Some common security measures that UK banks have implemented :

  • On-Screen keyboards
  • Picture passwords
  • Device fingerprinting (using HTTP header information to track and block)
  • One-time-passwords/iTAN

All of these are bypassable in one way or another. Whether it’s through MitM style attacks, of faking headers. Commonly however Man in the Browser attacks are used, as it offers a complete control over the victim’s machine. What the victim sees, isn’t what they send/receive.

To combat this, the response must be bound to the transaction to be authorised. Various methods have been implemented, including several UK banks that are now using hardware based challenge/response for authorisation of transactions. These devices conform to the EMV specification v4.2

  • Customer enters PIN
  • Customer enters transaction details
  • Reader displays authorisation code
  • Customer enters code into the browser
  • Bank verifies the authorisation code in the background

How this protocol works is a closed box.

By building a smart card snooper (based on the Xilinx FPGA development board from Opal Kelly) it was possible to discover information about the underlying protocols.

  • Protocol very similar to EMV (used for smartcard payments in Europe)
  • Looks like a transaction but cancelled at the last stage
  • Contains 2 data items not listed in the EMV specification

Changing some data

By modifying specific pieces of data and leaving others the same, it was possible to observe the reaction of the device. By flipping 1 bit, sometimes the transaction failed, other times the resulting code was different.

  • The authentication code comes from the cryptogram generated by the card at the end of the transaction
  • The mysterious tag 9f56 was a ‘bit filter’ which selects which bits from the cryptogram are used for the response
  • The filtered cryptogram is then converted to decimal

It was found that there were no cryptographic secrets within the device itself. This means that a software implementation was easy to achieve (a number are available).

Useability failures aid fraudsters

The different banks use varied features of the devices. This leads to confusion where a fraudster can fool a user into using the device in a way that the input is what the fraudster wants and not what the bank expects.

Nonce is small or absent

  • No nonce in Barclays variant, so response stays valid
  • Only a 4 digit nonce with Natwest (weak 100 guesses = 63% success rate)

Fake point of sales devices can get responses in advance.

CAP readers help muggers – CAP readers can be used to check if the PIN number is correct or not.
Supply chain infiltration – In the past chip & pin terminals with GSM modules have already been found in the wild. The control of CAP readers is significantly less controlled.

What does this mean for customers

  • CAP is far better than existing UK systems
  • Authentication codes are dynamic
  • Authentication codes are bound to transaction

However, banks are now claiming that any transaction using this process must have been authorised by the user. This means that if you are a victim of fraud, the bank will probably deny your claims. Currently ~20% of claims are turned down.

Recent attempts to test this in court failed, with the Bank winning (Halifax). The evidence provided by the bank was simply a log file showing that the transaction was chip read (04 in the log).

HHD 1.3

Standard from ZKA, Germany

Stronger than UK CAP, but more user input required

  • Many more modes
  • Mode number alters meaningful prompts
  • Up to 7 digit nonce
  • Nonce, and mode number are included in MAC
  • PIN verification

Other solutions

  • Flicker TAN – Device reads information from a flickering animation (using sensors)
  • USB connected readers – Require drivers, so could be an issue without Admin permissions
  • Cronto PhotoTAN – Uses a 2D barcode read by a mobile phone application (uses a cryptographic key to prevent MitM)

More information can be found on the CCC wiki. Access to the slides (PDF)