COMMAND
Statistical Attack Against Virtual Banks
SYSTEMS AFFECTED
Virtual Banks
PROBLEM
This is less an advisory than a reading prepared by Andre L. Dos
Santos. Every bank in the world wants to provide services over the
World Wide Web. There are many advantages for the banks, which
reduce their operating costs, and for the users, who receive
banking services 24 hours a day, 7 days a week. Because of these
advantages, the number of banks providing online banking services
has grown very rapidly. However, flaws in the technologies used
for the World Wide Web have also been reported at a very high
rate, and it is commonly believed that many more remain to be
discovered. Some of these flaws can be used to attack Virtual Bank
services or their users. The designers of the Virtual Bank
technologies affected by these flaws have followed a band-aid
approach: find a flaw and release a patch. Because of the
advantages the World Wide Web offers, the banks take their chances
and continue to provide online services. This note describes a
powerful attack that does not depend on any flaw in the
technologies and can be used against a large portion of the
Virtual Banks currently offering World Wide Web services.
The Statistical Attack was designed and successfully used, in
November 1998 during a contracted penetration test, to attack a
large multinational bank that offers online services. The attack
uses only steps that the bank's service treats as legitimate to
subvert the authentication procedure and impersonate users. It was
designed to be performed over the Secure Sockets Layer (SSL), since
this was the method the bank offered, but it can be extended to any
method used to access online services.
Many Virtual Banks rely on a fixed-length personal identification
number (PIN) to identify a user. Some banks allow access to all of
their online operations after a successful identification; others
require additional identification, such as a social security
number, mother's maiden name or an additional PIN. The Statistical
Attack can be used against the first identification, which is based
on the PIN, and in some cases against the additional
identification.
As with passwords, users have difficulty remembering long personal
identification numbers. Therefore there is a natural tendency to
use short, easy-to-remember numbers (like a birthday or 1234). Many
Virtual Banks, anticipating the problems that this class of numbers
can represent, require users to choose PINs that are not easy to
guess. However, the Virtual Banks cannot, in the name of
user-friendliness, require the user to use, and remember, a very
long number. Therefore it is a widespread practice to use 4- or
6-digit PINs. Because of the short length of the PINs, an attacker
can target a particular account and try all possibilities. To
defend against this class of attack, banks usually lock out
accounts after a certain number of unsuccessful identification
attempts.
The Statistical Attack relies on the ratio between the size of the
PIN space and the number of users of the service. Instead of fixing
an account and varying the possible PINs, which would lock out that
account, it fixes a PIN and varies the account number. If PINs are
uniformly chosen and 4 digits long, each guess succeeds with
probability 1/10,000, so a random guess yields on average one hit
for every 10,000 accounts tried. A hit is achieved with far fewer
accounts if easy-to-guess PINs are allowed, since the attacker
fixes one of those first. With this approach the bank does not lock
out any particular account, since a given account is tried again,
with a different PIN, only after all the other accounts have been
tried; as long as the number of passes over the account list stays
below the lockout threshold, the lockout protection is never
triggered.
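The following simulation, added here as an illustration and not code from the original note, contrasts the naive fixed-account attack with the Statistical Attack against a per-account lockout. The bank, its account numbers, the PIN distribution (a fraction of users choosing easy PINs), the lockout threshold and the PINs the attacker tries are all constructed assumptions.

```python
"""Simulation of the Statistical Attack (fix the PIN, vary the account)
against a per-account lockout. Added example, not code from the
original note; the bank, accounts, PIN distribution and lockout
threshold are constructed for illustration."""
import random
from collections import Counter

PIN_SPACE = 10000                          # 4-digit PINs
LOCKOUT_THRESHOLD = 3                      # failed tries per account
# Easy PINs of the kind the note mentions (1234, birthdays); constructed.
EASY_PINS = ["1234", "0000", "1111", "2580", "1990", "1985"]


def make_bank(num_accounts, easy_fraction, seed=1):
    """Constructed user population: a fraction picks an easy PIN, the
    rest pick uniformly at random from the 4-digit space."""
    rng = random.Random(seed)
    pins = {}
    for acct in range(100000, 100000 + num_accounts):
        if rng.random() < easy_fraction:
            pins[acct] = rng.choice(EASY_PINS)
        else:
            pins[acct] = "%04d" % rng.randrange(PIN_SPACE)
    return pins


class Bank:
    """Login oracle with the usual defence: lock an account once it has
    accumulated LOCKOUT_THRESHOLD failed attempts."""

    def __init__(self, pins):
        self.pins = pins
        self.failures = Counter()
        self.locked = set()

    def login(self, acct, pin):
        if acct in self.locked:
            return "locked"
        if self.pins.get(acct) == pin:
            return "hit"
        # Same answer for a nonexistent account and a wrong PIN, so the
        # response itself does not leak which accounts exist.
        self.failures[acct] += 1
        if self.failures[acct] >= LOCKOUT_THRESHOLD:
            self.locked.add(acct)
            return "locked"
        return "fail"


def vertical_attack(bank, acct):
    """The naive approach: fix one account and walk the PIN space.
    The lockout fires after LOCKOUT_THRESHOLD wrong guesses."""
    for tries, n in enumerate(range(PIN_SPACE), start=1):
        result = bank.login(acct, "%04d" % n)
        if result in ("hit", "locked"):
            return result, tries
    return "fail", PIN_SPACE


def statistical_attack(bank, accounts, pins_to_try, budget):
    """The Statistical Attack: fix a PIN and walk the accounts. Each
    account sees its next guess only after every other account has been
    tried, so with fewer than LOCKOUT_THRESHOLD passes nothing locks."""
    hits, tries = [], 0
    for pin in pins_to_try:
        for acct in accounts:
            if tries >= budget:
                return hits, tries
            tries += 1
            if bank.login(acct, pin) == "hit":
                hits.append((acct, pin))
    return hits, tries


def run_demo(num_accounts=20000, easy_fraction=0.10):
    """Returns (vertical result, spray hits, spray tries, accounts
    locked by the spray). Two passes: one easy PIN, then a uniform
    guess ('4271' is an arbitrary constructed value)."""
    pins = make_bank(num_accounts, easy_fraction)
    accounts = sorted(pins)
    vertical = vertical_attack(Bank(pins), accounts[0])
    bank = Bank(pins)
    hits, tries = statistical_attack(bank, accounts, ["1234", "4271"],
                                     budget=2 * len(accounts))
    return vertical, hits, tries, len(bank.locked)


if __name__ == "__main__":
    vertical, hits, tries, locked = run_demo()
    print("fixed account:", vertical)
    print("fixed PIN: %d hits in %d tries, %d accounts locked"
          % (len(hits), tries, locked))
```

The vertical attack is stopped after three guesses; the spray makes two full passes over the account list, locks nothing, and collects a hit for roughly every easy-PIN user who chose 1234, plus about one hit per 10,000 tries from the uniformly chosen PINs. Setting easy_fraction to 0 shows the pure uniform case the note describes.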
The Statistical Attack can be used to attack Virtual Banks without
the need to download a Trojan horse program to a user's computer,
and without the need to gain access to the bank's computer. In
addition, the attack does not rely on any flaw of technologies
used for the World Wide Web. Many Virtual Banks are subject to
this class of attack.
The Statistical Attack can also be generalized to attack many
different banks at the same time. An attack performed this way can
circumvent protections applied by each bank individually, and
succeed purely on the statistical characteristics of PINs.
Attacking different banks at the same time also decreases the
difficulty of guessing account numbers or online IDs, since there
is a larger sample space for trying different IDs: an ID can be
fixed and tried against all attacked banks that use the same
format for their IDs.
Some banks use alphanumeric characters for authentication. In that
case an attacker can use dictionary words, instead of numbers, to
attack these banks.
SOLUTION
One difficulty in performing this attack is determining valid
account numbers, or in certain cases log-in IDs. How valid account
numbers or log-in IDs are guessed depends on the bank being
attacked. In some cases the online log-in procedure gives a
different response for a nonexistent account than for a wrong PIN.
This can be used to build a dictionary of valid accounts. In other
cases the log-in ID is some number of digits taken from the
client's charge card. Since many of the charge cards in use today
can be used wherever credit cards are accepted, they carry numbers
that are valid credit card numbers. This characteristic can be
used to eliminate many candidates that are not valid credit card
numbers, using the credit card number validation algorithm (the
Luhn check digit), which rejects nine out of ten arbitrary digit
strings. When actual bank account numbers are used, or when the
log-in ID is short, it is often sufficient to exploit the locality
of account numbers and try sequential guesses.
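As an added example (not part of the original note), the following code applies the credit card validation algorithm (Luhn) to prune a range of sequential guesses around a known ID. It assumes the log-in ID is the full card number; the prefix, length and range are constructed values.

```python
"""Pruning a sequential log-in ID space with the Luhn check digit.
Added example, not from the original note; the ID format (full card
number), prefix and ranges are constructed assumptions."""


def luhn_valid(number):
    """Standard Luhn (mod 10) check: starting from the right, double
    every second digit, subtract 9 from any doubled value above 9, and
    require the digit sum to be divisible by 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_ids(prefix, length, start, count):
    """Sequential guesses near a known ID (the locality of account and
    card numbers), keeping only those that pass the Luhn check. Exactly
    one number in every run of ten consecutive values survives."""
    width = length - len(prefix)
    out = []
    for n in range(start, start + count):
        num = prefix + str(n).zfill(width)
        if luhn_valid(num):
            out.append(num)
    return out


if __name__ == "__main__":
    # Constructed prefix; a 16-digit number space, 1000 sequential guesses.
    ids = candidate_ids("4", 16, 0, 1000)
    print(len(ids), "of 1000 sequential candidates pass Luhn")
    print(ids[:3])
```

The prune reduces the work of the enumeration step by a factor of ten; it says nothing about whether an ID is enrolled for online banking, which still has to come from the service's own responses or from sequential guessing.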
Two mechanisms can be used to make this attack more difficult. One
is to delay the answer to failed authentications, or to both
successful and failed authentications. This mechanism, however,
reduces the user-friendliness of the system. If only failed
authentications are delayed, an attacker can infer the answer from
the time it takes: a successful log-in answers quickly, so the
attacker need wait no longer than the time of a successful answer
before treating the attempt as a failure, and the delay costs the
attacker nothing. If both kinds of answer are delayed, users may
perceive the delay as a flawed or badly designed system. The
second mechanism is a time window in which failed authentications
from each fixed IP address are counted; any request from a
particular IP is blocked after a specific number of failed
authentications. The biggest problem with this approach is the
widespread use of proxy servers: the window must be designed very
carefully, or legitimate access will be denied because different
users behind the same proxy make mistakes in the same time window.
There is also a potential denial of service, when proxies are used
or when the attacker wants to deny access from a particular
computer, since the attacker can deliberately use up that address's
allowance of failures. An attacker can also avoid being blocked by
compromising a router, or by using different computers, so that
requests come from different IPs. Thus the protection can be
completely circumvented with a fixed number of IPs; how many
depends on the time window and the threshold in use.
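The per-IP window mechanism, and both of its weaknesses (proxy collateral damage and circumvention with enough source addresses), as an added example that is not code from the original note. The window length, threshold, addresses and the stream of attempts are constructed assumptions; the source labels stand in for distinct addresses.

```python
"""Per-source-IP failed-login window (the note's second mechanism),
the proxy false-positive problem, and the arithmetic of how many
source addresses are needed to stay under it. Added example, not from
the original note; parameters and attempt streams are constructed."""
import math
from collections import defaultdict, deque


class SourceWindowLimiter:
    """Block a source IP once it has max_failures failed logins inside
    the last window_seconds (sliding window over failure timestamps)."""

    def __init__(self, window_seconds, max_failures):
        self.window = window_seconds
        self.max_failures = max_failures
        self.failures = defaultdict(deque)   # ip -> failure timestamps

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.max_failures

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self.failures[ip].append(now)


def proxy_collateral(limiter, proxy_ip, users, mistakes_per_user):
    """Several legitimate users behind one proxy, each mistyping a few
    times in the same window, one attempt per second. Returns whether
    the shared address ends up blocked for all of them."""
    t = 0.0
    for _ in range(users):
        for _ in range(mistakes_per_user):
            limiter.record_failure(proxy_ip, t)
            t += 1.0
    return limiter.is_blocked(proxy_ip, t)


def ips_needed(attempts_per_window, max_failures):
    """Nearly every spray attempt fails, so each address can afford at
    most max_failures - 1 failures per window without being blocked."""
    return math.ceil(attempts_per_window / (max_failures - 1))


def spray_under_limit(limiter, attempts_per_window):
    """Spread one window's worth of failing attempts round-robin over
    just enough constructed sources; returns how many get blocked."""
    n = ips_needed(attempts_per_window, limiter.max_failures)
    sources = ["source-%d" % i for i in range(n)]   # stand-ins for IPs
    for i in range(attempts_per_window):
        limiter.record_failure(sources[i % n], 0.0)
    return sum(limiter.is_blocked(ip, 0.0) for ip in sources)


if __name__ == "__main__":
    print("proxy with 3 users x 2 typos blocked:",
          proxy_collateral(SourceWindowLimiter(60, 5), "198.51.100.7", 3, 2))
    print("sources for 10,000 attempts/window at 5 failures:",
          ips_needed(10000, 5))
    print("sources blocked:",
          spray_under_limit(SourceWindowLimiter(60, 5), 10000))
```

Lengthening the window or lowering the threshold raises the number of addresses the attacker needs, but it also lowers the number of ordinary mistakes a shared proxy address can absorb before every user behind it is denied; the two costs move together, which is the trade-off the note describes.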