COMMAND

    Statistical Attack Against Virtual Banks

SYSTEMS AFFECTED

    Virtual Banks

PROBLEM

    This is less an advisory than a reading prepared by Andre L. Dos
    Santos.  Every bank in the world desires to provide services using
    the World Wide Web.  There are many advantages to the banks, which
    reduce their operating costs, and to the users, who receive 24
    hours a day, 7 days a week, banking services.  Because of these
    advantages, the number of banks providing online banking  services
    has grown at a very large rate. However, flaws in the technologies
    that are used for the World Wide Web have also been reported at  a
    very large rate, and it is common belief that many more are  still
    to  be  discovered.  Some  of  these  flaws  can be used to attack
    Virtual  Bank  services  or  their  users.   The  designers of the
    Virtual  Bank  technologies  affected  by  the  flaws  followed  a
    band-aid approach:  find a flaw  and release a patch.  Because  of
    the advantages  that the  World Wide  Web offers,  the banks  take
    their chances and continue to provide online services.  This  note
    describes a powerful attack that does not depend on any flaw of
    the technologies and can be used to attack a large portion of  the
    Virtual Banks currently offering World Wide Web services.

    The Statistical Attack was designed and successfully used, in
    November 1998 during a contracted penetration test, to attack a
    large multinational bank that offers online services.  The
    attack uses steps that are considered legal by the bank to subvert
    the authentication  procedure and  impersonate users.   The attack
    was designed to be performed using the secure socket layer,  since
    this was the method the bank was offering, but it can be  extended
    to any method that is used to access online services.

    Many Virtual Banks rely on a fixed length personal  identification
    number (PIN) to identify a user.  Some banks allow access to all
    of  their  online  operations  after  a successful identification,
    others  require  additional  identification,  like social security
    number, maiden name or an additional PIN.  The Statistical  Attack
    can be used to attack the first identification, which is based  on
    the personal identification number, and in some cases to attack an
    additional identification.

    As  with  passwords,  users  have  difficulty in remembering large
    personal  identification  numbers.  Therefore,  there is a natural
    tendency to use small, easy to remember numbers (like birthday  or
    1234). Many  Virtual Banks,  anticipating the  problems that  this
    class of numbers can represent, require users to choose PINs  that
    are not easy to guess.  However, the Virtual Banks cannot, in  the
    name of user-friendliness, require the user to use, and  remember,
    a very large number.  Therefore, it is a widespread practice to
    use 4 or 6  digit PINs.  Because  of the small length  of the PINs
    an  attacker  can  target  a   particular  account  and  try   all
    possibilities.  In order to defend against this class of  attacks,
    banks  usually  lock  out  accounts  after  a  certain  number  of
    unsuccessful identification attempts.

    The Statistical Attack relies on the ratio between the size of the
    personal  identification  number  and  the  number of users of the
    service.  Instead  of fixing an  account and varying  the possible
    PINs, which would cause a  lock out in the particular  account, it
    fixes a PIN and varies the account number.  Therefore, if the PINs
    are uniformly chosen and use 4 digits, then a random guess would
    yield one hit for every 10,000 accounts tried.  A hit can be achieved
    with a much  lower number of  accounts if easy  to guess PINs  are
    allowed.   Using this  approach, the  bank does  not lock  out any
    particular account, since it will be tried again with a  different
    PIN only  after numerous  other accounts  have been  tried.  Thus,
    the lock out protection is not triggered.
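    The ratio argument above, carried through as an added worked estimate
    that is not part of the original note: A is the number of accounts in
    one sweep, f(p) the fraction of users whose PIN is p, and k the
    per-account lock-out threshold (all three are assumed symbols).

```latex
% one sweep: the same PIN p is tried once against each of the A accounts
E[H_{\text{sweep}}] = A \, f(p), \qquad
\text{accounts per hit} = \frac{1}{f(p)} =
\begin{cases}
10^{4} & \text{4-digit PINs chosen uniformly}\\
1/f_{\max} \ll 10^{4} & \text{weak PINs such as 1234 permitted}
\end{cases}

% lock-out: each account receives one guess per sweep, so a threshold of
% k failures cannot fire before k complete sweeps, i.e. before kA guesses
E[H_{\text{before lock-out}}] = A \sum_{j=1}^{k} f(p_j)
\;\approx\; \frac{kA}{10^{4}} \quad \text{(uniform 4-digit PINs)}
```

    With illustrative values A = 10^6 accounts and k = 3, that is about
    300 expected compromised accounts before any per-account lock-out
    fires: the lock-out bounds guesses per account, not guesses per PIN
    across accounts.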

    The Statistical Attack can be used to attack Virtual Banks without
    the need to download a Trojan horse program to a user's  computer,
    and without the need  to gain access to  the bank's computer.   In
    addition, the  attack does  not rely  on any  flaw of technologies
    used for the World  Wide Web.  Many  Virtual Banks are subject  to
    this class of attack.

    The  Statistical  Attack  can  also  be generalized to attack many
    different banks  at the  same time.  An attack  performed this way
    can circumvent protections applied by each bank individually,  and
    be successful  based on  the statistical  characteristic of  PINs.
    Attacking different banks at the same time also decreases the
    difficulty of guessing account numbers or online IDs, since  there
    is a larger  sample space for  trying different IDs,  which can be
    fixed and tried for all  attacked banks that have the  same format
    for the IDs.

    Some banks  use alphanumeric  characters for  authentication.   An
    attacker can  use dictionary  words, instead  of numbers,  in this
    case to attack these banks.

SOLUTION

    One difficulty when performing  this attack is to  determine valid
    account numbers,  or in  certain cases  a log-in  ID.   The way to
    guess valid account  numbers, or log-in  IDs, depends on  the bank
    where the attack is performed.   In some cases the online  service
    log-in  procedure  provides  different  responses  for nonexistent
    accounts  than  for  wrong  PINs.   This  can  be  used to build a
    dictionary of  valid accounts.   In other  cases the  log-in ID is
    some number of digits taken from the client's charge card.   Since
    many of the  charge cards in  use today can  be used where  credit
    cards are,  they have  numbers that  are valid  for credit  cards.
    This characteristic  can be  used to  eliminate many  numbers that
    are not  valid credit  card numbers  using the  credit card number
    validation algorithm.  When actual bank accounts are used or  when
    the log-in ID is small, it is sufficient in many cases to use  the
    locality of account numbers and try sequential guesses.

    Two mechanisms  can be  used to  make this  attack more difficult.
    One is to delay answers to failed, or both positive and failed,
    authentications.  This mechanism, however, reduces the
    user-friendliness of  the system.  If only  failed authentications
    are delayed, an  attacker can guess  the answer based  on the time
    that it  takes, being  bounded only  by the  positive answer time.
    If both authentication answers are delayed, the user may  perceive
    this  delay  as  a  flawed  or  badly designed system.  The second
    mechanism   is   to   provide   a   time   window,   where  failed
    authentications from fixed IP addresses are counted.  Any request
    from a particular IP is blocked after a specific number of  failed
    authentications.   The  biggest   problem  with  this   protection
    approach is the  generalized use of  proxy servers.   That is, the
    window must be very carefully designed or legitimate access will
    be denied due to different users making mistakes in the same  time
    window.  There is also  a potential denial of service  attack when
    proxies are used or when the attacker wants to deny access from  a
    particular computer.  An attacker can also avoid being blocked  by
    capturing  a  router,  or  using  different computers, in order to
    send requests  from different  IPs.   Thus, the  protection can be
    totally circumvented with  a fixed number  of IPs.   The number of
    IPs needed depends on the time window being used.
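    The second mechanism above as added example code (not from the note or
    from any bank's systems): a per-IP sliding-window failure counter as
    the note describes it, plus a source-independent check that goes
    beyond the note by counting distinct failing accounts per window, so
    that IP rotation or a shared proxy does not hide a fixed-PIN sweep.
    The log format and every value in it are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the note): "timestamp ip account result".
# 10.0.0.5 sweeps one PIN across consecutive accounts; 10.0.0.9 is a user.
SAMPLE_LOG = """\
1998-11-03T10:00:00 10.0.0.5 100231 FAIL
1998-11-03T10:00:01 10.0.0.5 100232 FAIL
1998-11-03T10:00:02 10.0.0.5 100233 FAIL
1998-11-03T10:00:03 10.0.0.5 100234 FAIL
1998-11-03T10:00:04 10.0.0.5 100235 FAIL
1998-11-03T10:00:05 10.0.0.5 100236 OK
1998-11-03T10:00:10 10.0.0.9 100300 FAIL
1998-11-03T10:00:40 10.0.0.9 100300 OK
"""
def parse_log(text):
    """Return time-ordered (timestamp, ip, account, result) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return sorted((datetime.fromisoformat(t), ip, a, r) for t, ip, a, r in rows)
def per_ip_blocks(events, window, max_failed):
    """Second mechanism from the note: failed authentications per source IP
    in a sliding window; block the IP when they reach max_failed."""
    recent, blocked = defaultdict(deque), {}
    for ts, ip, _account, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= max_failed and ip not in blocked:
            blocked[ip] = ts
    return blocked

def spray_alert(events, window, min_accounts):
    """Source-independent check (beyond the note): a fixed-PIN sweep shows
    up as many distinct accounts failing in one window, whatever IPs or
    proxies carry the requests.  Returns (time, count) at first breach."""
    recent = deque()
    for ts, _ip, account, result in events:
        if result != "FAIL":
            continue
        recent.append((ts, account))
        while ts - recent[0][0] > window:
            recent.popleft()
        distinct = {a for _, a in recent}
        if len(distinct) >= min_accounts:
            return ts, len(distinct)
    return None
```

    The source-independent check trades the note's proxy problem for a
    global threshold that must be set against the site's normal failure
    rate, since ordinary users' mistakes land in the same window.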