Banks hacked 2013
This is a valid transaction since Bob exists in the list of approved beneficiaries. The authentication characters can be considered key-value pairs: there are 16 keys 1… and an authentication digit for each of them. The bypass payment hack happens in step 3. Eve, the adversary, can tamper with the request as. As described in the transaction steps, authentication values need to be provided: the server asks for 3 of the 16 values at random, as a second authentication factor.
Eve can tamper with the request and response and supply the 3 valid key-value pairs she knows. Irrespective of which positions the server asks for, Eve provides the pairs she knows, and the transaction still goes through. She thus effectively bypasses the security mechanism, since she can spoof every transaction.
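The root cause of the bypass described above is a verifier that trusts the positions the client echoes back instead of the positions the server itself chose. The following added example (not code from the original page or from any bank's application) contrasts a flawed verifier with a hardened one; the 16-character secret, the challenge positions and the set of positions the adversary knows are all constructed sample values.

```python
import hmac
from random import SystemRandom

# Constructed sample: a 16-position secret ("authentication characters"),
# keyed by position 1..16 as in the scheme discussed above.
SECRET = {i: ch for i, ch in enumerate("Q7MX3KP9LR2ZV8HT", start=1)}


def issue_challenge() -> list[int]:
    """Server side: pick 3 distinct positions out of 16 to ask for.

    The chosen positions must be stored in server-side session state so
    that verification can refer to them later without trusting the client.
    """
    return SystemRandom().sample(range(1, 17), 3)


def verify_vulnerable(secret: dict[int, str], challenge: list[int],
                      response: dict[int, str]) -> bool:
    """Flawed check: it ignores `challenge` and validates whatever
    position/value pairs the client sent. Any 3 correct pairs pass, so a
    client that answers positions of its own choosing is accepted."""
    if len(response) != 3:
        return False
    return all(pos in secret and hmac.compare_digest(secret[pos], val)
               for pos, val in response.items())


def verify_hardened(secret: dict[int, str], challenge: list[int],
                    response: dict[int, str]) -> bool:
    """Correct check: the answered positions must be exactly the ones the
    server asked for (taken from server-side state), and every value is
    compared in constant time against the stored secret."""
    if set(response) != set(challenge):
        return False
    return all(hmac.compare_digest(secret[pos], response[pos])
               for pos in challenge)


def demo() -> dict[str, bool]:
    """Run both verifiers against an honest reply and a substituted reply."""
    challenge = [4, 11, 16]        # constructed: what the server asked for
    known = {1, 2, 3}              # constructed: positions the adversary knows
    honest = {p: SECRET[p] for p in challenge}
    substituted = {p: SECRET[p] for p in known}  # correct pairs, wrong positions
    return {
        "honest_vulnerable": verify_vulnerable(SECRET, challenge, honest),
        "honest_hardened": verify_hardened(SECRET, challenge, honest),
        "substituted_vulnerable": verify_vulnerable(SECRET, challenge, substituted),
        "substituted_hardened": verify_hardened(SECRET, challenge, substituted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The only behavioural difference between the two verifiers is the line `set(response) != set(challenge)`: the hardened version compares the client's reply against the challenge the server recorded, so a reply that answers different positions is rejected even when every value in it is correct. A detection hook belongs at the same place: a reply whose positions do not match the issued challenge is never produced by a legitimate client and is worth alerting on.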
This attack is an advanced one and requires Eve to possess the session key. These flaws are logic flaws and may not fall under the bank's threat model, which assumes the application to be in the trusted computing base.
However, this assumption may not hold, given how easy it is to poison the phone's certificate store through an application with misleading permissions. Public key pinning would solve the sniffing problem; however, an adversary may be sniffing traffic on the first install and run of the banking application. In addition, these logic vulnerabilities would exist even in the web banking application. That should offer a wake-up call to policymakers of how important it is to know where their IT products originate.
A growing number of banks are starting to tell customers they should have been more careful with their passwords or personal data.
Another reason to always have some cash on hand. Keeping your money in these banks is starting to become a dangerous proposition.
Hate to say it but this seems like the start of some major trouble. Almost an online war of sorts that could do considerable damage to our financial infrastructure.
I did not know this. Keeping hard copies of account information and having your own cash stash is now smarter than ever. Thanks for a great article.
If it's not the government stealing information, it's a competitor government. SAD, but the old coffee can and shovels in the back yard are looking like the safer route these days.