Abstract
Internet banking security is set to take a major step forward: On September 14, 2019, the Regulatory Technical Standards of the Revised Payment Service Directive (PSD2) are going to be effective within the European Union and the European Economic Area. This regulation makes two widely demanded transaction security properties mandatory: two-factor authentication, and the dynamic linking of the authentication code to the transaction’s beneficiary and amount (full transaction authentication). Even though the regulation is undoubtedly a positive development from a security perspective, it does not account for all the technical and human weak points involved in the transaction process. In this paper, we look at a series of attacks targeting online and mobile banking that are possible even in a post-PSD2 era. Despite the regulatory motivation of this work, the presented issues and suggestions to address them are likely to be universal for internet banking in general.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Adham, M., Azodi, A., Desmedt, Y., Karaolis, I.: How to attack two-factor authentication internet banking. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 322–328. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_27
Bankenverband/GfK: Online-Banking in Deutschland (2018). http://go.bdb.de/UHbYz
Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S.P., Anderson, R.J.: Chip and skim: cloning EMV cards with the pre-play attack. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, pp. 49–64, 18–21 May 2014. https://doi.org/10.1109/SP.2014.11
Dhamija, R., Tygar, J.D., Hearst, M.A.: Why phishing works. In: Proceedings of the 2006 Conference on Human Factors in Computing Systems, CHI 2006, Montréal, Québec, Canada, pp. 581–590, 22–27 April 2006. https://doi.org/10.1145/1124772.1124861
Dmitrienko, A., Liebchen, C., Rossow, C., Sadeghi, A.-R.: On the (in)security of mobile two-factor authentication. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 365–383. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_24
Dutch Payments Association: Dutch banks introduce innovative IBAN-Name Check (2017). https://www.betaalvereniging.nl/en/actueel/persberichten/dutch-banks-introduce-innovative-iban-name-check/
Etaher, N., Weir, G.R.S., Alazab, M.: From ZeuS to zitmo: Trends in banking malware. In: 2015 IEEE TrustCom/BigDataSE/ISPA, Helsinki, Finland, vol. 1, pp. 1386–1391, 20–22 August 2015. https://doi.org/10.1109/Trustcom.2015.535
European Commission: Commission delegated regulation (EU) 2018/389 supplementing directive (EU) 2015/2366 of the European parliament and of the council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2018). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R0389
European Commission: Internet banking on the rise (2018). http://ec.europa.eu/eurostat/web/products-eurostat-news/-/DDN-20180115-1
European Union Agency for Network and Information Security: Flash note: EU cyber security agency ENISA; “high roller” online bank robberies reveal security gaps (2012). https://www.enisa.europa.eu/news/enisa-news/copy_of_eu-cyber-security-agency-enisa-201chigh-roller201d-online-bank-robberies-reveal-security-gaps
Fahl, S., Harbach, M., Oltrogge, M., Muders, T., Smith, M.: Hey, you, get off of my clipboard. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 144–161. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_12
Ferradi, H., Géraud, R., Naccache, D., Tria, A.: When organized crime applies academic results: a forensic analysis of an in-card listening device. J. Cryptogr. Eng. 6(1), 49–59 (2016). https://doi.org/10.1007/s13389-015-0112-3
Haupert, V., Maier, D., Müller, T.: Paying the price for disruption: how a fintech allowed account takeover. In: Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, pp. 7:1–7:10. ROOTS, ACM, New York (2017). https://doi.org/10.1145/3150376.3150383
Haupert, V., Maier, D., Schneider, N., Kirsch, J., Müller, T.: Honey, i shrunk your app security: the state of android app hardening. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 69–91. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_4
Konoth, R.K., van der Veen, V., Bos, H.: How anywhere computing just killed your phone-based two-factor authentication. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 405–421. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_24
Miller, C.: Here’s how iOS 12’s new security code auto-fill feature works (2018). https://9to5mac.com/2018/06/04/safari-security-code-auto-fill
Mulliner, C., Borgaonkar, R., Stewin, P., Seifert, J.-P.: SMS-based one-time passwords: attacks and defense. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 150–159. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39235-1_9
Mulliner, C., Golde, N., Seifert, J.: SMS of death: from analyzing to attacking mobile phones on a large scale. In: Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, 8–12 August 2011. http://static.usenix.org/events/sec11/tech/full_papers/Mulliner.pdf
Murdoch, S.J., et al.: Are payment card contracts unfair? (short paper). In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 600–608. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_35
Murdoch, S.J., Drimer, S., Anderson, R.J., Bond, M.: Chip and PIN is broken. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berleley/Oakland, California, USA, pp. 433–446, 16–19 May 2010. https://doi.org/10.1109/SP.2010.33
Rao, S.P., Kotte, B.T., Holtmanns, S.: Privacy in LTE networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016, Xi’an, China, pp. 176–183, 18–20 June 2016. http://dl.acm.org/citation.cfm?id=3021417
Rupprecht, D., Kohls, K., Holz, T., Pöpper, C.: Breaking LTE on layer two. In: IEEE Symposium on Security & Privacy (SP). IEEE, May 2019
Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), Oakland, California, USA, pp. 51–65, 20–23 May 2007. https://doi.org/10.1109/SP.2007.35
Schneier, B.: Stop trying to fix the user. IEEE Secur. Priv. 14(5), 96 (2016)
Watson, B., Zheng, J.: On the user awareness of mobile security recommendations. In: Proceedings of the 2017 ACM Southeast Regional Conference, Kennesaw, GA, USA, pp. 120–127, 13–15 April 2017. https://doi.org/10.1145/3077286.3077563
Zhang, X., Du, W.: Attacks on android clipboard. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 72–91. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08509-8_5
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 International Financial Cryptography Association
About this paper
Cite this paper
Haupert, V., Gabert, S. (2019). Short Paper: How to Attack PSD2 Internet Banking. In: Goldberg, I., Moore, T. (eds) Financial Cryptography and Data Security. FC 2019. Lecture Notes in Computer Science(), vol 11598. Springer, Cham. https://doi.org/10.1007/978-3-030-32101-7_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-32101-7_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32100-0
Online ISBN: 978-3-030-32101-7
eBook Packages: Computer ScienceComputer Science (R0)