[OWASP Sofia] Svetlin Nakov - Compromising Modern Online Banking Apps through Hijacking Android Device (27th of March, 2021)

Transcript

1. Live Demo: Compromising Modern Mobile Banking Apps through Hijacking Android

   Device Compromising Mobile Banking Apps Svetlin Nakov, PhD Co-Founder, Innovation and Inspiration @ Software University (SoftUni) https://nakov.com Software University (SoftUni) – http://softuni.org

2.  Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+

   technical books  3 successful tech educational initiatives (150,000+ students) About Dr. Svetlin Nakov 2

3.  Most modern baking apps are insecure!  Compromised smartphone

   == hacked mobile banking  Multi-factor authentication from single device == single-factor authentication!  First factor: username + password / PIN  Hacked smartphone provides all its passwords!  Second factor: OTP generator, implemented as mobile app  Controlled remotely by hackers!  Third factor: email or SMS confirmation (also hacked) Modern Banking Apps are Insecure! 3

4.  Physical access to the device  Attackers directly install

   remote control app / malware  No physical access  Attackers trick the user to install malware  Fake app in the app store / phishing / spoofing / other attack  Remote control the device (100% full access)  Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform Hijacking Android Mobile Phone 4

5. Warning! The following demo is for educational purposes only! Secretly

   hijacking mobile devices is illegal in most countries!

6. 1. Gain a physical access to the mobile device 

   E.g. Can you take a photo of me … Can I email myself the photo? Hijacking Android Mobile Phone – Example 6

7. 2. Install TeamViewer Hos t from the official app store

   3. Login in some TeamViewer account 4. Now the device is ready to connect Hijacking Android Mobile Phone – Example 7

8. Alternative: AnyDesk Remote Control 8

9.  AnyDesk allows unattended (silent) access:  Remote clients use

   password  Sessions are created without confirmation Unattended Access in AnyDesk 9

10. 5. Hide app notifications (optionally)  This will make the

    remote control invisible for the phone owner Hijacking Android Mobile Phone – Example 10

11. Hijacking Android Mobile Phone – Example 11 6. Connect remotely

    with TeamViewer Remote Control  View the phone's screen and click on it remotely

12. 7. Wait for the smartphone owner to unlock the device

     Remember the screen lock pattern  Most smartphones use lock screen  Unlocking is done by screen swipe or with pattern or PIN or Hijacking Android Mobile Phone – Example 12

13. Hijacking Android Mobile Phone – Example 13 8. View the

    saved passwords from the Web browser

14.  In some Android versions, apps may use Display.FLAG_SECURE to

    prevent screen capturing or recording  This may help only partially!  In Chrome passwords are invisible but can be copied to the clipboard!  Some screen recording apps bypass this "black screen" protection Some Apps Prevent Screen Capturing 14

15. Hijacking Android Mobile Phone – Example 15 9. Install a

    screen recorder to collect passwords and PIN codes through screencast videos

16.  Wait for the phone owner to login in the

    online banking  Or use a screen recorder  The username + password will be revealed Watching the Online Banking Passwords 16

17. Hijacking Android Mobile Phone – Example 17 9. Тhe mobile

    banking credentials can also be taken

18. 10. Uninstall TeamViewer Host (hide your tracks, optionally) Hijacking Android

    Mobile Phone – Example 18

19.  Lock Screen: unsafe PIN  visible; pattern  visible

    by default  Email, SMS, saved passwords  unsafe (direct access)  Google Authenticator  safe (black screen in new Android)  Revolut  safe (use fingerprint to login)  Wise  safe (use fingerprint to login)  Allianz Bank  unsafe (PIN visible, biometry can be disabled)  Unicredit Bulbank  unsafe (PIN visible, no biometry support)  Postbank  safe (use fingerprint + invisible PIN to login) What is Vulnerable? 19

20. Fixing the Online Banking Security Recommendations and Best Practices

21.  Use hardware OTP generators  Use biometry to unlock

    the OTP generator (like Revolut, Wise) Fixing the Online Banking Security 21  Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps

22.  Recommendations for improved mobile device security  Beware of

    apps you install  avoid suspicious apps  Don't give your phone to anyone (e.g. to kids to play games)  Prefer biometry (fingerprint, face ID) to unlock the screen  iOS is generally more secure than Android  iOS does not support remote control (only remote view)  Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone) Improving the Mobile Device Security 22

23. Questions? https://nakov.com Compromising Mobile Banking Apps