Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[OWASP Sofia] Svetlin Nakov - Compromising Mode...

OWASP Sofia
August 01, 2021
Technology
0
320

[OWASP Sofia] Svetlin Nakov - Compromising Modern Online Banking Apps through Hijacking Android Device (27th of March, 2021)

In this talk Dr. Svetlin Nakov will explain and demonstrate how easily a 10-years old child can gain full control over modern European online banking apps, through hijacking an Android mobile phone, using trivial remote administration tools and screen recording apps from the official Android app store. The speaker will demonstrate why online banking should not rely for the multi-factor authentication on a single connected device. Finally, the speaker will give recommendations for fixing the security in online banking systems.

Dr. Svetlin Nakov (https://nakov.com) is a passionate software engineer, inspirational technical trainer and tech entrepreneur, with 20 years of experience in a broad range of programming languages, software technologies and platforms, applied cryptography and cybersecurity. He is an author of the “Practical Cryptography for Developers” book (https://cryptobook.nakov.com). Svetlin is co-founder of several highly successful tech startups and non-profit organizations. Currently, he is innovation and inspiration manager at SoftUni (https://softuni.org) - the largest tech education provider in South-Eastern Europe

OWASP Sofia

August 01, 2021
Tweet

More Decks by OWASP Sofia

See All by OWASP Sofia
[OWASP Sofia] Dimitar Boyanov - XSS Attacks and Defenses (27th of April, 2021)
owaspsofia
1
320
[OWASP Sofia] Dan Cornell - AppSec Fast and Slow: Your DevSecOps CI⁄CD Pipeline Isn’t an SSA Program (July 27th, 2021)
owaspsofia
0
280
[OWASP Sofia] Atanas Pashov - Pros n Cons of Penetration Testing (June 27th, 2019)
owaspsofia
0
320
[OWASP Sofia] Angel Bochev - Penetration Testing: OSINT (May 9th, 2019)
owaspsofia
1
350

Other Decks in Technology

See All in Technology
AWS パートナー企業でテクニカルサポートに従事して 3年経ったので思うところをまとめてみた
kazzpapa3
1
180
利きプロセススケジューラ
sat
PRO
4
1.9k
신뢰할 수 있는 AI 검색 엔진을 만들기 위한 Liner의 여정
huffon
0
470
物価高なラスベガスでの過ごし方
zakky
0
490
AI機能の開発運用のリアルと今後のリアル
akiroom
0
170
フルカイテン株式会社 採用資料
fullkaiten
0
39k
Product Engineer Night #6プロダクトエンジニアを育む仕組み・施策
hacomono
PRO
1
520
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
What to do after `laravel new`
mattstauffer
0
120
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
2
660
全社横断データ活用推進のコツと その負債とのつき合い方
masatoshi0205
0
110

Featured

See All Featured
Statistics for Hackers
jakevdp
796
220k
Thoughts on Productivity
jonyablonski
67
4.3k
Become a Pro
speakerdeck
PRO
24
5k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Teambox: Starting and Learning
jrom
132
8.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Designing for humans not robots
tammielis
249
25k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
Faster Mobile Websites
deanohume
304
30k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M

Transcript

  1. Live Demo: Compromising Modern Mobile Banking Apps through Hijacking Android

    Device Compromising Mobile Banking Apps Svetlin Nakov, PhD Co-Founder, Innovation and Inspiration @ Software University (SoftUni) https://nakov.com Software University (SoftUni) – http://softuni.org

  2.  Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+

    technical books  3 successful tech educational initiatives (150,000+ students) About Dr. Svetlin Nakov 2

  3.  Most modern baking apps are insecure!  Compromised smartphone

    == hacked mobile banking  Multi-factor authentication from single device == single-factor authentication!  First factor: username + password / PIN  Hacked smartphone provides all its passwords!  Second factor: OTP generator, implemented as mobile app  Controlled remotely by hackers!  Third factor: email or SMS confirmation (also hacked) Modern Banking Apps are Insecure! 3

  4.  Physical access to the device  Attackers directly install

    remote control app / malware  No physical access  Attackers trick the user to install malware  Fake app in the app store / phishing / spoofing / other attack  Remote control the device (100% full access)  Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform Hijacking Android Mobile Phone 4

  5. Warning! The following demo is for educational purposes only! Secretly

    hijacking mobile devices is illegal in most countries!

  6. 1. Gain a physical access to the mobile device 

    E.g. Can you take a photo of me … Can I email myself the photo? Hijacking Android Mobile Phone – Example 6

  7. 2. Install TeamViewer Hos t from the official app store

    3. Login in some TeamViewer account 4. Now the device is ready to connect Hijacking Android Mobile Phone – Example 7

  8. Alternative: AnyDesk Remote Control 8

  9.  AnyDesk allows unattended (silent) access:  Remote clients use

    password  Sessions are created without confirmation Unattended Access in AnyDesk 9

  10. 5. Hide app notifications (optionally)  This will make the

    remote control invisible for the phone owner Hijacking Android Mobile Phone – Example 10

  11. Hijacking Android Mobile Phone – Example 11 6. Connect remotely

    with TeamViewer Remote Control  View the phone's screen and click on it remotely

  12. 7. Wait for the smartphone owner to unlock the device

     Remember the screen lock pattern  Most smartphones use lock screen  Unlocking is done by screen swipe or with pattern or PIN or Hijacking Android Mobile Phone – Example 12

  13. Hijacking Android Mobile Phone – Example 13 8. View the

    saved passwords from the Web browser

  14.  In some Android versions, apps may use Display.FLAG_SECURE to

    prevent screen capturing or recording  This may help only partially!  In Chrome passwords are invisible but can be copied to the clipboard!  Some screen recording apps bypass this "black screen" protection Some Apps Prevent Screen Capturing 14

  15. Hijacking Android Mobile Phone – Example 15 9. Install a

    screen recorder to collect passwords and PIN codes through screencast videos

  16.  Wait for the phone owner to login in the

    online banking  Or use a screen recorder  The username + password will be revealed Watching the Online Banking Passwords 16

  17. Hijacking Android Mobile Phone – Example 17 9. Тhe mobile

    banking credentials can also be taken

  18. 10. Uninstall TeamViewer Host (hide your tracks, optionally) Hijacking Android

    Mobile Phone – Example 18

  19.  Lock Screen: unsafe PIN  visible; pattern  visible

    by default  Email, SMS, saved passwords  unsafe (direct access)  Google Authenticator  safe (black screen in new Android)  Revolut  safe (use fingerprint to login)  Wise  safe (use fingerprint to login)  Allianz Bank  unsafe (PIN visible, biometry can be disabled)  Unicredit Bulbank  unsafe (PIN visible, no biometry support)  Postbank  safe (use fingerprint + invisible PIN to login) What is Vulnerable? 19

  20. Fixing the Online Banking Security Recommendations and Best Practices

  21.  Use hardware OTP generators  Use biometry to unlock

    the OTP generator (like Revolut, Wise) Fixing the Online Banking Security 21  Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps

  22.  Recommendations for improved mobile device security  Beware of

    apps you install  avoid suspicious apps  Don't give your phone to anyone (e.g. to kids to play games)  Prefer biometry (fingerprint, face ID) to unlock the screen  iOS is generally more secure than Android  iOS does not support remote control (only remote view)  Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone) Improving the Mobile Device Security 22

  23. Questions? https://nakov.com Compromising Mobile Banking Apps