Man in the Middle Attack on Banks

Post on 08-Jun-2015

462 views 1 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

description

Selenium scraping of other people's fun and profit

Transcript of Man in the Middle Attack on Banks

MAN IN THE MIDDLE ATTACK ON BANKS

Selenium scraping of other people's fun and profit

WHO? WHERE? WHAT?

Marko Elezović @melezov

tech lead at Instantor AB

Swedish bank aggregator

Alice Bob

IN A NUTSHELL

Alice BobstEve

IN A NUTSHELL

IN A NUTSHELL

LEGAL, SALES & TECH

LEGAL, SALES & TECH

LEGAL, SALES & TECH

[ ] I have read and agree to the EULA

LEGAL, SALES & TECH

[ ] I have read and agree to the EULA

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

identity (KYC)

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

identity (KYC)

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

identity (KYC)

cashflow (accounts / txns)

stEve says: “You cannot afford to take that loan at this rate”

stEve says: “OK, that will work”

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

identity (KYC)

cashflow (accounts / txns)

budget tool

LEGAL, SALES & TECH

[x] I have read and agree to the EULA

identity (KYC)

cashflow (accounts / txns)

budget tool

TECH

2010 – ???

2010 – ???

2010 – POST

2010 – POST

2010 – POST

2010 – POST

2010 – POST

2010 – POST

def login(number: String, otp: String) = { val req = Post( "https://www.zaba.hr/ebank/gradjani/Prijava" , "command" -> "Prijava" , "linkId" -> "446" , "AppIdentifikator" -> "0" , "KioskVersion" -> "0" , "br_tokena" -> number , "otp" -> otp ) sendAndLog(req, "Login POST")}

2010 – POT OF GOLD

2010 – POT OF GOLD

<xml/>

.csv

.xlsx .html

2010 – PO(S)T OF GOLD

def getTransactions(account: ZabaAccount, dates: Interval) = { val req = Post( "https://www.zaba.hr/ebank/gradjani/Gradjani" , "command" -> "PrometiPoRacunu" , "action" -> account.kind , "download" -> "N" , "cboBrojRacuna" -> account.number , "fieldDatumOd" -> dates.start , "fieldDatumDo" -> dates.end , "commandAction" -> "Prijava" ) sendAndLog(req, "Transactions POST for " + account.number)}

2010 – PO(S)T OF GOLD

2010 – PO(S)T OF GOLD

<div class='main'><div class="naslov"> <div class="title">Prometi</div> <div class='podnaslov'> <div class='title'>Prometi po računu&#160;<span style='font-weight:normal;'>HR602360000</span>1234567890 (tekući račun)&#160;za razdoblje od 05.10.2013. do 05.10.2014.</div> </div> <div id='prometiDospijeli'/><noscript language='JavaScript'><!--var prometiDospijeli=new Array();prometiDospijeli[0]=new Array('07/01/2013','1234567890123456','Pasivna kamata',0.01,null,78.82,'HRK');prometiDospijeli[1]=new Array('08/14/2013','1234567890123451','Uplata redovitog primanja',2677.83,null,4756.65,'HRK');prometiDospijeli[2]=new Array('08/19/2013','1234567890123452','Isplata',null,4750.00,6.65,'HRK');prometiDospijeli[3]=new Array('08/19/2013','1234567890123453','Uplata',20.00,null,26.65,'HRK');prometiDospijeli[4]=new Array('09/06/2013','1234567890123454','Naknada za korištenje - p.a. moderan',null,20.00,6.65,'HRK');prometiDospijeli[44]=new Array('04/01/2014','1234567890123455','Zatezna kamata po nedopuštenom prekoračenju',null,0.10,9.31,'HRK');prometiDospijeli[46]=new Array('04/14/2014','1234567890123456','Osobno primanje isplaćeno u cijelosti',2672.59,null,2661.90,'HRK');prometiDospijeli[57]=new Array('05/26/2014','1234567890123457','E-zaba prijenos - super sport - uplata na račun',null,2.20,0.12,'HRK');createDataTablePrometi('prometiDospijeli',prometiDospijeli);// --></noscript></div><noscript src='./JavaScript/InitPrometiValidation.js?v=1.18.00' language='JavaScript'></noscript>

<br /><br /></div></div></div>

2010 – PO(S)T OF GOLD

<div class='main'><div class="naslov"> <div class="title">Prometi</div> <div class='podnaslov'> <div class='title'>Prometi po računu&#160;<span style='font-weight:normal;'>HR602360000</span>1234567890 (tekući račun)&#160;za razdoblje od 05.10.2013. do 05.10.2014.</div> </div> <div id='prometiDospijeli'/><noscript language='JavaScript'><!--var prometiDospijeli=new Array();prometiDospijeli[0]=new Array('07/01/2013','1234567890123456','Pasivna kamata',0.01,null,78.82,'HRK');prometiDospijeli[1]=new Array('08/14/2013','1234567890123451','Uplata redovitog primanja',2677.83,null,4756.65,'HRK');prometiDospijeli[2]=new Array('08/19/2013','1234567890123452','Isplata',null,4750.00,6.65,'HRK');prometiDospijeli[3]=new Array('08/19/2013','1234567890123453','Uplata',20.00,null,26.65,'HRK');prometiDospijeli[4]=new Array('09/06/2013','1234567890123454','Naknada za korištenje - p.a. moderan',null,20.00,6.65,'HRK');prometiDospijeli[44]=new Array('04/01/2014','1234567890123455','Zatezna kamata po nedopuštenom prekoračenju',null,0.10,9.31,'HRK');prometiDospijeli[46]=new Array('04/14/2014','1234567890123456','Osobno primanje isplaćeno u cijelosti',2672.59,null,2661.90,'HRK');prometiDospijeli[57]=new Array('05/26/2014','1234567890123457','E-zaba prijenos - super sport - uplata na račun',null,2.20,0.12,'HRK');createDataTablePrometi('prometiDospijeli',prometiDospijeli);// --></noscript></div><noscript src='./JavaScript/InitPrometiValidation.js?v=1.18.00' language='JavaScript'></noscript>

<br /><br /></div></div></div>

2010 – PO(S)T OF GOLD

<div class='main'><div class="naslov"> <div class="title">Prometi</div> <div class='podnaslov'> <div class='title'>Prometi po računu&#160;<span style='font-weight:normal;'>HR602360000</span>1234567890 (tekući račun)&#160;za razdoblje od 05.10.2013. do 05.10.2014.</div> </div> <div id='prometiDospijeli'/><noscript language='JavaScript'><!--var prometiDospijeli=new Array();prometiDospijeli[0]=new Array('07/01/2013','1234567890123456','Pasivna kamata',0.01,null,78.82,'HRK');prometiDospijeli[1]=new Array('08/14/2013','1234567890123451','Uplata redovitog primanja',2677.83,null,4756.65,'HRK');prometiDospijeli[2]=new Array('08/19/2013','1234567890123452','Isplata',null,4750.00,6.65,'HRK');prometiDospijeli[3]=new Array('08/19/2013','1234567890123453','Uplata',20.00,null,26.65,'HRK');prometiDospijeli[4]=new Array('09/06/2013','1234567890123454','Naknada za korištenje - p.a. moderan',null,20.00,6.65,'HRK');prometiDospijeli[44]=new Array('04/01/2014','1234567890123455','Zatezna kamata po nedopuštenom prekoračenju',null,0.10,9.31,'HRK');prometiDospijeli[46]=new Array('04/14/2014','1234567890123456','Osobno primanje isplaćeno u cijelosti',2672.59,null,2661.90,'HRK');prometiDospijeli[57]=new Array('05/26/2014','1234567890123457','E-zaba prijenos - super sport - uplata na račun',null,2.20,0.12,'HRK');createDataTablePrometi('prometiDospijeli',prometiDospijeli);// --></noscript></div><noscript src='./JavaScript/InitPrometiValidation.js?v=1.18.00' language='JavaScript'></noscript>

<br /><br /></div></div></div>

2010 – POST

2011 – POST

2011 – POST MORTEM

2011 – SELENIUM

2011 – SELENIUM

def doLogin(userCode: String, password: String) = { val UserCode = By.xpath("//input[@id and @name='username']") val Password = By.xpath("//input[@name='password']") val ButtonOk = By.xpath("//button[@name='loginButton']")

findElement(UserCode).sendKeys(userCode) findElement(Password).sendKeys(password) findElement(ButtonOk).click()}

2012 – SELENIUM (34SE)

2012 – SELENIUM (34SE)

Selenium 1.xSelenium

+WebDriver

(2.x)

2012 – SELENIUM 2.X

• Non – JavaScript based

• Dismiss dialogs & alerts

• Upload / Download files (Save as…)

• Firefox, Chrome, Opera, IE, …

2012 – SELENIUM 2.X

• Non – JavaScript based

• Dismiss dialogs & alerts

• Upload / Download files (Save as…)

• Firefox, Chrome, Opera, IE, …

Missing remote session support!

2012 – SELENIUM 2.X

• Non – JavaScript based

• Dismiss dialogs & alerts

• Upload / Download files (Save as…)

• Firefox, Chrome, Opera, IE, …

Missing remote session support!https://github.com/tferega/selenate

2012 - SELENATE

• Runs on Akka remote

• Session support through GUIDs

• M-N session connectivity

2012 - SELENATE

• Runs on Akka remote

• Session support through GUIDs

• M-N session connectivity

Client

Servers(no session IDs)

2012 - SELENATE

• Runs on Akka remote

• Session support through GUIDs

• M-N session connectivity

Client

Servers(no session IDs)

Production client Debug

client

session #3FCArunning on node 4

session #2898running on node 2

2014+ - SELENATE 3.0

• Akka cluster support

• (gossip protocol)

2014+ - SELENATE 3.0

• Akka cluster support

• (gossip protocol)

• Robot & Sikuli support

• OCR through Tesseract

2013 – PATTERN MATCHING

• approx. hundred “lines” for what was previously a simple POST

2013 – PATTERN MATCHING

• approx. hundred “lines” for what was previously a simple POST

• multiple selectors and failovers

• ID -> Name -> Title -> Regex

2013 – PATTERN MATCHING

• approx. hundred “lines” for what was previously a simple POST

• multiple selectors and failovers

• ID -> Name -> Title -> Regex

• countless bugs & special cases

2013 – PATTERN MATCHING

• approx. hundred “lines” for what was previously a simple POST

• multiple selectors and failovers

• ID -> Name -> Title -> Regex

• countless bugs & special cases

Refactoring special cases is DIFFICULT

PHILOSOPHICAL YAMMER

I have seen things you people wouldn't believe...Submit buttons, disabled for days…I watched broken TLS implementations break 20% of all requests.All those bugs will be lost in time, because I didn’t take screenshots.

- Replicator node 7, Selenium Runner

SECURITY THROUGH OBSCURITY

SECURITY THROUGH OBSCURITY

SECURITY THROUGH OBSCURITY

SECURITY THROUGH OBSCURITY

Pro tip:Virtual Frame Buffer

(Xvfb)

SECURITY THROUGH OBSCURITY

SECURITY THROUGH OBSCURITY

SECURITY THROUGH OBSCURITY

SECURITY THROUGH OBSCURITY

LiveConnect?

LIVECONNECT ._.

LIVECONNECT ._.

Legend:

JRE version

Firefox version

Point in time

6u45

7u15

7u51

7u45

7u25

8u20

8u11

FF18 FF21

2011

2012

FF15

2013

FF29

FF40

DANID PSYCHOLOGICAL OPERATIONS DIVISON SECRET WEAPON

DANID PSYCHOLOGICAL OPERATIONS DIVISON SECRET WEAPON

Wuddlecakes

DANID PSYCHOLOGICAL OPERATIONS DIVISON SECRET WEAPON

WuddlecakesFoofieface

DANID PSYCHOLOGICAL OPERATIONS DIVISON SECRET WEAPON

WuddlecakesFoofiefaceWoogycute

LoverschnookumloveSchmoopiecake

WooglecakesCuddlypooPoofcuddle

MoopsiewookieWookumdarlingSnookieKissie

PLENTY MORE WHERE THAT CAME FROM!

CATS ARE USELESS

Alice Bob

CATS ARE USELESS

Alice Bob

CATS ARE USELESS

Alice Bob

Alice BobstEve

CATS ARE USELESS

Alice BobstEve

CATS ARE USELESS

Alice BobstEve

CATS ARE USELESS

LESS RANTS,HIGER SECURITY BY 2015

F.Q.A.

F.Q.A.(Faked Questions from the Audience)

def doLogin(userCode: String, password: String) = { val UserCode = By.xpath("//input[@id and @name='username']") val Password = By.xpath("//input[@name='password']") val ButtonOk = By.xpath("//button[@name='loginButton']")

findElement(UserCode).sendKeys(userCode) findElement(Password).sendKeys(password) findElement(ButtonOk).click()}

F.Q.A.(Faked Questions from the Audience)

def doLogin(userCode: String, password: String) = { val UserCode = By.xpath("//input[@id and @name='username']") val Password = By.xpath("//input[@name='password']") val ButtonOk = By.xpath("//button[@name='loginButton']")

findElement(UserCode).sendKeys(userCode) findElement(Password).sendKeys(password) findElement(ButtonOk).click()}

F.Q.A.(Faked Questions from the Audience)

PhantomJS

CasperJS

SlimerJS

THANX

Questions?

We’re hiring!

Top related

SSL Spoofing Man-In-The-Middle attack on SSL Duane Peifer.
 Documents
Security for 5G Mobile Wireless Networks · •Active attack (man-in-the-middle(MITM) attack, replay attack, Dos, DDos) Cryptographic techniques •Cryptography (Symmetric-key, public-key)
 Documents
Man-in-the-Middle Attack on Mobility and E-commerce Oleg Kolesnikov Georgia Institute of Technology.
 Documents
Wiretapping via Mimicry: Short Voice Imitation Man … via Mimicry: Short Voice Imitation ... ond attack, called the short voice morphing attack, ... voice, and inserts them ...Published
 Documents
Popular Protocol attack Smurf Attack Introduction: … Protocol attack!Smurf Attack!SYN attack!UDP Attack, ICMP Attack!CGI request attack!Authentication server attack!Attack using
 Documents
Games Family 3000 in 1... 115Amigo 1594Ms. Pac Attack 116Andro Dunos 1595Ms. Pac-Man 117Angel Kids 1596Ms. Pac-Man 118Anteater 1597Ms. Pac-Man
 Documents
Stealing The Internet An Internet-Scale Man In The Middle Attack Tony Kapela tk@5ninesdata.com.
 Documents
10-XX Disaster Response SO work (Newsletter) Response Staff Officers...•Nuclear attack •Radiological attack Table 1-1b. Types of man-made disasters and hazards Stafford Act Declarations
 Documents
Banks under attack: Presentation to SEB Bank Baltics management about the #FinTech revolution
 Business
Quantum man-in-the-middle attack on the calibration ...
 Documents
Man-in-the-Middle Attack on Mobility and E-commerce
 Documents
Man-in-middle-attack (MITM) - Portal
 Documents
Seculabs eBook - Wi-Fi Packet Capturing & Session Hijacking - Man in the Middle Attack
 Documents
OpenSSL Vulnerable to Man-In-The-Middle Attack and Several Other Bugs - The Hacker News
 Documents
ATTACK, ATTACK, ATTACK
 Documents
Learning-based Attacks in Cyber-Physical Systemsmjkhojas/Papers/LB-slide.pdfThe man in the middle attack types Replay attack Statistical-duplicate attack Learning-based attack 9 Y.
 Documents
Adaptive Secure Network - Cisco · attack mitigation • Integrated security service modules for high-performance threat protection and secure connectivity • Man-in-the-middle attack
 Documents
An Example of a Man-in-the-middle Attack Against Server ... · An Example of a Man-in-the-middle Attack Against Server Authenticated SSL-sessions Mattias Eriksson (mattias.eriksson@simovits.com)
 Documents
Introducing Man in the Contacts attack to trick encrypted messaging apps
 Software
Arthropods that attack man and domestic animals in British ...
 Documents

Copyright © 2022 FDOCUMENTS