Hackers Can Hack Smartphone Bank Transactions

The transferring of TAN Numbers on the phone for the online banking is apparently much less secure than previously thought. After has become just known that scammers have captured more than one million euros with chopped TAN number, two attest Erlanger security researchers tested procedure for safety deficiencies.

Hackers Can Hack Smartphone Bank Transactions
Demolished plate of a savings bank in Berlin: Online Banking on your Smartphone is not as safe as expected if the TAN numbers generator on your Smartphone. Two researchers at the example of banking APP demonstrated that.

The bank customer no longer has large selection if he wants to use online banking. Either he settles to a TAN numbers device, which communicates with the server of the Bank on the Internet and schließelich a TAN indicates upper but it uses the cell phone. Many banks are pushing their customers to online banking on the Smartphone in the app-based push-TAN method. A special app that is only there to generate a transaction number for each transfer, it adds the actual banking app on your Smartphone. Two apps on a device to banking by on the road safely and comfortably make.

“You receive TANs on the go on your Smartphone or Tablet anytime, anywhere”, touts the Sparkasse in the Internet for mobile banking in the so-called ‘pushTAN procedure’. However, this procedure is not that certain apparently think the two security researchers Vincent Haupert and Tilo Müller of the Friedrich-Alexander University in Erlangen-Nuremberg. The problem is that both apps are often stored on the same device.

Hackers Can Hack Smartphone Bank Transactions_
Scene from a promotional movie of the Sparkasse Allgäu: is online banking with SMS-TAN is described as absolutely sure.

The TAN app generates the transaction number (TAN) for a referral or other action… This TAN in turn is used to confirm a transaction which is carried out with the actual banking app. Both apps can thus be on the same device: “You need only one device, to access your account and transfer money,” Sparkasse describes the convenience factor of the process. And that is the gateway for hackers.

Check the Trojans both apps on the same machine

If a transfer on the same device will pay, the also manages the generation and reception of TANs, this procedure could not protect in principle from banking Trojans, the two researchers warn. A banking Trojan, which runs with system privileges and thus in a higher level of privilege than the used apps themselves, is always in a position to circumvent any protection mechanisms.

To verify the security of such app-based TAN procedure, Erlanger researchers have developed an attack on push-TAN method of the savings bank and realized. He succeeded in placing malicious software on the Android Smartphone of a fictional victim, to manipulate transactions via banking app and to confirm these manipulated transactions per app. For demonstration purposes, they increased a transfer sum of 10 cents to €13.17 and changed the receiver of the transfer, without that it would have been apparent to the victim.

The researchers with the “S-pushTAN-app” and “Sparkasse” banking app worked for their demonstration. However, other banks like the Volksbanken, Raiffeisenbanken, Hypo Vereinsbank, the DKB and the ING-DiBa would have appropriate apps on sale, inform Haupert and Müller and assume that other German banks will follow.

Savings Banks Hold Procedure

The two researchers had been working with an older version of the S-pushTAN app for Google Android, takes position to the manipulation of Deutsche Bank. The attack is not possible with the current version 1.0.5 of pushTAN app. It goes on to say, that have the attack opportunity presented by the researchers without result, “that it will come also to actual fraud against customers. The implementation of full atacks has an extremely high degree of complexity.”

Hackers Can Hack Smartphone Bank Transactions__
Two researchers succeeded a transfer for test manipulation. It is possible if banking APP and the APP generating the TAN are on the same Smartphone. (most banks use this solution)

In principle however does not conceptual weakness, pointing out the Erlanger researchers. Security in online banking will neglected in favor of convenience when held the so-called “two-factor authentication” on one device and no additional devices are required like other TAN procedure.

So is the chip-TAN procedure the TAN produced by an extra device, the TAN-generator, and entered in the banking software on a computer. And the mTAN procedure, a TAN, which was sent to a mobile device, confirmed the transaction in the PC application. An attacker must bring two independent devices for these two procedures so under his control – actually happen as in the recently known hack of the mTAN procedure for mobile customers of Telekom and possibly other.

Otherwise the app-based TAN procedure: “The conscious renunciation of stand-alone hardware for transaction triggering and confirmation makes the procedure for malicious software to easy prey”, determine the Erlanger Researchers. It was all the more frightening the TÜV have classified the new procedure, despite its obvious design weaknesses, as a particularly safe and certified.