Reverse engineering Internet banking

Abstract

This paper presents a security analysis of the online banking system of one of the most important banks of the Netherlands. New security devices have been designed in order to authorize transactions in a handy and user- friendly way. In doing so, it has been attempted to strengthen the online authentication system using hand-held smartcard readers connected by a USB-cable to a PC. These USB-connected smartcard readers are devices with a small display and numeric keyboard with two additional keys in order to accept or deny operations. The customers of Internet banking can perform any operation in a ¿secure way¿ with such devices. In this document we will discuss different USB-connected smartcard readers from several Dutch banks. For ABN-AMRO we will discuss the smartcard reader called the e.dentifier2 made by Gemalto, which we will principally focus on it in more detail, and for ING the reader DigiPass 850, made by VASCO. We will focus on reverse engineering the ABN-AMRO¿s readers. We will verify that last attack [1] on those devices is not working in the new version of the e.dentifier2 and we will also reverse engineer some additional func- tionalities,which were not considered in earlier research about ABN-AMRO e.dentifier2 reverse engineering [2], and currently do not seem to be used in ABN-AMRO¿s internet banking website. These additional functionalities [6] could be used for authentications and transactions in Internet banking in the future.