Now, once he writes a better app, what do you think the bank will do? Hire him (or buy the app), or fight him?
How much effort do we collectively waste because of moronic organizations that force their crap upon us, that we cannot escape from? (You can go to a different bank, but what if they all uniformly suck?)
> what do you think the bank will do? Hire him (or buy the app), or fight him?
Ignore. Most likely they didn't write the app, but rather contracted the work to some company that specialises in writing apps. There's no reason for the bank to hire him. He didn't produce any better app either.
I'm all in for a good rant about companies preventing reverse-engineering and modifications of software, but I really don't believe this is the right article for it.
Lots of apps require you to flash a new ROM actually. Dropbox and Gmail to name a couple.
This is particularly obvious in the case of media companies and banks. If they provided a nice API instead of specialised webapps, there'd be beautiful and more functional applications available for free to their customers within weeks.
P.S. Consider yourself lucky to have such a bank. Here in the U.S., our major banks do not take security seriously by any stretch of the imagination (they have little incentive to).
To fix the bug you mention -- root access from phone -- perhaps you could use something like Yubikey Neo loaded with ykneo-oath. I was searching the code for ykneo-oath (it's a java applet for the small key) to see where the timestamp was used for the dates, but it appears to be part of the YubiOATH app: https://play.google.com/store/apps/details?id=com.yubico.yub... So you'd have to modify the app source (it's on github). The advantage, however, is that your secret isn't stored on your phone and vulnerable to root apps. Instead, your secret is on a mostly-offline key inaccessible from your phone. There's a YouTube video on how it uses NFC to get that OTP from the Yubikey when you need it. In case you're somewhat extremely paranoid, this might interest you. :) For the truly paranoid, you've found a way to disable account recovery methods while mixing time-based and counter authentication mechanisms ;-)
Most online banking will now require a code created per transaction that is 1. either sent to you via text on your mobile phone (and is thus prone to phone malware) or 2. is generated using an external device and the chip on your banking card (a true two factor authentication). Both systems will show you the exact details (target account, amount to be sent) before confirming the transaction. A virus on the computer is not sufficient to hijack your account.
Just out of curiosity: What security measures do your banks employ and do they allow you to upgrade to a higher security level?
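The per-transaction code described above works because the device computes it over the transaction details it shows on its own display, not just over a random challenge. The following is an added illustration, not code from the thread or from any bank: the HMAC-SHA256 construction, the 8-digit truncation, the field encoding, the card key, the PIN and the IBANs are all constructed for the example, since chipTAN-style schemes are not publicly specified.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the secret inside the card's chip; the bank holds a copy.
CARD_KEY = bytes.fromhex("8f3c" * 16)
CARD_PIN = "4321"   # constructed; verified by the card, never transmitted


def auth_code(card_key: bytes, challenge: str, account: str, amount_cents: int) -> str:
    """Assumed construction: HMAC-SHA256 over the bank's challenge AND the
    transaction fields, truncated to 8 decimal digits. Because account and
    amount are inside the MAC, the code is valid for exactly this transfer."""
    message = f"{challenge}|{account}|{amount_cents}".encode()
    digest = hmac.new(card_key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def device_code(pin: str, challenge: str, account: str, amount_cents: int) -> str:
    """The external reader: checks the PIN locally, displays account and amount
    to the user (the trusted display), and returns the code to type in."""
    if pin != CARD_PIN:
        raise PermissionError("wrong PIN")
    return auth_code(CARD_KEY, challenge, account, amount_cents)


def bank_verify(challenge: str, account: str, amount_cents: int, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = auth_code(CARD_KEY, challenge, account, amount_cents)
    return hmac.compare_digest(expected, code)


def new_challenge() -> str:
    """Fresh random challenge shown on the website for each transaction."""
    return f"{secrets.randbelow(10**8):08d}"


def demo() -> dict:
    """Constructed scenario: the user confirms a 50.00 transfer on the reader;
    malware on the PC then tries to change what is sent to the bank."""
    challenge = "48213907"                       # constructed; bank would use new_challenge()
    account, amount = "NL01BANK0123456789", 5000  # what the user sees on the device
    code = device_code("4321", challenge, account, amount)
    return {
        "honest": bank_verify(challenge, account, amount, code),
        "account swapped by PC malware": bank_verify(challenge, "NL99EVIL0000000001", amount, code),
        "amount changed": bank_verify(challenge, account, 500000, code),
        "replayed with a new challenge": bank_verify("11111111", account, amount, code),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the honest case verifies. This is the property that makes option 2 resistant to a compromised PC: malware can alter what the browser submits, but it cannot produce a code for the altered transfer without the card key, and the user will notice if the reader shows details they did not intend to confirm. Option 1 (SMS) has the same binding only if the user reads the details in the text, and the text itself travels over the phone network.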
To make an online transaction with it you insert your debit card into it, enter a random sequence of digits displayed on the bank website as well as your PIN in the dongle to get a sequence of digits that you enter into the dongle again.
I found it annoying to have to carry this device everywhere in case I needed to make a bank transaction, so I went with the only bank in The Netherlands that does TAN codes, ING.
Every 6-8 months or so I'll get a sheet of 100 TAN codes in the snail mail, I'll OCR the full sheet with an offline-enabled Android app whose name I forget, convert it to a text file, edit it a bit, and encrypt the text file with GPG.
Then when I need to make transfers I can ssh to a box or use my laptop to "gpg -d tan.txt.gpg | grep ^123" where 123 is the TAN code number that the online form requests.
They recently amended this system so that there's a second set of TAN codes (that comes in another snail mail) that they'll supposedly ask for if you make a transaction from a suspicious IP address, I've yet to use one of those.
It sucks a bit but I find it far better than having to carry some device on my person at all times.
In addition, the Nordea mobile app uses a request to activate a single 4..8-digit password for read only access to your information. (I may have reverse engineered the app a tiny little bit to find this out. The underlying HTTPS API is, as one might imagine from a banking app, terrible.) Beyond that, you still need the above login procedure to do writes (transactions) with the app.
And I liked that their service is not fancy for fanciness' sake. (In terms of the way the website looked and functioned)
No longer a customer, unfortunately.
That said though, I'm so happy Nordea finally added free TSV export of bank statement data. I rolled my own analytics script in Python based on that... :)
First, I think chipTAN is not publicly documented, and given banks' track record in security matters, I certainly would not want to trust a system that is not publicly documented, and secondly, using a card that I am supposed to carry around all day instead of putting it into my safe at home for transaction authentication doesn't sound like that bright an idea to me.
mTAN is completely braindead, of course, given the essentially non-existent security of mobile networks.
So until something better comes around chipTAN's "hopefully/maybe some level of cryptographic based security" beats "sheet of paper with no verification at all" ;).
Also, how do you know that chipTAN has not been used for stealing money yet? Criminals commonly don't publish their methods, and as far as banks are concerned, the customer did something wrong and is lying unless the customer can prove that the (proprietary) security system is broken. Not exactly favourable conditions for finding out about security problems.
Also, how do you know that finding a security flaw in chipTAN/some chipTAN implementation is more difficult than finding a security flaw in your web browser for someone who is motivated by the monetary reward of doing so? You are aware of the gaping security holes in GSM SIM card software, for example?
I think you are making a whole lot of not particularly well-supported assumptions there.
Makes me want to ask: you really want to charge me for an SMS after all the interest you make from me leaving my money there?
But I suppose TANs are still preferred by the luddites that abound in Germany
Fresh in my mind is the Wii U controller reverse-engineering presented at 30C3, where the WPA-PSK handshake protocol was tweaked by performing bit-rotations on the resulting keys.
Especially since this is just OATH-TOTP under the hood, with a weird key provision scheme that uses SHA1 of the device's ID (huh?) instead of a bank- or user-provided random key.
On the contrary, I think it should be open, so anyone can audit the application.
(To do that, you would have to install a new client on the victim's device that will increment its counter and tell you the counter when you ask.)
On the other hand, counter-based tokens as you described them do exist, and it would indeed be simple to detect if one of those was cloned.
I wouldn't even call this an attack, given that you would need physical access to a rooted device to carry it out.
Apart from this, awesome read.
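Two points in the comments above deserve a concrete illustration: the remark that the app is plain OATH-TOTP with a key derived as SHA1 of the device ID, and the observation that a cloned counter-based (HOTP) token is detectable by the server while a cloned TOTP secret is not. The block below is an added example, not the reverse-engineered app's code: the HOTP/TOTP functions follow RFC 4226 and RFC 6238 (and reproduce their published test vectors), while the device-ID encoding, the constructed device ID, the verifier's look-ahead window and the RFC test key used as a stand-in secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# --- RFC 4226 / RFC 6238, the standards the article's app adheres to --------

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10**digits:0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(time / step)."""
    return hotp(key, unix_time // step, digits)


# --- Weak provisioning: key derived from the device ID ----------------------

def key_from_device_id(device_id: str) -> bytes:
    """Key derivation as the thread describes it (SHA1 of the device ID).
    The exact encoding of the ID is an assumption made for this example."""
    return hashlib.sha1(device_id.encode()).digest()


def weak_provisioning_demo(unix_time: int) -> bool:
    """Anyone who learns the device ID can reproduce the user's codes:
    the 'secret' is only as secret as the identifier it was derived from."""
    device_id = "358240051111110"   # constructed, not a real identifier
    user_code = totp(key_from_device_id(device_id), unix_time)
    attacker_code = totp(key_from_device_id(device_id), unix_time)
    return user_code == attacker_code


# --- Counter-based tokens: cloning becomes visible to the server ------------

class HotpVerifier:
    """Server side: accepts a code only for a counter above the last accepted one,
    searching a small look-ahead window for codes the user generated but never sent."""

    def __init__(self, key: bytes, window: int = 10):
        self.key, self.window, self.last = key, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last = c
                return True
        return False

    def looks_replayed(self, code: str) -> bool:
        """A rejected code that matches an already-consumed counter is a far
        stronger signal than a typo: a second copy of the token is in use."""
        return any(hmac.compare_digest(hotp(self.key, c), code)
                   for c in range(max(0, self.last - self.window), self.last + 1))


def clone_detection_demo():
    """Constructed scenario: the attacker copies key AND counter from a rooted
    device after the victim has used the token three times."""
    key = b"12345678901234567890"   # RFC 4226 test key, used as a stand-in secret
    server = HotpVerifier(key)
    outcomes, victim_counter = [], 0
    for _ in range(3):                              # victim logs in: counters 0, 1, 2
        outcomes.append(server.verify(hotp(key, victim_counter)))
        victim_counter += 1
    clone_counter = victim_counter                  # clone starts where the victim was
    for _ in range(2):                              # clone logs in: counters 3, 4
        outcomes.append(server.verify(hotp(key, clone_counter)))
        clone_counter += 1
    stale = hotp(key, victim_counter)               # victim's next code is for counter 3
    outcomes.append(server.verify(stale))           # rejected: server has moved to 4
    return outcomes, server.looks_replayed(stale)


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))         # RFC 4226 vector: 755224
    print(totp(b"12345678901234567890", 59, digits=8))  # RFC 6238 vector: 94287082
    print(clone_detection_demo())                   # ([True, True, True, True, True, False], True)
```

The last call shows the asymmetry the comments point at: once the clone has advanced the server's counter, the legitimate device's next code falls behind and is refused, and the server can tell that the refused code belongs to a counter it already consumed rather than being random noise. With TOTP the original and the clone emit identical codes indefinitely, so nothing on the server side distinguishes them; that is why copying the secret from a rooted phone is the whole game, whatever provisioning scheme produced it.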
I suppose my bank token uses the same structure and produces a similar code (though I haven't reverse-engineered it).
Some years ago I stumbled upon something similar on a webpage, posted it on reddit, and the next day the IT manager of the company called me... it was one of the most embarrassing days of my life.
Lesson: don't mess with other people's work just because you can...
On top of that, why would you ever feel embarrassed? Perhaps if you posted something very damaging with the sole intent of harming that person, then realised they weren't responsible for the problem.
On the other hand, if anything, I exposed that they did a good job. They could have rolled out their own crypto, or some flawed form of code generation, in which case I would have disclosed it to them through proper means. But they adhered to standards (TOTP, RFC6238) and protected their data as well as possible. This article should be seen as praise.
Then again, corporations aren't always that understanding, which is why I would be happy to comply.
TOTP and co. require a private key, just like all crypto. If you have that private key, bad things happen. This is not exactly news at 11.