
G1234! - Breaking Smart [Bank] Statements - Manuel Nader

BSides Las Vegas, 36:33, published 2019-10
Ground1234! track, BSidesLV 2019, Tuscany Hotel, Aug 07, 2019
Transcript [en]

Thank you. Hello everyone, welcome. Today I'll be presenting Breaking Smart Bank Statements: how to read a bank statement without a password. This will be the agenda for today: a little bit of context, the analysis of the file, the analysis of the JavaScript, a brief talk about RC4, a demo, the analysis after the fix, conclusions and Q&A.

So, who am I? I work as a security researcher at Trustwave SpiderLabs; that's the shirt I have on. I previously worked on the offensive side of security as an ethical hacker, and before that I worked on the defensive side as a network security monitor. I really like web attacks, everything web related, defense and offense on them. Denial of service is also a very, very interesting topic: how can a few people or a few servers bring huge things down? That's really interesting; if anyone is interested we can discuss both of them for hours. Other things that I really like, and that we can discuss for a lot of time, are dogs and tacos; I can definitely talk about them for a lot, a lot of time. There's my Twitter handle if someone wants to follow me.

Context. This research I did last year. It's half here; most of those banks are really, really big, because we only have like 20 banks in the whole country, like 10 of them are the big ones and five are really big. This is the disclosure timeline. So I disclosed this to the SpiderLabs research intelligence team on March 21st last year; the next day they contacted the vendor. The intelligence team is an internal team inside SpiderLabs; they helped us with all the responsible disclosure, they helped us contact the vendor, do it properly, and they help us as researchers a lot. The vendor responded, and on July 19 they confirmed to us it was fixed. I took a look and it was indeed fixed. Who's the bank? The name is Citibanamex; it's one of the largest banks in Mexico, according to Forbes Mexico it's the third biggest bank, and it's part of Citigroup, which is one of the biggest groups in the world. In Mexico it's possible to get your monthly bank statement via email; usually you get something like this. I receive it every month, more or less. If you look closely there's the attachment at the bottom.

And there is the Mexican banking and securities regulator, which is part of Mexico's central bank; they have the legal faculty to regulate banks. They have a very big document, the name is Circular Única Bancaria, which is like a legal precept or a legal standard. So it's not exactly a law, but it's really something important; they must follow it, because the institution has enough power to tell how the rules are. If you don't follow that big document they could even close a bank; it has never really happened that I know of, but they have enough power to say to a bank, "you can no longer do business in Mexico", so every bank really takes this seriously. In that document, title 5, chapter 10, section 2, article 313 (it's a very big document), it says that banks can send bank statements via email, but security mechanisms must be in place so that no unauthorized third party can read it, and it also states that the communicated bank statement must be encrypted. It's a legal document, so it's not very technical, but there is a requirement to do it and to do it properly. So this is really important. In Mexico most banks send your bank statement either as a zip file or as a PDF; both are encrypted. This started like 8 or 10 years ago; every bank started to do it electronically. It's cheaper, it's supposed to be safer, and it's easier.

Citibanamex uses two types of bank statement: the encrypted PDF, which is used for most accounts like debit accounts, payable accounts, etc., and the smart statement, which they only send to, like, the highest branch of credit cards, the Gold, Prestige and Beyond. They had these frequently asked questions and it's really fun, like "is the smart statement safe?", and their official answer was like, yeah, it has the highest security protocols worldwide, which is why it's just as safe as your PDF account statement. Every time I read things like "highest security protocols" or "worldwide" or "military-grade encryption", that's definitely something that, as a researcher, you should take a look at. You should start digging, like, why do they say highest security protocols? How are they so sure?

I'll start analyzing the file. This is the HTML file they send you as an attachment every month. It's a very simple file: you just open it and it says "welcome, [your name], last three digits of your credit card, please input your password", a password field and a submit button. If you put an incorrect password it says "password is incorrect, try again". If you put the correct password the whole page changes and it says like "welcome to your smart statement, are you ready for an improved experience with your bank statement?", and then there's all the bank statement. I think that's also a little bit different, because the bank statement has a lot of private information: there's your full name (I covered my name, but there's your full legal name), there's your full address, there is your fiscal number and there is also the credit card number. All of that is in that file, also all the money you move, where you spend it, blah blah blah. So this kind of information you definitely don't want anyone to see; that's why the law requires that there are important security mechanisms in place.

I started looking at the file. It's a simple HTML, it's around 2 or 3 megabytes, depending on how much you spend that month. It contains a lot of JavaScript, more than 90%; there is a little bit of styling and very, very little HTML. That HTML is just the thing that we saw two slides ago, the welcome and the input text, and that's it. I opened the file with a text editor and I saw a lot of unreadable data, like the one on the right; that's a lot, a lot, a lot of data like that, and there is no distinguishable format. So my next step was to start analyzing the JavaScript: more than 90 percent is JavaScript, there must be something fun in there. It has a lot of variables; it has 31 functions and a lot of variables. Some of those variables are very easy to relate: they have something in common and they have a very similar name, like xscript0, xscript1, xscript2, xscript3, etc. So there's definitely something going on in there. One variable is very interesting; the name is validatePassword. After understanding the JavaScript and the flow, the logic is the following: the user submits the password, then a SHA-1 hash is calculated (I know) and that one is stored as hashTypePassword; a second hash is obtained and it's compared against the variable validatePassword; if they are equal they start decrypting the message, passing as a parameter the first hash. So this is the first time I see a flow like this; it's really interesting because they get two hashes. They don't do any salting, so that's a little bit of a warning sign, like there could be an attack in here in terms of a rainbow table or something, but I didn't consider it strong enough to say "this is just bad"; the approach is just interesting. They get one hash, they do another hash, and they compare it.

And clearly the next step will be to follow what the function does; it receives as an argument the first hash. So if we look at the function it's basically two steps. The first step is they create an array and they push the result of the function decrypt, and then they replace the content of the window, which is the last five lines of code. If we look with a little bit more detail, we see they're calling the function decrypt a lot of times, always using as the first argument hashTypePassword, which is the SHA-1 of the password the user submits, and the second argument is the base64 of xscript0, xscript1, xscript2, etc. So the next obvious question is: what does the function decrypt do? And that's the function decrypt. I remember when I was doing this research I put that function on my desktop and I started analyzing it a lot. At first I didn't know what it was; I literally printed it on paper and I was just looking at it. Then I asked some guys in the SpiderLabs research team, hey, do you have any feeling or any idea what this function is? And one guy, Dan, thanks Dan, told me, hey, it looks like RC4, why don't you start digging on that one? And it does look like RC4. The only significant difference, or the only real difference, is line eighteen: they're missing the plus one operation. If anyone knows cryptography and knows how that affects the algorithm, I'll be really happy to talk about it, because I didn't see anything in practice that it changes, but I'm sure there is a reason to have that operation.

RC4 is a stream cipher. It's very old, it has more than twenty years; today it is not considered a strong encryption algorithm. And the most important thing is it receives two arguments: the first one is the key, the second one is the encrypted text. And if we remember from the previous slide, they're using the same key a lot, a lot of times; for all the messages they're using the same key. That's really bad; you should never, ever do that in any stream cipher. Let's talk a little bit about RC4. It's an eternal algorithm; there are some attacks but they're not very simple, like they usually require that you have a lot of packages and a lot of messages in order to do the attack. That's like all the attacks on the web are because of this: there's the birthday attack, there are a lot of other attacks, but they require that you have a lot of messages. This was definitely not the case, because we only have one bank statement or two bank statements or whatever. The important thing is that in any stream cipher you should never use the same key more than once; here they're using it about 30 times to encrypt 30 different messages. And we also know that the desired output is always HTML, because if you remember the correct flow, once you put your password it will show you an HTML. So we can do a known-plaintext attack. In any stream cipher, in particular RC4, for each byte the encrypted text equals the keystream XOR the plaintext message; equivalently, the keystream is equal to the encrypted text XOR the plaintext message. And this will be the base of the attack. So that equation, especially the second one, is really important for us, because once we have the keystream and the encrypted message we can also get the plaintext message. We have the encrypted messages; they split it in about 30 variables, for our convenience as an attacker. The next question is: can we get the plaintext? And it looks like we can, because they're splitting the whole message into 30 little messages, and since the result is HTML, the first part of the message will always be the same: it will always have the HTML tags, the head tags, and since the idea of these bank statements is to have all these fancy functions (you click something and you get some graphics, and if you click another they order the data by spending, blah blah blah), they use JavaScript for that. So every bank statement will have the same JavaScript functions in the same order. This is very beneficial for us. So the basic idea behind the attack is: we will have the plaintext, the first part of the bank statement is a plaintext; then we will get the keystream with a simple XOR of the plaintext and the first encrypted message; once we have the keystream we will just decrypt the rest of the messages using the keystream.

So now we go for the demo. I already prayed to the demo gods, so I hope they're happy. I will show you two files: one is my bank statement and the other one is the bank statement of a friend, because when I did this research I was like, my bank statement is good, but I also know the password, so it's not the best attack. So I called up a couple of friends and said, hey, do you have a bank account with these guys? And two of them said yes, I have, and I asked them for their statements, but I didn't ask for their password, so I literally have no idea of their passwords.

So here's the result of opening the file. If we put any password it will say "incorrect password, try again". So we will use our exploit. This is the basic exploit: I put a basic XOR function, some magic happens, and this is my attack function. It's a very simple XOR and the encrypted text; this is the plaintext of the message, and here I get the keystream, here I get the exploit function, and this is just some small code to hide my data, because I don't want to show my credit card and that stuff. So I copy the XOR function, and the attack function is this one. So now you get the keystream with an XOR of the plaintext and the first encrypted message. Okay, so this is just the attack function and then a little bit of hiding and rewriting, so there it is, you can see the bank statement.

So in order to be a full demo I have to test it with another file. This is the file of someone, like a friend, but I have no idea what their password is, so I try something random; it doesn't work. And I use the very same exploit, so I define the XOR function, and I'm using the same plaintext, because let's remember this is HTML and the same function, the same part of the HTML, will be the same for every user; this is what we will use as the base of our attack. And here I'll just put another name, because it's [unclear], and that's it: we use the same attack and we open two different bank statements. So, yeah, it works. If you look into the details, like the amount of credit and the expenses, etc., they are different, because we're two different people, but I think it's not required to go into those details. Also I'll show you quickly the content of this HTML file. So this is what I showed in the first slides; this is the file. So in the encrypted text we have no way of knowing what's in here, and there's very little HTML and very little CSS, so most of the thing is this encrypted text. Continue.

So once the bank notified us that this was fixed, I started analyzing the new file I receive every month, and it looks like they did fix it. Right now they're using CryptoJS, version 3.1.2; they're using the specific modules of AES and SHA-256. The decrypt function now uses AES, so that's good, that's way better than using RC4. Before decrypting, they're putting all the encrypted messages together; they're joining the text before decrypting. For the hash they're using SHA-256; it's better than SHA-1, it's a little bit harder in terms of computing, so for brute-force attacks that'll be better. And also, it's a good idea that they changed the hash, because if they had left SHA-1 there would be an issue, because they would give you the key to decrypt previous messages. All of this disclosure was transparent to the clients; as a client I didn't get any message like "we're changing the security" or "we're changing anything". So it's good they did it this way, because they helped their customers be safer and they didn't break the security in the meantime.

So, a little bit of conclusions. I think I ran a little bit fast, but you will have more time. Every time you roll out a new security product, it's always important to have a security review. If you're in any business and management or leadership decided to roll out a new product, try to be strong on the idea of having a proper security review, especially if your product has an obligation to fulfill certain laws or certain precepts and you are required by law. If you are doing complicated things like cryptography, hire specialists if your team doesn't have the proper skill set. Cryptography in general, I think it's harder, especially for developers; I mean, if you are not a cryptography expert and you google stuff, you may read some stuff online that's not a hundred percent true, right? Like Stack Overflow and similar websites may have an answer that kind of works, but it's not the safest. I mean, here they did cryptography and it kind of worked, but it wasn't very safe. So that's why you should hire specialists, hire people that really know their cryptography. There are a lot of smart people in the world; in this city right now there's a lot, a lot of very smart people, so you should hire them. Always use cryptography algorithms that are considered safe. Never use old algorithms, never use algorithms that are, you know, not the best at the moment, because that will be an issue: if not an issue today, definitely an issue in the near future. Never, ever roll your own cryptography algorithms, nor implement a cryptography algorithm differently, unless you're designing a capture-the-flag challenge. Don't do this, especially for production environments. Never use the same key more than once in a stream cipher. This is cryptography 101, but as security people we must have this very clear, especially because sometimes we check the work of developers and they're not security people, and that's good: they know how to do their thing and they know how to do it very well; on their side they do amazing code, and they don't know our side, so we have to help them get there. We have to give them these very few tips: never use the same key more than once in a stream cipher, use good encryption algorithms, etc. If possible,

especially if you work in a bank, try to have a simple, safe and clear way of communicating security issues. This is something that's unfortunately not as easy or as common; I've done a lot of disclosures, and thankfully the SpiderLabs research intelligence team has helped me, they're an amazing team, but I know that if they weren't on my side this would be really hard. This disclosure in particular was hard for them, because the bank doesn't have, you know, a very simple website like "hey, give us a message here if you find anything"; most of them don't have it. So if you work in an organization, please check if you have a way to receive bugs, and if you don't, start doing the process and start talking with the people, especially with leadership or management, so you start getting this process and you have a clear way of getting things. There's a blog post on the SpiderLabs blog if you want to read it; it's basically the same but a little bit shorter. And as a security researcher I also have a few tips for the people who do research: every time you get a new product, every time you see something new, try to hack it, even if you say, oh no, this was made by this big company, they should definitely have some good security in there. Try to hack it, you know, read the code, understand what's going on; you may be surprised. I was very surprised: this is a big bank, they have millions of customers, I was pretty sure they did their proper security review, but at the end I also understand there's always a business need to release faster, to release cheaper; code generally goes very fast, so that gives us an opportunity as security researchers to find fun stuff. And only try to do stuff that's legal; be careful with that one. And questions. Does anyone have any question?

[Audience] Do you have any idea how much...?

Yeah, I remember I sent this to the intelligence team and like the next day they told me, okay, we've already sent an email. And I go with them like a week later and I said, hey, do you have any news? And they told me, we've emailed a couple of people and a couple of public emails, but got no answer. And then I said, okay, let's wait a couple more days; they sent more emails and they got no answers. So at some point they told me, they're not answering, we don't know if we're hitting the proper people, we don't know if we should go to Citi, we don't know what to do. So I asked a former colleague, and she worked in Citi for a while, and I said, hey, I got an issue, do you know who I can talk to? And she referred me to this person, and she advised me, this is not the guy who will solve your issue, but at least he will read it and he will know who to forward it to. So it was definitely a few emails going back and forth, and there were also some NDA agreements. The intelligence team did an awesome work, but I think this process was too hard; if I had done it personally I wouldn't have finished, because it's very exhausting and it's hard to communicate properly with certain institutions.

[Audience] Okay, so compared to other customers, how difficult was it in the sense of the timeline, talking to people? I'm assuming that other companies are more open to these kinds of disclosures or fixing these problems, and probably this is just normal bureaucracy in a Mexican bank. So I'm just curious to know how difficult it can be for, let's say, a manufacturing company or another kind of industry.

Now, that's a good question. This is the first issue I found in a bank on my own, so they're not expecting the report, so that's always a different treatment. But I have found a couple of issues in software, like VPN software, and it got a very fast response, very, very fast in comparison, because when they do software I think it's easier to patch. And this one, I can imagine that it had to go through a lot of teams, and a lot of people are in this decision because it's a bank, and it's a big, big bank, and there's a lot of decision-making. So it was very slow in comparison to others, but in general I think two months, two or three months, is a very good response time for a bank in Mexico. Yeah, that's it.

[Audience] So in your opinion, how is Mexico in the banking program? Like, have you seen many companies actually adopting this practice, or is it just something that no one hears of?

My opinion is that it's an area for improvement. I mean, I haven't really seen big companies do it; hopefully in the next years there will be more programs and more consciousness on that topic, but today, no. For this research I got nothing from the bank, not even a pen or something; usually it's... I got authorization to talk about it, so that's good. Thank you.

[Audience] Thank you. So for the known plaintext, did you just open up your own bank statement with your own password and then just extract the first chunk? And how much of the plaintext did you need?

That's a very good question. So what I did was opening my bank statement with my normal password. I grabbed a little bit more than the length of my first encrypted messages; I mean, it depends on how big your bank statement is, how many messages they split it in. Some months I got like 28, some months I got like thirty-three messages. So I used the largest one; I counted the bytes, I used the one that's largest and a little bit more. And the XOR function I'm using will stop whenever one of both messages stops; if one message is larger than the other it just stops the function there. So it's better to have a longer keystream, and I'd use it instead of missing some bytes and having a bad result. And I did use my bank statement, my first one, and it breaks all of the bank statements of that month. There is also a little situation, and that's the reason I didn't publish this tool, because of two reasons. One is I think it doesn't really help the good people, because that's the theory of breaking it, but you don't need to break something to see that you're able to break it. And number two, I saw like two or three different versions; I think they fixed some bugs, like production bugs, so at some point they changed the JavaScript libraries. The attack is still able to work, but as a tool you will need about two or three versions, and you'll need to do some fancy things to detect if they're using version 1 or version 2, etc. But yeah, okay, thanks.

[Audience] A good question: you mentioned that there was a line of code missing from part of that algorithm, and I was wondering if you determined whether that's a bug or a feature, something that didn't happen.

So this is the RC4 function they're using, and it's just in this line. The algorithm you find in Google or in Wikipedia or whatever, the original algorithm, here has some parentheses and it says plus one. This is also a proprietary algorithm, so there is no RFC or any official source of the algorithm. This is like a funny story; I guess lots of people in this conference lived the story, I didn't live it, but this algorithm was leaked. So the leaked algorithm is the one we know as RC4, but the official one, you have to pay for it. And this is just the line that's changing. I did a lot of thinking and I asked some people, and there is no direct effect, negative or positive, but I think there must be something somehow. So if anyone knows the answer, what this plus one does here, that would be interesting. It's also more of a thinking exercise, because this had a bad implementation; there was a bigger issue with it than missing the line in the algorithm. It's a bigger issue that they did it improperly, and the way they fixed it was using a different type of algorithm: instead of a stream cipher they're using a block cipher. So yeah, there is no solution on that one; it won't really have an impact to put all this [unclear]. It's a really fun challenge; if anyone knows, I can get you some stickers, I got pictures of my dogs on stickers.

Does anyone have another question?

[Audience] Thanks, it was really interesting, especially since, you know, I'm from Mexico too, so knowing this brings some concerns, you know, whether any other banks are following the same practices, like Scotiabank or any other ones. Have you ever [unclear] that?

That's an interesting question. I've looked it up; I don't have a bank account in all of them, I have in some of them, but I have friends who have accounts in most of them, and they all tell me they send their bank statement as either an encrypted PDF or an encrypted zip file. Also my friends don't like to share their bank statements with me, for some reason; you know, I'll just do it for free and I won't do anything, but they have their doubts. And as for using a smart statement, I've only seen Citibanamex. But the idea of using encrypted PDFs and encrypted zip files in all the country is a very interesting topic, because I've talked with some people and it's not the safest approach: every year it's easier to brute force, so at some point all of the security will be outdated. So that's also a very interesting place to start thinking about it. There are a couple of few banks, to be honest, that do it correctly. I think American Express is kind of a bank, and they only send you an email, which I think is the same they do here, like "hey, your new bank statement is ready, log into the page and download it". That's a little bit of a pain for the user, but it's way, way safer, because you cannot brute force it; I mean, the window of opportunity is very, very close, very small.

[Audience] Yeah, yeah, speaking of Amex, I also have them as a bank, and they're the only ones I found that... like, I get spam, I get phishing emails from fake Amex, and Amex has a very clear way to report those emails: you just forward it to a certain address. So I'm pretty impressed with that as well.

Yeah, yeah, yeah, some of them do a little bit better jobs. Well, thank you everyone, hope you enjoyed it. [Applause]