
So, hi. I'm stepping in as a backup speaker here. My talk is titled "Hacking a bank using a paper form". This is not so technical a talk, but there are things in here that I think should be of interest to anyone that are, you know, designing, doing development, are interested in security and so on. So my name is Per. I think some people may know me, at least from online, and here's the license plate of my car, which is pretty easy to understand in Norwegian. I also have a statement from Cormac Herley, a famous researcher at Microsoft Research, that he has a healthy curiosity into passwords while I am pathologically obsessed. This was on Twitter in January 2018, which I'm pretty proud of having from him.

So I don't think I have to tell you much about BankID in Norway, but everyone in Norway is essentially doing online banking, and I do say "everyone" in quotes because some people don't. The vast majority of us also use mobile banking, so we are using dedicated mobile apps on our smartphones to do our online banking, and we do see, as far as I know, a decline in people sitting on their computer doing their online banking; you just do it on your smartphone. And BankID, which I am one of the security and governance managers for at Vipps, is used by everyone for doing authentication and electronic signatures. Of course this is for banks, but it's not just for the banks; it's also being used by the Norwegian government, by insurance companies, health services and so on. Even if you want to go to a place to get a sun tan, you can prove your age by verifying yourself using BankID these days.

But as I said, not everyone is online, and not everyone is capable of, or actually wants to, use smartphones and computers and stuff: elderly people, disabled people, incredibly paranoid people and so on, and there are quite a few of those around, and we need to give them options for doing banking as well.

So what I saw, like two years ago, in 2018, 2019 and also in the beginning of last year, 2020, I saw a lot of campaigns and ads and articles online from banks and so on, especially banks, saying that you should never share your BankID; you should be using what's called "disposisjon" in Norwegian instead, in English giving a power of attorney to somebody else. It's basically giving access to your account to somebody else, but you don't do that by sharing the OTP codes that you get from your BankID hardware token, and you never share your password; you essentially do not allow somebody to log in using your credentials.

Now, I thought it was interesting, because, you know, have I shared my BankID with somebody before? Yes, I have. Have I used other people's BankID before? Yes, I have. Is that a violation of the agreement that I have signed? Yes, it is. But honestly I didn't know that there were any other options available until I heard about this campaign and the term "disposisjon". So when I read about this, that was kind of like, I've got to look into this, because I want to see if this is a secure way of doing it, and I was also interested to see if this is usable: can this act as a replacement for just borrowing your BankID token and password from your grandmother because you're going to help her pay some bills online, as an example?

So I set out doing that along with a few other friends of mine, and the majority of this work was being done in August last year, August 2020, and we also remained in contact with the relevant parties essentially until today, to be honest. And we saw that when you want to give this power of attorney, this disposisjon, to somebody else, you can do that by logging into your online bank using BankID and then provide access: you type in the social security number of the person or the persons whom you would like to give access to your account to act on your behalf. And let's say for now that BankID is 100% secure; well, just pretend at least that it is, there's absolutely no way it can be hacked or abused in any way.

But the other thing we found was that in some banks you could also fill out a paper form and submit that by postal mail to the bank in order to provide access to your account for somebody else, and this is basically, let's say, the backup solution for those that don't use BankID, that don't use online banking; they don't want to or they're not capable of doing so. So we wanted to look into this to see if this stone age type of providing access could have some security flaws connected with it.

So with the biggest bank in Norway, DNB, we saw that one of the caveats that they had is that if you are a customer of DNB and you want to provide access to your account for somebody else to act on your behalf, that other person must already be a customer of DNB, and that applies to all the other banks as well. If you want to help your grandmother using a disposisjon, you have to be a customer of her registered bank, which in some cases can be fine, but I made the assumption, we made the assumption, that in most cases that just might not be true: you can become a customer for free, but do you want to, is there a need for it, and so on. And more interesting is that we found that even though DNB said that the person getting access must be a customer, we proved that that wasn't actually necessary.

So DNB had a paper form looking like this. It's a single A4 page where the account owner, let's say that's me, I have to fill in my name, my address, my social security number and my bank account number, and that information is really not much of a secret; we'll get back to that. So I'm the victim here, and the criminals in this case will fill out this paper form with my information, and then they need a person that will gain access to my account. That would be a money mule, that would be some criminal person, most probably in Norway, that will be put into the form here: name, social security number, address and so on. And third, this needs to be signed by the account owner, which is me, and the person getting access. And I was like, okay, well, yeah, okay, so we use paper signatures still, but I mean, I've been signing checks and bills and everywhere for a long time, writing Donald Duck or just scribbling an X, and nobody has reacted to that for years. So I was sort of curious: will DNB actually make a verification of any kind of these signatures? And last but not least, you need two witnesses to confirm the validity of the document in accordance with the wishes of the account owner, which is me, and witnesses cannot be spouse, partner, parents, kids or grandchildren of the account owner. And there's an interesting legal question connected to this: can witnesses be held accountable if this paper form is being submitted and
it is actually a fraud?

So obtaining your Norwegian social security number is considered by some to sort of be a secret or a challenge, but your social security number in Norway has never actually been, it was never meant to be, a secret. It's a publicly known algorithm, and finding out somebody's social security number is easier than you would think. I'm not going to give you the recipe on how to do this, but there are generators online that will generate valid social security numbers for a male person born on September 10, 1971, that's my date of birth, and you will get approximately 200 numbers, and one of those numbers is being used by me, and you need to figure out which. So as part of what we did in August last year, we found a service in some remote country that I can't name, and there is absolutely no reason for me to use this Swedish Chef in a picture on this slide at all, but we found a service that allowed us to anonymously enter social security numbers and not only have the number verified as being used by a real, live person, but by entering the social security number we also got the full name and the current publicly known address of that person in return from that service, and we could do that without rate limiting and without any kind of authentication first.

Then you need to obtain the bank account number of your victim as well; that goes into the paper form. So I asked Finanstilsynet, is it a secret? And they said no, not really: there is no law saying that your bank account number is supposed to be a secret, never was. And I also, by coincidence, because I was selling some used gear online at Finn.no, I also found that when I send something by post in Norway, pay on delivery, my bank account number is actually being printed onto the label that goes on the package. So all the people handling that package with the postal mail in Norway and the person on the other end receiving my package, they will also be able to see my bank account number. I can't really understand why, but it's printed there.

But of course we had to do a little bit of hacking in this case, so we turned to just a little bit of social engineering, and what we did is a good friend of mine, who does social engineering for a living and is fantastic at it, called the customer service of DNB early Sunday, pretended to be me. He already knew my name, my address, my phone number and my social security number, and he wanted to get access to my bank account number. So he called, pretended to be me and said, hey, I'm a little hungover this early Sunday morning and this is kind of embarrassing, but I have forgotten my account number and I need it because somebody's going to pay me some money, and no, I can't use Vipps. And they asked him, of course, name, address and social security number, which he already had available, and they also asked him three security questions, and he answered all those three questions wrong, but they still provided him with my bank account number. Again, not a big deal really, because again it's not supposed to be secret information.

But in the process, of course, I'd like to talk about static security questions versus what I call dynamic security questions. Static security questions, which are used by a lot of services online, include questions like mother's maiden name, name of first pet, name of school, and the problem with these is that they don't change, and in so many cases you can find the answers to these questions by just googling, or searching on Facebook. Dynamic security questions are, in my opinion, just a little bit better. It can be something else: name someone you made a payment to during the last few days, or how much money do you have in your account right now, or how many accounts do you have with us. So the answers are not fixed; they change over time. But there's also a question about whether the entropy is good enough, like, how much money do you have in your account? Probably zero at most times, so it doesn't have to be that difficult for an attacker to guess the correct answer to this.

So we completed this form, and we did this completely legally. I mean, it's a couple of friends of mine, and I asked, do you want access to my account? And the person said, oh yes please, is there any money in there? Well, like 200 kroner. Well, I can still do it. And we sent this on a Tuesday afternoon to the bank in Oslo, and then we just sat down and waited to see what happens. And again, this is not hacking per se, because we have legally obtained witnesses, two random people at a cafe; they had absolutely no clue what they were signing on to, more or less, but they filled in the form, they signed, and they even filled in their social security numbers, both of them, into this type of form. And the person getting access to my account is a friend of mine, so again, nothing illegal being done here.

So we were interested to see what happens now. Well, boom, it was complete jackpot, because my friend got access to my account. We saw that there were insufficient controls, because we used black, red and blue pens, we used the handwriting of several different people to fill in the paper form, some of which was also filled in using a PDF and just printing it. So there were no controls of the account owner, the person getting access or the witnesses; there was no control of the handwriting or anything like that, as far as we could see. The more scary part was that nobody got notified. Me, as the account owner, nobody; I didn't get any message in my mobile bank, in my banking app, via SMS, email, phone call, nothing. And even more interesting is also that the person getting access to my account didn't receive any notification at all.

And here lies the problem with this: in August last year anybody could fill in this form with the correct details and gain access to your bank account at DNB, and you wouldn't notice, because nobody would notify you, and in the online bank you have to go into several menus to find the option saying who has access to your account right now. And third, which is also interesting, is that my friend got full access to my account, and the one and only thing that person could not do was to get a credit card or get a loan from the bank in my name. But that person could see 10 years of my transaction history for my accounts, so anything I spent money on using card or cash and so on for the past 10 years was visible, and could also transfer money to other accounts in Norway, could make payments, could also send money to anywhere in the world, basically, from the bank, and again without me noticing before it's essentially too late.

So this concept of power of attorney, this disposisjon, is not standardized. The legal agreements from bank to bank are a bit different: the ordering process, how you configure this, the overview, what it looks like on the screen and which changes are made to your account, any use of it, logging, alerting, and also the process of removing somebody's access is different from bank to bank. Also, as an example, one bank had a written agreement for this which had a preset date, "this agreement expires in the year 9999", and you could not change that. So, you know, they obviously think I'm going to live quite a bit longer than I think I'm going to. And also the fact that when you log on to your bank you can't actually see that somebody else has access to your bank account before you go into several different menus and look it up specifically. So we have to fix this in some way, and there are many ways we can do that.
You can use time to our advantage and to the disadvantage of criminals. As an example, you could say that after ordering this kind of access, either online or by using paper, there will be a period where both the account owner and the person getting access have to wait for the whole process to be completed, but they will be notified about this. But talking about notifications, that is quite an issue today. We are receiving tons of notifications in every single channel now: security notifications, "a user just logged on" notifications, "a user has muted", "they have muted you", "they muted themselves"; there are all kinds of notifications that we're seeing all the time. So in this scenario it is very important to evaluate why are we going to notify, who are we going to notify, when are we going to do it, where, in which channels, and which technologies are we going to use. Well, it may be fine with an SMS, it could be using Signal or WhatsApp or Facebook, it could be using the integrated sort of mailbox that you have with your online banking account, and so on.

There's also a need to look into the granularity that we have today for this disposisjon thing, because today disposisjon doesn't offer any granularity at all: either you give full access to someone to your account, or there is no access at all. And as far as I know, Finans Norge is working on something to see if we can make this more granular. Now, if you do log on to Altinn here in Norway, you can have a look there, because as a single person, or especially if you have one or more roles with one or more organizations or companies, they have a long range of different roles that you can give to people or revoke from people as needed. You can see some of them here in Norwegian, just for my personal company, which I basically don't use for anything, and this kind of granularity is what I would like to see for online banking as well. Something as simple as: I want to allow somebody to accept and pay my bills on time, but they can't see my payment history, they can't see any transaction history, and they can't change the date or the amount or the account number to which the money will be paid if I receive an invoice from, as an example, my power grid company.

And of course we did this under responsible disclosure. I was in close contact with DNB pretty much from the beginning. I also talked to Finanstilsynet and some other parties involved as well, including Finans Norge, because obviously I have no intention here of being evil, and they don't want to help others be evil as well. So I did my responsible, I actually prefer to use the term coordinated, disclosure in this case, and I also said that I do have an intention of having NRK write about it, write an article about this, when we are sort of done. So that article came out on March 1st, which coincidentally was also the first day I started working for Vipps, who operates BankID in Norway, and DNB, my sort of victim in this case, is also one of the biggest owners of this. So I cleared this with DNB and with Vipps before starting in the job. I have explained everything I've done, and the weaknesses that we demonstrated were of course fixed before NRK wrote their article online.

And I received comments on this, you know, "this is good work", "impressive", and it was sort of fascinating to see that, you know, "oh my god, DNB was highly insecure". Yeah, well, they were not. DNB is really professional; they have been really professional about this case, nothing bad to say about them. But the thing is, I missed anyone asking me this question: why did you go to the media with this? Because DNB was acting professionally, they fixed it, so why write an article about it? Is that just a show-off of my fantastic, amazing hacking abilities? No, it's not, because there are many banks in Norway, and I do not have the time or, to be honest, the interest in checking all banks in Norway to see if they have similar paper forms. And the concept of disposisjon, that power of attorney, is not just with banks; it is with insurance companies, with health organizations and so on as well, and I don't know if they have paper forms for ordering this kind of access for other people, and it would be impossible for me, basically, to check them all. So I said to DNB and to Finans Norge that this article will be coming, with an OK, at a date when you say things are fixed, and by that time I also hope that you have given an advance warning to all the banks in Norway that if they offer the option of ordering disposisjon by using a paper form, they should look into their procedures and eventually try to adjust them or fix them before the article appears online. And I think they did.

So again, I just want to end this by saying that at Vipps security we have published version one of our responsible disclosure policy, in case you find anything with us that you want to report to us. Preferably, of course, follow these guidelines on what you can do and what you can't do, and do it in a responsible way with us, in a coordinated way, I should say.

And to finish off, some people might want to ask me the question: so what are you up to next, then? Well, DNB is such a big bank that they need to keep these paper forms, so they have updated the paper form. Now it's two pages; it's still available online as a PDF file that you can download and have a look at for yourself. And of course we have talked to DNB and said that we want to fill out this form and send it in and see what happens, and I can reveal to you now that we have. And what happens now is that both the account owner and the person who is going to get access will get a text message saying that we have received your order and access will be provided in 48 hours from now unless you contact the bank and say something's wrong. And that message is being sent, as I said, both to the account owner and to the person that is getting access, in the very near future. So that's my talk. Thank you, and now we'll go over to questions again.
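The three fixes the talk argues for (a waiting period before access goes live, notification of both the account owner and the person getting access, and a narrow "pay my bills but change nothing and see nothing else" role instead of full account access) as an added example. This is not code from DNB, Vipps or the speaker; the Bank and Disposition classes, the scope names and the sample invoice and identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model (added example, not the bank's or Vipps' code): a disposisjon
# request that becomes active only after a 48-hour waiting period, notifies BOTH
# parties, and grants narrow scopes rather than full account access.
WAITING_PERIOD = timedelta(hours=48)


@dataclass
class Disposition:
    owner: str              # account owner (constructed identifier)
    delegate: str           # person being given access
    scopes: set             # e.g. {"pay_invoice"}; "view_history" and "transfer" are separate
    requested_at: datetime
    revoked: bool = False

    def active(self, now):
        return not self.revoked and now >= self.requested_at + WAITING_PERIOD


class Bank:
    def __init__(self):
        self.notifications = []  # (recipient, message) pairs, whatever the channel
        self.audit = []          # every access decision, allowed or denied

    def request_access(self, owner, delegate, scopes, now):
        d = Disposition(owner, delegate, set(scopes), now)
        msg = (f"{delegate} gets {sorted(scopes)} on {owner}'s account at "
               f"{now + WAITING_PERIOD:%Y-%m-%d %H:%M} unless you contact the bank")
        # Both parties are told, so a forged paper form is noticed before it bites.
        self.notifications += [(owner, msg), (delegate, msg)]
        return d

    def revoke(self, d, by, now):
        # The owner may revoke at any time; the delegate may decline while pending.
        if by == d.owner or (by == d.delegate and not d.active(now)):
            d.revoked = True
            self.notifications += [(d.owner, "access revoked"), (d.delegate, "access revoked")]
            return True
        return False

    def authorize(self, d, actor, action, now, invoice=None, received=None):
        ok = d.active(now) and actor == d.delegate and action in d.scopes
        # pay_invoice may only settle an invoice exactly as received: amount, due date and payee untouched.
        if ok and action == "pay_invoice":
            ok = invoice is not None and invoice == received
        self.audit.append((action, actor, "allowed" if ok else "denied"))
        return ok


def demo():
    """Run the talk's scenario on constructed data and return the decisions."""
    bank, t0 = Bank(), datetime(2021, 3, 1, 9, 0)
    d = bank.request_access("owner", "friend", {"pay_invoice"}, t0)
    inv = {"amount": 1250, "due": "2021-03-10", "to": "0000.00.00000"}  # constructed
    later = t0 + WAITING_PERIOD
    return {
        "notified": [who for who, _ in bank.notifications],
        "pay_early": bank.authorize(d, "friend", "pay_invoice", t0, inv, inv),
        "pay_later": bank.authorize(d, "friend", "pay_invoice", later, inv, inv),
        "pay_tampered": bank.authorize(d, "friend", "pay_invoice", later, dict(inv, amount=99000), inv),
        "history": bank.authorize(d, "friend", "view_history", later),
        "revoked": bank.revoke(d, "owner", later),
        "pay_after_revoke": bank.authorize(d, "friend", "pay_invoice", later, inv, inv),
    }
```

The audit list records every denied attempt as well as the allowed ones, which is the logging and alerting the talk notes differs from bank to bank.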