
The next talk, presented by ground one two three four, is "How I Hacked a Bank" by Per Thorsheim.

Okay, hello everyone. My name is Per Thorsheim; you know me as the founder of PasswordsCon, and I'm really happy to talk to you again. I'm really sorry this is not happening live in Las Vegas at the BSides conference. I really hope to see a lot of you, all of you, next year in 2022 in Vegas, but for now this is virtual. So what I'm going to talk about is this talk, "How I Hacked a Bank Using a Paper Form", and as the title says, there's a fun story in this. I couldn't really decide on the title, you know, whether I'm talking about social engineering, about issues with power of attorney concepts, about digital identity solutions and so on, but the title is what it is anyway.

Here is me in front of my car, or my previous car. The license plate is a word in Norwegian which only lacks a W to make it the English equivalent; you can probably guess what this is. And I'm really proud of saying that some time ago on Twitter I tweeted that I have a reputation to maintain: that I have it directly from Cormac Herley, a researcher at Microsoft Research, with a witness present, that he's interested in passwords while I'm obsessed with it. I asked Cormac if he could confirm that statement, and he responded, saying: "Confirm. I have a healthy curiosity while Thorsheim is pathologically obsessed." And this is something that I'm actually really proud of having from Cormac Herley.

But again, back to the talk. Some background information: depending on whether you are in the US or Canada or the UK or Japan or Australia or the Cayman Islands or in Norway, some background information is necessary, because again, this talk is about specific stuff that you can find only in Norway at the moment.

First of all, everyone does online banking in Norway. Almost every single adult from age 15 and upwards is using online banking, usually using apps on Android or iOS, but of course they're also using just a web browser on a normal computer to log into the online bank. In Norway we also have a solution called BankID, which is used by everyone. It's a common authentication and electronic signature solution; it's an identity solution. In full disclosure, I now work for Vipps in Norway, the company which is the developer of and sells the BankID solution as well as some other solutions. I started working for them on March 1st, 2021.

But there is a situation in Norway: not everyone is actually online. There are some people who, for different reasons, they could be old, they could be disabled, or they are just a bit too paranoid, are not using or are not willing to be online. They don't want to use online banking, as an example. So for a few cases we need all the banks to support them in other ways than just having a web page or an app for a phone. So for several years we have had something called "disposisjon" with Norwegian banks. I tried to find an exact translation of this into English, and the best way to describe it is to provide power of attorney to somebody else to handle your bank account. So if, say, you're blind, you're disabled, or you're just truly paranoid, and you want somebody else to handle your business in your online bank, you will provide a power of attorney to somebody else.

Now, when you're using BankID, it's a two-factor authentication solution where you have a username, you have a password, and you also have an OTP that you will provide. And of course the banks have been saying since day one with BankID that you should never share your OTP with anyone, and obviously you should never share your password with anyone either. Now, if you are, as me, into passwords, you do know that quite a few people will share their passwords, and also that some will share their OTP tokens with other people as well. It's a matter of trust. But at least for this case in Norway, the banks say you should never share these secrets with anyone, including, you know, boyfriend, girlfriend, wife, spouse, whoever it is.

Now, looking at this, especially "do not share these secrets", that was actually a red flag to me. I'm getting annoyed by this, because I know that people are sharing passwords: kids do it, teenagers do it as a sign of trusting each other, and I know that adults do it as well. So I wanted to look into how this stuff actually works, especially the power of attorney part.

So I looked at the largest bank in Norway, DNB. It's not just the biggest bank in Norway; by far, it's a lot bigger than the second biggest bank in Norway. Usually when you use BankID this is completely online: you log in using BankID, you transfer money, you pay your mortgage, you pay your rent, you pay money to people in the US, and you do all that online. You never have to visit the bank physically, actually. In most cases now you will never visit your bank, and in the very near future there will be no need ever to visit the bank physically again. Everything will be handled online, including the process of signing up to become a customer of a bank, or to get a mortgage with a bank, as an example. No need to visit the bank physically.

But for the power of attorney concept, it's very simple. When you go online you can register a new person who will be given access to your account to handle your business on your behalf. Doing that online is a very easy process: you have to type in the social security number, which is basically our usernames in Norway, and say that this person will be given access to my bank account. That person needs to be a member, or a customer, of this bank specifically at the time of sign-up, and the person needs to be 18 years of age or older in order to be allowed access to manage your bank accounts. And that's basically it: click and click, click and go, and you're set.

But I wanted to look into the alternatives for this, because as I said, not everyone is online and can do this online. So DNB, as one out of several banks, provides an alternate option: you can use a paper form and send it by postal mail to the bank. Because BankID, let's just say that BankID is perfect, it's secure, so I was curious about, okay, so you can fill in a paper form and send that physically to the bank, and by doing that you can provide somebody else with access to your bank account, and that access will then be digital. Interesting concept, let's look into it.

So DNB, the biggest bank, had this paper form. It was a one-page paper form looking like this. It's in Norwegian, so sorry about that, but I will explain a bit for you. First of all, there is the owner of the account. That's me; I'm the victim in this case, and I will have to, or an attacker will have to, fill in my name, my address, which is publicly available information, my social security number, which is sort of a secret but was never meant to be a secret when the algorithm was designed, and my bank account number. Now, banks in Norway are not allowed to disclose to anyone, basically, your affiliation with the bank: whether you're a customer, your bank account number and so on. But in a way it's not much of a secret, really, which bank you are using, what your bank account number is and so on. If somebody is to pay you money they need to know your bank and your bank account number.

Then there's information about the person that I'm providing power of attorney access for, and that is in this case going to be the attacker. And I don't know this, because the attacker will be filling in this paper form by themselves; it will not be done by me. So here you have the name and address and the social security number of the attacker that need to be filled in on this paper form. This could be the attacker, or it could also be a money mule, which is, again, somebody basically being tricked into doing something illegal without actually understanding what they are doing.

And then you need a physical signature from the account owner. I don't know about the US, if you're using checks with signatures and if you actually still do signature checks, but in Norway, a physical signature, what the hell, that's something we were doing when I was a child, and I'm going to be 50 now. Wherever you go, if you're asked to sign anything, you just put an X and nobody cares, anywhere. So I was curious about, when we fill this out, will anyone actually do a signature verification at all? Because I do know that the bank does have my signature on file.

And then we also need two witnesses, and these witnesses will testify to this form being correct and this being something that I, the account owner, have done willingly and that I do understand the consequences of doing this. So they will confirm the validity of the document in accordance with the wishes of the account owner, and witnesses cannot be the spouse, partner, parents, kids or grandchildren of the account owner. I was curious also about whether these witnesses can actually be held accountable for signing this document as witnesses, and I've asked lawyers about that, and they say probably not, actually, in case something bad happens.

So first of all, I said the Norwegian social security numbers are not really supposed to be a secret, and that's true. But the funny thing is, a lot of Norwegians still think that their social security number is a secret, and they try to keep it secret. And what's even worse is that a lot of businesses are still using the social security number as a secret, when it's not supposed to be used that way. The algorithm for generating our social security numbers is not a secret at all; it's public information. It's 11 digits: it's my date of birth, mine is 10 09 71, so September 10, 1971, and five more digits. Of these last five digits, the middle one is a gender indicator: odd numbers are men and even numbers are women. So you need to find my birthday, which again is September 10, 1971, and then you can use the generator to find all the possible social security numbers for a man born on September 10, 1971, and that's approximately 100 numbers, maybe a little bit more. When you have generated those 100 numbers you need to find a service that will allow you to verify the validity of the number, meaning, first of all, is the number actually being used by a real, existing, male person today who is alive, and then you need to figure out if that person is me, or if it is somebody else, another man born on the same day. That process isn't really hard.

So in order to validate these, we started looking around, because I did this as a project with three good friends of mine. We looked around, and it's a known fact, especially among security people and hackers, that time and again there have been services online which will allow you to verify the validity of a Norwegian social security number. We are not disclosing any names or logos or countries in this, but we did find a service that allowed us to do that, unauthenticated, with no rate limiting at all. I just have a picture here of the Swedish Chef, without any other explanation. But we managed to verify and ensure that numbers were valid, and we could also find that the specific number used by me belonged to me, using a specific service that we found on the internet.

So then we have a social security number, and the last thing that the attacker needs is to figure out my bank account number. I did talk to the Financial Supervisory Authority of the Norwegian government, and they said, well, your bank account number is not a secret; it's not supposed to be a secret, and in many cases you have to give it to others if they are to pay money to you or transfer money to you. And for some weird reason, while doing this little research project, I actually sold the camera lens for one of my DSLR cameras to somebody else in Norway, and I was going to send the camera lens by physical mail to them, cash on arrival: so they go to the post office, they have to pay for the lens at the post office before getting the package, and when they get the package and they make the payment to the Norwegian Post, the Norwegian Post will then transfer the money to my account. I never actually thought about it before, but filling out the information that goes on the package, I also actually have to include my bank account number on the package. So not only will the remote post office get my bank account number, but the recipient of the package will also get my bank account number. And there you go: if you sell anything by postal mail that people are supposed to pay for when they receive it, they will also get your bank account number. So it's sort of easy, actually.

But in our case we went with a bit of social engineering. We wanted to see if we could convince a customer representative at DNB to provide my social security number to an attacker. Now, a good friend of mine who's a specialist in social engineering, he does a lot of pen testing in that area here in Norway, he took on the challenge and he called the customer service of DNB. Now, you can probably guess the outcome of this, but some of the interesting things that Norwegian banks are doing: they do security questions, and security questions is a topic that we have been talking about at PasswordsCon previously as well. In my simple mind there are two types of security questions. You have static security questions, where the answer is kind of fixed, it doesn't change in the future, like mother's maiden name, name of first pet, name of first school and so on, and a lot of times you can probably Google your way to the answers to these questions about most people, especially if you have Facebook, of course. But then you also have dynamic security questions, which can be maybe a little bit more tricky to bypass. It can be something like "name someone you made a payment to during the last few days", as an example, or they could be asking "how much money, approximately, do you have in account number one, two or three that you have in our bank right now?" That can probably change; for some people it's just zero constantly, I don't know. But again, it's a question of how much entropy these security questions have when they are supposed to be dynamic. If I always have zero in my account, it's not that high entropy anyway.

We completed the paper form and sent it by paper mail to the bank on a Tuesday afternoon, and then we just waited to see what happened. Boom, that happened. We actually hit the jackpot on this, and we discovered that, well, first of all, for the paper form there were insufficient controls. Not only did we fill out the paper form, but we used several colored ink pens to fill out the paper form, and we had several different people write in the information, so you have, should I say, different fonts or writing styles on the document. The two witnesses were just two random people at a café, 18 and 19 years old, and I can promise you they did not understand what they signed up for as witnesses. Only one of them asked to see some ID, and really didn't look at our ID at all.

I would say even more concerning is the fact that me, as the account owner, and also the person that I provided power of attorney privileges for, which is a good friend of mine but in the scenario is the attacker, none of us were notified by the bank that power of attorney access had now been granted and the person could now log on and use your bank account for almost anything they want. That was a mind-blowing shocker to me and to everybody else as well. I mean, somebody gets access to your account and nobody notifies you, or the person that actually gets access to your account? That's insane. And not only that, but the person got full access, meaning that you can do everything, except you can't get a mortgage or put me into more debt by having this access as an attacker, and you cannot pay my bills for me, even if I'm receiving my bills electronically. In Norway most bills are received electronically inside your bank, but the person with power of attorney privileges can't see them and can't make the payment. But the person can see my entire payment history 10 years back in time, which is sort of crazy in some cases.

We also found that this power of attorney access, there are legal agreements on this, but they are different from bank to bank; it's not standardized between the banks. The way you order power of attorney access, the overview, the way you can look at the setup of this, and the way you make changes, because you can give power of attorney access to several people if you like, or 100 people, maybe, we don't know how many you can actually give it to; the use of it, the logging, alerting and removal of access are all different. In almost all cases where we checked, it was very hard to figure out what's going on: who's got access, what have they done, what have they seen. And there are no controls for me as an account owner to set up any limitations on what they can do or cannot do, which was crazy. And just as one example, we found that one of the legal agreements for this power of attorney access had hard-coded December 31, year 99 as the expiry date, and you couldn't change that at all in the contract with the bank. So once you sign it, they will have access into eternity, pretty much, or until you again say that, well, I'm cutting the agreement, I don't want to do this anymore.

And also, again, another shocker: when I logged on using either the web version or the iOS app version of the online bank, in the main screen of the online banking screen there's no information that somebody now has access to your bank account. Nothing. You can't see it. You have to go into several sub-menus before you can find the fact that somebody else has access to your bank account, which again is a shocker, really.

So of course this had to be fixed, and I did talk, of course, to the bank; I'll get back to that. But one of the things that we found is that using time to do rate limiting, and using time to our advantage, is very important in this case, and to the disadvantage of criminals. If you've got an iPhone, maybe you have entered the wrong PIN code a couple of times and you've seen messages like this: "iPhone is disabled, try again in five minutes", or ten minutes, or one hour, or a thousand years, I don't know. That system is not really that much applied to these systems, even today.

We also saw that there was an absolute, complete lack of granularity of access. Either you give full access, apart from the fact that the attacker, or the power of attorney person, will not be able to give you more debt, but they can do anything else, so it's either full access or no access at all. And we said, well, seriously, there should be a more granular level here, like: you can pay my bills up to a certain amount, or you can only transfer money within Norway, you can't send it off to the Cayman Islands or to Aruba or to the Himalayas or anything like that. But no, there's nothing like that. It's full access or no access at all. I do know that the banks are now working on trying to look into what they can do about this.

But one of the things that I told the bank is that the Norwegian government has a portal where I can log in and see information about the one-person company that I operate here in Norway, and they have many, many levels of granularity, where you have a lot of different roles that you can assign to different people within your own company or organization, or to other people: to your auditor, to your accountant and so on. And I said to the banks that, well, shouldn't you be able to do something similar as well, to provide granular access for different people whenever you want to grant power of attorney privileges to somebody else to handle your situation for you?

And of course I did this in a responsible, or as I prefer to say, disclosure way with the Norwegian bank DNB. We did this work last year, in 2020, for a couple of months; the majority of the work was done in the month of August, and we talked to the bank in September 2020 and continued to do so for several months, allowing them to look into, comment on, verify and eventually also fix the vulnerabilities that we found. And on March 1st this year, 2021, I talked to the Norwegian Broadcasting Corporation, NRK, here in Norway, and they did a story on this which was put online on March 1st, and that was actually the same day as I started working for the company Vipps, which is the owner and developer of BankID. And DNB, the biggest bank in Norway, is also one of the biggest owners of the company Vipps. So I did talk to the bank, I did talk to my new employer, and they were fine with this information going public with the broadcasting corporation in Norway, and it said that I could hijack a bank account just using a simple one-page paper form, which again became more of a shocker to a lot of people.

But the funny thing is, I got a lot of questions, a lot of feedback after this, and obviously people were shocked: oh wow, that's way too easy, anyone can basically fill out this paper form with information that is almost completely publicly available, send it in, and they will have access to your account, and you will receive no notification at all that they have gained access to your account. That's crazy. But nobody asked me: why did you go to the media with this story? I mean, you reported it to the bank, they fixed it, or they are fixing it; why would you break the story like this? Is it just for the fame? Because, trust me, there's no fortune at the end of this. You don't get rich, you don't get paid anything to do this. And it's an interesting question, and I will explain that. I did this because we found that DNB is not the only bank in Norway that provides this kind of paper form. There are, I don't know, 100 or 200 banks in Norway, and I just can't, I do not have the time or the interest in checking all the banks, because they all do it differently, and I didn't want to spend time trying to check every single one. So we told the Financial Supervisory Authority of Norway, we told the bank, we told several other banks and so on, that you need to check this before we go public with this story, because when the story goes public it will get easier to exploit this if this is a solution that you provide, giving power of attorney by paper. And that's the simple explanation of this.

Of course, additional takeaways on this. You know the standard 90 days to fix limitation from Google whenever they find some serious security flaws, and they have also expanded this with 30 additional days before any details are released about zero-day exploits that they find in any products. It's a growing industry of bug bounty programs. I'm going to say I'm not really a fan of bug bounty programs; to me it's a little bit questionable whether people are participating in this to fix problems or to make money. I'm the kind of guy who prefers to fix problems. And I also talked to the bank, of course, and internally at Vipps as well, about ISO 29147 on vulnerability disclosure, and also ISO 30111 on vulnerability handling processes. If you haven't read these, you should; it's an interesting read, and it's a good thing to try to see if your organization is compliant, or should be compliant, with these standards, or at least to implement programs to work in accordance with these standards for vulnerability disclosure and vulnerability handling internally in your own organization.

In this case, of course, we found these vulnerabilities with DNB, and it took six months before they said that, well, we think we've got it under control, you can now release the story. And there's still more work to do on this. But again, six months is a lot more than Google would have sort of allowed if this was a zero-day in some online software, as an example. At Vipps we also have our own vulnerability disclosure policy available at vipps.no/security. It's a version one, and we're also interested, of course, in knowing what you think about this policy. We do not provide any bug bounty program at the moment, but if you should find something of interest with us, please let me know and contact me directly, of course, and maybe I have a cup or a T-shirt for you. But that's what we have today.

So what's next, then? Because we found this, and now the issue is supposed to be handled and the problem is not there. Well, DNB is so big a bank that they have to provide this power of attorney option on paper for people, again because there are some elderly people, some disabled people, and also a few paranoids that just don't want to do this online, so they want to provide power of attorney access by paper. And one of the things that the bank did was to update the paper form, so now it's two pages and they require more documentation. And one of the things that we've done, or are working on doing, is to use the new version of the paper form to see if we can still gain access even though we're not supposed to. And that's basically it from me about this story for this time. If there are any questions, I'm open for that now. Thank you.
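The candidate-number enumeration the talk describes (date of birth, then the individual digits with the sex encoded in the middle one, then check digits from a public algorithm) can be reproduced offline. The following is an added example by the editor, not code from the talk or from any of the lookup services it mentions. It assumes the publicly documented mod-11 control-digit weights for Norwegian birth numbers and the commonly documented individual-number series per birth century; how many candidates it yields for a given date depends on which series you assume for that year. It checks syntactic validity only, which is exactly why the talk still needs an online verification service to tell a real, living person's number from the other candidates.

```python
"""Enumerate check-digit-valid Norwegian national identity numbers
(fødselsnummer) for a known birth date and sex.

Added example: the control-digit weights are the public mod-11 scheme;
the individual-number series per birth century are an assumption taken
from the commonly documented allocation (D-numbers and other special
series are not covered)."""
from datetime import date

# Weights for control digit 1 (over the first nine digits) and control
# digit 2 (over the first nine digits plus control digit 1).
WEIGHTS_K1 = (3, 7, 6, 1, 8, 9, 4, 5, 2)
WEIGHTS_K2 = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def control_digit(digits, weights):
    """Mod-11 control digit, or None when the remainder would give 10:
    such prefixes are never issued as real numbers."""
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    k = 11 - remainder
    if k == 11:
        return 0
    if k == 10:
        return None
    return k


def check_digits(nine):
    """(k1, k2) for a 'DDMMYYIII' prefix, or None if no valid pair exists."""
    digits = [int(c) for c in nine]
    k1 = control_digit(digits, WEIGHTS_K1)
    if k1 is None:
        return None
    k2 = control_digit(digits + [k1], WEIGHTS_K2)
    if k2 is None:
        return None
    return k1, k2


def is_valid(fnr):
    """Syntactic validity only: 11 digits whose control digits match.
    Says nothing about whether the number is issued or the holder is
    alive; that is what the lookup services in the talk answer."""
    if len(fnr) != 11 or not fnr.isdigit():
        return False
    ks = check_digits(fnr[:9])
    return ks is not None and fnr[9:] == f"{ks[0]}{ks[1]}"


def individual_ranges(year):
    """Individual-number (digits 7-9) series used for a birth year.
    Assumption: the commonly documented century allocation."""
    ranges = []
    if 1854 <= year <= 1899:
        ranges.append(range(500, 750))
    if 1900 <= year <= 1999:
        ranges.append(range(0, 500))
    if 1940 <= year <= 1999:
        ranges.append(range(900, 1000))
    if 2000 <= year <= 2039:
        ranges.append(range(500, 1000))
    return ranges


def candidates(year, month, day, male):
    """Every check-digit-valid number for this birth date and sex."""
    prefix = date(year, month, day).strftime("%d%m%y")  # rejects impossible dates
    out = []
    for series in individual_ranges(year):
        for i in series:
            # The third individual digit is the sex marker: odd = male, even = female.
            if ((i % 10) % 2 == 1) != male:
                continue
            nine = f"{prefix}{i:03d}"
            ks = check_digits(nine)
            if ks is not None:
                out.append(f"{nine}{ks[0]}{ks[1]}")
    return out


if __name__ == "__main__":
    # The birth date the speaker gives for himself; the output is a list of
    # syntactically possible numbers, not his actual number.
    found = candidates(1971, 9, 10, male=True)
    print(f"{len(found)} syntactically valid candidates, first three: {found[:3]}")
```

Roughly one candidate in six is dropped because one of its control digits would be 10, so the candidate list is shorter than the raw count of odd (or even) individual numbers in the series. Everything left still has to be confirmed against a real registry, which is the step the talk's unauthenticated, un-rate-limited service made cheap.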
uh okay so uh good to go excellent so okay i'll get back again too to to to decaf here so uh my first question to decaf and this sorry decaf again it's kind of weird that i'm asking you questions here but i'm curious about this because again for the uh change notification you know if if you or on a hacker uh gives but you know another person access to your account uh yes there will be a notification to the account or not but how do they do that do they do they don't do that online do they call you do they send you a physical uh letter uh do they uh send you a text
message and so on because different notifications can have different security levels and some of them can be blocked or they won't make it in time and so on and the second is also of this no trice signature because again a notarized signature is well i hear you you need to go to somebody who is allowed to do this stuff but can they be bribed uh can you fake their seal and their name and signature uh will those will those signatures and so on ever be um checked uh because it's part of a sort of a physical world and the issues that we found here was part of a physical world using a paper form while the uh standard way to do is is to
do everything digital using bank id which is identity and authorization and you know at least for the background for this talk we could say the bank id is you know secure so that's sort of my questions so decaf it says it depends i've got emails text and fiscal letters on changes sometimes all of them won't change okay that's interesting uh you know i'm like you know i i i can't i can't totally guarantee but i can tell you i swear my life i do want to go back to las vegas next year to do passport con together with b-sides live in las vegas next year i'll i'll do the password song i'll do the password
dance i will you know do all kinds of crazy stuff to make it happen and i hope to see lots of you people there on decaf i'm going to buy you a decaf coffee and i would like to talk more to you but are there any more questions looking here in the channel now so let's have a look sometimes all of them for one change from decaf yes it's probably possible to forge a notary through bribing but it would be traceable and random and prison likely okay yep that sounds good the the concept of notary has you know it has at least existed here in norway as well if you are a student and you are going
to you know well a long time ago when i was no longer a student and i was going to apply for jobs they would ask for copies of my you know certifications and degrees and and and and so on from from school and so on and what i would have to do then i would have to go to as an example a postal office and have somebody there make copies of my original papers and they would sign them and they would stamp them and say that yes we are sort of on notary it's the official uh postal mail of norway certifying that these copies are correct now of course you could trick with that as well it wasn't really
that hard it's just paper copies but today um it's you know i i don't know of cases more or less where you use this kind of concept anymore it's it's it's digital digital except in in this particular case where we have witnesses signing off and they are clueless on what they actually sign on to uh and very much up to a meet at some point very interesting topic okay yeah thank you thanks decaf uh interesting okay um is there anything more to say um not sure and also time is is of course running we still have well we still have 10 to 12 minutes i think are there any cultural factors that make this example unique
from nirvan a good question um when i've been doing passwords con i've done it norway in sweden i've done it in germany i've done in the uk and not in the us i've been doing talks in many other countries as well about passwords and so on and i've been getting increasingly more interesting in the should i say even psychological but that's these at least social and cultural differences that do exist um here in norway there is um there's sort of a saying not only in the security community but you know the norwegian population at large is that we tend to be naive we trust each other we trust the norwegian government we trust our prime minister we
you know we even we even trust uh the tax authorities uh you know the government does our taxes for us and they tell us whether we have to pay additional taxes or if we get some money back and almost all norwegians they would just receive the results from the government's tax office and they will just sign off yep that's fine uh they don't even check the numbers and if that makes us incredibly naive i you would probably say that yes that makes us very naive um but we are you know we we are a country where we trust each other and that is a good thing for us but we are also aware of the fact that they can
be abused which is something that we do see in some cases of cyber crime as an example and i do know from other countries where i've been that people they just looked at me and like you you norwegians you're you're freaking crazy you you i mean you got to be kidding me you trusted tax authorities and we do for this case uh it's a bit more interesting because i i did ask dmv and also other banks about these paper forms and they said that well yeah i i you know thank you for finding this and and um yeah it's you know we still have them because there are some people who needs them but we haven't really given
it a second thought for years and years and years because it's it's now close to 20 years since we started using bank id here in norway and it's 10 15 years ago since pretty much everyone used bank id so you know still doing stuff by paper form with banks is you know you don't do that in everyday life so it's it was basically like oh yes oh wow there's a paper form and you know we just completely forgot about that we haven't updated the technology in like a decade or more that was sort of the thing in this case
Yeah, Scoops: "I can imagine you would love to have the US government do your taxes for you." I can understand. "Well, not naive," that's Decaf, "just not beholden to those who make money off making us all fill out all our taxes ourselves in the US." Good point, good point. I have let the government do my taxes for many years, and I do check some of the key numbers. Well, the few times I have found a difference it is so small that it has nearly nothing to say on whether I have to pay additional taxes or I get any money back from the government because I paid too much taxes last year. So
I should say they do a very good job on this, and again, because everything is digital in these cases. Neon asks: "So this may sound like a silly question, but does Norway still have cash banks?" It's not a silly question, and the honest answer is: if you go to a bank in Norway today, they don't accept cash, and they don't have any cash in the bank, and they don't accept you even handing over cash and saying I want to put this into my bank account. For most banks you can't do that anymore. And to some extent, well, now we have the pandemic of course, and COVID-19 is still
a thing here in Norway as well, at least to a small extent, but if you go to any store in Norway today and you want to pay by cash, they will give you an eye, like: seriously, are you sure you don't have a card? Okay, well then. Because they are obliged to take it. It's still mandatory to accept cash, but most places will really, really, really try to not do it, and banks don't have cash, as I said. So this is sometimes a problem in Denmark too, where it's really difficult to find a physical bank that takes money. Well, it's fine, it's difficult to find a physical bank office that you are actually
allowed to go visit, because bank offices now are just administration offices; it's not a bank where they handle customers in their office anymore. And that even accelerated, of course, with the pandemic, but even before then, going to a bank office was like: why would I go to a bank office? What would possibly be the point of doing that? I don't have to, there's no need. So Decaf: "How long has BankID been in common use, and how long has Norway been on a digital-focused banking system, say 90 percent? For five years?" BankID is, I don't know, close to 15, 16, 17 years old
now, maybe, and I should know this because I work with BankID, but honestly I don't know the exact date. It's been around for a long time, and today you can essentially say that everyone aged 18 and older is using BankID, period. I mean, the percentage that's not using BankID is very, very small. Not only that, but one of the things, and this is not unique to Norway, this is much more common to find in Europe compared to the US, is that in Norway there's sort of a clearing central between the banks, so transferring money from one account
in one bank to another account in another bank in Norway is that easy. A few years ago it would be overnight, and it would be done electronically in all cases. That's been the thing since the dawn of time, as long as I can remember, because we have this clearing central between the banks. But the company that I work for now, Vipps, we have a payment solution named Vipps where the money is sent and received instantly within Norway, within anyone using Vipps, and almost all adult Norwegians, again, are using Vipps. So if I want to send money to a friend of mine, I would just use the Vipps app, and two seconds later
it says ping on my friend's phone, and my friend has the money in his account and can use it two seconds later. That is available for everyone, so it's pretty awesome in Norway.
Okay, more questions around?
I'm watching Decaf type now, I'm like seriously waiting, excited, come on, you can do it, type, type, type. And for those of you who haven't been to PasswordsCon before, kittens is a thing, and also puppies is a thing. If you go to the PasswordsCon site you can read a little bit more about the use of kittens and puppies, but it's basically sort of a symbol you use on the first or the second slide of your presentation, where you say that this is the background information that we sort of believe you already know, and the next slides are going to be that advanced. So that's why I have kittens: this talk is basic stuff, really,
at least I think so. And we have three more minutes of the live Q&A before I need to get off and leave the stage to the next speaker, the next one here on stream two. Okay, "very under pressure," Decaf, totally fine, I understand, been there, done that. Well, anyway, thank you once again for all of those asking questions here. I will of course stay online longer here in the channel and also the other channels as well, so feel free to reach out on the Ground1234! channel on Discord. You can find me on LinkedIn, you can find me on Twitter as Thorsheim, and so on. If you have any questions
or comments, or if you'd like to meet up sometime for coffee and not talk about anything that has to do with digital authentication, or even paper form authentication, please reach out, and I hope to see you in Las Vegas next year. Thank you. Cool Asset: "I love you too, man." [Laughter] Okay, I think that's about it, nothing more. Okay, Nein is typing.
[Laughter] Blushing. Okay, excellent, thank you all. Okay, yeah, Siri wants to help me with something. Okay, thank you all again, enjoy the rest of BSides. I'll stick around today and also tomorrow a bit, and I really, really hope to see you in Las Vegas next year. Take care everyone, have fun, and ta-da.