Your Bank's Digital Side Door

Video in TIB AV-Portal: Your Bank's Digital Side Door

Formal Metadata

Title
Your Bank's Digital Side Door
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
Why does my bank's website require my MFA token but Quicken sync does not? How is using Quicken or any personal financial software different from using my bank's website? How are they communicating with my bank? These questions ran through my head when balancing the family checkbook every month. Answering them led me to deeply explore the 20-year-old Open Financial Exchange (OFX) protocol and the over 3000 North American banks that support it. They led me to the over 30 different implementations running in the wild and to a broad and inviting attack surface presented by these banks' digital side doors. Now I'd like to guide you through how your Quicken, QuickBooks, Mint.com, or even GnuCash applications gather your checking account transactions, credit card purchases, stock portfolio, and tax documents. We'll watch them flow over the wire and learn about the jumble of software your bank's IT department deploys to provide them. We'll discuss how secure these systems that keep track of your money are, and we'll send a few simple packets at several banks and count the number of security WTFs along the way. Lastly, I'll demo and release a tool that fingerprints an OFX service, describes its capabilities, and assesses its security.
All right, so Stephen has been doing some research into banking. How many people out there use things like Quicken and things like that to fill out the spreadsheet for you? Yeah, okay, this is a security conference, so you all fail. You can turn in your mother's maiden name at the desk on your way out. That stuff's always kind of given me the creeps; that's why I use [redacted] and I fill everything in by hand, and Sue validates that decision. Let's give a big hand to Stephen.

Take a quick drink of Pepsi. So I want to say first off, this is my seventh DEF CON, my first time on stage. I am super excited to be giving back to this community finally and share some knowledge, what I've been working on for about six months all told. [Music]

So, hacking banks, because that's where the money is. What was my motivation? I think there's a lot of community overlap with me, with the tech geeks and finance geeks; a lot of people I work with are finance geeks as well. I like to hack things that I use, so I like to hack things in my own backyard. I want to make my life safer, and then, you know, improve the world around me through making my life safer. And I don't write banking software; I'm a pen tester by day, by job, so I'm just a guy with curl and Python and some curiosity, and I'll kind of walk you through how I went from zero through this talk in the last six months.

I sit at home, I'm using Quicken, I am security aware, I've got two-factor on all my accounts. I load up my bank account in Quicken; the password doesn't work with two-factor... well, surely typing the password without two factors, that's not gonna work. Nope, it does. So what's going on here? Just plaintext password? Is there a separate server? Is there a separate protocol? How is Quicken and other desktop software talking to my bank that's not just going through the web page?

So let's talk about Quicken. Quicken is one of what the financial industry calls a personal financial management software. You've probably seen these names; everyone, a lot of people raise their hand, Mint.com is very popular. PFM is the industry term; I'll start throwing that around. I have a bunch of bank accounts. Some people collect credit cards, sorry, I collect credit cards, some people collect, like, baseball cards, some people have way too many domain names; I have way too many bank accounts. They give you bonuses when you sign up, and I like understanding, like, from a practical, real sense how the financial system works. So I've got, let's say, less than a hundred, more than twenty bank accounts that I want to manage, and that becomes a pain. So I want some simple aggregator client that I don't have to write myself that'll just keep track of my transactions every month. I use Quicken personally; it's the devil I know. It's terrible, I love to hate it, I don't recommend it, I don't recommend any of these. I wish there was one I could recommend to you.

So let's start from the user's experience. This is the Quicken UI. On the left-hand side I've got your list of bank accounts; it also does loans and credit cards. On the right-hand side you've got a big transaction list: everything you bought, what you paid, when. Pretty standard for balancing your checkbook. So you first install a program like Quicken, and this is what happens: you have to enter in your account info. First you tell it what kind of account you have; it's quite a large selection of banking products that we all use. Then you pick your bank name and it does basically a name-to-URL lookup, a DNS-like lookup, that's called the branding service. Then you pick out how you want to connect. Usually there's just one way, sometimes there's multiple ways; we'll go into that. Then you type in your credentials into this totally-not-your-bank's-website form where you put your plaintext password. It somehow finds your accounts, you pick the one that you want to interact with in the app, and voilà, it starts downloading your transactions. That's what the user sees.

So what's going on in the background? There are three ways in which Quicken, and sort of other financial management software, talk to your bank. These are the Quicken brand names. One's called Web Connect. Web Connect is a fancy way of saying you go to your website, you type in your creds, you go download a file and you manually import it into the app. Web Connect, easier to say. Express Web Connect is Quicken has a bot that does that for you; it's all manual. Direct Connect is what we're going to talk about; it's a programmatic structured query language based on the OFX protocol that talks directly between your client and your bank. [Music]

So again, in picture form: you are the middleman on Web Connect, Intuit's servers are the middleman on Express Web Connect, and Direct Connect is you actually talking directly with your bank. It's the minimal amount of trust relationship. Financial institution here is also the industry term for bank or credit card or investment account or 401k; I'll start saying FI or financial institution from here on out, now that you're in with the banker lingo with me.

Another step here is account aggregators. These are important to understand. So every bank, if you have to actually connect and go download a file, well, they all do it a little differently, so someone realized that there was a business here: creating one unified API, their own proprietary API, and then screen scraping as a service to all these other banks. So there's a couple; these are the big names in account aggregation. Yodlee is the biggest; they've actually been around for like 20 years. They also clean and normalize the data, so, you know, the names of the companies that you bought stuff from and what type of purchase it is all gets canonicalized across multiple institutions. They provide a good service, and to the end-user application developer they provide a consistent API, so like if you want to write your own banking app you don't have to talk to thousands of different banks individually. But they also add yet another layer of trust. So now my plaintext password goes from my computer to the Personal Capital web application, the PFM, to Yodlee, and then to my financial institution, where they do some screen scraping or maybe make that direct connection to OFX for me. I have to trust that every one of these hops has my own financial best interest in mind, and that they are all competent enough to protect a secret. The first is easier to believe than the latter.
So hopefully you're seeing, as I did, that this whole architecture is lacking in least privilege. And this is like, these are our banks, this is our money. Why do I have to give full read/write access to third-party software to just, you know, balance my checkbook every month, and trust some, you know, latest financial app who's then giving my read/write password to a third party and then to another third party? What's definitely needed here is some kind of OAuth tokenized access control where I can say, hey Quicken, you can go to my Bank of America account if you only have read-only access and only for 30 days, and then talk to me after 30 days and I'll re-up your privileges. That's what we need. That is not what we have in 2018 in banking personal finance. So that's the end user perspective.

Let's get technical. I'm going to start at the specification level, walk you guys through how things could work, and then we'll talk about implementations and deployments and how things actually work. The OFX protocol is an open spec; there is a group of companies that build it. It's freely available for download and perusal and implementation; you can go grab this spec right now and read along with me if you'd like. [Music]

OFX is this proto web service. It was actually invented in 1997, so it's before we even had REST as a term, but it passes messages that are structured over HTTP: sends a request, gets back a response. It can do pretty much anything that a normal consumer would want to do with their bank: you can, you know, checking, savings account, your IRA, credit card transactions, you can do bill pay. Those first three on the left, they're kind of read-only operations; on the right, writable operations: wiring money to foreign banks, transferring between accounts at your bank, transferring to accounts at different banks. It's up to each financial institution to sort of decide how much of the spec and the protocol they implement, and no one really implements them all, as we'll see. It also does taxes; I didn't really research into that too much, but TurboTax, that I use and a lot of people use, also pulls a lot of data through this protocol. And then that's kind of the data path, and then there's sort of a config path within the protocol and other interesting side things. So initial enrollment and password change can be done through OFX messaging, from the bank to you notifications, from you to the bank, and lots of functionality that's sort of obviously there to help transition a small bank, a traditional bank, into the digital age. So you can download images and PDFs within the protocol, sort of meant as like a scan of your bank statement instead of sending it to you in the mail. You know, it's an obvious first step getting away from mailing you, but it's just scanning a PDF and sending you the exact same thing. This protocol is complex; it's got a 650-page specification and it's actively developed, growing, and with that complexity we all know comes insecurities.

I mentioned it goes over HTTP, so here we're gonna actually look at some captures of sorts. This is the standard HTTP header: you're doing a POST request to a well-known URL. [Music] Request, response. As I said, that URL is almost always just some kind of base path and then server handler. You remember CGI? It was definitely based off that. There's a unique content type, application/x-ofx, and some servers, not all servers, do user agent filtering, so I'm using the Intuit client app user agent here in these examples. So, the same slide, I just dropped those HTTP headers to make the text a little bigger, when we can look at the real protocol. It's got a header that mostly remains static; it tells us the version number, which is the most interesting part. And then the body; it looks like HTML, right? We've got elements and tags nested within each other, we got span elements, we got block-level elements. It's actually SGML, which if you've never heard of, neither had I; it was invented after HTML but before XML, so they were like, you know, a little bit of rigidity so that you can parse it well, but not a lot, still some wiggle room. You can tell it's SGML because there's no closing tags on the span elements; those become required in XML. It's hard to get an SGML parser today; Python deprecated it in 2.6, which was years and years ago, so that's an interesting note. And you'll notice plaintext user ID. It's basically HTTP basic auth: every one of your requests sends your username and password, plaintext, in every request, all over TLS. So it's not sniffable, TLS is required, but no challenge-response, no session token. There is a session token mechanism of sorts; I have not seen it used. And there's this financial ID that's sort of optional; sometimes you need to specify the numeric value for the bank, sometimes you don't. And on the response there's a status code inside every block saying success or a unique error message. So pretty easy to parse, very human readable, and all outlined in a decently written spec.

So, typical protocol flow. We saw this in the GUI; this is the same thing over the wire. The client makes a profile request, which can be made anonymously, gets a bunch of capabilities from the server: hey, do you support banking, do you support investments? Then it sends an account info request, getting the list of accounts; that one has to be authenticated so it can look up your accounts. Then it sends a statement request, getting all of your transactions. Here's an example, the profile request. That last one we looked at was just the simplest authentication; now we actually are asking for some data back in the body. This profile request: anonymous sign-on, PROFRQ. You don't really have to pass any data at all, and you get back a lot. You get back a lot of interesting info from a server sitting on the internet that anyone can query with anonymous credentials about what it supports. This example, we've got the bank message set; it's telling me checking accounts and savings accounts likely are available. This XFERPROF tells me that I can do money transfers to different accounts, that's interbank money transfers. And then also in the profile is information about the bank. 1997, most banks didn't have websites yet, so this was sort of seen as the way you were going to talk to your bank, and they might not have a website, so the physical address of the bank and email so you can talk to someone at the bank, that all comes back with this profile request.

So, a timeline. 1997: Microsoft, who was making Microsoft Money, Intuit, who's making Quicken, and CheckFree, who since got bought out and is not a common name, all collaborated to make this protocol. They each had their own proprietary protocol which your client had to use to talk to the bank; presumably it was hard getting a bank to implement even one, so they merged together and put their combined weight to get the banks to actually run one of these OFX servers. 2005: the FDIC sees a lot of banks are going online and says, OK, we should make sure the security here is up to snuff. So the FDIC, the US Federal Deposit Insurance Corporation, you know, who has to pay out when banks lose money, says OK, guidance: all banks should, not must, but strongly should use multi-factor authentication for any of their online access. So in response to that a new version of the spec comes out, 2006, called 1.0.3, with MFA, which we'll go into; they transition it to XML. 2007: brand-new beautiful spec with OAuth came out in November; it's 8 months old, no one has implemented it, that is not in the wild yet, I'm hopeful. And you might notice there's a big gap here in 2006 and 2017. Pure speculation, but 2009, Microsoft decides that Microsoft Money, their premier personal financial management software, it's not worth it; they drop it, the team stops developing it, and two things happen. Intuit, now sort of being the only player in town, gets lazy and starts charging people a hundred dollars a year for the exact same version of Quicken: 2010, 2011, 2012, no software improvements whatsoever, because they have no competition and they don't need to try. But on the good side, there's this whole community effort, because people loved Microsoft Money, and so a lot of geeks started, like, posting on forums and putting up web pages and finding out about OFX and writing clients. And that's what all my work is built on: these guys in sort of 2009 through 2011 who wanted to replace Microsoft Money with a bunch of Python scripts and Excel spreadsheets. [Music]
so let's talk about MF a quick refresher that most everyone knows in this room multi-factor authentication something you know something you have and or something you are the point is to remove the brute force password attack or theft of your password as valid attacks against against your account things that individuals are quite susceptible to banks have been doing two-factor authentication for 50 years with your ATM card you have your card you have your PIN number something you have something you know they're good at this
[Music] In addition to multi-factor, the security community has finally settled on the name "2-step authentication": better than one factor but not as good as multi-factor. We see this a lot in banks; we still see it with Twitter, getting an SMS code instead of something you physically have, some side-band channel of information. Again, better than one factor but not as good as two. So, 2006: MFA is "should", not "must", by FDIC. What does the protocol do? The protocol implementers have four different solutions in the specification. One is this user cred, one is this MFA challenge; they're both basically asking questions about your mother's maiden name that you all know and love. In fact the second one is hard-coded in the spec: these are the questions that you will ask as a server to the client. We all realize these are both something you know; these are things that are somewhat obvious or easily available to learn about a person, and I have the cheat sheet before the test, right? OK, I need to find out these 20 things about this person and then I can definitely log into their account. You know, there's zip code. The other two forms are a little better: client UID and auth token. I'll start on the right. Auth token is a server-generated sort of GUID that it sends to the client, and the client has to send it back every time. It's sort of key-value-ish; it could be used to hold TOTP, one-time password codes, but they don't do that, nobody uses it. Client UID is what everyone has sort of standardized on as the second factor. It is a client-generated GUID: the client sends it the first time, the server records it, and every time henceforth the client has to send that same UID, otherwise the server will stop trusting them. So it's TOFU, trust on first use. But actually people have more than one computer, and this is recognized in the spec and in the implementation guidelines: people will have a desktop and a laptop,
people have phones. So it's actually trust on first four uses sometimes too. But yeah, so if you've never seen this client and they make up an ID, well, as long as you don't have more than like one or two already stored, sure, they're also the same person. And that is the state of the art in multi-factor authentication within the protocol that passes your money. But I have good news, because that's in version 103 and no one's
running 103; they're running 102. 80% of the implementations in the wild are running the version that was written in 1997, 20% are running the version that in theory can support multi-factor, and no one is running the OAuth version. Good news. So let's talk
about the financial institutions, these banks we love. We all know these big
names; most of us, I thought, have an account somewhere here. These are from like the top 20 by assets of US banks: Citigroup, JP Morgan, Wells Fargo, American Express for credit cards. OFX is used by these guys. OFX is also used by
YOLO, You Only Live Once, Federal Credit Union. This is me participating in bank branch tourism: I flew to California and then drove two hours to get this photo for you. I have a lot of bank accounts.
I know that's not enough. Why don't you guys start a bank? Jack Henry will help you. Are you ready to start a bank? We have tips and advice. Jack Henry's one of the major software providers of OFX: the more banks there are, the more money they make, the more software they sell. Start a bank. Say, if anyone wants to start a bank with me after this, we'll see if we can hack it out tonight. So I learned there are a lot of banks,
like a lot. US and Canada; other countries are much more restrictive, but they are there. According to Intuit there are fifteen thousand FIs, financial institutions. According to the OFX consortium, seven thousand banks at one time have deployed an OFX server. My personal scanning shows about two thousand unique institutions on the internet right now; that compresses down to four hundred unique servers, because there's actually a lot of service providers, sort of like web hosting, OFX hosting companies in this space. But there are a lot of banks in the US and Canada. Many of these are the same company: when you have a Target-branded credit card, that's an FI; when you have, you know, the Quiznos-branded credit card, that's considered a financial institution. So it's not purely separate business entities. There is some indication that the difference between the 7000 number and the two thousand number is a decrease in popularity of people running OFX servers, which is sad but also good, because it's insecure. As a quick aside, I got banned for life from Capital One. [Applause] It's another story for another time, but I was doing these large cash transactions; there was some Bitcoin. In retrospect maybe it looked like money laundering or very successful drug dealing; totally legit though. I tried opening an account; it's been five years, I'm still banned for life. And I was a little worried, like, oh my god, I don't have a bank account, and had I known there's these four thousand nine hundred ninety-nine other people who are willing to take my money... So don't worry about getting banned from your bank. So let's go into my
investigation. Now we're gonna go into implementation and deployment. I [Music]
wanted to do a survey. I love Shodan; I love just surveying the Internet. I want to find out how big is the problem, how big is the problem space. I want to ask these two questions: what financial institutions are even running these servers, and what software are they running? Two simple questions to ask. Here's the point where I say my research was only reconnaissance. I am sending packets at live production Fortune 500 company systems; I do not want to even accidentally take one down or gain unauthorized access. So I did very simple recon, like enumerating the hosts and sending GET requests. Enumerating the hosts, that's the tricky part up front, but this is great: the OFX community has sort of kept a database of these servers for several years. ofxhome.org is the best one; they've got a great website. This is where you can find out how to talk to your bank directly. GnuCash keeps stuff too; you Google and you'll find them, but ofxhome is the best. Commercial clients, Quicken, have what they call the branding service: you put in a name and it sends it off to their server and sends you back a URL for that bank name. And the URL looks like that up at the top: usually a subdomain, then some subdirectory in the path, and then some server handler. Interestingly, this is hard to mass-scan, and it's hard to script this, because you're not looking for a port, you're looking for a web service at a path, and that path can be anything. So I haven't come up with a good way of sort of finding these out of the ether; you sort of have to know they already exist, or call the bank and ask them. So after I enumerated a large number of hosts, we just do a proof of life: just make a TLS connection and see if that thing's even alive. A lot of the data is stale, it's from 2011, so it's kind of an archaeology adventure, talking to servers set up five, ten years ago.
What I find from a TLS connection: stale DNS. Two hundred and thirty-two are still listed in DNS but the IP doesn't accept a TCP connection. Not a big deal, no exploit, but it's sort of hinting at neglect, hinting at, OK, so someone didn't clean out their DNS; how long is that going to live there? Fifteen will accept the TLS connection but tell you that their cert is bad and expired for years. So we got fifteen hosts that have, assumedly, my data still on them, but that no one's looking at; no one is maintaining these servers. Bigger red flag. I've connected; let's send GET / and see what we get, like web server profiling 101. I get a lot of banners. Sure, OK, so not the best configuration, didn't turn off that you're using IIS. Start
getting OFX banners. Yes, this is handy: this is the OFX server version, thanks, build number, version number, the date it was at least the time it was built. Very useful for me to start planning my attack. More of the same. Anybody notice something weird about that build date? 2007. OK, their
web servers. Let's talk to the OFX servers. What's the simplest possible valid protocol message that I can send? An empty tag, an empty base tag. Let's start sending that. Error: java.lang.NullPointerException. OK, parser error, not handling, not getting the elements that you think are always there; that's worth looking into. This is like a three-fer: the header starts, but then it stops writing the header, and then the message has two spaces because I didn't send a financial ID, so it's doing some sort of printf string replacement of data that I sent in and it's going to reflect it back to me. This database error: a quick Google search tells you it's an IBM DB2 database that returns that error, straight from the database into the application server back to the client, no scrubbing. Woo, stack trace! This is what I
was looking for. [Applause] Getting warmer: a stack trace with a fully qualified path on the local system to where the code is and what line of the code failed. Yes, that was, I mean, I sent nothing; I sent a header and eight characters. So let's switch. Now I want real data; I don't want to cause errors, I want it to just give me a profile, just tell me about yourself, like the first question on a first date. Send the profile request, first part of every transaction that Quicken is going to do. And here's that session token of sorts that I talked about. I'm signing in as anonymous, so it shouldn't have given me a session token, but it did, and then it's a year long. So this server gives out year-long session tokens; if I ever steal one then I can read your account, password-equivalent for a year. The profile response thankfully tells me all about the password policy of that server, because I have to send passwords, so the client has to know how to validate. This one: minimum four characters, maximum four characters, not case-sensitive, no special characters allowed, no spaces. I'll do the math for you: it's about a million and a half total combinations. If you could check 10 a second online, it would take you about two days to brute-force the entire key space that is possible for all usernames at this bank. Thankfully I don't remember what bank that is, so I can't tell you. I was
just asking for anonymous information. Third and last sort of query I did was: give me an account list for the anonymous user, which is specified in the spec; you can send this anonymous user, this well-known string. I should definitely get an error, right? I should get either another thing, you know, authentication failed, or no accounts found. Simple, easy-to-program-to error cases. Here is what that request looks
like. This is the entire request, very small, just asking for account info. And here is the error message, or error messages: the same request sent to about 2,000 different servers; this is a subset of the error messages I got back. How many different implementations are running out there, how many different configurations? "Signon invalid", "unsupported operation for anonymous", "general error", "user ID password combination incorrect"; how many ways of saying I failed login? So let's talk about the
financial vendors. Who's building this software and how many implementations are there? This is a great little chart, not mine; it's from one of the financial software vendors, explaining bank software. Three parts you need to know. On the left you have what they call the core; the core is a database and batch processing, it makes sure the bank knows how much money it has at the end of every day. In the middle is middleware; that's every bank service, customer-facing service that you're familiar with: bill pay and remote deposit and dealing with your ATM. And then user experience, mobile, web, on the right. Three pieces. Every square on this diagram can be provided by a single vendor or the same vendor; in the financial software world, imagine the combinations of complexity within the bank IT system when, and this definitely happens, every one of these squares is a different vendor. These are not shrink-
wrap boxes or apt-get install or, you know, app stores. These are high-touch, call to talk to sales, negotiated deals for online banking solutions. A lot of these servers don't even have names; they're just the solution provided by the company, and OFX is one very small part of this ecosystem. Often a deployment like this involves custom development per bank, not custom deployment, custom development, like code written just for bank A and then different code written just for bank B, because, you know, abstraction doesn't exist. I mean, it's vendor lock-in, obviously; it's a way for the vendor to assure they'll get their renewal on the next contract.
Here's a list from Intuit on the vendors that support OFX. This is their official list; I found nine more not on this list, assumingly they're no longer preferred partners or some such. So we've got 30-plus different vendors of this singular protocol. [Music]
These are the big guys. I didn't have enough data, unfortunately, to give you who's the biggest, an apples-to-apples comparison, just a couple names. FIS and Fiserv, they're multi-billion dollar companies, the Microsofts and the Googles of banking software. And Enterprise Engineering and Q2, they're the up-and-comers; they've established themselves, I'm seeing a lot more servers advertising themselves as these two companies. It's a little small, but the Enterprise Engineering logo says "the name to trust for financial data solutions". I don't want to make fun of them, but it's on
their website, which is not over HTTPS, and they forgot to pay their Google platform API bill. You can go there right now; it still looks like this. We all have bad IT days; the people who build a website are not the people who build the OFX software, I know, but if you put "the trusted name in financial software" on every web page you should not have "this page can't load Google Maps correctly" also there. And then there's the hosting
providers, who play a big role. So 2/3 of these FIs are behind hosting providers. Now, just like everyone's going to the Amazon cloud and Azure, everyone's going to hosting providers, but for a good reason, right? They can do a better job at security than your ma-and-pa credit union in your town of 4,000 people. Their security is better; not good, but better than the self-hosted ones. I don't fully understand all the back-end details behind the OFX server because I'm just poking it from the front, but a lot of these are batch jobs. So your OFX server sits in some data center and it pulls and gets you transactions every 24 hours. That's why, if you're actually using Quicken or something, you often don't see your credit card transactions ASAP; there's batch processing in the backend. A bunch of different stacks, of course,
across 35 development vendors. This is mainly just server headers. There's a lot of IIS, but there's plenty of Apache; there's a whole long tail. Several of these are custom HTTP servers written by the OFX provider. And there's a ton
of acquisition. Banks love M&A, like divestiture and acquisition; these are compilers and debuggers to banks, they just do this every day over and over again: spin this company out, buy the company back. We do this in tech too; it's not a bad thing. But if you've been through an acquisition you know, sometimes the new company totally forgets about the tool you wrote and it just atrophies. So there's a ton of that in this industry. This is from FIS: these names up here had first-party OFX servers, and then they got acquired, and then things went downhill. The
vulnerabilities. Some quick math; this is not like a PhD-level algorithm that I applied, but across this much complexity I'm pretty sure there's a lot of vulnerabilities. And I mean, as you saw, none of these are 0-days, and these aren't "I got your money", but from sending a GET request there shouldn't be this much smoke; there shouldn't be this much bad from the level of effort that I put in with a web browser and curl. On the left
that's a list of stuff we already talked about; on the right are things that I have time to talk about. I have a bank that still uses my social security number as the username for OFX, not for the website but for the OFX protocol; I gotta use my social security number. I found some unregistered URLs; you can, you know, you want to start a bank... and reflected cross-site scripting. I know it's not HTML, and yet I got an XSS attack here. [Music]
OK, let's play along at home. So
everything I did I hacked together in Python, but I wanted to give it to you guys so that you could try it: to professional pen testers, for financial institutions, for people writing the software. Let's build a tool, let's make this better. It's not actually on GitHub; it'll be there in a couple of days, but it is real and it exists, and I'll show it to you now. [Music]
CLI tool that's going to go through and sort of do what I showed you. It takes a couple arguments: the URL of the server you want to talk to, and optionally the financial ID if you know it; it's not always required. You get this all from ofxhome.org; you can find your bank and run it against it right now. It sends some queries, does some analysis. Scroll back up and we
sent that GET to /, we sent the POST
to the OFX path, we sent the empty OFX payload. We store those all locally and then we just scan through them. From that profile data we're going to get the financial institution, make sure that's the real one you want to talk to, their address, their info. We're going to get that OFX sort of header version information: running 102. This is a
service provider, land extra. We're going to get the capabilities, sort of in this
markdown format: it's a banking server, they do support transfers. Fingerprint: it's running Apache Tomcat, couldn't figure out the web framework. Software fingerprint: Finastra is the company that built the software, it's called Cavion; figured that all out from what they told me, couldn't get the version number. And then a couple simple tests: I fail MFA
immediately because they're running 102, and their password policy is also not very good. So, Sunday maybe it should be up, if not Monday; you can check my Twitter and I'll post as soon as it's up and available; you can download it and you can run it. OFX is
your bank's digital side door. It's not a back door, that's hidden and secret. On the front door, that's the web app and that's the mobile app; it's the front door but with less care and less security and less attention; it's the side door. We all know that attackers are gonna go for the weakest door into your finances. It's a sad story. I don't want
to be a downer, but neglect is the word that kept jumping into my mind. It's a lack of investment. I've talked to bankers, I've talked to bank IT guys; they literally say, we pay the system integrator, they install everything, five months later I call them again, they give us the upgrade. That's the state of a lot of IT in 2018 at your local financial institution. It's an even sadder story for the consumer, because this was 1997: we had an open protocol with programmatic access to our finances, no vendor lock-in, no loss of privacy, just you and your bank, and it didn't go anywhere, it didn't take off like it should have. How much better could our banking experience be today if Microsoft hadn't stopped competing? [Music] I wish my bank would have started when it was younger, but it's never too late
to plan for retirement. When you set up a server, have a plan: know how you're gonna take it down. When you deploy a TLS certificate, make a Google Calendar message for when you have to update it. Monitor your finances, monitor your network, know what you're running, know every service you're running, not just the front door. This is only recon: one protocol, one endpoint in a rat's nest of bank middleware. I had fun. I'm going to keep building off of this, I'm going to keep building out that tool; if anyone wants to help, PRs are welcome. If anyone's from a bank and wants to tell me more good stories, I would love to talk to you, all of you. Please take the research, build off of it, and help make our personal finances more secure. Thank you. [Applause]
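The profile-response checks the talk walks through (the password policy's key space and the "about two days at 10 guesses a second" math, plus the fact that the CLIENTUID/AUTHTOKEN second factor only exists from OFX 1.0.3) as an added Python example; this is not the speaker's tool or any bank's real output. The SIGNONINFO fragment is constructed, the tag names follow the OFX 1.x profile message, and the 32-character count for special characters is an assumption.

```python
import re

# Constructed OFX 1.x profile fragment (SGML flavour: a leaf tag's value runs to the
# end of the line and has no closing tag). The policy mirrors the one in the talk:
# four characters, case-insensitive, no specials, no spaces. Not real bank output.
SAMPLE_PROFILE = """OFXHEADER:100
DATA:OFXSGML
VERSION:102

<OFX>
<SIGNONINFO>
<SIGNONREALM>DefaultRealm
<MIN>4
<MAX>4
<CHARTYPE>ALPHAORNUMERIC
<CASESEN>N
<SPECIAL>N
<SPACES>N
</SIGNONINFO>
</OFX>"""

HEADER = re.compile(r"^([A-Z]+):(\S+)$", re.MULTILINE)   # OFX 1.x "KEY:value" header lines
LEAF = re.compile(r"<([A-Z0-9.]+)>([^<\r\n]+)")          # <TAG>value with no closing tag

def parse_profile(text):
    """Split an OFX 1.x response into header fields and leaf-element values."""
    header = dict(HEADER.findall(text))
    fields = {tag: val.strip() for tag, val in LEAF.findall(text)}
    return header, fields

def alphabet_size(fields):
    """Characters a password may draw from, per the SIGNONINFO policy flags."""
    letters = 52 if fields.get("CASESEN", "N") == "Y" else 26
    chartype = fields.get("CHARTYPE", "ALPHAORNUMERIC")
    size = {"ALPHAONLY": letters, "NUMERICONLY": 10}.get(chartype, letters + 10)
    if fields.get("SPECIAL", "N") == "Y":
        size += 32   # assumption: the printable ASCII punctuation characters
    if fields.get("SPACES", "N") == "Y":
        size += 1
    return size

def password_keyspace(fields):
    """Upper bound on distinct passwords the policy admits, summed over allowed lengths."""
    lo, hi = int(fields.get("MIN", 1)), int(fields.get("MAX", 32))
    n = alphabet_size(fields)
    return sum(n ** length for length in range(lo, hi + 1))

def days_to_exhaust(keyspace, guesses_per_second=10):
    """Days an unthrottled online guesser at the given rate needs to try every password."""
    return keyspace / guesses_per_second / 86400

def assess(text, weak_below=10 ** 9):
    """Findings a defender would raise about a bank's OFX profile, as a list of strings."""
    header, fields = parse_profile(text)
    findings = []
    if int(header.get("VERSION", "0")) < 103:
        findings.append("no CLIENTUID/AUTHTOKEN second factor: profile is OFX < 1.0.3")
    if fields.get("CASESEN", "N") != "Y":
        findings.append("passwords are case-insensitive")
    space = password_keyspace(fields)
    if space < weak_below:
        findings.append(f"password key space {space:,} exhaustible in "
                        f"{days_to_exhaust(space):.1f} days at 10 guesses/s")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_PROFILE):
        print("-", finding)
```

Point `assess` at a saved profile response from your own institution to see what its password policy and protocol version admit; the parser only understands the 1.x SGML header, not the XML-style 2.x header.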