Full Disclosure mailing list archives

Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 24 Nov 2009 13:57:22 +0100


Thank you for the information.

MITM is used rather vaguely in this paper. Are the proposed
techniques working in an MITM situation - where an attacker is in the
middle of a network stream? Say on a network over ARP cache poisoning?

The paper afaik applies to systems that are already compromised
by an attacker, i.e. where malware has been installed.

If this is the case what rights (Account acl) does the malware require
in order to perform the mentioned attacks?

This brings me to an interesting more general discussion:
can one define malware infected workstations and the attacks they
perform locally as MITM? Technically they inject themselves between
the client and the server, however they need to be installed prior to
being able to do so. Furthermore they have access to a lot more
information and possibilities than an attacker that is, say, in the
middle of a network connection.

For the sake of allowing proper risk assessment by technically less
trained persons - one should coin a better term than classical MITM -
but maybe I am mistaken? What about MITMa (man in the machine)?

All: What's your opinion?

#1 and #2


RPG> Abstract
RPG> ========
RPG> ChipTAN comfort is a new system which is supposed to securely authorise online
RPG> banking transactions by means of a trusted device. It is assumed that chipTAN
RPG> comfort specifically protects against man-in-the-middle attacks. Such attacks are
RPG> currently putting bank customers who are using the iTAN system at risk. RedTeam
RPG> Pentesting examined chipTAN comfort and showed that even when using this system,
RPG> man-in-the-middle attacks can compromise online banking security.

RPG> The full paper is available in German and English at

RPG> http://www.redteam-pentesting.de/publications/MitM-chipTAN-comfort

Thierry Zoller

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
