Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 24 Nov 2009 13:57:22 +0100
Thank you for the information.
MITM is used rather vaguely in this paper. Are the proposed
techniques working in an MITM situation - where an attacker is in the
middle of a network stream? Say on a network over ARP cache poisoning?
The paper afaik applies to systems that are already compromised
by an attacker, i.e. where malware has been installed.
If this is the case, what rights (account ACL) does the malware require
in order to perform the mentioned attacks?
This brings me to an interesting, more general discussion:
can one define malware-infected workstations and the attacks they
perform locally as MITM? Technically they inject themselves between
the client and the server, however they need to be installed prior to
being able to do so. Furthermore they have access to a lot more
information and possibilities than an attacker that is, say, in the
middle of a network connection.
For the sake of allowing proper risk assessment by technically less
trained persons - one should coin a better term than classical MITM -
but maybe I am mistaken? What about MITMa (man in the machine)?
All: What's your opinion?
#1 and #2
RPG> ChipTAN comfort is a new system which is supposed to securely authorise online
RPG> banking transactions by means of a trusted device. It is assumed that chipTAN
RPG> comfort specifically protects against man-in-the-middle attacks. Such attacks are
RPG> currently putting bank customers who are using the iTAN system at risk. RedTeam
RPG> Pentesting examined chipTAN comfort and showed that even when using this system,
RPG> man-in-the-middle attacks can compromise online banking security.
RPG> The full paper is available in German and English at
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/