Get Rich - The Illegal Way

This is a guide to how one could easily make dirty money (and probably get caught by the police) by exploiting security vulnerabilities in e-banking systems.

First of all, this is for educational purposes only: I do not encourage anyone to try this at home (or anywhere else :P). Feedback is most welcome. I’ll be focusing on MBNet, a Portuguese system with 200 thousand users (about 2% of the Portuguese population) that handles over 1,700,000€ per month - a small share of global Web commerce, but still significant.

The concept behind MBNet is simple: because of the large (and growing!) number of stolen credit cards circulating on the Internet, SIBS - the company behind the Multibanco ATM network in Portugal - came up with the sensible idea of issuing temporary, throw-away virtual credit cards for Internet shopping. The MBNet system provides the following features:

  • Create as many VISA-like virtual credit cards as you wish: each is a 16-digit number that passes the Luhn check, with an expiration date and a CVV2.
  • For each virtual card a maximum amount must be set. A payment for more than that amount is declined.
  • Once a virtual card has been used it is destroyed and cannot be used again.

So far so good, but let’s look more closely at how someone registers for an MBNet account:

  1. A person (let’s call him Pedro Costa Sarmento) goes to the ATM and inserts his credit or debit card.
  2. Pedro picks the MBNet option and enters a 6-digit number - that is going to be his MBNet password.
  3. His MBNet username is an eight-character alphanumeric string. The first six characters are always the first 3 letters of his first name followed by the first 3 letters of his last name, all in uppercase. (Note that this is the name printed on the card, which is not necessarily the person’s full name.)
  4. The last two characters are digits: a counter of how many MBNet usernames already share the same first six characters.
  5. In this example Pedro would get PEDSAR01 as his username, together with the 6-digit password he chose.

[Image: BES debit card]

I’ll now explain what’s wrong with this system and how one could take advantage of it.

With the help of a list of common Portuguese first and last names it’s fairly easy to build a list of likely MBNet usernames, where the 01 suffix is very likely to be taken. A quick search returned this Wikipedia entry of common Portuguese first names, but I know for a fact that a more exhaustive search turns up far better, frequency-ordered lists (for both first and last names). With only 100 common first names and 100 common last names you get 10,000 six-letter prefixes, and appending the suffixes 01 to 10 gives about 100,000 candidate usernames (the lower suffixes being the most likely to exist). Since the username is derived from the name printed on the card, it is effectively public, and the only real secret is the six-digit password.

On to the password: it can and must contain exactly 6 digits, from 000000 to 999999, which gives exactly 1,000,000 possible combinations. Testing all of them by brute force (with Hydra or some other tool, or with your own code) is easy; against a web login one could comfortably try more than 10 passwords per second. A little arithmetic gives:

1,000,000 passwords / 10 passwords per second / 60 seconds / 60 minutes = 27.78 hours

That’s the maximum time it should take to crack one MBNet account and issue as many virtual cards as you want; on average a sequential sweep finds the password half-way through, in about 14 hours. It gets worse: most people pick a password tied to a memorable date (a birthday, a wedding, and so on), and most of those dates start with 19xx, so ordering the guesses to try those first brings the average cracking time down to roughly a tenth, about 3 hours per account.
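Putting the registration scheme and the arithmetic above into code, as an added example written for this page (it is not code from the original post, nor anything from SIBS or MBNet): it derives PEDSAR01-style usernames from a small constructed list of names, sizes the PIN space, and compares a plain sequential sweep with one that tries the 19xxxx PINs first. The name lists are made-up samples, the accent stripping is my assumption (the post only says the letters are uppercase), and the 80% share of date-like PINs is an assumption chosen because it reproduces the post’s "about a tenth" estimate.

```python
"""Username enumeration and PIN-search arithmetic for the scheme described
above. Added example for this page; not code from the original post, SIBS or
MBNet. Name lists are constructed samples, accent stripping is an assumption,
and 10 guesses/second is the rate the post assumes."""
import itertools
import unicodedata

# Constructed sample lists (not real frequency data).
FIRST_NAMES = ["Pedro", "João", "Maria", "Ana", "José", "António", "Manuel", "Rui"]
LAST_NAMES = ["Silva", "Santos", "Ferreira", "Pereira", "Oliveira", "Costa",
              "Sarmento", "Rodrigues"]

PIN_SPACE = 10 ** 6          # six decimal digits, 000000..999999
GUESSES_PER_SECOND = 10      # rate assumed in the post


def name_prefix(name: str) -> str:
    """First three letters of a name, uppercased, accents removed ('João' -> 'JOA').
    The post only says 'uppercase'; dropping accents is an assumption."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return plain.upper()[:3]


def mbnet_username(first: str, last: str, ordinal: int = 1) -> str:
    """PEDSAR01-style username: 3 letters of first name, 3 of last, 2-digit counter."""
    if not 1 <= ordinal <= 99:
        raise ValueError("ordinal must be a two-digit counter")
    return f"{name_prefix(first)}{name_prefix(last)}{ordinal:02d}"


def username_from_full_name(full_name: str, ordinal: int = 1) -> str:
    """Derive the username from a name as printed on the card: first and last word."""
    parts = full_name.split()
    return mbnet_username(parts[0], parts[-1], ordinal)


def candidate_usernames(first_names, last_names, ordinals=(1,)):
    """Every first/last prefix pair times every ordinal; duplicate prefixes collapse."""
    seen, out = set(), []
    for first, last in itertools.product(first_names, last_names):
        for ordinal in ordinals:
            user = mbnet_username(first, last, ordinal)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


def brute_force_hours(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to sweep a whole keyspace at a fixed guess rate."""
    return keyspace / rate / 3600


def search_order():
    """Yield every six-digit PIN, the 10,000 date-like '19xxxx' values first and
    the rest in numeric order: the prioritised sweep the post alludes to."""
    for tail in range(10_000):
        yield f"19{tail:04d}"
    for n in range(PIN_SPACE):
        pin = f"{n:06d}"
        if not pin.startswith("19"):
            yield pin


def expected_attempts(space: int, priority_size: int, p_priority: float) -> float:
    """Mean number of guesses when `priority_size` candidates are tried first and
    the true PIN lies among them with probability `p_priority`, otherwise
    uniformly in the remainder (mean position of a uniform pick is (n + 1) / 2)."""
    hit_in_priority = (priority_size + 1) / 2
    hit_in_rest = priority_size + (space - priority_size + 1) / 2
    return p_priority * hit_in_priority + (1 - p_priority) * hit_in_rest


if __name__ == "__main__":
    users = candidate_usernames(FIRST_NAMES, LAST_NAMES, ordinals=range(1, 4))
    print(len(users), "candidate usernames, e.g.", users[:3])
    print(f"full sequential sweep: {brute_force_hours(PIN_SPACE):.2f} h worst case")
    # Assumption: 80% of users pick a 19xxxx PIN; this reproduces the post's
    # "about a tenth" figure.
    mean = expected_attempts(PIN_SPACE, 10_000, 0.8)
    print(f"19xxxx-first sweep: {mean:.0f} guesses on average, "
          f"{mean / GUESSES_PER_SECOND / 3600:.1f} h")
```

Nothing here talks to a network; the point is the arithmetic, not a login tool. `expected_attempts` is the general form of the "try the likely ones first" shortcut, so you can plug in any other prioritised set (for example all DDMMYY-shaped values) and your own estimate of how many users pick from it.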

What can be done to solve this (in-)security problem?

  1. Limit the number of login attempts per IP address - this can be bypassed with proxies (or any pool of addresses), but it at least slows the attack down.
  2. Limit the number of login attempts per username - a slightly smarter script rotates through a set of probable usernames, so that each username’s lockout has expired by the time it comes round again and no attempt is wasted. (Spreading a low rate of guesses over many known usernames is what is now called password spraying.) A per-username limit still caps how fast any single account can be attacked, so it does help; what it cannot do is stop an attacker who is content to work through thousands of predictable usernames at once, which is why the counter should not simply reset with time and the account holder should be told about the lockout.
  3. Make the password longer and check its strength - an 8-digit password has 100,000,000 combinations and would take almost 4 months to sweep at the same rate, and rejecting obvious date-like values removes the shortcut described above.
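To make the three mitigations concrete, here is an added simulation written for this page (not SIBS or MBNet code): a sliding-window lockout that can be keyed by IP (mitigation 1) or by username (mitigation 2), a cumulative per-account budget that never resets on its own, and the probability that a low-and-slow spray across many predictable usernames still opens an account. The 5-failures-per-15-minutes policy, the 10 guesses/s attacker whose every guess is wrong, the 100,000-account population and the constructed USERnnnn names are all assumptions.

```python
"""Lockout policies from the mitigations above, simulated against a guessing
attacker. Added example for this page; not SIBS/MBNet code. The 5-failure /
15-minute policy, the 10 guesses/s attacker (every guess wrong) and the
constructed USERnnnn names are assumptions. Time is in integer milliseconds
so window boundaries are exact."""
import math


class SlidingWindowLockout:
    """Reject an attempt once `max_failures` failures for the same key fall inside
    the last `window_ms`. Key by client IP for mitigation 1, by username for 2."""

    def __init__(self, max_failures: int, window_ms: int):
        self.max_failures = max_failures
        self.window_ms = window_ms
        self._failures = {}  # key -> timestamps (ms) of failures still in the window

    def allow(self, key: str, now_ms: int) -> bool:
        recent = [t for t in self._failures.get(key, []) if now_ms - t < self.window_ms]
        allowed = len(recent) < self.max_failures
        if allowed:
            recent.append(now_ms)  # the guess is wrong, so it counts as a failure
        self._failures[key] = recent
        return allowed


class AccountBudgetLockout:
    """Count failures per account with no time-based reset (the owner would have to
    clear it, e.g. at the ATM). Rotating usernames buys the attacker nothing here."""

    def __init__(self, budget: int):
        self.budget = budget
        self._failures = {}  # key -> total failures so far

    def allow(self, key: str, now_ms: int) -> bool:
        used = self._failures.get(key, 0)
        if used >= self.budget:
            return False
        self._failures[key] = used + 1
        return True


def guesses_accepted(policy, usernames, rate_per_s: int, duration_s: int) -> int:
    """Attacker sends `rate_per_s` guesses per second for `duration_s`, cycling
    through `usernames` in order. Returns how many guesses reached the password check."""
    accepted = 0
    for i in range(rate_per_s * duration_s):
        now_ms = i * 1000 // rate_per_s
        if policy.allow(usernames[i % len(usernames)], now_ms):
            accepted += 1
    return accepted


def usernames_needed(rate_per_s: int, window_s: int, max_failures: int) -> int:
    """Smallest rotation set that keeps a per-username window from ever blocking:
    no name may be hit more than `max_failures` times per window."""
    return math.ceil(rate_per_s * window_s / max_failures)


def spray_success_probability(accounts: int, budget: int, keyspace: int) -> float:
    """Chance that `budget` distinct random guesses against each of `accounts`
    accounts opens at least one, with every PIN equally likely."""
    return 1 - (1 - budget / keyspace) ** accounts


if __name__ == "__main__":
    names = [f"USER{n:04d}" for n in range(2000)]  # constructed, not real usernames
    for k in (1, 1000, usernames_needed(10, 900, 5)):
        policy = SlidingWindowLockout(max_failures=5, window_ms=900_000)
        got = guesses_accepted(policy, names[:k], 10, 3600)
        print(f"per-username window, {k:4d} names rotated: {got:5d} of 36000 guesses accepted")
    got = guesses_accepted(AccountBudgetLockout(5), names, 10, 3600)
    print(f"per-account budget of 5, 2000 names: {got} guesses accepted in total")
    for digits in (6, 8):
        p = spray_success_probability(100_000, 5, 10 ** digits)
        print(f"{digits}-digit PIN, 5 tries against each of 100000 accounts: "
              f"P(at least one opened) = {p:.3f}")
```

The numbers the simulation returns make the trade-off visible: under the window policy a single username gets 20 guesses an hour, rotating through 1,800 names restores the full 36,000, and a cumulative budget caps the hour at 5 guesses per name however the attacker rotates. Even so, with a 6-digit PIN those 5 guesses per account give roughly a 39% chance of opening at least one of 100,000 accounts, against about 0.5% with 8 digits; that is the case for mitigation 3 alongside the other two.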

Final note:

I’ve informed MBNet and SIBS about this issue; I haven’t had any feedback yet and have no idea whether anything is being done to fix it. Again, this is a do-not-do guide, for educational purposes only, and I take no responsibility for your actions.

9 Responses to “Get Rich - The Illegal Way”


  1. Catarina

    And I thought this was supposed to be a safe way to shop online! -.- Seriously, how do you come up with these crazy ideas? :P

  2. Alix

    They come to me when I’m in bed. :P
    I’m off to sleep! Long trip “tomorrow”.

  3. Diogo Stuart

    You also warned those other two banks about their online flaws, but it was a while ago… at least they answered.

  4. Alix

    They have already forwarded my email to their tech department. :)

    Indeed, it took only 3 hours for one of the banks (BES) to contact me by phone (and they fixed their XSS vulnerabilities the same day!); the other one (BPI) took about 2 weeks to contact me… This shows how concerned some companies are about the security flaws in their software.

  5. João

    Please don’t forget to post when this problem is fixed!
    I’d be pleased to have a more secure service before I subscribe to it…

    Could you then explain how to use MBNet to buy on the PlayStation Network and at the iTunes Store (I think the iTunes Store always asks for the same card…)?

    Thanks!

  6. João

    Sorry… I forgot to ask one thing:

    I’ve been noticing a strange thing on the web (in forums…) - I keep reading about PS3 owners who, when [buying something on the PS Store / putting money in the PS Store wallet], are “charged” (I think that’s the word) one $/euro for no reason (some gamers try to explain it, but who really knows where that $/euro ends up??)…

    The fact is that some of those people (if not all) use MBNet to make that payment.

    So, what I’m asking you is this: could you “investigate” this and tell me whether it is normal for that $/euro to be “charged”, and if so, why??

    Thanks for the help (I hope you can answer).
    Please post here soon!…

  7. Alix

    Hi João!

    I’m not familiar with the iTunes Store or the PlayStation Network, so I can’t help you much with that, but I’m pretty sure you can use a virtual MBNet credit card on any website that accepts VISA credit cards… That 1€ is normally charged; it usually covers transaction costs (such as verifying that your credit card is genuine, that you have the money to pay for the item you ordered, and so on) - usually it’s a bit cheaper (around 0.3€), but I guess some companies don’t mind making a profit out of it as well… :P

    Regarding the MBNet insecurity issue, I’ve received two e-mails, from MBNet itself and from SIBS - as I said in a previous comment - apart from thanking me for warning them about this issue, they just said that they have forwarded it to their tech departments - but this is Portugal… I doubt it’s already solved, or even that they’re already working on a solution.

    Thanks for your questions! ;)

  8. Diogo Stuart

    Hi João! Like Alix said, that extra buck or € is the transaction cost.
    Usually it’s cheaper, but I have never bought from the PS3 online store, although I have bought from the Nintendo Wii online store!
    I bought myself an old Genesis game I used to play. I believe the transaction cost was cheaper, but I’ll check next time and post it here.

    Alix, I doubt that SIBS will do something soon, or ever; last time I called SIBS they passed my call around more than 14 times and I waited almost 2 hours; finally I gave up and ended up knowing exactly the same: nothing.

    SIBS has tons of cash flowing through them! The least they could do is have a better phone support service; they have more than enough people to pass the call around while doing nothing.

  9. Ricardo

    Hi, I can tell you that, at least for me, it is very secure, because my home-banking platform sets a daily limit on MBNet spending; it only takes changing that value to 0 (zero), and no money will be withdrawn.
