“Safe, easy, fast”. With these words Commerzbank advertises the use of photoTAN in online banking. Scientists from Bavaria have now discovered a weak point in the process.
According to a report in the “Süddeutsche Zeitung”, two IT security researchers have managed to crack the photoTAN procedure used in mobile banking on manipulated Android smartphones. After the two researchers from the Friedrich-Alexander-Universität Erlangen-Nürnberg installed malware on the devices, they were able to redirect online transfers or create them themselves. However, the transactions could only be manipulated if the banking app and photoTAN app are installed on one device.
According to the researchers Vincent Haupert and Tilo Müller, the attacks could target the financial institutions Deutsche Bank , Norisbank and Commerzbank . “For us it is no problem at all to hide the actual transfer afterwards,” said Hauptert. As long as a customer conducts his banking transactions on the move, the manipulation remains undetected.
A one-time password is generated with the photoTAN. When the process was introduced, an image of approximately three by three centimeters was generated on the PC monitor from small dots that contains the transaction data. In this variant, this graphic is scanned with the smartphone or reader. After the photoTAN has been decrypted, the transaction data (amount and name of the recipient of a transfer) and a seven-digit transaction number with which the transfer can be approved can be seen on the screen for checking.
Apple in numbers
$ 18.4 billion – Apple’s profit for the Christmas quarter of 2015 was also the highest a publicly traded company could make to date. The company is now sitting on a mountain of $ 216 billion and is worth over $ 580 billion on the stock exchange.
68 percent – that was the share of the iPhone in Apple sales in the last quarter of 2015. The phone has become the ultimate product for Apple’s business. All in all, around a billion Apple devices are in use worldwide, most of them iPhones.
Apple had 110,000 employees at the end of the September 2015 fiscal year. Ten years earlier there were 14,800 permanent employees and a good 2,000 temporary employees.
From the researchers’ point of view, it is critical if the banking application and the photoTAN app are on the same device and the two-way authentication that is actually intended is undermined. The researchers still consider the use of a photoTAN on the PC with an external reader to be safe. The attack by the two security researchers requires that a virus-infected app must already be installed on the victim’s smartphone.
“That makes the attack more difficult, but not impossible,” says Hauptert. This is indicated by malware such as “Godless” and “Hummingbad”. This made it into the official Google app store and would have worked on 90 percent of all Android smartphones. Ten million devices were affected.
What the new 5G mobile network should achieve
Up to 100 times larger: 5G should enable completely new forms of entertainment, such as video games with virtual realities – and computer glasses for 3-D videos with lifelike 4-K resolution.
10 times more efficient: Today, electricity demand is one of the biggest cost drivers in mobile communications. In the future, infrastructure and end devices will have to consume drastically less energy – and ideally, they will have to work for up to ten years without replacing the battery.
1000 times higher: If mobile radio is to network sensors in parking meters, traffic lights or car parking spaces in the future, radio cells must be able to communicate with 1000 times the number of devices.
10 to 100 times faster: so that autonomous cars can give each other emergency braking signals in good time, the radio network has to transmit commands in less than ten milliseconds. Today’s networks need at least 100 milliseconds.
Up to 1000 times more reliable: Today, disconnections are just annoying. In the Internet of Things, it becomes an incalculable risk when the radio ticks. Then there is a risk of machines coming to a standstill or even fatal accidents with robots.
The attack scenario was demonstrated using the Google Android system. In principle, an attack is also conceivable with the iPhone system iOS. The iOS malware Pegasus showed that not only Android smartphones could be attacked. However, the security model of the Apple software is more restrictive, so that compared to Android there is less chance of catching malware.
When asked, press spokespeople from Deutsche Bank and Norisbank point out that security is being taken very seriously: “When used correctly, all legitimation procedures are secure.” Customers decide which procedure suits them best according to their own preferences. In an answer, Commerzbank will reimburse the full amount in the event of damage. The bank gives customers security instructions on its website. The bank is not aware of the attack carried out by the researchers.