Abstract
The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a practical man-in-the-middle attack against online banking applications using BankID. The attack gives an adversary access to customer bank accounts in two different online banking systems. Proof-of-concept code has been developed and executed to demonstrate the seriousness of the problem.
Short paper version, Feb. 21st, 2008.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Espelid, Y., Netland, L., Klingsheim, A.N., Hole, K.J. (2008). A Proof of Concept Attack against Norwegian Internet Banking Systems. In: Tsudik, G. (eds) Financial Cryptography and Data Security. FC 2008. Lecture Notes in Computer Science, vol 5143. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85230-8_18
DOI: https://doi.org/10.1007/978-3-540-85230-8_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85229-2
Online ISBN: 978-3-540-85230-8