RedTeam is on TV again:
Sunday, 22 November 2009, SAT1 Planetopia: Gefährliches Onlinebanking (Dangerous Online Banking)
Online banking is still a hot topic, with all the new systems cropping up after the traditional PIN/TAN and the more recent PIN/iTAN (indexed TAN) systems.
We already showed in 2005 that Man-in-the-Middle attacks on iTAN-based systems are possible and predicted that we will start to see MitM attacks as soon as the majority of the banks switch to iTAN. Which promptly happened (German, second link is a PDF).
Today, systems like chipTAN/chipTAN comfort or sm@rtTAN plus/sm@rtTAN optic try to improve on iTAN by providing a small device which, in theory, shows you at least part of the transfer data you are about to acknowledge on its built-in screen. For a simple cash transfer, this is normally the amount of money and the account number you are going to send the money to.
The idea behind this procedure is that you authorise transfers using a trusted device an attacker can't compromise (unlike your computer). Sounds familiar? Yep, HBCI/FinTS with a card reader sends its greetings from the past.
This month we were asked by Planetopia, a German TV magazine, if we could show again how to break iTAN systems and to check for potential flaws in the chipTAN comfort system. Sure we could :). And we got interesting results. So please honour the two coding sprees late into the night and the long day filming everything and watch the show ;).
We will also publish the full details about all attacks on Monday, 23 November 2009. They will be available on our website under "Publications".
[...] As promised, we have released information about the attacks we developed against chipTAN comfort today. Have a look at our website: [...]