German FinTech company N26 has been exposed as having serious security problems after Vincent Haupert – a security research associate at Friedrich-Alexander University Erlangen-Nürnberg in Germany – gave an eye-opening presentation at the 33rd Chaos Computer Congress (33C3) on the dangers he uncovered after hacking into N26’s apps.
Among the findings: the security paradigm of two-factor authentication is under threat now that both factors sit on a single device. Furthermore, the convenience of new interfaces like Apple’s Siri voice assistant opens new avenues of attack.
In his presentation (https://youtu.be/Qo2gfhJrBto), Haupert explained how N26, the mobile-first darling of German FinTech (which was awarded a European banking license in the middle of 2016), had serious design flaws in its security architecture. Haupert demonstrated how he was able not just to identify N26 users, but to gain control of their accounts, take money from them and apply for an overdraft loan – all of which, by and large, went unnoticed by the bank.
N26 uses a number of security layers, including TLS, username/password, PIN, a “MasterCard” code (a number printed on the front of the bank’s debit card) and secure SMS-OTP pairing with a single phone at any given time.
However, while the app used a secure transport layer, N26 did not pin the server certificate in the app. That made a man-in-the-middle (MITM) attack possible (and easy): anyone who could gain access to an ISP’s DNS servers could launch one. Just by manipulating data on the fly with an MITM position, he hijacked one transaction and changed the amount from 2 to 20 euros without the change being visible in the app.
N26 also supports Siri voice commands, and by studying the traffic it became apparent that while most transactions had to originate from the paired phone, Siri voice commands to send money did not. Haupert used the Siri API to initiate 2,000 transfers of 0.01 euro to a friend within 30 seconds – this went unnoticed by N26 security for three months. Worse, N26 then contacted the recipient of the funds rather than the sender and threatened to terminate his bank account. Haupert likened it to being threatened with deletion of a Gmail account for receiving too much spam.
Recovering a password broke the two-factor authentication model as anyone with access to the user’s email account could set a new password. But that was not the worst of it. Changing the paired phone required the password and the code off the bank card. However, that same code was used to prefix most transactions, so it was there in plain sight for anyone who could snoop on client-server traffic.
Because of its mobile-first, social-oriented nature, N26 offers instant transfers between fellow N26 users. Emails and phone numbers from a user’s contacts are uploaded in plain text to N26’s servers in order to find fellow users. The researchers took the leaked Dropbox email list (all 68 million addresses) and ran it against N26’s servers to identify other N26 users – of which there were 33,000. There was no rate limiting in the system; to N26 it simply looked as if he were a very popular person with 68 million friends.
Worse, even answers to security questions to change a phone number were sent in plain text to the server.
As for the SMS confirmation code, he was able to brute-force attack it, as there was no rate limiting.
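Both the contact-matching lookup and the SMS confirmation code failed for the same reason: the server put no limit on how many attempts a single client could make. The following is an added example (not N26’s code, and not from Haupert’s talk) of the server-side controls a defender would want in both places: a sliding-window rate limiter shared by the two endpoints, an OTP verifier that expires codes, makes them single-use and invalidates them after a handful of wrong guesses, and a contact-matching function that charges every submitted contact against a per-client quota. The account IDs, quota values, window sizes and the `directory` set are constructed for illustration.

```python
"""Defender-side controls for unlimited OTP guessing and unlimited contact lookups.
Added illustration; values such as MAX_FAILURES and LOOKUP_LIMIT are assumptions."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

OTP_DIGITS = 6          # assumed code length
OTP_TTL = 300           # seconds a code stays valid (assumption)
MAX_FAILURES = 5        # wrong guesses before the code is thrown away (assumption)
LOOKUP_LIMIT = 500      # contact hashes one client may check per day (assumption)


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the last `window` seconds.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OtpVerifier:
    """Issues and checks SMS-style numeric codes with expiry, single use and a failure cap."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._pending = {}   # account -> [code, expires_at, failures]

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = [code, self.clock() + OTP_TTL, 0]
        return code   # in production this goes out via SMS, never back to the caller

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:                       # nothing outstanding, or already burned
            return False
        code, expires_at, _ = entry
        if self.clock() > expires_at:           # expired: force a fresh code
            del self._pending[account]
            return False
        if hmac.compare_digest(code, guess):    # constant-time comparison
            del self._pending[account]          # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_FAILURES:            # too many misses: this code is dead
            del self._pending[account]
        return False


def hash_contact(identifier):
    """Normalise and hash an email or phone number before it leaves the client.
    Hashing keeps raw contact lists out of transit and server logs; it does not by
    itself stop enumeration (the input space is small), which is why the quota exists."""
    normalised = "".join(identifier.split()).lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def match_contacts(client_id, hashed_contacts, directory, limiter):
    """Return the submitted hashes that belong to registered users. Every submitted
    hash is charged to the client's quota, so a 68-million-entry list stops at the cap."""
    matches = []
    for h in hashed_contacts:
        if not limiter.allow(client_id):
            raise PermissionError("contact lookup quota exceeded for %s" % client_id)
        if h in directory:
            matches.append(h)
    return matches


if __name__ == "__main__":
    otp = OtpVerifier()
    code = otp.issue("acct-demo")          # constructed account id
    print("wrong guess accepted:", otp.verify("acct-demo", "000000"))
    print("right code accepted:", otp.verify("acct-demo", code))
    directory = {hash_contact("alice@example.com")}   # constructed registered-user set
    limiter = SlidingWindowLimiter(limit=LOOKUP_LIMIT, window=86400)
    print(match_contacts("client-demo", [hash_contact("Alice@Example.com")], directory, limiter))
```

The limiter is keyed on whatever identity the endpoint can trust (the account for OTP checks, the authenticated client for contact matching); a per-IP key alone is not enough, since a single client can spread requests across addresses.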
In a demo, he showed a script that made it possible to get an email to reset the password and gain full control of the account in around 12 seconds.
Haupert said that even for those who did not use the account much, it was possible to apply for a 2,000 Euro overdraft and empty that. He ridiculed N26 for its approach to security and questioned the diligence of the German banking regulator who granted the license, accusing the FinTech startup of destroying the goodwill that banks had built up over the years.
On a more fundamental level, Haupert warned that the mobile-first paradigm had broken the two-factor authentication model. In the past, people would initiate a banking transaction on a PC and receive the second factor by SMS on their phone. With phone apps, both steps now happen on the same device, and many banks do away with the separate channel entirely, choosing to trust the phone’s security features instead and prioritizing ease of use over the traditional separation of initiation and confirmation.
All the vulnerabilities were disclosed to N26 and had been fixed by mid-December, before the presentation took place.