论文信息 - A Proof of Concept Attack against Norwegian Internet Banking Systems

A Proof of Concept Attack against Norwegian Internet Banking Systems

The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a practical man-in the- middle attack against online banking applications using BankID. The attack gives an adversary access to customer bank accounts in two different online banking systems. Proof of concept code has been developed and executed to demonstrate the seriousness of the problem.

Kjell Jørgen Hole | Lars-Helge Netland | Yngve Espelid | André N. Klingsheim

[1] Kjell Jørgen Hole,et al. Lessons from the Norwegian ATM System , 2007, IEEE Security & Privacy.

[2] Ross J. Anderson. Why cryptosystems fail , 1994, CACM.

[3] Mike Bond,et al. Cryptographic Processors-A Survey , 2006, Proceedings of the IEEE.

[4] Lars-Helge Netland,et al. Next Generation Internet Banking in Norway , 2008 .

[5] K. C. White,et al. IDs—Not that Easy: Questions About Nationwide Identity Systems , 2002 .

[6] Lynette I. Millett,et al. IDs -- Not That Easy: Questions About Nationwide Identity Systems , 2002 .

[7] Omer Berkman,et al. The Unbearable Lightness of PIN Cracking , 2007, Financial Cryptography.

[8] Kjell Jørgen Hole,et al. Case study: online banking security , 2006, IEEE Security & Privacy.

[9] Carlisle Adams,et al. Understanding PKI: Concepts, Standards, and Deployment Considerations , 1999 .

[10] James H. Cross,et al. Reverse engineering and design recovery: a taxonomy , 1990, IEEE Software.