Monday, November 19, 2007

Two factor authentication bypassed

It had been a long fortnight and i have not finished writing my report for various banks. It was really that much report to write and especially for one specific particular bank. I managed to bypass the security control mechanism setup by this bank and steal the username and password of any user.

Most of the banks here in Singapore practised two factor authentication and for most people, they think that it is secure because of the extra added security. However, a PoC was released to the bank depicting to them that it was possible to bypass the security control mechanism and it was possible to capture the username and password of any user. I am sorry guys, i am not supposed to leak out any information here. It is very sensitive from the bank's point of view. The best part of the exploit was there was no XSS or sql injection or any sorts of vulnerability that facilitate this exploit. It was purely just information gathered during the passive information gathering exercise.

I was browsing their site and i discovered a section where some information could help me facilitate the research of writing the exploit. I had an albeit pedantic thought when i saw that particular section. I was thinking that with all that information, i am definitely able to bypass the security mechanism. However to do that, i would require someone else to write the code for me with my ideas. Nevertheless, within a week, i managed to come out with a PoC and display a great deal of demostration. Guys, i know you want to know the details, but i simply can't reveal anything because of the Non Disclosure Agreement I signed. All i can say is passive information gathering is a very important exercise when trying to attack huge organizaton and guys can spend hours and days writing a cool exploit, with me, all i need is total observation and i got the results i want with ease. Why bother to go all the way to do something difficult when something easy can be accomplished faster??

I would love to attach a screenshot of what i managed to captured, but then again, it is too sensitive. I am sorry, but just know that it is possible to bypass 2FA.

The Hacka Man

9 comments:

mitmwatcher said...

Hi
Can I be of any Help writing the Exploit.Can you share more details without infringing your NDA like Is it a server exploit or Algorithm weakness or a Implementation attack or a Client Side Attacks

Regards
mitmwatcher

Anonymous said...

The exploit was written. Everything was done nicely. Thanks for the offer mitmwatcher, however, without knowing the client and viewing their site, there is no way you would know what is happening.

hackathology

Anonymous said...

hey man,

how come u r the one? should have leave me the credit. is not nice to just take the credit of my work

:)

Anonymous said...

hi,

for whoever know this project, and the bank, I did not disclose any of the above information. The blog was not written by me. if you need clarification, you can contact me.

Anonymous said...

goto http:\\www.pulseSecure.com
to see the story on 2FA. By the actual guy that did the work :)

chunxue said...

During the World War II, Art Deco jewellery was ugg sale a very popular style among women. The females started ugg boots wearing short dresses and cut their hair short. And uggs such boyish style was accessorized with Art Deco jewellery. They used cheap ugg boots long dangling earrings and necklaces, multiple bracelets and bold ugg boots uk rings.Art Deco jewellery has harshly geometric and symmetrical theme instead disocunt ugg boots of free flowing curves and naturalistic motifs. Art Deco Jewelry buy ugg boots today displays designs that consist of arcs, circles, rectangles, squares, and ugg outlet triangles. Bracelets, earrings, necklaces and rings are added with long ugg boots outlet lines and curves.One example of Art Deco jewelry is the Art Deco ring. Art Deco rings have ugg mall sophisticated sparkle and bold styles. These rings are not intended for a subtle look, they are meant to be noticed. Hence, these are perfect for people with bold styles.

每当遇见你 said...

Here’s a list of tools you will need to start: Jewelers’ pandora jewellery wire cutters - If you can only afford one pair, get memory wire shears. pandora charms These are designed to make clean cuts on tough memory wire, so can also be used for pandora charms uk softer wires. Chain-nose pliers sometimes called cheap pandora charms needle-nose pliers – Very versatile for picking up and grasping small items, pandora charms sale bending eye pins, closing jumps rings, even closing crimp beads. discount pandora charms Round-nose pliers – Used for creating loops on beaded head and eye pins. Can also be used for winding your own jump rings and as the second pliers you’cheap pandora ll need for closing jump rings. Optional pliers – Wire-looping pliers which have several graduated circumferences to allow you to form perfectly uniform jump rings and loops in place of the pandora discount uk round-nose pliers mentioned above. Crimping pliers which have little notches to allow you to both flatten a crimp bead and then bend it to form a rounded finished look instead of the flat crimp you pandora uk get using the chain-nose pliers. As for materials, I recommend some assortment packs of beads in coordinating colors, some decorative metal spacers, seed beads in both silver and gold These can serve as spacers and beautifully set off pandora sale your other beads., tube-shaped crimp beads Buy the best you can find – these are what hold it all together!, head and eye pins. Other than that, let your choice of project be your guide. You might want some silver or pewter charms.

Anonymous said...

I am Glad i found this website.Added hackathology.blogspot.com to my bookmark!

ipad app developer said...

I really appreciate this post. I have been looking everywhere for this! Thank goodness I found it on Bing. You’ve made my day! Thank you again. BlackBerry Application Development