Monday, November 19, 2007

Two factor authentication bypassed

It had been a long fortnight and i have not finished writing my report for various banks. It was really that much report to write and especially for one specific particular bank. I managed to bypass the security control mechanism setup by this bank and steal the username and password of any user.

Most of the banks here in Singapore practised two factor authentication and for most people, they think that it is secure because of the extra added security. However, a PoC was released to the bank depicting to them that it was possible to bypass the security control mechanism and it was possible to capture the username and password of any user. I am sorry guys, i am not supposed to leak out any information here. It is very sensitive from the bank's point of view. The best part of the exploit was there was no XSS or sql injection or any sorts of vulnerability that facilitate this exploit. It was purely just information gathered during the passive information gathering exercise.

I was browsing their site and i discovered a section where some information could help me facilitate the research of writing the exploit. I had an albeit pedantic thought when i saw that particular section. I was thinking that with all that information, i am definitely able to bypass the security mechanism. However to do that, i would require someone else to write the code for me with my ideas. Nevertheless, within a week, i managed to come out with a PoC and display a great deal of demostration. Guys, i know you want to know the details, but i simply can't reveal anything because of the Non Disclosure Agreement I signed. All i can say is passive information gathering is a very important exercise when trying to attack huge organizaton and guys can spend hours and days writing a cool exploit, with me, all i need is total observation and i got the results i want with ease. Why bother to go all the way to do something difficult when something easy can be accomplished faster??

I would love to attach a screenshot of what i managed to captured, but then again, it is too sensitive. I am sorry, but just know that it is possible to bypass 2FA.

The Hacka Man

7 comments:

Anonymous said...

Hi
Can I be of any Help writing the Exploit.Can you share more details without infringing your NDA like Is it a server exploit or Algorithm weakness or a Implementation attack or a Client Side Attacks

Regards
mitmwatcher

Anonymous said...

The exploit was written. Everything was done nicely. Thanks for the offer mitmwatcher, however, without knowing the client and viewing their site, there is no way you would know what is happening.

hackathology

Anonymous said...

hey man,

how come u r the one? should have leave me the credit. is not nice to just take the credit of my work

:)

Anonymous said...

hi,

for whoever know this project, and the bank, I did not disclose any of the above information. The blog was not written by me. if you need clarification, you can contact me.

Anonymous said...

goto http:\\www.pulseSecure.com
to see the story on 2FA. By the actual guy that did the work :)

Anonymous said...

I am Glad i found this website.Added hackathology.blogspot.com to my bookmark!

ipad app developer said...

I really appreciate this post. I have been looking everywhere for this! Thank goodness I found it on Bing. You’ve made my day! Thank you again. BlackBerry Application Development