I’m the Operator with My ISO7816-3 Pocket Calculator
Due to increased phishing attacks against banks with bad security procedures, banks have been forced to re-think their situation. To be fair, the Swedish branch of Nordea fixed their internet bank procedures somewhat after these problems.
Anyway, my bank (Nordea) recently sent me a Todos Argos Mini II USB smartcard reader, to be used with the Nordea internet bank. It’s actually quite simple to use.
This is how it works:
- Plug in the EMV-chip equipped card (which is tied to the account),
- enter the challenge from the internet bank, “666 42”, into the card reader,
- type in the card PIN, “1234”,
- get a response from the card reader, “808 303”,
- type this response into the internet bank form,
- you are now in.
In order to enter the internet bank, the user has to enter their personal ID number. This is not a secret. Also, any reader works with any card. The only requirement is that the card used is tied to the account: I can’t log in to your account with my card. Therefore, the security lies with:
- something you have, i.e. the card
- something you know, i.e. the card PIN
Since the same “secret” PIN is used with EMV-chip equipped cards everywhere (grocery shops, kiosks, restaurants, etc.), it is not impossible to find out this PIN. One way to do this is simply to queue behind a person. The next step, after the PIN is obtained, would be to steal their wallet, which will almost certainly give access to the person number as well.
After this there are two options for the attacker:
- start emptying the account via an ATM, taking small sums at a time
- log into the internet bank and move bigger sums away - if the transfer is done within the same bank, the transfers are instantaneous
If the attacker is lucky, and the bank has crappy security, the transfers succeed for long enough for the attacker to do something more sinister, such as sending the money outside the country. For example, in Europe sending money to another country is quite snappy nowadays with the introduction of SEPA.
My suggestion would be to add another “secret” value to the bank login, like the one the traditional Nordea internet bank login has. In the traditional OTP-based login this number is called a “personal code number”; it is not the same as the person ID, and nobody except the user knows it.
This would make it impossible to log in to the internet bank just by learning the PIN code while queuing behind a person and then stealing e.g. their driver’s license or the whole wallet (assuming the person doesn’t write the code number down). That is, a purely physical attack would no longer be enough.
While the small smartcard gadget is advanced and prevents phishing attacks, it is not a security panacea, as the balance now tilts more towards non-phishing, physical attacks. Compared to the old-skool OTP login with the personal code number, the new system has two secret items: the card itself and the PIN. Although phishing doesn’t get you anywhere anymore, if the attacker can get their hands on your card and the PIN, you lose.
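To make the argument concrete, here is an added, simplified model of the challenge/response login described above and of the extra “personal code number” proposed here. It is illustration code written for this post, not Nordea’s or Todos’ software and not the real EMV CAP algorithm: the card’s answer is modelled as an HMAC over the challenge truncated to six digits the way RFC 4226 does it, and the card key, person ID and code number are constructed values.

```python
import hashlib
import hmac
from typing import Optional

def truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of a MAC to a 6-digit decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class Card:
    """Card side (something you have): releases a response only for the right PIN."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if not hmac.compare_digest(pin, self._pin):   # PIN: something you know
            return None
        return truncate(hmac.new(self._key, challenge.encode(), hashlib.sha1).digest())

class Bank:
    """Bank side: knows each person ID's card key and, in the proposed scheme, a code number."""
    def __init__(self, card_keys: dict, code_numbers: Optional[dict] = None):
        self._keys, self._codes = card_keys, code_numbers

    def login(self, person_id: str, challenge: str, response: Optional[str],
              code_number: str = "") -> bool:
        key = self._keys.get(person_id)
        if key is None or response is None:
            return False
        expected = truncate(hmac.new(key, challenge.encode(), hashlib.sha1).digest())
        if not hmac.compare_digest(expected, response):
            return False                    # card + PIN check failed
        if self._codes is None:
            return True                     # current scheme: card + PIN is enough
        return hmac.compare_digest(self._codes.get(person_id, ""), code_number)  # proposed secret

# Constructed values; PIN and challenge are the ones quoted in the post
CARD_KEY, PIN, PERSON_ID, CHALLENGE, CODE_NUMBER = b"constructed-card-key", "1234", "010101-1234", "66642", "5588"

def login_attempt(extra_secret: bool, knows_code_number: bool) -> bool:
    """Card in hand, PIN seen in the queue, person ID from the wallet; the personal
    code number is known only to the legitimate user (knows_code_number=True)."""
    card = Card(CARD_KEY, PIN)
    bank = Bank({PERSON_ID: CARD_KEY}, {PERSON_ID: CODE_NUMBER} if extra_secret else None)
    return bank.login(PERSON_ID, CHALLENGE, card.respond(PIN, CHALLENGE),
                      CODE_NUMBER if knows_code_number else "")
```

With `extra_secret=False` the wallet thief logs in; with the proposed code number only the user who knows it does.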
PS. If you found this post an interesting read, have a look at “A note on Scandinavian phishing” too.