One of the largest Dutch banks, the Postbank, has acknowledged today that a major component of their online banking system has been insecure for months, and possibly even years. To explain the vulnerability, I’ll first give a short introduction about their authorization system:

  • To log on to your account, you need a login name and password
  • Once logged on, you can access all your account details, including bank statements and credit card information
  • To transfer money to other accounts, you need a TAN code (Transaction Authorization Number)
  • Once you submit a money transfer, a TAN code is sent to your mobile phone in a text message
  • After entering the TAN, your transaction is approved

At first glance, this seems to be a very secure system. To successfully empty someone’s account, you need both their login information and their mobile phone. There are, however, a number of problems:

  • Login and password are easily found via phishing or keyloggers
  • Once logged in, the bank shows both the name of the account owner and 6 of the 10 digits of the user's mobile phone number, the number used for receiving the TAN codes
  • With this data, it’s trivial to get the complete phone number, either via a directory service or social networking sites

Once you have the user’s phone number, getting the TAN code was (until today) trivial. The bank provided a phone line where you could retrieve your TAN code when the text message didn’t arrive, and the only authentication that was performed on this service was a caller-ID check. So if you spoofed the right phone number, you received the correct TAN code. This spoofing is trivial; you can even use services like Voipbuster for this. Fortunately the phone line is now closed.