Slashdot Mirror


Reverse Engineering a Bank's Security Token

An anonymous reader writes "An engineer from Brazil has posted a technical walkthrough of how he was able to reverse engineer his bank's code-generating security token. He found a way to accurately generate his unlock codes with some custom code and an Arduino clone. (Don't worry: his method doesn't give him access to anybody else's codes.) 'Every exception thrown by this piece of code is obfuscated, as well as many of the strings used throughout the code. That is a major roadblock, since exception messages and strings in general are a great way of figuring out what the code is doing when reverse engineering something. Luckily, their developers decided to actually show useful text when a problem occurs and an exception gets thrown, so they wrapped those obfuscated strings with a.a, presumably a decryption routine that returns the original text. That routine is not too straightforward, but it is possible to get a high level understanding of what it is doing.'"

4 of 55 comments

  1. Re:Read between the lines by russotto · Score: 5, Insightful

    They used a standard algorithm (TOTP from RFC6238, with a Time Step X of 36 seconds and a T0 of April 1, 2007). They obfuscated it for what amounts to no good reason, but there's no loss of security. The problem of preventing someone who controls the device from obtaining the key is the DRM problem, unsolvable without specialized hardware.
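    The scheme russotto describes is standard TOTP (RFC 6238) built on HOTP (RFC 4226), parametrised only by the shared key, the time step and the epoch T0. The following example, added here and not taken from the linked article or from the bank's token, implements that generator and the matching server-side check. It assumes HMAC-SHA1 and 6-digit codes (the comment does not state these), assumes the T0 of April 1, 2007 is midnight UTC, and uses the public RFC 4226/6238 test key rather than any real token secret; the point it demonstrates is the one made in the comment: the algorithm is public, and the only secret is the per-device key.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Time-step and epoch quoted in the comment above (RFC 6238 parameters).
# Assumption: T0 is taken as 00:00:00 UTC on that date.
BANK_STEP_SECONDS = 36
BANK_T0 = int(datetime(2007, 4, 1, tzinfo=timezone.utc).timestamp())

# Constructed key: the ASCII test secret from RFC 4226 / RFC 6238, not a real token key.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: int, t0: int, step: int) -> int:
    """RFC 6238: T = floor((now - T0) / X)."""
    return (int(unix_time) - t0) // step


def totp(key: bytes, unix_time: int, t0: int = BANK_T0,
         step: int = BANK_STEP_SECONDS, digits: int = 6) -> str:
    """Code shown on the token at a given Unix time."""
    return hotp(key, time_counter(unix_time, t0, step), digits)


def verify(key: bytes, candidate: str, unix_time: int, t0: int = BANK_T0,
           step: int = BANK_STEP_SECONDS, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or for
    `window` steps either side, to tolerate clock drift between token and
    server. Uses a constant-time comparison so timing does not leak which
    digits matched."""
    now = time_counter(unix_time, t0, step)
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    code = totp(RFC_TEST_KEY, now)
    print("token shows:", code, "server accepts:", verify(RFC_TEST_KEY, code, now))
```

    The `verify` function is where a deployment's real security decisions live: the size of the drift window bounds how many candidate codes an online guesser gets per attempt, and the server must rate-limit attempts and store the per-device key as carefully as a password hash, because, as the comment notes, the key is the only thing an attacker does not already know.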

  2. Re:Read between the lines by MightyYar · Score: 4, Insightful

    This is security through obscurity at its worst,

    I don't get that impression from reading TFA. It sounds like the implementation is mostly OK. Remember that all this generator is supposed to do is verify that you possess the token. Knowing the algorithm, so long as it is sound, shouldn't be a security problem - someone would still need to get their hands on the real token in order to clone it.

    Now, had he figured out a way to divine the secret device ID from the generated codes, well now that would be bad.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. Tokens? by Dan+East · Score: 4, Funny

    Does this work on Chuck E Cheese tokens too? I need to feed my skee ball addiction.

    --
    Better known as 318230.
  4. Re:Read between the lines by Bert64 · Score: 4, Informative

    Unsolvable even with specialized hardware, you just increase the costs for both yourself and any potential attacker... Probably increasing your own costs far more than that of the attacker.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!