Wakeup call for Denmark: NemID under attack

Posted on Updated on

Some weeks ago the central Danish online authentication, NemID, which protects Danish Internet Banking, online tax system, health records, etc. got hacked and 700’000 Kroner was taken from 8 customers at Danske Bank.

Here are some issues I find interesting:

  1. The bank did not discover the attack as it had lower the security mechanisms because it trusted NemID.
  2. Apparently, it was the business customer Simon Jonassen, the guy behind Roust IT, that discovered the irregularity and alerted the bank on 6 February 2012. Simon ran as admin user on a Microsoft Windows XP SP2
  3. Nets DanID first alerted the public on the 10 February. Four days after they received the alert from Simon Jonassen
  4. The attack was real-time phishing where a trojan, now termed BankTexeasy, made an extra popup-window during netbanking session that would fool the unsuspecting user to type in the one-time pad an extra time.
  5. The trojan was newly developed running under the radar of antivirus software and it was apparently only distributed to Denmark.
  6. The customers who got the trojan had apparently visited a legitimite web-site that was infected. They did not get it from a suspicious website or from following a link in a spam mail.
  7. The software used three different vulnerabilities. (I think they were not zero-day vulnerabilities)
  8. The trojan emptied the bank account.
  9. The trojan also harvested passwords.
  10. After the attack the trojan would erase files on the computer, essentially breaking the system.
  11. Two months ago a banker told Poul Henning Kamp that “Denmark was all too small for anyone to bother writing a trojan to NemID”. This was utter hubris.
  12. If you get hacked and loose money the bank may not refund you if your account is for business and not a privat account. This probably also applies for zero-day attacks.

In summary: A central Danish IT-system has been attacked by a trojan specifically crafted to attack the system. Your antivirus won’t detect it. You may get it from legitimate websites. It will empty your bank account. It will break your computer. You might not get refunded.

The case shows that Denmark is not a too small country for hackers to care about.

To counter the attack a simple suggestion put forward was to keep you computer system updated. This might have saved the hacked customers in this case, but not for future zero-day attacks, – if the criminals bother to “waste” zero-day attacks on the Danes.

Another suggestion was that the banks shouldn’t allow simultaneous sessions from different computers. It is unclear for me whether this is of any use in future attacks. Might the attacker simply not use the trojaned computer as a proxy?

Another suggestion put forward is never to key in login name, password and one-time pad in a popup-window (as the trojan exposed). This is a good suggestion but it is unclear whether the rule suffices. My guess is that a trojan may be able to attack as the user starts the NemID session by manipulating the DNS, meaning that the user need to be alert on the HTTPS and the certificant. But I suppose that a sufficiently nasty attack could change the browser executable making it impossible for the user to see any difference between a phishing website and the genuine website.

Extra check of transactions by two-way mobil phone text messaging (SMS) may help on the bank transaction security as two systems may be needed to be controlled. However, NemID will get applications for smartphones, meaning that “only” the smartphone needs to be hacked.

Another attack I could imaging is a trojan that watches via the webcam that many people have on their laptops. The trojan would open the webcam once the person uses NemID and try to capture a climpse of the NemID one-time pad sheet. It may be a bit optimistic given the poor resolution on laptop webcams. Try to see if you can read the code shown at around 00:23 in this tv news story. Some superresolution research may come in handy there.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s