Digipass Instrumentation for Fun and Profit presented at Hacktivity 2012

by Adrian Furtuna

Tags: Security

Summary: Several Internet Banking applications are vulnerable to so-called rounding attacks. This is a well-known type of attack that takes advantage of the automatic rounding performed by some applications when a user makes currency exchange transactions. By performing many micro-transactions, a user is able to exchange money at a much better rate than the official exchange rate.
However, the banks seem to be aware of the issue but consider it non-risky, mainly because a user must approve each transaction with the digipass (manually enter a challenge code and type the response into the Internet Banking application), and performing a large number of transactions in a short time is not considered feasible.
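As an added illustration (not part of the talk or its materials), the following shows the rounding defect the summary describes next to a hardened conversion; the exchange rate, the minimum-amount policy and all function names are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN
from typing import Callable

# Constructed rate: 1 unit of currency A buys 0.78 units of currency B.
RATE = Decimal("0.78")
# Assumed policy of the hardened service: refuse conversions below one whole unit of A.
MIN_AMOUNT_CENTS = 100


def convert_vulnerable(amount_cents: int, rate: Decimal = RATE) -> int:
    """Cents of B credited by a service that rounds half-up to the nearest cent.

    Sub-cent results are rounded in whichever direction is nearest, so a
    1-cent conversion (0.78 cents of B) is credited as a full cent.
    """
    credited = Decimal(amount_cents) * rate
    return int(credited.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def convert_hardened(amount_cents: int, rate: Decimal = RATE) -> int:
    """Same conversion with two mitigations: a minimum amount, and rounding
    that always truncates toward the institution, never toward the customer."""
    if amount_cents < MIN_AMOUNT_CENTS:
        raise ValueError(f"amount below minimum of {MIN_AMOUNT_CENTS} cents")
    credited = Decimal(amount_cents) * rate
    return int(credited.quantize(Decimal("1"), rounding=ROUND_DOWN))


def effective_rate(convert: Callable[[int], int], amount_cents: int, n: int) -> Decimal:
    """Rate actually obtained when the same amount is converted n times in a row."""
    spent = Decimal(amount_cents * n)
    received = Decimal(sum(convert(amount_cents) for _ in range(n)))
    return received / spent


def rounding_gain_cents(convert: Callable[[int], int], amount_cents: int, n: int,
                        rate: Decimal = RATE) -> Decimal:
    """Cents of B credited beyond the exact value; a monitoring check can flag
    accounts where this grows across many small transactions."""
    exact = Decimal(amount_cents * n) * rate
    credited = Decimal(sum(convert(amount_cents) for _ in range(n)))
    return credited - exact


if __name__ == "__main__":
    # 100 conversions of 1 cent: the official rate is 0.78, the realized rate is 1.00.
    print("vulnerable effective rate:", effective_rate(convert_vulnerable, 1, 100))
    print("hardened rate for 100 cents:", effective_rate(convert_hardened, 100, 1))
```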
In this presentation I show a method of automating the challenge typing and response reading for a digipass, which can be used to automate Internet Banking transactions. I present a machine (mechanics + electronics + software) that is controlled by a computer and is able to automatically press the digipass buttons (to enter the challenge code), capture the response as an image using a web cam, and interpret that image to extract the response digits.
In the second part of the presentation I will give a demo of the machine.