That thing about pwning N26

I have recently put this up as a tweetstorm, but as I regularly delete my tweets I thought I’d re-publish it here on a more permanent basis. I should add that the video referenced here is from December 2016 (issues being supposedly fixed) so it is not quite fresh, but I had not come across it before. And quite frankly, I don’t think it got the attention it deserved…

The Tweetstorm

1/ tweetstorm incoming; @jonathanalgar just pointed out this video how a whitehat pwned N26 bank, and it is hilarious

link to CCC talk

2/ and when I am saying <hilarious emoji> I really mean <scary emoji>

link to tweet where I point out that tweet below referencing N26

3/ first step: N26 was doing json over https, but with no protection against MitM attacks, so it was easy listening in

4/ reasonably sensible password policy BUT password reset via simply email, so you are only as secure as your email (later more on this)

5/ how do you know who has N26 accounts? simple, just ask N26 (he tested 68m emails from the dropbox hack, identified 33k customers via API)

6/ N26 support Siri transactions, but only from the verified phone, correct? Radio Eriwan: in principle yes, but it is checked at device level

(I want to explain this a bit further: on the paired device you can simply make transactions via Siri — no need to enter anything or even open the app; however, iirc all those checks are done on a device level, so the Siri payment API which can be operated independently allows to completely bypass the regular authentication process)

7/ so by manually operating the API, the researched could send 2000 Siri transactions within 30 minutes — no questions asked fast speaker, hein?

8/ now N26 security heavily relies on your paired device, so unpairing it is the key to pwning an account; in principle a tough process

9/ but errors at every step of the implementation: (1) the emailed link was also returned in the API, so no email access necessary

10/ (2) skip (3) the mastercard id is not only printed on the card, it is also in many API responses

11/ back to (2) the transfer code required can be reset using only the card id obtained in step (3)

12/ (4) the PIN code sent via SMS is only 5 digits, and the API has no brute-force protection; simply gotta catch’em all… (takes avg 5min)

13/ live demo of this unpairing process 20:45 to 20:58 — managed here with automated script in 15 seconds!

link to video

14/ and voila, you can now pair a new phone with the account and start spending the instant overdraft you just asked for…

(as explained in the video, even if there is no money on the account, one can simply ask for an overdraft of up to €2,000 that is instantly approved, or not of course)

15/ to be a bit more stealth, you can also call customer support; you need three pieces of information, two of which you already have

16/ fortunately the ever polite API can serve you the last missing piece of information you need to identify with support

17/ so a big <clap emoji> to @veehaitch and the CCC — this is an amazing job (well, also shooting fish in the barrel, but hey…)

18/ anyway, this concludes our broadcast of how N26’s banking API was completely and utterly pwned


It was pointed out to me that I should have used more emojis, like in the tweetstorm:

I fully agree but Medium kinda renders them badly…

2/ and when I am saying

I really mean

Like what you read? Give Oscar D Torson a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.