• Skip navigation
  • Skip to navigation
  • Skip to the bottom
Simulate organization breadcrumb open Simulate organization breadcrumb close
IT Security Infrastructures Lab
  • FAUTo the central FAU website
  1. Friedrich-Alexander-Universität
  2. Faculty of Engineering
  3. Department Computer Science
  • Campo
  • UnivIS
  • Jobs
  • Map
  • Help
  1. Friedrich-Alexander-Universität
  2. Faculty of Engineering
  3. Department Computer Science

IT Security Infrastructures Lab

Navigation Navigation close
  • Research
    • Forensic Computing Group
    • Human Factors in Security and Privacy Group
    • Multimedia Security
    • Security Education Development Group
    • System Security Group
    • Archive
    • Funded Projects
    • Publications
    Portal Research
  • Lab
    • Staff & Research Groups
    • Alumni
    • Partners
    Portal Lab
  • Teaching
    • Courses
    • Hinweise zu den Lehrveranstaltungen
    • Notes on Examinations
    • eTeaching
    • Theses
    • Writing a Thesis at Informatik 1
    Portal Teaching
  • How to reach us
  1. Home
  2. Research
  3. System Security Group
  4. N26

N26

In page navigation: Research
  • Forensic Computing Group
    • DiOS: Dynamic Privacy Analysis of iOS Applications
    • Fingerprinting Mobile Devices Using Personalized Configurations
    • Selective Deletion
  • Human Factors in Security and Privacy Group
    • Antivirus Usability
    • Browser Fingerprinting
    • IoT Security Update Labels
    • Phishing Susceptibility
    • Security Experts
    • ZigBee Security Research
  • Multimedia Security
    • Image & Video Forensics
    • Image Analysis & Enhancement
    • X-ray Phase Contrast
    • Blog
    • Code and Data
      • Copy-Move Forgery Detectors and Ground Truth Generator
      • Image Manipulation Dataset
    • Colloquium
  • Security Education Development Group
    • Open C3S Overview
    • Open-C3S-Projektergebnisse
    • Ulix – a Literate OS
  • System Security Group
    • AppAuth: On App-based Matrix Code Authentication in Online Banking
    • AppTAN (In)Security: (In)Security of App-based TAN Methods in Online Banking
    • AVX Crypto: AVX Instructions to Accelerate Crypto Primitives
    • Bispe: A Bytecode Interpreter for Secure Program Execution in Untrusted Main Memory
    • Centroid
    • CPU-bound Encryption (TRESOR, TreVisor, ARMORED)
    • FROST: Forensic Recovery Of Scrambled Telephones
    • How Android’s UI Security is Undermined by Accessibility
    • HyperCrypt: Hypervisor-based Encryption of Kernel and User Space
    • N26
    • Nomorp
    • One Key to Rule Them All: Recovering the Master Key from RAM to break Android’s File-Based Encryption
    • RamCrypt: Kernel-based Address Space Encryption for User-mode Processes
    • ReFuzz — Structure Aware Fuzzing of the Resilient File System (ReFS)
    • RISCoT – Security Analysis of Trusted Execution Environments on RISC-V
    • SED (In)Security: Hardware-based Full Disk Encryption (In)Security
    • SGX-Kernel: Isolating Operating System Components with Intel SGX
    • SGX-Timing: Cache Attacks on Intel SGX
    • SoK: The Evolution of Trusted UI on Mobile
    • Soteria: Offline Software Protection within Low-cost Embedded Devices
    • STARK / MARK: Tamperproof/Mutual Authentication to Resist Keylogging
    • TEEshift: Protecting Code Confidentiality by Selectively Shifting Functions into TEEs
    • VMAttack: Deobfuscating Virtualization-Based Packed Binaries
  • Archive
    • ContrOWL: A new security app based on crowed intelligence
    • Ext4 File Recovery
    • Forensic Email Visualization
    • Forensic RAID Recovery
    • Forensig²: File System Images for Training Courses in Forensic Computing
    • Mobile Hotspots
    • Mobile-Sandbox & ADEL: Automated Malware Analyses / Mobile Phone Forensics
    • Privacy Aspects of Forensic Computing
    • PyBox – A Python Sandbox
    • TrustedPals: Framework to Help Establish Security in a Mutually Untrusted Distributed System
    • VirMA: Windows NT pagefile.sys Virtual Memory Analysis
    • Win Vista/7/8/10 Thumbnails Analyzer
  • Funded Projects
  • Publications
    • Technische Berichte in Digitaler Forensik

N26

Vincent Haupert

Dr.-Ing. Vincent Haupert

Associated Computer Security Researcher

Department of Computer Science
Chair of Computer Science 1 (IT Security Infrastructures)

  • Phone number: +4991618758323
  • Email: vincent.haupert@cs.fau.de
  • Website: https://vincent-haupert.de
  • Twitter: Page of Vincent Haupert
  • GitHub: Page of Vincent Haupert

Shut Up and Take My Money!
The Red Pill of N26 Security

Speaker: Vincent Haupert (System Security and Software Protection Group)
Occasion: 33rd Chaos Communication Congress (33c3) in Hamburg
Recording: CCC-TV (December 27, 2016, 16:45, Hall 1)
Material: Slides (PDF), Transaction Manipulation (Video), Unpairing (Video), Expose Customers (Video), Siri Transactions (Video)

Abstract

FinTechs increasingly cut the ground from under long-established banks’ feet. With a “Mobile First” strategy, many set their sights on bringing all financial tasks—checking the account balance, making transactions, arranging investments, and ordering an overdraft—on your smartphone. In a business area that was once entirely committed to security, Fintechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly increasing customer numbers, it also reveals a flawed understanding of security. With the example of the pan-European banking startup N26 (formerly Number26), we succeeded independently from the used device to leak customer data, manipulate transactions, and to entirely take over accounts to ultimately issue arbitrary transactions—even without credit.

Description

Over the last few years, smartphones have become an omnipresent device that almost everybody owns and carries around all the time. Although financial institutions usually react conservatively to new technologies and trends, most established banks today offer their customers banking apps and app-based second-factor authentication methods. Fintechs, technology startups in the financial sector, pressure the tried and trusted structure of established banks, as they highlight the customer’s smartphone as the hub of their financial life. This business model is especially appealing to younger customers. FinTechs, however, also play an important role in the advancing downfall of important conceptual security measures. While the latter can be understood as the next step in the decay process of second-factor authentication, which was started with the introduction of app-based legitimization methods, FinTechs also reveal limited insights into conceptual and technical security. We have encountered severe vulnerabilities at the Berlin-based FinTech N26, which offers their smartphone-only bank account to many countries throughout Europe. Entirely independent of the used device, we were not only able to reveal N26 customers and to manipulate transactions in real-time but also to completely take over a victim’s bank account.

Details

All vulnerabilities have been disclosed responsibly to N26 on September 25, 2016. For a detailed description of all the uncovered vulnerabilities, please consult our paper.

As of December 13, 2016, to the best of our knowledge, all vulnerabilities that we have reported to N26 are closed. Therefore, we are confident that the 33c3 talk will not do damage to any N26 customer. We want to emphasize and commend the responsive and friendly contact with N26.

Last update on November 9, 2018 at 14:22

Lehrstuhl für Informatik 1
Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)

Martensstrasse 3
91058 Erlangen
  • Impressum
  • Datenschutz
Up