Reverse Engineering A Bank’s Security Token
[Thiago]‘s bank uses a few methods besides passwords and PINs to verify accounts online and at ATMs. One of these is a ‘security card’ with 70 single use codes, while another is an Android app that generates a security token. [Thiago] changes phones and ROMs often enough that activating this app became a chore. This left only one thing to do: reverse engineer his bank’s security token and build a hardware device to replicate the app’s functionality.

After downloading the bank’s app off his phone and turning the .APK into a .JAR, [Thiago] needed to generate an authentication code for himself. He found a method that generates a timestamp which is the number of 36-second intervals since April 1st, 2007. The 36-second interval is how long each token lasts, and the 2007 date means this part of the code was probably developed in late 2007 or 2008. Reverse engineering this code allowed [Thiago] to glean the token generation process: it requires a key and the current timestamp.

[Thiago] found another class that reads his phone’s android_id, and derives the key from that. With the key and timestamp in hand, he figured out the generateToken method and found it was remarkably similar to Google Authenticator’s implementation; the only difference was the timestamp epoch and the period each token lasts.
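The construction described above, as an added example that is not [Thiago]’s code or the bank’s: the HOTP core Google Authenticator uses (RFC 4226, HMAC-SHA1 with 6-digit dynamic truncation, assumed here since the post only says the two match apart from epoch and period) driven by a counter of 36-second intervals since April 1st, 2007, next to the standard 30-second Unix-epoch counter, plus the drift window a verifier would apply. Reading the epoch as midnight UTC and the placeholder key are assumptions; the android_id key derivation is not described in the post and is not reproduced.

```python
import hmac
import hashlib
import struct
import time
from datetime import datetime, timezone

# Parameters from the article: tokens are numbered by 36-second intervals since
# April 1st, 2007. Reading that date as midnight UTC is an assumption.
BANK_EPOCH_TS = int(datetime(2007, 4, 1, tzinfo=timezone.utc).timestamp())
BANK_PERIOD = 36
# Google Authenticator / RFC 6238 defaults, for comparison: Unix epoch, 30 s.
TOTP_PERIOD = 30

def bank_counter(unix_time: int) -> int:
    """Whole 36-second intervals elapsed since the bank's 2007 epoch."""
    return (int(unix_time) - BANK_EPOCH_TS) // BANK_PERIOD

def totp_counter(unix_time: int) -> int:
    """Whole 30-second intervals since the Unix epoch (RFC 6238)."""
    return int(unix_time) // TOTP_PERIOD

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation. HMAC-SHA1 and 6 digits are assumed; the article only says the
    scheme matches Google Authenticator apart from epoch and period."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def bank_token(key: bytes, unix_time: int) -> str:
    return hotp(key, bank_counter(unix_time))

def authenticator_token(key: bytes, unix_time: int) -> str:
    return hotp(key, totp_counter(unix_time))

def verify_bank_token(key: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current interval and +/- `window` neighbours
    to absorb clock drift, comparing each candidate in constant time."""
    base = bank_counter(unix_time)
    return any(hmac.compare_digest(hotp(key, base + d), candidate)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed placeholder; the real key is derived from android_id
    now = int(time.time())
    print("bank token:", bank_token(key, now), "authenticator token:", authenticator_token(key, now))
```

The only lines that differ between the two token types are the counter functions, which is the whole of the difference the post found. Test it against the RFC 4226 vectors: key `12345678901234567890` gives `755224` for counter 0 and `287082` for counter 1.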

With the generation of the security token complete, [Thiago] set out to put this code into a hardware device. He used a Stellaris Launchpad with the Criptosuite and RTClib libraries. The hardware doesn’t include a real-time clock, meaning the date and time need to be set again at each startup. Still, with a few additions, [Thiago] can have a portable device that generates security tokens for his bank account. Great work, and great example of how seriously his bank takes account security.

Measuring the ~10 kiloamp output of a large capacitor bank

[Norman] put together a rather impressive 22,500 uF capacitor bank. In addition to finding things to torture with the strong magnetic field generated by a sudden discharge, he’d like to measure the current pushed from the device. He’s found a way to do this using a digital storage oscilloscope. To protect the oscilloscope [Norman] built his own interface box that includes a 50x voltage divider and interfaces a current sensor called a Rogowski coil. When it comes time to run the experiment, he turns the safety lock-out key on the bank charger, then discharges the stored potential with the flip of a switch.

Take a look at the video after the break to see soda cans and hard drive platters mangled by the device. The oscilloscope measures the output near 10 kA, giving [Norman] the data he set out to capture. He’s entered this project into the Tektronix contest where it’ll compete with the piano tuner and laser light show tester just to name a few.