When you open a checking account at a bank, contracting fraud insurance is almost mandatory. In a perfect world you wouldn't need it, but using a card physically and using it online expose you to different threats.
Focusing on the online world, there are threats such as phishing or vulnerabilities in the banks' own pages that can affect us as consumers/clients. However, the most interesting points of attack are the pay buttons, since they can receive transactions from cards issued by any bank.
I'm going to talk about them, but not about web vulnerabilities on their websites. This is about the software they create, that we run on our computers/servers, and how the lack of security practices in their development plants potential backdoors on our side. The Chilean Internet isn't the safe place you think it is.
Economics
First, I would like to lay out my hypothesis about the problem with physical cards and how it extrapolates to the online world. It's a win-win for the banking industry that cards are cloned as easily as they are in Chile, since it creates fear in people, so they feel the need to contract insurance to be safe. Without fraud, nobody would contract insurance.
This could explain why the banking industry neither fights the problem nor deploys the latest technology that could prevent cloning. Now, what about the online world?
I think it's still in its infancy in Chile. To begin with, there is no policy obliging companies to disclose whether they were hacked and to let their users know about it. A lot of serious vulnerabilities have been found in bank sites, and I think they actually don't care about security, since the vulnerabilities weren't hard to find and notifying the people in charge is an odyssey. Why would they care about security if, when something goes wrong, they can just tell the media they were attacked by bad hackers using novel and advanced techniques?
Pay buttons are tied to the banking industry since they make it easy to shop on the Internet and pay using local cards or credit cards. In Chile, using their services is the most common way to accept payments on a custom website, since bank websites offer a limited number of services. So if you want to buy something in Chile, you will probably be using one of them. This post digs into two of them: Transbank and Khipu. It's research that started in 2012, and I think it's time to make it public.
Transbank
DISCLAIMER: A client of ours asked for a quick review of whether it was safe to install the KCC binaries on their servers.
It's the main actor in Chilean online commerce, with the biggest share of the market.
It has been almost three years since a detailed demonstration of a vulnerability was provided to them. I won't talk about it, but I can recommend that you not install KCC on your servers.
You can use implementations in other languages, like the tbk gem, that don't need the binaries to work. The new Transbank Developers platform aims to avoid the use of the KCC, which is good news.
Khipu
It's a new actor on the stage, trying to get a piece of the pie, and from what I've seen regarding costs and ease of use, they have a good chance.
I've reported around four vulnerabilities to this company in the last year, most of the time receiving a quick reply and hot-fixes. Nowadays software companies have to push fixes to resolve security issues promptly; there's no time to wait weeks, because it's a production environment.
The last and most critical vulnerability I reported was fixed a while ago (I was never notified), so I think I can talk about it. Khipu has applications for mobile devices, desktop and browser.
I'm always interested in analyzing binaries, so I downloaded the Khipu binary for Linux and reviewed it. Nothing interesting after skimming over it, so I then wanted to observe how the browser plugins worked.
The browser plugins call the binary on the system with an argument related to the payment, so it was a nice spot to look for vulnerabilities. I found a remote command injection vulnerability in the Mozilla Firefox plugin: a user with the plugin installed only had to load a malicious page and the attacker's commands would be executed on their machine.
The details of this vulnerability will be in Monday's post. Stay tuned!