This Money Making Machine Exploits Currency Trades in Banking Apps

It can make €68 a day, €0.005 at a time.
Adrian Furtuna shows off his money-making machine at ZeroNights 2013. Via Youtube/hackerzvoice

A Romanian security researcher has built a machine that can exploit the tiny bit of money you gain when trading currencies through online banking apps. By bypassing a secure authentication device, it was able to conduct thousands of transactions a day and watch the fractions of pennies add up.

Adrian Furtuna, a penetration tester at KPMG Romania, talked through his hack in a presentation at the ZeroNights 2013 conference earlier this month (which was picked up by the BBC). Essentially, it works by exploiting the way banking apps round small amounts up or down in some online transactions. Furtuna noticed that when he changed Romanian leu for euros, he sometimes gained a very small amount of money and sometimes lost a very small amount, depending on the exact value he was transferring. That’s because the amount exchanged was always rounded to two decimal figures—so if he transferred €8.3436 to his account, it was rounded down to €8.34 and the bank “won” €0.0036; but if he transferred €8.3478, it was rounded up to €8.35, and he “won” €0.0022.

They sound like tiny amounts, and they are; the most you could make from one such transaction is the less-than-pocket-change sum of €0.005. But by building a machine capable of conducting 14,400 transactions over 24 hours, Furtuna could generate up to €68 a day. Not bad for a day’s work—if you’re a machine, anyway.

Furtuna presented his work at the ZeroNights 2013 conference. Via Youtube/hackerzvoice

The problem Furtuna’s machine had to solve was automating the authorisation process needed to conduct transactions through the banking app he used. The app usually required him to first enter his PIN into a security device, and then input another code generated by the device to sign off on transactions. His machine overcame the need for human input, however, by actually reading the code and pressing the buttons itself. “It actually simulates the human behaviour when interacting with such a device,” he explained in his presentation.

It first entered his PIN by pressing down weights arranged over the number keys on the security device. A webcam positioned over the device’s screen read the sign-off code, which it interpreted using optical character recognition (OCR). The weights then pressed the correct number keys and voilà, after just six seconds, the transaction was complete. If you skip to around 29:14 in Furtuna’s presentation, you can see a quick video of the machine in action.

In his presentation documents, Furtuna hinted at what this system could do if it was expanded. “What about doing in parallel (on multiple bank accounts)?” he wrote. “Money-making machine?” His work wasn’t a for-profit exploit and was only tested in the lab, not a live banking system—but if it was put into practice, it could swipe around €2000 a month.

Furtuna did offer some solutions for banks wishing to protect their apps against this vulnerability. He suggested they could limit the number of transactions a person could conduct in a certain period, set a minimum amount that was allowed to be transferred, or introduce a small fee for currency exchange. They could also monitor for suspiciously numerous transactions of small amounts and make that illegal. According to a security engineer quoted in the BBC report, banks’ current anti-fraud systems would likely already challenge someone trying to make thousands of small transactions.
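To make the rounding effect and two of the suggested fixes concrete, here is an added example (not code from Furtuna’s talk or from any bank): a half-up-to-the-cent conversion of the kind described above, the same conversion with a minimum amount and bank-favouring truncation, and a velocity rule that flags accounts making unusually many exchanges in a short window. The exchange rate and the sample events are constructed for the example.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
# Constructed rate (RON per EUR) for this example; not the rate used in the talk.
RATE_RON_PER_EUR = Decimal("4.45")


def exchange_naive(ron) -> tuple:
    """Credit EUR rounded half-up to the cent, as the article describes.
    Returns (credited_eur, customer_gain_eur); a positive gain means the
    bank gave away a fraction of a cent on this exchange."""
    exact = Decimal(ron) / RATE_RON_PER_EUR
    credited = exact.quantize(CENT, rounding=ROUND_HALF_UP)
    return credited, credited - exact


def exchange_hardened(ron, min_ron="50") -> tuple:
    """Same conversion with two mitigations from the talk: a minimum amount,
    and truncation so the customer can never gain from rounding."""
    ron, min_ron = Decimal(ron), Decimal(min_ron)
    if ron < min_ron:
        raise ValueError(f"{ron} RON is below the {min_ron} RON minimum")
    exact = ron / RATE_RON_PER_EUR
    credited = exact.quantize(CENT, rounding=ROUND_DOWN)
    return credited, credited - exact  # never positive


def flag_velocity(events, window_s: int = 3600, max_per_window: int = 20) -> list:
    """Monitoring rule from the article: flag accounts with more than
    max_per_window exchanges inside any window_s-second span.
    events: iterable of (account, unix_timestamp)."""
    by_acct: dict = {}
    for acct, ts in events:
        by_acct.setdefault(acct, []).append(ts)
    flagged = []
    for acct, times in by_acct.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:  # drop events that left the window
                start += 1
            if end - start + 1 > max_per_window:
                flagged.append(acct)
                break
    return sorted(flagged)


# Constructed sample: a machine exchanging every 6 s (the cycle time in the
# talk) versus a person making three exchanges spread over a day.
SAMPLE_EVENTS = [("machine", 6 * i) for i in range(30)] + [
    ("human", 0), ("human", 30_000), ("human", 80_000)]
```

With the constructed rate, 37.15 RON converts to about €8.3483, which the naive version rounds up to €8.35 (a customer gain under half a cent), while the hardened version truncates to €8.34 and rejects amounts below the minimum.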

While Furtuna declined to reveal which bank’s system he tested his hack on, he said, “I have found this problem in multiple banking applications, in banks that are known in several countries.”