The research paper has shown the existence of a vulnerability in the German eID scheme, posing a significant risk to all services relying on the eID, especially those handling sensitive data such as insurances, banks, and government services.
The vulnerability has the CVE-ID CVE-2024–23674 and a CVSS rating of 9.7 (Critical)
A bank account has been successfully opened in the name of a victim at a major German bank.
Is this unexpected? When your PIN input and transaction confirmation device is untrusted, about the only thing a smart card can protect against is key exfiltration, and maybe rate limiting signature/authentication attempts (I believe the German protocol sends trusted timestamps from the remote reader which would allow that).
Tapping your card and entering your PIN in a compromised app/on a compromised device has the same (and to me expected) result as tapping it on a fraudster’s device directly and providing them the PIN.
Yeah, this is a phishing attack replacing the terminal with a compromised one.
The terminal used the PIN for three transactions: The original sign-in process, the attacker's ID verification process for the bank, and a "Selbstauskunft" which essentially is an echo service that returns data read from the card back to the user.
It's not a very performant process and needs to happen near real time.
When using a PC, isn't one supposed to use a hardware RFID reader[^1]
with a physical numpad to enter the key? Then, the PC never gets a hold of the PIN.
Ideally, the hardware reader has a display to show
1. which data is sent to
2. which site/authority that is asking for it.
So on a phone, with every layer of the communication in just software, not hardware, that is inheritly unsafe?
(On e.g. Apple phones a security chip could work to increase security, but if a prompt is faked, the PIN can still be exfiltrated.)
[1]: Free RFID USB readers were given out at every local agency in germany, but those were the cheap models, without a numeric input.
Yes, but realistically, nobody is going to get a hardware CCID reader with the required security level and connect it to their computer anymore (assuming they even have one – for more and more people, their smartphone is their main and sometimes only computing device they own).
What might work today is a Bluetooth-capable smartcard reader with a PIN pad and display for secure transaction confirmation ("enter your PIN to open a bank account with bank xyz" vs "enter your PIN to confirm that you own a valid driver's license for the purpose of renting a car" etc.), but even that is a stretch and will probably only ever see very low adoption.
It would be great to have it as an option supported by the official reader app, though!
6 comments
[ 2.8 ms ] story [ 21.4 ms ] threadThe vulnerability has the CVE-ID CVE-2024–23674 and a CVSS rating of 9.7 (Critical)
A bank account has been successfully opened in the name of a victim at a major German bank.
Tapping your card and entering your PIN in a compromised app/on a compromised device has the same (and to me expected) result as tapping it on a fraudster’s device directly and providing them the PIN.
The terminal used the PIN for three transactions: The original sign-in process, the attacker's ID verification process for the bank, and a "Selbstauskunft" which essentially is an echo service that returns data read from the card back to the user.
It's not a very performant process and needs to happen near real time.
So on a phone, with every layer of the communication in just software, not hardware, that is inheritly unsafe? (On e.g. Apple phones a security chip could work to increase security, but if a prompt is faked, the PIN can still be exfiltrated.)
[1]: Free RFID USB readers were given out at every local agency in germany, but those were the cheap models, without a numeric input.
What might work today is a Bluetooth-capable smartcard reader with a PIN pad and display for secure transaction confirmation ("enter your PIN to open a bank account with bank xyz" vs "enter your PIN to confirm that you own a valid driver's license for the purpose of renting a car" etc.), but even that is a stretch and will probably only ever see very low adoption.
It would be great to have it as an option supported by the official reader app, though!