back

Shut Up and Take My Money!

The Red Pill of N26 Security

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:30:50
Language
English
Abstract
FinTechs increasingly cut the ground from under long-established banks’ feet. With a "Mobile First" strategy, many set their sights on bringing all financial tasks—checking the account balance, making transactions, arranging investments, and ordering an overdraft—on your smartphone. In a business area that was once entirely committed to security, Fintechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly increasing customer numbers, it also reveals a flawed understanding of security. With the example of the pan-European banking startup N26 (formerly Number26), we succeeded independently from the used device to leak customer data, manipulate transactions, and to entirely take over accounts to ultimately issue arbitrary transactions—even without credit.

Over the last few years, smartphones have become an omnipresent device that almost everybody owns and carries around all the time. Although financial institutions usually react conservatively to new technologies and trends, most established banks today offer their customers banking apps and app-based second-factor authentication methods. Fintechs, technology startups in the financial sector, pressure the tried and trusted structure of established banks, as they highlight the customer’s smartphone as the hub of their financial life. This business model is especially appealing to younger customers. FinTechs, however, also play an important role in the advancing downfall of important conceptual security measures. While the latter can be understood as the next step in the decay process of second-factor authentication, which was started with the introduction of app-based legitimization methods, FinTechs also reveal limited insights into conceptual and technical security. We have encountered severe vulnerabilities at the Berlin-based FinTech N26, which offers their smartphone-only bank account to many countries throughout Europe. Entirely independent of the used device, we were not only able to reveal N26 customers and to manipulate transactions in real-time but also to completely take over a victim’s bank account.

Talk ID
7969
Event:
33c3
Day
1
Room
Saal 1
Start
4:45 p.m.
Duration
00:30:00
Track
Security
Type of
lecture
Speaker
Vincent Haupert
Talk Slug & media link
33c3-7969-shut_up_and_take_my_money

Talk & Speaker speed statistics

Very rough underestimation:
127.3 wpm
718.3 spm
131.4 wpm
744.2 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
127.3 wpm
718.3 spm
n26laughteraccountappapplausephonetransfercodepairedtransactionvincenttalklogintransactionssecuritycertificatequestionsendemailusermastercardpasswordthingtimecredentialsinsideeurodevicetokenchangebankingnumbercontactun-pairingaccessprocessturnsapiyearopenmobilelaughsattackprettyappsun-pairstartcustomersdominikmoney
Vincent Haupert:
131.4 wpm
744.2 spm
n26accountlaughterappphonetransfercodetransactionpairedtransactionsapplauseloginsenduserpasswordsecurityemailthingmastercardinsideeurocredentialstalkcertificatechangeaccessun-pairingtokendevicetimecustomersopenturnsprettystartprocessun-pairbankingissuespairattackdominiksteplinkresetphishingvalidcontactcardonline