Banking Security

The NoWires Research Group has analyzed the security in Norwegian banking systems in five papers. The first paper studies the previous generation of Norwegian Internet banks.

• K. J. Hole, V. Moen, and T. Tjøstheim, “Case Study: Online Banking Security,” IEEE Security & Privacy, March/April 2006. (Copyright notice at bottom of page.)

The second paper discusses the ATM system during the '90s.

• K. J. Hole, V. Moen, A. N. Klingsheim, and K. M. Tande, “Lessons from the Norwegian ATM System,” IEEE Security & Privacy, November/December 2007. (Copyright notice at bottom of page.)

The third paper evaluates BankID, a new national public-key infrastructure owned by the Norwegian banks.

• K. J. Hole, A. N. Klingsheim, L.-H. Netland, Y. Espelid, T. Tjøstheim, and V. Moen, “Risk Assessment of a National Security Infrastructure,” IEEE Security & Privacy, January/February 2009. (Copyright notice at bottom of page.)

The fourth paper describes a practical attack exploiting vulnerabilities in BankID. Countermeasures were introduced in November 2007 according to the Norwegian BankID community.

• Y. Espelid, L.-H. Netland, A. N. Klingsheim, and K. J. Hole, “A Proof of Concept Attack against Norwegian Internet Banking Systems,” presented at 12th International Conference on Financial Cryptography and Data Security (FC08), Cozumel, Mexico, January 28-31, 2008. Published in Lecture Notes in Computer Science.

• FC08 presentation

The fifth paper analyzes the proof of concept attack in more detail. It also gives a brief description of a modified proof of concept attack. Countermeasures to the second attack were introduced in January 2008.

• Y. Espelid, L.-H. Netland, A. N. Klingsheim, and K. J. Hole, “Robbing Banks with Their Own software---an Exploit against Norwegian Online Banks,” in Proc. 23rd International Information Security Conference (SEC 2008), Milan, Italy, September 8-10, 2008.

• SEC 2008 presentation

Last updated 28.05.10. Webmaster KJH