|Authors||Y. Espelid, L. Netland, A. Klingsheim and K. Hole|
|Title||A Proof of Concept Attack against Norwegian Internet Banking Systems|
|Affiliation||, Communication Systems|
|Publication Type||Proceedings, refereed|
|Year of Publication||2008|
|Conference Name||12th International Conference on Financial Cryptography and Data Security (FC08)|
|Volume||Volume 5143 of the series Lecture Notes in Computer Science|
The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a practical man-in-the-middle attack against online banking applications using BankID. The attack gives an adversary access to customer bank accounts in two different online banking systems. Proof of concept code has been developed and executed to demonstrate the seriousness of the problem.