|Authors||Y. Espelid, L. Netland, A. Klingsheim and K. Hole|
|Title||Robbing Banks with Their Own software—an Exploit against Norwegian Online Banks|
|Affiliation||, Communication Systems|
|Publication Type||Proceedings, refereed|
|Year of Publication||2008|
|Conference Name||23rd International Information Security Conference (SEC 2008)|
|Volume||Volume 278 of the series IFIP – The International Federation for Information Processing|
The banking industry in Norway has developed a new security infrastructure for conducting commerce on the Internet. The initiative, called BankID, aims to become a national ID infrastructure supporting services such as authentication and digital signatures for the entire Norwegian population. This paper describes a man-in-the-middle vulnerability in online banking applications using BankID. An exploit has been implemented and successfully run against two randomly chosen online banking systems to demonstrate the seriousness of the attack.