Attacking of Smart Card-Based Banking Applications with Java']Java Script-Based Rootkits

Due to recent attacks on online banking systems and consequent soaring losses through fraud, different methods have been developed to ensure a secure connection between a bank and its customers. One method is the inclusion of smart card readers into these schemes, which come along with different benefits, e.g., convenience and costs, and endangerrnents, especially on the security side. We give a review on a security concept and its implementation deployed as an online banking solution, which consists of a USB smart card reader and a customized browser. We propose a thread model and an attack vector exploiting the limited capabilities of the class one smart card reader. Furthermore a proof of concept malware is presented, which utilizes the primary vulnerability, i.e., class one reader, and otherwise supporting vulnerabilities, to show how transactions may be manipulated.