BSides Oslo 2021: Digital edition on June 8th, 2021 - How I hacked the largest bank in Norway using a 1-page paper form

How I hacked the largest bank in Norway using a 1-page paper form

  • Scheduled: 14:40 (UTC+2)
  • Recording: https://www.youtube.com/watch?v=WbCy0W3xdbg

Back in 2019-2020, banks were running a campaign saying you should never share your BankID with anyone: never give your OTP or password to anyone, and instead use a "power of attorney" to let another person access your bank account and act on your behalf if needed. So Per Thorsheim got curious and started to investigate with a few friends. This is the story of how they found a way to gain access to probably any personal account at the largest bank in Norway, using a 1-page paper form from the bank itself.

This is not a technical talk, but a talk about UX, design & process flaws, and responsible disclosure.

Could this be possible with your bank?

Per Thorsheim

Per Thorsheim is the founder of PasswordsCon, the first & only global conference dedicated to passwords and everything digital authentication. By day he works as a security & governance manager for BankID at Vipps.no in Norway. He's been in infosec for more than 25 years, and claims to know your next password.