
Fool me once, fool me twice... Hacking Norwegian Banks

Video: DEFCONConference channel, 22:11

The speakers demonstrate a physical-to-digital security bypass: abusing paper-based power-of-attorney forms in Norwegian banking systems. By exploiting weak verification of physical documents, they gained full, unauthorized access to another person's bank account without the owner being notified. The talk highlights the gap between robust digital authentication and the lax, manual verification behind the legacy paper processes that modern banks still run alongside it.

The Paper-Based Backdoor: Bypassing Digital Banking Security with Analog Fraud

TLDR: Researchers presenting at DEF CON 2024 demonstrated how to gain full, unauthorized access to Norwegian bank accounts by exploiting the disconnect between secure digital authentication and lax, manual verification of paper-based power-of-attorney forms. The attack never touches multi-factor authentication or the digital identity system; it relies on social engineering and the trust placed in physical documentation. Pentesters should look for the same gap in any organization that bridges a high-security digital portal with a low-security, manual administrative process.

Digital security often feels like a fortress built on sand. We spend our careers obsessing over OAuth flows, hardening API endpoints, and hunting for Broken Access Control vulnerabilities in web applications. Yet, the most effective way to compromise a high-value target is often to ignore the code entirely and attack the human-in-the-loop processes that support it. The research presented by Cecilie Wian and Per Thorsheim at DEF CON 2024 is a masterclass in this reality. They didn't find a zero-day in a banking app; they found a structural failure in how banks verify identity when the digital layer is bypassed.

The Anatomy of the Analog Bypass

This research centers on the "Power of Attorney" (PoA) process in Norwegian banking. In a highly digitized society, these banks have robust, secure digital identity systems. However, they must also accommodate customers who cannot use those systems because of age, disability, or other circumstances, and that creates a secondary, manual path to account access.

The attack flow is deceptively simple. An attacker obtains the target's basic personal information (name, address, and national identity number), which is often publicly available or easily scraped. They then fill out a physical PoA form, which requires the signature of the account holder and of a witness. The researchers found that verification of these physical documents is cursory at best. By forging the signatures and submitting the paper form, they were able to grant themselves full, granular access to the victim's bank account.

Crucially, this access was neither limited nor monitored. Once the bank processed the paper form, the attacker's own digital identity was linked to the victim's account, so every subsequent login was, from the digital system's point of view, a legitimate user acting within their assigned rights. They could view ten years of transaction history, move funds, and manage the account as if they were the owner. The most alarming part of the research is that the victim received no notification of the change. The bank's internal systems treated the manual PoA as an ordinary administrative update, so the digital controls that would normally flag an unauthorized access attempt had nothing to flag.

Why This Matters for Pentesters

For those of us conducting red team engagements or bug bounty research, this is a vital reminder to look beyond the application layer. When you are scoping an engagement, you are likely looking at the web interface, the mobile app, and the API. You are looking for Identification and Authentication Failures. But what happens when you ask the client about their "emergency" or "manual" account recovery processes?

Every organization has a "break-glass" procedure. Whether it is a bank, a cloud service provider, or a SaaS platform, there is almost always a manual process designed to help users who have lost access to their primary authentication methods. These processes are frequently the weakest link: they are handled by customer support staff who are measured on being helpful rather than on being suspicious, and they are rarely in scope for the security testing the digital channels receive.

During a test, map out these administrative backdoors. If you can identify a process that allows a user to bypass MFA or gain account access through a support ticket, a physical form, or a phone call, you have found a high-impact vulnerability. The goal is to document the absence of verification controls. Does the bank verify the signature against a reference it already holds? Does the account holder have to confirm the change through their own authenticated channel before access is granted, or are they merely told afterwards, if at all? Is the resulting access scoped, time-bound, and logged separately from ordinary logins? If the answers are no, you have a finding that is far more dangerous than a reflected XSS.

The Defensive Reality

Defending against this is difficult because it requires a fundamental shift in how organizations view trust. The researchers noted that the banks they tested were essentially operating on an "all-or-nothing" trust model. Once the paper form was accepted, the attacker was treated as a trusted user.

To mitigate this, organizations must implement strict notification and confirmation loops for any change in who can access an account. If a PoA is requested, the account holder must be notified immediately through multiple channels (email, SMS, and push notification) and given a clear way to reject it. Better still, the request should sit in a pending state and grant nothing until the holder positively confirms it, and that confirmation should be collected inside the holder's authenticated banking app or digital identity, not through a link in the notification itself, because a one-click link in an email or SMS is exactly what a phishing campaign would imitate. Access granted via manual processes should also be restricted by default: there is no reason a power of attorney needs full, unrestricted access to ten years of transaction history, or the ability to transfer large sums, without additional, real-time authorization from the account owner, and there is no reason such a grant should never expire.
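The following is an added example, not code from the talk or from any bank. It models both the attack path described in "The Anatomy of the Analog Bypass" and the mitigations above as a small power-of-attorney workflow: the legacy path grants full access the moment a paper form is accepted and tells nobody, while the hardened path only opens a pending request that the holder must confirm over their own authenticated channel, and the resulting grant is scoped, limited per transaction, and time-bound. A final function shows the detection angle: finding grants in the audit trail that never received a holder confirmation. All names, scopes, limits and windows (`DELEGABLE`, `TX_LIMIT`, `PENDING_TTL`, `GRANT_TTL`) are illustrative assumptions.

```python
# Added example (assumptions: scopes, limits and windows below are illustrative,
# not any bank's real policy). Models the PoA grant paths discussed in the text.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FULL_ACCESS = frozenset({"read_history", "read_balance", "transfer", "manage_account"})
DELEGABLE = frozenset({"read_history", "read_balance", "transfer"})  # assumption: never delegate account management
DEFAULT_SCOPE = frozenset({"read_balance"})   # assumption: least privilege unless more is requested
TX_LIMIT = 5_000                              # assumption: transfers above this need live holder approval
PENDING_TTL = timedelta(days=14)              # assumption: unanswered requests lapse closed
GRANT_TTL = timedelta(days=365)               # assumption: confirmed grants expire and must be renewed


@dataclass
class Grant:
    attorney: str
    scope: frozenset
    status: str                   # "pending" or "active"
    expires: Optional[datetime]
    tx_limit: Optional[int]


class Account:
    def __init__(self, holder):
        self.holder = holder
        self.grants = {}          # attorney id -> Grant
        self.notifications = []   # (channel, message) sent to the holder
        self.audit = []           # audit events as tuples


def legacy_paper_poa(acct, attorney, form_looks_ok):
    """The 'all-or-nothing' path from the talk: cursory form check, full access, no notice to the holder."""
    if not form_looks_ok:
        raise PermissionError("form rejected")
    grant = Grant(attorney, FULL_ACCESS, "active", None, None)
    acct.grants[attorney] = grant
    acct.audit.append(("poa_added", attorney, "paper"))   # nothing is sent to the holder
    return grant


def hardened_paper_poa(acct, attorney, form_looks_ok, requested=DEFAULT_SCOPE, now=None):
    """Paper form only opens a pending, scoped request; the holder is told on every channel."""
    now = now or datetime.now(timezone.utc)
    if not form_looks_ok:
        raise PermissionError("form rejected")
    scope = frozenset(requested) & DELEGABLE           # drop anything that may never be delegated
    grant = Grant(attorney, scope, "pending", now + PENDING_TTL, TX_LIMIT)
    acct.grants[attorney] = grant
    msg = "PoA request from %s for %s; confirm or reject inside your banking app" % (attorney, sorted(scope))
    for channel in ("email", "sms", "push"):           # notify, but carry no clickable approval link
        acct.notifications.append((channel, msg))
    acct.audit.append(("poa_requested", attorney, "paper"))
    return grant


def holder_decides(acct, attorney, actor, strong_auth_ok, approve, now=None):
    """Confirmation must come from the holder over the authenticated channel, not from a link in the notice."""
    now = now or datetime.now(timezone.utc)
    grant = acct.grants.get(attorney)
    if grant is None or grant.status != "pending":
        return False
    if actor != acct.holder or not strong_auth_ok:
        acct.audit.append(("poa_decision_refused", attorney, actor))
        return False
    if now > grant.expires:                             # request lapsed closed, not open
        del acct.grants[attorney]
        acct.audit.append(("poa_request_expired", attorney))
        return False
    if approve:
        grant.status, grant.expires = "active", now + GRANT_TTL
        acct.audit.append(("poa_confirmed", attorney, actor))
    else:
        del acct.grants[attorney]
        acct.audit.append(("poa_rejected", attorney, actor))
    return True


def authorize(acct, attorney, action, amount=0, now=None):
    """Returns 'allow', 'deny', or 'needs_holder_approval' (a live second authorization by the owner)."""
    now = now or datetime.now(timezone.utc)
    grant = acct.grants.get(attorney)
    if grant is None or grant.status != "active":
        return "deny"
    if grant.expires is not None and now > grant.expires:
        return "deny"
    if action not in grant.scope:
        return "deny"
    if action == "transfer" and grant.tx_limit is not None and amount > grant.tx_limit:
        return "needs_holder_approval"
    return "allow"


def unconfirmed_poa_grants(acct):
    """Detection: attorneys who were added to an account without a matching holder confirmation."""
    confirmed = {e[1] for e in acct.audit if e[0] == "poa_confirmed"}
    added = [e[1] for e in acct.audit if e[0] == "poa_added"]
    return [a for a in added if a not in confirmed]


if __name__ == "__main__":
    victim = Account("holder-1")
    legacy_paper_poa(victim, "attacker", form_looks_ok=True)
    print(authorize(victim, "attacker", "transfer", 250_000), victim.notifications)   # allow []
    print(unconfirmed_poa_grants(victim))                                              # ['attacker']
    acct = Account("holder-1")
    hardened_paper_poa(acct, "attacker", True, requested=FULL_ACCESS)
    print(authorize(acct, "attacker", "read_balance"), len(acct.notifications))        # deny 3
    holder_decides(acct, "attacker", "holder-1", True, approve=True)
    print(authorize(acct, "attacker", "transfer", 250_000))                            # needs_holder_approval
```

The point of the two paths is that the hardened one changes the trust model rather than adding a check to the paper form: the form is only ever a request, the grant carries the minimum scope, transfers above a limit still need the owner live, and the audit trail makes a grant with no confirmation event stand out for detection.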

Moving Forward

The research highlights a critical blind spot in our industry. We have become so focused on securing the digital perimeter that we have neglected the analog processes that underpin it. As we continue to push for more secure authentication, we must ensure that our manual recovery and administrative processes are not left behind.

If you are a researcher, start asking questions about these manual paths. If you are a founder or a security lead, audit your support and administrative workflows with the same rigor you apply to your production code. The next major breach might not come from a sophisticated exploit chain, but from a piece of paper that was never properly verified. Investigate your own organization's "break-glass" procedures today, because if you haven't tested them, you can be certain that someone else eventually will.
