
“Phishing in the middle of the stream” Today’s threats to online banking

“Phishing in the middle of the stream”: Today’s threats to online banking. Candid Wüest, Security Response Engineer, November 2005. Agenda: Introduction; Local attacks; Protection methods used today (Anti-Phishing tools, SMS authentication, Image verification, PKI based solutions).


Presentation Transcript


  1. “Phishing in the middle of the stream”
     Today’s threats to online banking
     Candid Wüest, Security Response Engineer, November 2005

  2. Agenda
     • Introduction
     • Local attacks
     • Protection methods used today
       • Anti-Phishing tools
       • SMS authentication
       • Image verification
       • PKI based solutions
     • Attacks against the weak points
     • Questions? & Answers!

  3. Introduction
     • Online banking is popular
     • But many people fear that it is insecure
     • Wherever money is involved, bad guys appear trying to steal it!
     • Several known cases of online thefts:
       • June 2005 in Korea, damage: ~ US$ 50’000
       • February 2005 in USA, damage: ~ US$ 90’000

  4. Evolution
     • Not only phishing emails with obscured links anymore
     • Targeted malware attacks are increasing
     • Trojans targeting financial services:
       • Increased in numbers: 20 variants in May 2003, >2000 variants in November 2005
       • PWSteal.Bancos.T (April 2005)
         • Monitors 2764 different URLs
         • On 59 different top-level domains

  5. Local attacks – SSL
     “But my session was SSL encrypted, I’m safe, right?”
     • Information is intercepted before it gets encrypted:
       • Browser Helper Objects (BHO)
       • Process injection
       • DLL modules
       • Layered service providers (LSP)
       • Rootkits
       • Screenshots (for virtual keyboards)
       • Fake pop-ups

  6. General attack scenario
     Assumption: malicious code is running on the system.
     • Install rogue certification authority (CA)
       • No SSL certificate warnings
     • Redirect specific/all traffic to the attacker:
       • Can be done with Hosts file, LSP, rootkits, …
     • Attacker can send fake traffic to the user
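The hosts-file redirection mentioned on slide 6 leaves a trace an endpoint check can look for. The script below is an added example, not part of the presentation: it parses hosts-file text and flags any entry that pins a watched banking hostname to an address other than loopback (the loopback case is the common ad-blocking or sinkhole pattern). The hostnames, the watch list, the 203.0.113.7 address and the sample file content are all constructed.

```python
"""Flag hosts-file overrides of online-banking hostnames.

Added example (not from the presentation). Hostnames, addresses and the
sample hosts file below are constructed for illustration.
"""
import ipaddress

# Constructed watch list: hostnames users should reach only via DNS, never
# via a static hosts-file override (hypothetical bank names).
WATCHED_HOSTS = {"online.example-bank.com", "login.example-bank.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments
    and blank lines. One address line may carry several hostnames."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_overrides(text, watched=WATCHED_HOSTS):
    """Return (hostname, ip, reason) for watched hostnames that are statically
    mapped to a non-loopback address, or to something that is not an address.
    Such a mapping bypasses DNS for the bank's site and deserves review."""
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if not addr.is_loopback:
            findings.append((name, ip, "banking hostname pinned to non-loopback address"))
    return findings


# Constructed sample hosts file; the 203.0.113.7 line is the injected entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# local development entries
127.0.0.1   dev.internal.test
203.0.113.7 online.example-bank.com www.example-bank.com   # injected (constructed)
127.0.0.1   ads.example.net
"""

if __name__ == "__main__":
    for name, ip, reason in suspicious_overrides(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

On a real machine the text would be read from the platform's hosts file (for example /etc/hosts) and the watch list populated from the organisation's own domains; the check deliberately ignores hostnames outside the watch list so that ordinary local overrides do not generate noise.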

  7. SMS challenge code
     Diagram (user ↔ bank), message labels arranged in protocol order:
       1. Logon to the web site: send username
       2. Send OneTimePass to registered mobile
       3. Complete logon: send OneTimePass
     • 2-factor authentication using the mobile phone
     • The same applies to RSA tokens, iTANs, scratch lists

  8. Attacks on SMS challenge code
     Diagram (user ↔ attacker ↔ bank), message labels arranged in protocol order:
       1. Logon to the fake web site of attacker: send username
       2. Logon to the real web site using gathered data: send username
       3. Send fake web answer
       4. Send OneTimePass to registered mobile
       5. Complete the logon on the fake web site: send OneTimePass
       6. Complete the logon: send OneTimePass
       7. ACCESS GRANTED
       8. Send fake error answer
     • Countermeasure: send transaction details in the SMS for checking
     • Downside: sends sensitive information in a clear-text message

  9. Image verification
     • Personalize logon with custom image and personal text
     • Configuration saved on bank server
     • Only send your password if you see your image & text
     (PassMark system; the slide shows a sample image labelled “John Doe”)

  10. Image verification
     Diagram (user ↔ bank), message labels arranged in protocol order:
       1. Logon to the web site: send username
       2. Send registered image & text
       3. Verify image & text
       4. Send password

  11. Attacks on image verification
     Diagram (user ↔ attacker ↔ bank), message labels arranged in protocol order:
       1. Logon to the faked web site of attacker: send username
       2. Logon to the real web site using gathered data: send username
       3. Send registered image & text
       4. Send a fake web site with image & text
       5. Verifies image & text
       6. Send password
       7. Complete logon: send password
       8. ACCESS GRANTED
       9. Send fake error answer
     • Other attacks: replay attack
     • Countermeasure: not without serious changes

  12. PKI based software solutions
     Diagram (user ↔ bank), message labels arranged in protocol order:
       Initial setup: registering public key; PIN code for service (not saved on client); verification through different channel (phone)
       1. Logon: send encrypted SVR{UserID,PIN}
       2. Generate ticket: send encrypted USR{OneTimePass}
       3. Complete logon: send OneTimePass
       4. ACCESS GRANTED
     • Use cryptography to authenticate and protect the session
     • Example: WiKID open source solution

  13. Attacks on PKI based software solutions
     Diagram (user ↔ attacker ↔ bank), message labels arranged in protocol order:
       Initial setup: registering public key; PIN code for service (not saved on client); verification through different channel (phone)
       1. Logon: send encrypted SVR{UserID,PIN}; generate ticket: send encrypted USR{OneTimePass1}
       Send intercepted PIN and private & public keys
       2. Logon: send SVR{UserID,PIN}; send USR{OneTimePass2}
     • Countermeasure: block hooking or boot a clean OS (Knoppix)
     • Downside: who protects the anti-hooking tool? Ring0 Trojans? Additional token (CD-ROM)

  14. PKI based hardware token
     • Use external hardware tokens with PKI
     • Smartcards with PKI application
     • External reader with keypad and display (class 3)
     • Connected to PC on USB or serial cable
     • HBCI; already in use for years in Germany

  15. PKI based hardware token
     Diagram (user / reader ↔ bank), message labels arranged in protocol order:
       1. Unlock smartcard with PIN
       2. Request logon web page
       3. Send signed Java Applet
       4. Verify Java Applet signature
       5. Initiate mutual SSL
       6. Send username
       7. Send challenge CH1
       8. Enter challenge CH1
       9. Display response RS1
       10. Enter response RS1
       11. Enter transaction; send transaction & (T1)
       12. Display & sign (T1)

  16. Attacks on PKI based hardware token?
     • The transaction can not be manipulated, as the transaction is signed on the external hardware
     • Signing is only accessible from the external reader and can not be triggered by a Trojan
     • Downside:
       - Not easily portable (Internet café)
       - More expensive than other solutions
       - Not so convenient for the end user
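The difference between slide 8 (a one-time password that a relaying attacker can forward) and slides 15–16 (a transaction signed on an external reader) comes down to what the second factor is bound to. The model below is an added example, not code from the presentation or from any bank or vendor it mentions: a toy bank accepts a bare SMS code, the same code with transaction details shown to the user (slide 8's countermeasure), and a challenge-response computed on an external device over the transaction it displays. An HMAC over a shared per-user key stands in for the smartcard's signature so that the example runs on the standard library alone; the customer, balances, key and transactions are constructed.

```python
"""Relay (man-in-the-middle) attack on a one-time password, beside the two
countermeasures from the talk: transaction details in the SMS and a
transaction signed on an external reader.

Added example (not from the presentation). Names, balances, the per-user key
and the transactions are constructed; HMAC stands in for a smartcard signature.
"""
import hashlib
import hmac
import secrets


def canonical(tx):
    """Byte encoding of a transaction; bank and token must agree on it."""
    return f"{tx['from']}|{tx['to']}|{tx['amount']}".encode()


class Bank:
    """Toy bank server with one customer (alice) and one constructed token key."""

    def __init__(self):
        self.balance = {"alice": 1000, "merchant": 0, "mule": 0}
        self.token_key = {"alice": b"constructed-per-user-token-key"}
        self.pending = {}          # otp -> (user, transaction the bank will execute)
        self.challenges = set()    # open challenges for the hardware-token protocol

    # Slides 7/8: one-time password sent to the registered mobile. With
    # details=True the SMS also carries the transaction the bank will execute.
    def start_sms(self, user, tx, details=False):
        otp = secrets.token_hex(3)
        self.pending[otp] = (user, tx)
        return otp, (tx if details else None)   # what the phone displays

    def finish_sms(self, otp):
        user, tx = self.pending.pop(otp, (None, None))
        return user is not None and self._execute(tx)

    # Slide 15: challenge from the bank, response computed on the external reader.
    def challenge(self):
        ch = secrets.token_hex(4)
        self.challenges.add(ch)
        return ch

    def finish_signed(self, tx, ch, response):
        if ch not in self.challenges:
            return False                  # unknown or already used challenge: replay blocked
        expected = token_response(self.token_key[tx["from"]], tx, ch)
        if not hmac.compare_digest(expected, response):
            return False                  # submitted tx differs from what the token signed
        self.challenges.discard(ch)
        return self._execute(tx)

    def _execute(self, tx):
        if self.balance[tx["from"]] < tx["amount"]:
            return False
        self.balance[tx["from"]] -= tx["amount"]
        self.balance[tx["to"]] += tx["amount"]
        return True


def token_response(key, tx, ch):
    """Runs on the class-3 reader: the response covers the transaction the
    reader itself displays and the bank's challenge; the key never leaves it."""
    return hmac.new(key, canonical(tx) + ch.encode(), hashlib.sha256).hexdigest()


INTENDED = {"from": "alice", "to": "merchant", "amount": 500}   # what Alice wants
ATTACKER = {"from": "alice", "to": "mule", "amount": 500}       # what the relay submits


def plain_sms(details):
    """Alice logs in at the fake site while the attacker logs in at the real
    bank with its own transaction. The bank SMSes Alice; she types the code into
    the fake site unless the SMS shows details that do not match her intent."""
    bank = Bank()
    otp, shown = bank.start_sms("alice", ATTACKER, details=details)
    typed = otp if shown is None or shown == INTENDED else None
    ok = typed is not None and bank.finish_sms(typed)   # attacker relays the typed code
    return ok, bank.balance["mule"]


def hardware_token():
    """The reader signs INTENDED as displayed to Alice; the attacker submits the
    response with ATTACKER substituted, then the honest transaction goes
    through, and a replay of the same response is rejected."""
    bank = Bank()
    ch = bank.challenge()
    rs = token_response(bank.token_key["alice"], INTENDED, ch)
    tampered = bank.finish_signed(ATTACKER, ch, rs)
    honest = bank.finish_signed(INTENDED, ch, rs)
    replay = bank.finish_signed(INTENDED, ch, rs)
    return tampered, honest, replay, bank.balance["merchant"]


if __name__ == "__main__":
    print("plain OTP, relayed:", plain_sms(details=False))
    print("OTP with details, user checks:", plain_sms(details=True))
    print("hardware token (tampered, honest, replay):", hardware_token())
```

The bare code authenticates only the session, so whatever the relay submits under that session goes through. Putting the details in the SMS binds the code to one transaction but relies on the user actually comparing them (and, as slide 8 notes, puts those details in a clear-text message). The reader-computed response is bound by construction: the bank recomputes it over the transaction it received, so a substituted transaction fails without any diligence from the user beyond reading the reader's display, and the consumed challenge stops the replay attack slide 11 mentions.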

  17. Summary
     • Malware targeting financial services exists and increases in number. Why? There is money involved!
     • Software running on compromised systems can be targeted and must protect itself wisely or it will be rendered useless.
     • Most solutions today can solve the phishing problem but not man-in-the-middle attacks with Trojan horses.
     • There are possibilities to protect, so don’t give up the fight!

  18. Questions?

  19. Thank you for your attention!
     Candid Wüest, candid_wueest@symantec.com
