“Phishing in the middle of the stream” – Today’s threats to online banking

Candid Wüest, Security Response Engineer, November 2005


Agenda

  • Introduction

  • Local attacks

  • Protection methods used today

    • Anti-Phishing tools

    • SMS authentication

    • Image verification

    • PKI based solutions

  • Attacks against the weak points

  • Questions? & Answers!


Introduction

  • Online banking is popular

  • But many people fear that it is insecure

  • Wherever money is involved, bad guys appear trying to steal it!

  • Several known cases of online thefts:

    • June 2005 in Korea. Damage: ~US$ 50’000

    • February 2005 in the USA. Damage: ~US$ 90’000


Evolution

  • Not only phishing emails with obscured links anymore

  • Targeted malware attacks are increasing

  • Trojans targeting financial services have increased in number: 20 variants in May 2003, >2000 variants in November 2005

  • PWSteal.Bancos.T (April 2005)

    • Monitors 2764 different URLs

    • On 59 different top-level domains


Local attacks – SSL

“But my session was SSL encrypted, I’m safe, right?”

  • Information is intercepted before it gets encrypted:

    • Browser Helper Objects (BHO)

    • Process injection

    • DLL modules

    • Layered service providers (LSP)

    • Rootkits

    • Screenshots (for virtual keyboards)

    • Fake Pop-ups


General attack scenario

Assumption: malicious code is running on the system.

  • Install a rogue certification authority (CA)

    • No SSL certificate warnings

  • Redirect specific/all traffic to the attacker:

    • Can be done with Hosts file, LSP, rootkits,…

    • Attacker can send fake traffic to user


SMS challenge code

  1. User → Bank: Logon to the web site: send username

  2. Bank → User’s registered mobile: Send OneTimePass

  3. User → Bank: Complete logon: send OneTimePass

  • 2-factor authentication using the mobile phone

  • The same applies to RSA tokens, iTANs, scratch lists


Attacks on SMS challenge code

  1. User → Attacker’s fake web site: Logon: send username

  2. Attacker → Real bank web site: Logon using the gathered data: send username

  3. Attacker → User: Send fake web answer

  4. Bank → User’s registered mobile: Send OneTimePass

  5. User → Attacker’s fake web site: Complete the logon: send OneTimePass

  6. Attacker → Bank: Complete the logon: send OneTimePass

  7. Bank → Attacker: ACCESS GRANTED

  8. Attacker → User: Send fake error answer

  • Countermeasure: Send the transaction details in the SMS so the user can check them before entering the code

  • Downside: Sends sensitive information in a clear-text message
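The transaction-bound variant of the countermeasure above, as an added example that is not from the original presentation: the bank derives the one-time code over the transaction details, the SMS text carries those details for the user to check, and a code issued for one transfer does not verify for another. The server key, account numbers, recipients and amounts are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo key; a real bank would keep a per-customer key in an HSM.
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Transaction:
    account: str
    recipient: str
    amount: str


def describe(txn: Transaction) -> str:
    """Text that goes into the SMS; also the bytes the code is bound to."""
    return f"Transfer {txn.amount} to {txn.recipient} from {txn.account}"


def issue_sms(txn: Transaction, nonce: bytes) -> tuple[str, str]:
    """Bank side: derive a 6-digit code over nonce + transaction details and
    return (sms_text, code). The code is valid for exactly this transaction."""
    mac = hmac.new(SERVER_KEY, nonce + describe(txn).encode(), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    return f"{describe(txn)}. Code: {code}", code


def user_checks_sms(sms_text: str, intended: Transaction) -> bool:
    """User side: the check the slide recommends. Type the code only if the SMS
    describes the transfer the user actually entered on the PC."""
    return sms_text.startswith(describe(intended) + ".")


def bank_verifies(txn: Transaction, nonce: bytes, code: str) -> bool:
    """Bank side: recompute over the transaction that is about to be executed."""
    _, expected = issue_sms(txn, nonce)
    return hmac.compare_digest(expected, code)


def relay_attack_demo() -> tuple[bool, bool]:
    """A Trojan/man-in-the-middle relays the session but swaps the recipient.
    Returns (user_notices_mismatch, code_valid_for_other_transaction)."""
    intended = Transaction("CH-1234", "Electric Co", "120.00 CHF")
    swapped = Transaction("CH-1234", "Mule Account", "9500.00 CHF")
    nonce = secrets.token_bytes(8)
    sms_text, code = issue_sms(swapped, nonce)  # the real bank only sees the swapped transfer
    user_notices = not user_checks_sms(sms_text, intended)
    # A code issued for 'swapped' cannot be re-bound to 'intended' (or vice versa).
    valid_elsewhere = bank_verifies(intended, nonce, code)
    return user_notices, valid_elsewhere
```

The user-side check still depends on the customer reading the SMS; the binding only guarantees that whatever code they type authorises exactly the transfer described in the message.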


Image verification

  • Personalize logon with custom image and personal text

  • Configuration saved on bank server

  • Only send your password if you see your image & text

  • Example: PassMark system


Image verification

  1. User → Bank: Logon to the web site: send username

  2. Bank → User: Send registered image & text

  3. User: Verify image & text

  4. User → Bank: Send password


Attacks on image verification

  1. User → Attacker’s faked web site: Logon: send username

  2. Attacker → Real bank web site: Logon using the gathered data: send username

  3. Bank → Attacker: Send registered image & text

  4. Attacker → User: Send a fake web site with image & text

  5. User: Verifies image & text

  6. User → Attacker’s faked web site: Send password

  7. Attacker → Bank: Complete logon: send password

  8. Bank → Attacker: ACCESS GRANTED

  9. Attacker → User: Send fake error answer

  • Other attacks: Replay attack

  • Countermeasure: Not without serious changes


PKI based software solutions

  Initial setup:

    • Registering public key

    • PIN code for service (not saved on client)

    • Verification through different channel (phone)

  1. Logon: send encrypted SVR{UserID,PIN}

  2. Generate ticket: send encrypted USR{OneTimePass}

  3. Complete logon: send OneTimePass

  4. ACCESS GRANTED

  • Use cryptography to authenticate and protect the session

  • Example: WiKID open source solution


Attacks on PKI based software solutions

  Initial setup as before: registering public key, PIN code for service (not saved on client), verification through different channel (phone)

  1. Logon: send encrypted SVR{UserID,PIN}

     Generate ticket: send encrypted USR{OneTimePass1}

     Malicious code on the client sends the intercepted PIN and the private & public keys to the attacker

  2. Attacker’s logon: send SVR{UserID,PIN}

     Bank: send USR{OneTimePass2}

  • Countermeasure: Block hooking or boot a clean OS (Knoppix)

  • Downside: Who protects the anti-hooking tool? Ring0 Trojans?

    • Requires an additional token (CD-ROM)


PKI based hardware token

  • Use external hardware tokens with PKI

    • Smartcards with PKI application

    • External reader with keypad and display (class 3)

    • Connected to PC on USB or serial cable

  • HBCI; already in use for years in Germany


PKI based hardware token

  1. User: Unlock smartcard with PIN (on the external reader)

  2. User → Bank: Request logon web page

  3. Bank → User: Send signed Java Applet

  4. User: Verify Java Applet signature

  5. Initiate mutual SSL

  6. User → Bank: Send username

  7. Bank → User: Send challenge CH1

  8. User → Reader: Enter challenge CH1

  9. Reader: Display response RS1

  10. User → Bank: Enter response RS1

  11. User: Enter transaction

  12. Reader: Display & sign (T1)

  13. User → Bank: Send transaction & signature (T1)


Attacks on PKI based hardware token?

  • Transaction cannot be manipulated, as the transaction is signed on the external hardware

  • Signing is only accessible from the external reader and cannot be triggered by a Trojan

  • Downside:

    • Not easily portable (Internet café)

    • More expensive than other solutions

    • Not so convenient for the end user


Summary

  • Malware targeting financial services exists and increases in number. Why? There is money involved!

  • Software running on compromised systems can be targeted and must protect itself wisely or it will be rendered useless.

  • Most solutions today can solve the phishing problem but not man-in-the-middle attacks with Trojan horses.

  • There are possibilities to protect, so don’t give up the fight!


Questions?


Thank you for your attention !

Candid Wüest, [email protected]