ciso-platform-annual-summit-2013-Man in browser(veena, citi bank)

Presented by Veena Srinivasan, Business Information Security Officer, Citi Bank at CISO Platform Annual Summit, 2013. Veena is responsible for information security compliance across consumer finance business in Citi bank for India and to implement a strategy for measuring, mitigating and managing risk.

Notes
  • Two-factor authentication does not work: the malware waits for the user to establish a connection with the bank's website, then piggybacks on the legitimate connection and modifies the transaction.
  • Out-of-band (OB) confirmation works only if the mobile is not compromised.

    1. Man in the Browser (MIB): an introduction and defending against MIB
       The views/opinions expressed in this presentation are solely those of the author and do not necessarily reflect the views or policies of Citibank N.A. (Citi), or its Board of Directors, or any of its associates, advisers, agents or officers or the governments they represent. Citi does not guarantee the accuracy or reliability of the data or information included in this presentation and accepts no responsibility for any consequences of their use. It is understood that the material in this paper is intended for general information only and should not be used in relation to any specific application without independent examination and verification of its applicability and suitability by professionally qualified personnel.
    2. What is a Man-in-the-Browser Attack?
       Man in the browser is a security attack where the perpetrator installs a Trojan on a victim's computer that is capable of modifying that user's Web transactions as they occur in real time.
       Who is the target: financial institutions.
    3. Inject fake transaction
       [Diagram: user, MIB malware, and bank connected over an encrypted SSL channel. The user submits "Transfer $100 to John"; the bank receives "Transfer $1000 to XXX". The bank's response, "$1000 transferred to XXX", is shown to the user as "$100 transferred to John".]
    4. Well-known good advice: necessary but not sufficient
       • Strong password
       • Run current antivirus software
       • Stay up to date on patches
       • Two-factor authentication
       • SSL client-side encryption
       MITB malware can intercept the password from the browser directly, or wait until the user is authenticated.
    5. Countermeasures
       • Out-of-band confirmation, e.g. the user might receive an SMS, email or phone call
       • Modify the web page
       • Fraud detection that monitors user behavior
    6. Conclusion
       MIB is a focused, advanced attack on banking. Continuous monitoring and security awareness are required.
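The out-of-band confirmation countermeasure on slide 5 only defeats the slide 3 rewrite if the bank binds the confirmation to the exact transaction details it received and spells those details out on the independent channel. The following Python is an added example written for this page, not code from the presentation or from Citi; the HMAC-based binding scheme, the function names, the SMS wording and the fixed demo key are all constructed assumptions. It models the two cases a defender cares about: the malware rewrites the request before confirmation (the SMS then shows the real amount and beneficiary, so a user on an uncompromised phone can refuse), and the malware rewrites the final submission after the user confirmed (the bound code no longer matches and the server rejects it).

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo key. A real deployment would keep this in an HSM or key
# service; it is hard-coded here only so the example runs offline.
SERVER_SECRET = b"constructed-demo-key-not-a-real-secret"


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount_cents: int

    def describe(self) -> str:
        return f"${self.amount_cents / 100:.2f} to {self.beneficiary}"


def canonical(t: Transfer, nonce: str) -> bytes:
    """Unambiguous byte encoding of the transaction the code is bound to.
    The beneficiary length is included so field boundaries cannot be shifted."""
    b = t.beneficiary.encode("utf-8")
    return b"|".join([nonce.encode(), str(len(b)).encode(), b, str(t.amount_cents).encode()])


def confirmation_code(t: Transfer, nonce: str) -> str:
    """Short code derived from the server secret and the exact transaction details."""
    mac = hmac.new(SERVER_SECRET, canonical(t, nonce), hashlib.sha256).hexdigest()
    return mac[:8]


def issue_confirmation(received: Transfer) -> dict:
    """Bank side, step 1: bind a one-time code to the transaction the bank actually
    received and send the details plus the code over the independent channel.
    The message spells out amount and beneficiary so the user can spot a rewrite."""
    nonce = secrets.token_hex(8)
    code = confirmation_code(received, nonce)
    sms = f"Confirm transfer of {received.describe()}. Code {code}, ref {nonce}."
    return {"nonce": nonce, "code": code, "sms": sms}


def execute_transfer(submitted: Transfer, nonce: str, code: str) -> str:
    """Bank side, step 2: execute only if the code matches the submitted details.
    Any change to amount or beneficiary after confirmation yields a different code."""
    expected = confirmation_code(submitted, nonce)
    if hmac.compare_digest(expected, code):
        return f"executed: {submitted.describe()}"
    return "rejected: confirmation code does not match the submitted transaction"


def mitb_rewrite(t: Transfer) -> Transfer:
    """The in-browser rewrite from slide 3 (constructed stand-in for the malware)."""
    return Transfer("XXX", 100_000)


def simulate() -> dict:
    intended = Transfer("John", 10_000)
    # Case A: the request is rewritten before the bank issues the OOB message.
    # The bank binds the code to what it received, so the SMS reads "$1000.00 to XXX"
    # and the user, reading it on an uncompromised phone, should refuse to confirm.
    case_a = issue_confirmation(mitb_rewrite(intended))
    # Case B: the user confirmed the real transfer and the final submission is
    # rewritten afterwards. The code no longer matches the details, so it is rejected.
    case_b = issue_confirmation(intended)
    case_b_outcome = execute_transfer(mitb_rewrite(intended), case_b["nonce"], case_b["code"])
    honest_outcome = execute_transfer(intended, case_b["nonce"], case_b["code"])
    return {
        "case_a_sms": case_a["sms"],
        "case_b_outcome": case_b_outcome,
        "honest_outcome": honest_outcome,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The design point is that the confirmation is bound to the transaction, not merely to the session: a session-level one-time code would still be valid for whatever the malware submits. The caveat from the speaker notes still applies, because if the phone receiving the SMS is also compromised, case A collapses.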
