Online banking Trojans
Recent developments and countermeasures

DND, ISF, ISACA member meeting 02. May 2011

André N. Klingsheim
IT security specialist, PhD
Outline
• Skandiabanken’s login procedures
• “Traditional” Trojans
• Recent developments
• Recent security adjustments
The login procedures
• Online banking password
   – With a One Time Password (OTP) sent by SMS
   – Or from a code card
• BankID
   – BankID password
   – OTP from code card
• BankID mobile
   – PIN entered on the mobile phone
Login procedures figure [figure slide]
Traditional Trojans
• The most simplistic Trojans
   – Are essentially keyloggers
   – Record your usernames and passwords
   – Send the data to some drop site on the Internet
   – The attacker later picks up the data from the drop site
   – Will compromise traditional username/password schemes (single-factor authentication)
• High-security sites have introduced OTPs to counter this threat (others follow)
More recent Trojans
• Not-so-simplistic Trojans
   – Target two-factor authentication
   – Target systems employing reauthentication
      • Means you need to supply new OTPs to perform sensitive operations
   – Attempt to steal OTPs
   – Have functionality to show malicious web pages to the user, to confuse the user into giving up several OTPs
   – Require user interaction
More recent Trojans II
• More advanced Trojans
   – Target two-factor authentication
   – Perform the attack in real time
      • Overcomes short-lived OTPs
      • Overcomes single-use OTPs
   – Require user interaction
Modern Trojan threat
• Advanced Trojans can conceal rogue payments:
   – Rewrite the payment register
   – Rewrite the account statement
• Can make the attack undetectable for the user
   – There are no visual indications that something is wrong, i.e. the account statement looks OK
• We’ll have a look at the Zeus Trojan
   – Screenshots stolen from a Symantec video (9 mins, worth watching!)
   – www.youtube.com/watch?v=CzdBCDPETxk
Zeus example (original page) [figure slide]
Zeus example (modified page) [figure slide]
Zeus config [figure slide]
It gets worse... [figure slide]
Combined PC/mobile Trojan threat
• Trojans on the PC attempt to install a mobile Trojan
   – Ask the customer to install an “app” during login
   – Steal username/password on the PC, OTP on the mobile
• Some attacks reported in Europe
   – This is an upcoming threat
• We haven’t seen any of these attacks in Norway yet
Zeus combined mobile Trojan [figure slide]
• www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication
Combined PC/mobile Trojan threat II
• Mobile platforms have consolidated
   – iOS (iPhone), Android, Windows Mobile 7
   – Makes mobile Trojans scale better
   – Increases ROI for attackers, increases our risk
• Installing the mobile Trojan still requires user participation
   – The user must supply the phone model and maker
   – The user must accept the installation on the phone
Countermeasures
Our security design
• Payment authorization
   – By an OTP (reauthentication)
   – Or by signature, BankID/BankID
• Required for:
   – Payments to new recipients
   – Payments over a certain threshold
• Hampered attacks from traditional Trojans
• Balanced usability and security
The OTPs
• Generated securely
   – Infeasible to guess them
• Short-lived: 15 minutes
• You can only have one valid OTP at any given moment
   – Requesting a new OTP invalidates the previous one
   – Forces a real-time attack
• The OTP is tied to the operation you perform
   – Login, payment, changing personal information, etc.
Stopping the attack at the client [figure slide]
Recent security adjustments
• We’ve made some important security design changes to our online bank to deal with the modern threats
• Most noteworthy (and visible to our customers):
   – Introduced contextual information with our OTPs
• The effect:
   – Faced with a Trojan attack, all attempted rogue transactions are detectable by the customer
OTP via SMS, with context [figure slide]
Avoiding the attack?
Look for a mismatch between the account/amount shown in the online bank and the account/amount in the SMS on the mobile phone.
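The slides “Our security design”, “The OTPs”, “Recent security adjustments” and “Avoiding the attack?” together describe one design: reauthentication by OTP for risky payments, OTPs that are unguessable, short-lived, single-valid, single-use and bound to one operation, and an SMS that states what the OTP authorises so the customer can compare it with the browser. The following Python is an added example written for this page, not Skandiabanken’s code. The reauthentication threshold (5000), the OTP length (6 digits), the SMS wording, the regex that reads it back, the account-number format and the sample payments are all assumptions; the only value taken from the deck is the 15-minute lifetime.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Assumed values: the deck gives the 15-minute lifetime but neither the
# reauthentication threshold nor the OTP length.
OTP_LIFETIME_SECONDS = 15 * 60
REAUTH_THRESHOLD = 5000
OTP_DIGITS = 6


@dataclass(frozen=True)
class Payment:
    from_account: str
    to_account: str
    amount: int  # whole currency units; sample values below are constructed


def requires_reauthentication(payment: Payment, known_recipients: Set[str],
                              threshold: int = REAUTH_THRESHOLD) -> bool:
    """'Our security design': an OTP is required for payments to new
    recipients and for payments over a certain threshold."""
    return payment.to_account not in known_recipients or payment.amount > threshold


@dataclass(frozen=True)
class IssuedOtp:
    code: str
    operation: str  # login / payment / ...
    context: str    # canonical description of the operation the OTP is tied to
    issued_at: float


def payment_context(p: Payment) -> str:
    """The operation the OTP is bound to, as the bank received it."""
    return f"payment:{p.to_account}:{p.amount}"


class OtpService:
    """'The OTPs': securely generated, 15-minute lifetime, one valid OTP per
    customer (a new request invalidates the previous one), tied to the
    operation being performed, and consumed on successful use."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be exercised
        self._active: Dict[str, IssuedOtp] = {}

    def issue(self, customer: str, operation: str, context: str) -> IssuedOtp:
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        otp = IssuedOtp(code, operation, context, self._now())
        self._active[customer] = otp  # replaces (invalidates) any earlier OTP
        return otp

    def sms_text(self, otp: IssuedOtp, payment: Optional[Payment] = None) -> str:
        """'OTP via SMS, with context': the message states what the OTP
        authorises, as the bank received it. Wording is assumed."""
        if otp.operation == "payment" and payment is not None:
            return (f"Code {otp.code}: payment of {payment.amount} "
                    f"to account {payment.to_account}. Valid 15 min.")
        return f"Code {otp.code}: {otp.operation}. Valid 15 min."

    def verify(self, customer: str, code: str, operation: str, context: str) -> bool:
        otp = self._active.get(customer)
        if otp is None:
            return False
        if self._now() - otp.issued_at > OTP_LIFETIME_SECONDS:
            del self._active[customer]  # expired; can never be used
            return False
        ok = (secrets.compare_digest(otp.code, code)
              and otp.operation == operation
              and otp.context == context)
        if ok:
            del self._active[customer]  # single use
        return ok


_SMS_PAYMENT = re.compile(r"payment of (\d+) to account (\S+)\.")


def customer_sees_mismatch(shown_in_browser: Payment, sms: str) -> bool:
    """'Avoiding the attack?': compare the account/amount the online bank
    shows (which a Trojan may have rewritten) with what the SMS says."""
    m = _SMS_PAYMENT.search(sms)
    if m is None:
        return True  # an SMS without payment context gives nothing to confirm
    return (int(m.group(1)) != shown_in_browser.amount
            or m.group(2) != shown_in_browser.to_account)


if __name__ == "__main__":
    # Constructed scenario: the customer intends one payment, the bank
    # receives a different one; the SMS reflects what the bank received.
    svc = OtpService()
    intended = Payment("1234.56.78903", "9876.54.32100", 750)
    received = Payment("1234.56.78903", "6666.00.00001", 9500)
    otp = svc.issue("customer-1", "payment", payment_context(received))
    sms = svc.sms_text(otp, received)
    print(sms)
    print("mismatch visible to customer:", customer_sees_mismatch(intended, sms))
```

The point of binding the OTP to `payment_context` is that an OTP issued for the payment the bank actually received cannot authorise any other payment, and the SMS describes that same received payment; the only thing the customer has to do is compare two numbers, which is exactly the check the “Avoiding the attack?” slide asks for.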
The standard countermeasures
• These are the usual suspects
   – Surveillance of Trojan activity (through a partner)
   – IDS/firewall/etc.
   – Payment monitoring
   – This is not an exhaustive list
• In addition
   – Tight collaboration with other Norwegian banks
   – Information sharing (extremely important)
   – Security collaboration, not competition
Thank you!
• You’ll find me online:
   – andre.klingsheim (at) skandiabanken (dot) no
   – Blog: www.dotnetnoob.com
   – Twitter: @klingsen
• I don’t want to be your Facebook friend
• Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference
