The login procedures• Online banking password – With One Time Password (OTP) by SMS – Or from a code card• BankID – BankID password – OTP from code card• BankID mobile – Pin entered on mobile phone 3
Traditional Trojans• Most simplistic Trojans – Are essentially keyloggers – Record your usernames and passwords – Sends the data to some drop site on the Internet – Attacker later picks up the data from drop site – Will compromise traditional username/password schemes (single factor authentication)• High security sites have introduced OTPs to counter this threat (others follow) 5
More recent Trojans• Not so simplistic Trojans – Target two-factor authentication – Target systems employing reauthentication • Means you need to supply new OTPs to perform sensitive operations – Attempt to steal OTPs – Have functionality to show malicious webpages to the user, to confuse the user into giving several OTPs – Requires user interaction 6
More recent Trojans II• More advanced Trojans – Target two-factor authentication – Performs attack in realtime • Overcomes short lived OTPs • Overcomes singular OTPs – Requires user interaction 7
Modern Trojan threat• Advanced Trojans can conceal rogue payments: – Rewrite payment registry – Rewrite account statement• Can make the attack undetectable for the user – There are no visual indications that something is wrong, i.e. the account statement looks ok• We’ll have a look at the Zeus Trojan – Screenshots stolen from Symantec video (9 mins worth watching!) – www.youtube.com/watch?v=CzdBCDPETxk 8
Combined PC/mobile Trojan threat• Trojans on pc attempt to install mobile Trojan – Ask customer to install ”App” during login – Steal username/password on pc, OTP on mobile• Some attacks reported in Europe – This is an upcoming threat• We haven’t seen any of these attacks in Norway yet 13
Zeus combined mobile Trojan •www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication 14
Combined PC/mobile Trojan threat II• Mobile platforms are consolidated – iOS (iPhone), Android, Windows Mobile 7 – Makes mobile Trojans scale better – Increases ROI for attackers, increases our risk• Installing the mobile Trojan still requires user participation – User must supply phone model and maker – User must accept installation on the phone 15
Our security design• Payment authorization – By an OTP (reauthentication) – Or by signature, BankID/BankID• Required for: – Payments to new recipients – Payments over a certain threshold• Hampered attacks from traditional Trojans• Balanced usability/security 17
The OTPs• Generated securely – Infeasible to guess them• Short lived, 15 mins• You can only have one valid OTP at any given moment – Requesting a new OTP invalidates the previous – Forces real time attack• OTP is tied to the operation you perform – Login/payment/changing personal information etc 18
Recent security adjustments• We’ve done some important security design changes to our online bank to deal with the modern threats• Most noteworthy (and visible to our customers) – Introduced contextual information with our OTPs• The effect: – Faced with a Trojan attack, all attempted rogue transactions are detectable for the customer 20
Avoiding the attack?Look for mismatch betweenaccount/amount in onlinebank and mobile phone 22
The standard countermeasures• These are the usual suspects – Surveillance of Trojan activity (through partner) – IDS/firewall/etc – Payment monitoring – This is not an exhaustive list • In addition – Tight collaboration with other Norwegian banks – Information sharing (extremely important) – Security collaboration, not competition 23
Thank you!• You’ll find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen• I don’t want to be your Facebook friend• Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference 24
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.