Online banking trojans
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Online banking trojans

  • 732 views
Uploaded on

Talk on online banking trojans at joint DND/ISACA/ISF member meeting, in Bergen on May 2, 2011

Talk on online banking trojans at joint DND/ISACA/ISF member meeting, in Bergen on May 2, 2011

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
732
On Slideshare
732
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
7
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Online banking TrojansRecent developments and countermeasuresDND, ISF, ISACA member meeting 02. May 2011André N.KlingsheimIT security specialist, PhD
  • 2. Outline• Skandiabanken’s login procedures• ”Traditional” Trojans• Recent developments• Recent security adjustments 2
  • 3. The login procedures• Online banking password – With One Time Password (OTP) by SMS – Or from a code card• BankID – BankID password – OTP from code card• BankID mobile – Pin entered on mobile phone 3
  • 4. Login procedures figure 4
  • 5. Traditional Trojans• Most simplistic Trojans – Are essentially keyloggers – Record your usernames and passwords – Sends the data to some drop site on the Internet – Attacker later picks up the data from drop site – Will compromise traditional username/password schemes (single factor authentication)• High security sites have introduced OTPs to counter this threat (others follow) 5
  • 6. More recent Trojans• Not so simplistic Trojans – Target two-factor authentication – Target systems employing reauthentication • Means you need to supply new OTPs to perform sensitive operations – Attempt to steal OTPs – Have functionality to show malicious webpages to the user, to confuse the user into giving several OTPs – Requires user interaction 6
  • 7. More recent Trojans II• More advanced Trojans – Target two-factor authentication – Performs attack in realtime • Overcomes short lived OTPs • Overcomes singular OTPs – Requires user interaction 7
  • 8. Modern Trojan threat• Advanced Trojans can conceal rogue payments: – Rewrite payment registry – Rewrite account statement• Can make the attack undetectable for the user – There are no visual indications that something is wrong, i.e. the account statement looks ok• We’ll have a look at the Zeus Trojan – Screenshots stolen from Symantec video (9 mins worth watching!) – www.youtube.com/watch?v=CzdBCDPETxk 8
  • 9. Zeus example (original page) 9
  • 10. Zeus example (modified page) 10
  • 11. Zeus config 11
  • 12. It gets worse... 12
  • 13. Combined PC/mobile Trojan threat• Trojans on pc attempt to install mobile Trojan – Ask customer to install ”App” during login – Steal username/password on pc, OTP on mobile• Some attacks reported in Europe – This is an upcoming threat• We haven’t seen any of these attacks in Norway yet 13
  • 14. Zeus combined mobile Trojan •www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication 14
  • 15. Combined PC/mobile Trojan threat II• Mobile platforms are consolidated – iOS (iPhone), Android, Windows Mobile 7 – Makes mobile Trojans scale better – Increases ROI for attackers, increases our risk• Installing the mobile Trojan still requires user participation – User must supply phone model and maker – User must accept installation on the phone 15
  • 16. Countermeasures 16
  • 17. Our security design• Payment authorization – By an OTP (reauthentication) – Or by signature, BankID/BankID• Required for: – Payments to new recipients – Payments over a certain threshold• Hampered attacks from traditional Trojans• Balanced usability/security 17
  • 18. The OTPs• Generated securely – Infeasible to guess them• Short lived, 15 mins• You can only have one valid OTP at any given moment – Requesting a new OTP invalidates the previous – Forces real time attack• OTP is tied to the operation you perform – Login/payment/changing personal information etc 18
  • 19. Stopping the attack at the client 19
  • 20. Recent security adjustments• We’ve done some important security design changes to our online bank to deal with the modern threats• Most noteworthy (and visible to our customers) – Introduced contextual information with our OTPs• The effect: – Faced with a Trojan attack, all attempted rogue transactions are detectable for the customer 20
  • 21. OTP via SMS, with context 21
  • 22. Avoiding the attack?Look for mismatch betweenaccount/amount in onlinebank and mobile phone 22
  • 23. The standard countermeasures• These are the usual suspects – Surveillance of Trojan activity (through partner) – IDS/firewall/etc – Payment monitoring – This is not an exhaustive list • In addition – Tight collaboration with other Norwegian banks – Information sharing (extremely important) – Security collaboration, not competition 23
  • 24. Thank you!• You’ll find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen• I don’t want to be your Facebook friend• Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference 24