Eliminating Man-in-the-Browser Threats in Internet Banking
www.tectia.com

WHY YOU SHOULD BE CONCERNED

The increase in the popularity of Internet banking has seen a corresponding rise in methods for stealing personal and banking data. Cyber criminals have refined their techniques to match the growing sophistication of modern security solutions.

One of the first methods of cyber crime was to use software for logging the keystrokes made by the user. This was followed by more elegant mechanisms, such as phishing and pharming, where users are directed to a false web site that collects their secure information as they unsuspectingly provide it.

The latest critical threat is known as Man-in-the-Browser, a completely invisible and hard-to-detect attack that allows cyber criminals to hijack web browser connections and to gather and alter users' secure information and transaction details.

As banks have enhanced their authentication systems, phishing attacks have become less and less effective. Conversely, Man-in-the-Browser attacks are set to increase, heavily affecting consumers, businesses, and financial institutions, and resulting in large financial losses and litigation.

A recent FBI study highlighted that potential losses from Trojans and other attacks against financial institutions have already exceeded $100 million.
The Anti-Phishing Working Group (APWG) recently reported more than 56,000 unique phishing sites in August 2009 alone, along with extremely rapid growth in malware variants.

WHAT IS A MAN-IN-THE-BROWSER ATTACK?

The "Man-in-the-Browser" is a Trojan horse that infects the user's web browser and is able to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion that is invisible to both the user and the host application.

Since the Man-in-the-Browser attack happens at the application layer, the attack will be successful regardless of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place.

For example, as described in Figure 1, in an online banking transaction the customer is shown, via confirmation screens, the correct payment information as entered into the browser. The bank, however, receives a transaction with altered instructions: a different destination account number and possibly a different amount. The use of strong authentication or transaction authentication numbers through the web browser interface simply creates a false sense of security, for both the customer and the bank, that the transaction is secure.
Because of its silent and invisible nature, most traditional defenses are rendered completely ineffective. The Trojan operates between the web browser's security protocols and the user's input, which makes it very difficult to detect through traditional virus-scanning methods. Examples of well-known Man-in-the-Browser attacks include the Zeus and Silentbanker Trojans, each of which has been successfully installed on millions of PCs around the world and has a proven record of successful fraud. One example is an uncovered Zeus 3-driven attack that defrauded customers of a major UK bank of more than £600,000.

HOW TO ELIMINATE THE THREAT

What can be done if traditional virus scanners and tools, or even the strongest authentication methods, cannot be used effectively to eliminate this threat?

USER-BEHAVIOR-BASED FRAUD DETECTION

One approach to solving this problem is to monitor and analyze real-time user behavior on the application interface. These kinds of fraud detection tools analyze all user activity: how pages are accessed, whether or not the user is navigating too quickly, and whether there are any suspicious page navigation patterns.

Passive safeguards are attractive because they are invisible to end users and do not require any changes to end user systems or the user experience. However, these solutions may not necessarily scale to large environments because of the amount of data that must be analyzed. In addition, they may cause false alerts and interruptions or, even worse, may fail to prevent fraud attempts.

Figure 1: Man-in-the-Browser attack changing the web-site content
ISOLATING THE WEB BROWSER OR SYSTEM

One way to ensure that your web browser cannot be infected is to install the browser executable on a USB stick and set the stick to read-only mode. This may protect the web browser from infection, but what happens if the USB stick browser is run on an already infected system? Advanced Trojans and worms may hijack the web connection even if the browser itself is stored on a read-only USB stick. Furthermore, applying this model to a large environment may become a nightmare of USB stick management and browser upgrades. Finally, many organizations have disabled USB ports, making the deployment of this method even more challenging.

SIGNATURE-BASED TRANSACTION VERIFICATION

Another option is to use a one-time password (OTP) device that can electronically sign transaction details. When the transaction takes place, the user is prompted to enter the transaction details into the device, which calculates the signature code. In this model a special hardware unit must be provided to every user. This may be very challenging for large Internet banking environments, and the operating costs of managing, distributing, and supporting this hardware are very high.

OUT-OF-BAND TRANSACTION VERIFICATION

One of the most effective methods of defeating a Man-in-the-Browser attack is an out-of-band (OOB) transaction verification process. Out-of-band verification overcomes the Man-in-the-Browser Trojan by presenting the transaction details, as received by the host (bank), to the user (customer) over a channel other than the web browser, typically an automated telephone call, an SMS text message or a mobile application.

In the transaction verification process, the user is not only sent a confirmation code or one-time password, but also a summary of the transaction: "Money transfer €1,087.00 from account 12345678 to 87654321. Confirmation code 193713".
In this way the user can check the transaction details and continue only if the information is correct.

To further enhance the security of this approach, out-of-band transaction verification can also be configured to accept confirmation codes only through the out-of-band channel, for example by replying to the SMS text message, which makes any kind of transaction modification virtually impossible.

Figure 2: Out-of-band transaction verification

Out-of-band transaction verification is ideal for large deployments since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices.

Some out-of-band transaction verification solutions can also be used to provide strong two- or three-factor user authentication and transaction signing capabilities. This also makes them ideal for combating other Internet banking threats such as phishing, pharming or other types of account misuse and connection hijacking attempts.
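The out-of-band flow described above, as an added example (not Tectia's code and not part of this paper): the bank side issues a transaction summary plus a six-digit confirmation code per pending transaction, the code is an HMAC over the details the bank actually received so it cannot approve a different amount or destination, it is accepted once only, and the customer approves only when the summary matches what was typed into the browser. The €50 to account 234567 versus €150 to account 176671 values come from the Tectia MobileID walkthrough later in this paper; the server key, the source account 12345678 in the tests and the code derivation are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # constructed; a real bank keeps this in an HSM/secret store

@dataclass(frozen=True)
class Transaction:
    from_account: str
    to_account: str
    amount_cents: int

def summary(tx: Transaction) -> str:
    """Summary text the bank sends over the second channel (SMS, call, mobile app)."""
    euros, cents = divmod(tx.amount_cents, 100)
    return f"Money transfer EUR {euros}.{cents:02d} from account {tx.from_account} to {tx.to_account}."

def confirmation_code(tx: Transaction, nonce: str) -> str:
    """Six-digit code bound to the transaction the host received, so it cannot approve another."""
    msg = f"{tx.from_account}|{tx.to_account}|{tx.amount_cents}|{nonce}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class OutOfBandVerifier:
    def __init__(self) -> None:
        self.pending: dict[str, tuple[Transaction, str]] = {}  # tx_id -> (received tx, nonce)

    def issue(self, tx_id: str, received: Transaction) -> str:
        nonce = secrets.token_hex(8)
        self.pending[tx_id] = (received, nonce)
        # This message goes out over the out-of-band channel, never through the browser session.
        return f"{summary(received)} Confirmation code {confirmation_code(received, nonce)}"

    def confirm(self, tx_id: str, code: str) -> bool:
        entry = self.pending.pop(tx_id, None)  # one-shot: a code cannot be replayed
        if entry is None:
            return False
        received, nonce = entry
        return hmac.compare_digest(code, confirmation_code(received, nonce))

def run_flow(intended: Transaction, submitted: Transaction) -> str:
    """End-to-end flow: 'submitted' is what the bank received, possibly altered in the browser."""
    bank = OutOfBandVerifier()
    message = bank.issue("tx-1", submitted)
    if not message.startswith(summary(intended)):
        return "cancelled"  # customer compares the SMS with what they typed and spots the mismatch
    code = message.rsplit(" ", 1)[1]  # customer replies with the code from the SMS, not via browser
    return "executed" if bank.confirm("tx-1", code) else "rejected"
```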
HOW CAN TECTIA HELP?

Tectia Security Solutions provide the fastest track to real-time information security. We help our customers secure, automate, manage, and share real-time information in large enterprise environments, both in the intranet and the extranet, with little or no modification to their existing infrastructure and no disruption to business.

PREVENTING MAN-IN-THE-BROWSER AND OTHER INTERNET BANKING THREATS

Tectia MobileID, a key product of Tectia Share Solutions, is a strong two-factor authentication and transaction verification solution that utilizes a wide variety of easy and fast to deploy out-of-band mechanisms such as SMS text messaging, mobile phone applications and e-mail. A typical deployment of Tectia MobileID in a banking environment is described in the diagram below:

1. The user connects to the online banking service using a web browser and logs in using his credentials. The user checks his bank account details and makes an online payment: €50 to account 234567 of an electricity company. The banking service sends the transaction details to the user via the web browser.

2. Before executing the payment, the online banking service also sends a transaction summary to Tectia MobileID Server.

3. Tectia MobileID Server sends an SMS text message containing the transaction summary to the user over the mobile phone network.

4. The user receives the transaction summary on his mobile device, checks that the summary matches the transaction he made (€50 to account 234567) and confirms the transaction either using the mobile device or the web browser (using the confirmation code given in the SMS message).

Figure 3: Deployment of Tectia MobileID
But what if the user's web browser is infected and a Man-in-the-Browser Trojan is active? A simplified example of a Man-in-the-Browser attack, and of how it can be detected and eliminated using Tectia MobileID, is described below:

Figure 4: Tectia MobileID prevents a man-in-the-browser attack

1. The user connects to the online banking service using a web browser and logs in using his credentials.

   a. Because a Man-in-the-Browser Trojan has taken over the web browser, all the information the user types (username, password and strong authentication credentials) passes through the Trojan, completely invisibly to both the user and the online banking service.

   b. Because there is no indication of anything strange, the user checks his bank account details and makes the online payment: €50 to account 234567 of an electricity company.

   c. Before the information is submitted to the banking service, the Man-in-the-Browser Trojan changes the amount and bank account and submits the modified form: €150 to account 176671.

   d. The banking service sends the transaction details to the user via the web browser (€150 to account 176671).

   e. Again, the Man-in-the-Browser Trojan modifies the information so that it matches what the user entered (€50 to account 234567). Without out-of-band verification the user is completely unaware that the actual transaction the bank will execute is something completely different from what he intended.

2. Because the bank has out-of-band transaction verification in use, the transaction summary is also sent to the Tectia MobileID Server.

3. Tectia MobileID Server sends an SMS text message containing the transaction summary to the user over the mobile phone network.

4. Before confirming the transaction the user double-checks the summary and notices the difference
between what he entered (€50 to account 234567) and what is displayed on the mobile phone (€150 to account 176671). The user realizes something is wrong and cancels the transaction.

5. The bank is informed of the Man-in-the-Browser attempt, either by the user calling customer service or by the user responding to the text message summary.

By using Tectia MobileID and out-of-band transaction verification, Man-in-the-Browser attacks can be recognized and eliminated, and customer transactions safeguarded.

Furthermore, the same solution can be used to provide strong two-factor authentication to minimize phishing attempts, Man-in-the-Middle attacks and account misuse.

CUT COSTS AND ACTIVATE NEW USERS QUICKLY AND EFFORTLESSLY

The Tectia solution uses the most readily available and easy-to-use authentication device: the end user's existing mobile phone. Since there is no need for any additional hardware, the costs of distributing, maintaining, and replacing security tokens or other devices are completely eliminated. Tectia MobileID is a tokenless solution offering the easiest and fastest route to secure two-factor authentication and transaction verification.

TECTIA MOBILEID FITS ALL CORPORATE NEEDS

The capabilities of Tectia MobileID and the Tectia Solution are not limited to securing Internet banking applications. Tectia MobileID can be used to secure all corporate services where strong authentication is needed, such as VPN access, partner portals, remote system administration or web mail access.

ABOUT TECTIA

Tectia is a modern, sales-driven, customer-oriented organization.
Our core focus is on understanding customer problems and on proposing relevant solutions to address their information security challenges while meeting business targets.

We help customers choose the right solutions to address their organizational information security needs across a variety of complex environments, in the public and private sectors in multiple industries worldwide.

Our suite of information security solutions addresses four main areas of business and is named accordingly: Secure, Automate, Manage, and Share.

Our customers can be confident that our solutions provide:

• Fast, flexible and secure real-time information exchange and communication
• Visibility and control of vital data exchanges
• Confidence in meeting and maintaining audit requirements and beyond
• Reduced cost and risk
• Solid customer loyalty and brand integrity

Tectia solutions ensure that our customers can create a Circle of Trust in which all of their stakeholders can share information and conduct business confidently and securely. As we say: Your People. Your Secrets. Protected.

REFERENCES

Compromise of Users' Online Banking Credentials Targets Commercial Bank Accounts, Internet Crime Complaint Center, Nov 3, 2009.
Phishing Activity Trends Report, Anti-Phishing Working Group, Q3 2009.
Major UK bank's online customers hit by £600 000-plus Zeus 3 fraud.