Man in the Browser attacks on online banking transactions

What is Man in the Browser (MITB)?
How can MITB steal your money?
How can you be safe from MITB?
Mitigation Strategies for Banks, Financial Institutions and other Application Owners


  1. Man in the Browser on Online Transactions & Prevention Strategies
     Nilanjan De, CTO, iViZ Security Inc. © iViZ Security Inc, Apr 2013
  2. Overview
     • What is Man in the Browser (MITB)?
     • How can MITB steal your money?
     • How can you be safe from MITB?
     • Mitigation Strategies for Banks, Financial Institutions and other Application Owners
  3. Man in the Browser
  4. History
     • Initially demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends, "The future of backdoors - worst of all worlds"
     • The name man-in-the-browser was coined by Philipp Gühring in 2007
     • A study by Sharek et al. in 2008 found that most Internet users (73%) cannot distinguish between real and fake pop-up warning messages, which shows that users are soft targets
     • 2008: Trojans like Clampi, Torpig and Zeus surface with built-in MITB capabilities
  5. Man in the Browser
     • Classic "Man in the Middle" attack
       – Typically in a "Man in the Middle" attack, the attacker or its agent sits between the victim client and the server.
       – Can be defeated by encrypting traffic, e.g., using SSL.
     • Compromised host with trojan/rootkit
       – The attacker typically exploits the victim's system and installs a trojan to maintain full access to the OS and monitor the user's activities, including logging keystrokes.
       – Cannot be defeated using encryption; however, it can be defeated using multi-factor authentication, e.g., OTP or biometrics.
     • Man in the browser
       – A deadly combination of the above two attacks: the agent/trojan installs itself as part of the victim's client itself (i.e., the browser).
       – Typically MITB is a Trojan or malware in the form of a BHO (Browser Helper Object), ActiveX control, browser extension, add-on or plugin.
       – Neither encryption nor OTP can defeat MITB attacks.
  6. MITB (figure: a normal transaction)
     Alice → Bank: "Transfer $1000 to Dad"
     Bank transfers $1000 to Dad
     Bank → Alice: "Transferred $1000 to Dad"
  7. MITB (figure: the same transaction with an infected browser)
     A Trojan is sent to infect Alice's browser
     Alice → her browser: "Transfer $1000 to Dad"
     MITB → Bank: "Transfer $1000000 to Hacker"
     Bank transfers $1000000 to Hacker
     Bank → MITB: "Transferred $1000000 to Hacker"
     MITB → Alice: "Transferred $1000 to Dad"
  8. Why is MITB dangerous?
     • It can read your identity, bank balance, banking passwords, debit/credit card numbers and session keys.
     • It can modify the details of the transactions that you initiate.
     • It can change your password or lock you out of your account.
     • It bypasses all forms of multi-factor authentication, captcha or other forms of challenge-response authentication.
  9. As an end-user, how can I protect against MITB?
  10. Protection Strategies

      | How? | Effectiveness against MITB | Why? |
      |---|---|---|
      | Use a strong password | Not effective | Malware can intercept the password or simply wait till the user has authenticated himself |
      | Basic security awareness; keep OS and browser updated | Maybe | Chances of getting infected by malware are lower, though still high if using a vulnerable OS/browser |
      | Use a separate system for, and only for, online banking | Maybe | Chances of getting infected by malware are lower, but it is inconvenient and requires strict discipline, which is rare (even among many security experts) |
      | Use updated anti-virus/anti-malware | Sometimes | Depends on the detection capability of the anti-virus. Less likely to protect if the malware is new or targeted. |
  11. Protection Strategies (continued)

      | How? | Effectiveness against MITB | Why? |
      |---|---|---|
      | Hardened browser on a USB drive | Moderate | Malware has less chance to infect the browser, though it is not impossible. Recently there was news of a 0-day which was used against a hardened Firefox. Also this may be inconvenient for corporates, as USB drives are usually disabled for security reasons. |
      | Only do online banking with banks that are aware of this threat and have implemented counter-measures. In the worst case, do not use online banking at all | High | |
  12. Mitigation Strategies for Banks
  13. Safeguards

      | How? | Effectiveness against MITB | Why? |
      |---|---|---|
      | Enforce strong passwords | Not effective | Malware can intercept the password or simply wait till the user has authenticated himself |
      | Use encryption, e.g., SSL or client-side encryption of password/transaction details | Not effective | Malware can intercept and modify the request/response |
      | Multi-factor authentication, e.g., biometric/OTP/smart card | Not effective | Malware can simply wait till the user has authenticated himself |
      | CSRF tokens, frame-buster, challenge response/captcha, etc. | Not effective | |
  14. Safeguards (continued)

      | How? | Effectiveness against MITB | Why? |
      |---|---|---|
      | Provide your customers with hardened browsers on USB, also containing cryptographic smart tokens for authentication | Moderate | Smart tokens do not add to security against MITB, but hardened browsers are a more difficult target to infect |
      | OTP token with signature | Yes | The user has to key in the transaction details again on the OTP device, which generates a signature based on those details, so the signature would not match if the MITB modifies the transfer request. However, it is inconvenient. |
      | OOB transaction details confirmation with OTP | Yes | Out-of-band confirmation of the details by phone call or SMS, carrying the full details of the transaction, ensures that the user can see the details of the transaction before proceeding |
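The "OTP token with signature" row describes transaction signing. The following added example (mine, not code from the deck or from iViZ) models the bank-side check: the token signs the beneficiary and amount the user keyed in by hand, and the bank recomputes the signature over the request it actually received, so a request altered inside the browser fails verification. The shared secret, the HOTP-style truncation and the counter are assumptions.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed per-user secret shared by the bank and the user's signing token
# (assumption: in practice it lives in the token's secure element and the bank's HSM).
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass(frozen=True)
class Transfer:
    beneficiary: str    # account the user intends to pay
    amount_cents: int   # integer cents, so no float rounding in the signed string


def canonical(t: Transfer, counter: int) -> bytes:
    """Fixed encoding of what gets signed: the details plus a per-token counter,
    so a code is tied to one transaction and cannot be replayed."""
    return f"{t.beneficiary}|{t.amount_cents}|{counter}".encode()


def token_sign(secret: bytes, t: Transfer, counter: int, digits: int = 8) -> str:
    """What the offline token computes from the details the USER keys in by hand.
    HMAC-SHA256 truncated HOTP-style to a short numeric code (assumed scheme)."""
    mac = hmac.new(secret, canonical(t, counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def bank_verify(secret: bytes, received: Transfer, counter: int, code: str) -> bool:
    """Bank side: recompute the signature over the transfer actually RECEIVED
    from the browser and compare it in constant time to the code the user typed."""
    return hmac.compare_digest(token_sign(secret, received, counter), code)


def demo() -> tuple[bool, bool]:
    counter = 42
    intended = Transfer("DAD-0001", 1000_00)       # what Alice typed on the site and on the token
    code = token_sign(SHARED_SECRET, intended, counter)
    # Modeled in-browser modification of the submitted request (data only, nothing is attacked).
    tampered = Transfer("HACKER-9999", 1000000_00)
    return (bank_verify(SHARED_SECRET, intended, counter, code),
            bank_verify(SHARED_SECRET, tampered, counter, code))
```

The untouched request verifies and the modified one does not, because the code was computed from details the browser never handled.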
  15. Passive Safeguards

      | How? | Effectiveness against MITB | Why? |
      |---|---|---|
      | IP location tracking | Not effective | This is effective only when credentials are stolen and used from elsewhere. In the case of an MITB attack, the request comes from the genuine user's browser, so the server cannot distinguish it based on IP location or device profile. |
      | Device profiling | Not effective | Same reason as above |
      | Fraud detection based on transaction type and amount | Sometimes | Some banks have fraud detection based on transaction details. However, such detection is typically done as a batch process and not in real time, so any detection normally comes well after the attack. |
      | Fraud detection based on user behavior | Good | User profiling to create a baseline of normal behavior, so that abnormal behavior can be detected and the user alerted before an actual transaction takes place |
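The "fraud detection based on user behavior" row, as an added example (mine, not the deck's): a baseline is built from a constructed transfer history and each pending transfer is scored in real time, so a deviating one is held for out-of-band confirmation before it executes rather than being found in a later batch run. The history, the z-score threshold and the multiple-of-maximum rule are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed transfer history for one user: (beneficiary, amount in dollars).
# Assumption: this stands in for the bank's real ledger of the user's past transfers.
HISTORY = [
    ("DAD-0001", 1000), ("DAD-0001", 950), ("RENT-LLC", 1200), ("DAD-0001", 1000),
    ("UTIL-CO", 140), ("RENT-LLC", 1200), ("DAD-0001", 1100), ("UTIL-CO", 155),
]


def build_profile(history):
    """Baseline of normal behaviour: payees seen before and amount statistics."""
    amounts = [amt for _, amt in history]
    return {
        "payees": Counter(b for b, _ in history),
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
    }


def deviations(profile, beneficiary, amount, z_threshold=3.0, max_multiple=5):
    """Reasons a pending transfer departs from the baseline; an empty list means normal."""
    reasons = []
    if beneficiary not in profile["payees"]:
        reasons.append("beneficiary never paid before")
    if profile["stdev"] > 0:
        z = (amount - profile["mean"]) / profile["stdev"]
        if z > z_threshold:
            reasons.append(f"amount is {z:.1f} standard deviations above the user's mean")
    if amount > max_multiple * profile["max"]:
        reasons.append(f"amount exceeds {max_multiple}x the user's largest past transfer")
    return reasons


def decide(profile, beneficiary, amount):
    """Decision taken BEFORE the transfer executes: normal transfers proceed,
    abnormal ones are held until the user confirms the details out of band."""
    reasons = deviations(profile, beneficiary, amount)
    return ("HOLD_FOR_OOB_CONFIRMATION" if reasons else "ALLOW", reasons)


PROFILE = build_profile(HISTORY)
```

With this history, the usual $1000 to Dad is allowed, while $1000000 to an unknown beneficiary trips all three rules and is held.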
  16. Conclusion
     • Man-in-the-browser attacks can be very dangerous
     • Security awareness and best practices are required to protect oneself against getting infected with malware
     • Safeguards
       – Out-of-band transaction verification containing the transaction details along with an OTP. Users need to be alert while doing transactions.
       – Fraud detection based on user behavior profiling.
  17. Questions?
  18. Thank You
      nilanjan@ivizsecurity.com
      http://www.ivizsecurity.com/
