E-banking security

Published in: Technology

This slide deck describes security issues in e-banking.
1. E-banking security
   Iman Rahmanian
   Noore Touba University – Iran
   Advisor: Dr Sekhavati
   Dec 2010

2. eBanking Security – Quo Vadis?
   Is eBanking still safe?
   What are the security trends in eBanking?
   What can we learn from eBanking trends for other online applications?

3. Agenda
   eBanking Attacks
   Security Measures
   Secure Communication
   Implementations
   Outlook / Thesis

4. eBanking Attacks

5. Target of Attacks
   Phishing attacks
   Trojan attacks
   Pharming
   DNS spoofing
   Network interception
   Web application attacks
   Attacking the server

6. Client Attacks
   Most promising attacks on the client:
   Phishing
    - Motivate the user to enter confidential information on a fake web site
   Simple Trojans
    - Limited to a handful of eBanking applications
    - Steal username, password and one-time password
    - Steal session information and URL and send them to the attacker
    - The attacker imports the information into his browser to access the same account
   Generic Trojans
    - In the wild since 2007, but still in development
    - Can attack any eBanking (and any web application)
    - New configuration is downloaded continuously

7. Generic Trojans
   Infection of the client with user interaction
    - Email attachments (ZIP, EXE, etc.)
    - Email with a link to a malicious web site
    - Links in social networks
    - Integrated in popular software (downloads)
    - File transfer via instant messaging / VoIP / file sharing
    - CD-ROM / USB stick
   Infection of the client without user interaction
    - Malicious web sites (drive-by)
    - Infection of trusted, popular web sites (IFRAME …)
    - Misuse of software update functionality (like the Bundestrojaner)
    - Attacks on vulnerable, exposed computers (network/wireless)
   Note: About 1% of Google search query results point to a web site that can lead to a drive-by attack.

8. Generic Trojans
   Features of generic Trojans
    - Hide from security tools (anti-virus / personal firewall)
    - Inject code into running processes / drivers / the operating system
    - Capture / redirect / send data
    - Download new configuration / functionality
    - Remotely control the browser instance

9. Generic Trojans (cont.)
   Features useful for eBanking attacks
    - Send web pages of unknown eBanking sites to the attacker
    - Download new patterns for eBanking transaction forms
    - Modify the transaction in the background (on the fly)
    - Collect financial information

10. Generic Trojans (cont.)
   Tips and tricks
    - Every Trojan binary is unique (packed differently), so it is not detectable by anti-virus patterns
    - Trojan code is injected into other files or other processes, so a personal firewall cannot block its communication
    - Installs in the kernel: full privileges on the system, invisible
    - Bot networks

11. Traded Goods
   (Figure not reproduced; source: Symantec Internet Security Threat Report, July–December 2007)

12. Security Measures

13. Security Measures
   Attack detection
   Second channel / secured channel
   Secure client

14. Attack Detection
   Detect session hijacking attacks
    - Monitor and compare request parameters
    - Identify SSL session and IP address changes
   Transaction verification / user profiling
    - Statistics about normal user behaviour
    - Compare each transaction with the user's normal behaviour
    - White-list target accounts
    - Limits on the transaction amount
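Added example (not from the deck): a server-side implementation of the two ideas on the Attack Detection slide. It binds a session to the TLS session ID and client IP it was created with and flags requests that arrive on a different one (the typical signature of a replayed session cookie), and it checks each transaction against a per-user profile: white-listed beneficiaries, a monthly limit, and a statistical outlier test on the amount. The class and function names, the decision policy and the sample profile are constructed for this example; the IBANs are well-known test values, not real accounts.

```python
"""Session-hijacking and transaction-profile checks for an eBanking backend.
Example code, not from the original deck; all data below is constructed."""
import statistics
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    tls_session_id: str   # TLS session the login happened on
    client_ip: str        # address the login came from


@dataclass
class Profile:
    whitelist: set                 # beneficiary accounts the user pre-registered
    monthly_limit: int             # cents
    spent_this_month: int          # cents
    past_amounts: list = field(default_factory=list)   # recent payments, cents


def session_indicators(session: Session, tls_session_id: str, client_ip: str) -> list:
    """Compare what this request presents with what the session was bound to.
    A stolen cookie replayed from the attacker's browser normally arrives on a
    new TLS session and from a different address."""
    reasons = []
    if tls_session_id != session.tls_session_id:
        reasons.append("tls-session-changed")
    if client_ip != session.client_ip:
        reasons.append("ip-changed")
    return reasons


def transaction_indicators(profile: Profile, amount: int, beneficiary: str) -> list:
    """White list, hard limit and deviation from the user's usual amounts."""
    reasons = []
    if beneficiary not in profile.whitelist:
        reasons.append("beneficiary-not-whitelisted")
    if profile.spent_this_month + amount > profile.monthly_limit:
        reasons.append("monthly-limit-exceeded")
    if len(profile.past_amounts) >= 5:           # need some history before profiling
        mean = statistics.mean(profile.past_amounts)
        sd = statistics.pstdev(profile.past_amounts)
        # floor on sd (1 EUR) so a user with very regular payments is not flagged on noise
        if amount > mean + 3 * max(sd, 100):
            reasons.append("amount-outlier")
    return reasons


def decide(session_reasons: list, tx_reasons: list) -> str:
    """Hijack indicators end the session outright; a suspicious transaction is
    routed to out-of-band confirmation (second channel) instead of executed."""
    if session_reasons:
        return "terminate-session"
    if tx_reasons:
        return "confirm-out-of-band"
    return "execute"


# Constructed sample: Alice pays around 100 EUR a few times a month.
ALICE = Profile(
    whitelist={"DE89370400440532013000"},
    monthly_limit=300000,
    spent_this_month=50000,
    past_amounts=[12000, 8000, 9500, 11000, 13000, 10000],
)
ALICE_SESSION = Session(user="alice", tls_session_id="tls-4f2a", client_ip="203.0.113.10")


def demo() -> dict:
    same_browser = session_indicators(ALICE_SESSION, "tls-4f2a", "203.0.113.10")
    normal = decide(same_browser,
                    transaction_indicators(ALICE, 10000, "DE89370400440532013000"))
    # Trojan rewrites the transfer: 5000 EUR to an unknown account, same browser.
    fraud = decide(same_browser,
                   transaction_indicators(ALICE, 500000, "DE02120300000000202051"))
    # Stolen session cookie replayed from Eve's machine.
    hijack = decide(session_indicators(ALICE_SESSION, "tls-9c01", "198.51.100.7"),
                    transaction_indicators(ALICE, 10000, "DE89370400440532013000"))
    return {"normal": normal, "fraudulent_transfer": fraud, "hijacked_session": hijack}


if __name__ == "__main__":
    print(demo())
```

Note that the on-the-fly modification by a generic Trojan (slide 9) shows up only in the transaction checks, never in the session checks: the request really does come from Alice's browser and TLS session, which is why the deck pairs attack detection with a second channel rather than relying on it alone.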
15. Security Measures (cont.)
   Second channel
    - Send the verification over another channel
    - Another application on the client computer
    - Another medium such as a mobile phone (SMS)
   Secured channel
    - Enter the data on an external device
    - The external device cannot be controlled by the Trojan
    - The external device contains a secret key

16. Security Measures
   Secure platform
    - A computer that is only used for eBanking
    - Bootable CD-ROM, bootable USB stick
    - Virtual machine
    - eBanking laptop
   Secure environment
    - Start an application (e.g. a browser) that protects itself from Trojans
    - Stripped-down browser
    - Proprietary application (fat client)
    - Verify the environment before login is possible

17. Security Trends
   Current client security approaches:
   A) Secured application / virtualization
    - Hardened browser on a USB stick
    - Application to secure the client
    - Virtual operating system on the host system
    - Bootable CD-ROM / USB stick
   B) Transaction signing
    - Transaction details and unlock code on the mobile phone (SMS)
    - External device with smart card
    - Read information from the screen and decrypt it on the external device

18. A) Secured Application / Virtualization
   Solutions (some examples):
    - Portable Apps, Thinstall
    - CLX Stick, Kobil mIdentity
    - Browser appliance (e.g. VMware, Virtual PC, etc.)

19. B) Transaction Signing
   Devices (some examples):
    - Mobile phones
    - IBM ZTIC, EMV CAP, Axsionics
    - TriCipher

20. Security Trends

21. Secure Communication
   Most Internet shopping sites use usernames and passwords to authenticate their users, so-called "password authentication". They are typically more concerned with the validity of the credit card than with the identity of the user. This will be our starting point.

22. Password Authentication
   In our fictitious example we have a user Alice who wishes to log in to her bank. We also have a vicious attacker Eve who is trying to steal Alice's hard-earned money. The bank uses a username and password to protect Alice's account but no encryption. This scheme is obviously vulnerable to a snooping attack, as illustrated in the figure below: Eve reads the password off the wire and logs in as Alice. One way to improve security is to employ one-time passwords.

23. One-time Passwords
   One-time passwords (OTPs) are, as the name suggests, passwords that are used only once. A snooped OTP is worthless to Eve because the bank will not accept it a second time.
   (Figure: a code scratch card with OTPs)

24. OTP Implementation
   The OTPs can be implemented using a hash chain (Lamport's scheme): the client chooses a secret seed s, the bank stores h^n(s), and the i-th password is h^(n-i)(s). To verify, the bank hashes the submitted password once, compares the result with the stored value, and on success stores the submitted password in its place. Because h is one-way, a snooper who sees h^(n-i)(s) cannot compute the next password h^(n-i-1)(s).
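Added example (not from the deck): a hash-chain OTP in the sense of the slide, with SHA-256 as h. The Token class stands for the scratch card or device and hands out h^(n-1)(s), h^(n-2)(s), … in order; the Server stores only the last accepted value. A `window` parameter lets the server tolerate passwords the user scratched off but never submitted, while a replayed or out-of-order password is still rejected. Class names, the window logic and the seed are this example's own choices; a real deployment would derive the seed from a secure random source (as the default here does) and never reuse a chain.

```python
"""Hash-chain (Lamport) one-time passwords. Example code, not from the deck."""
import hashlib
import hmac
import secrets


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_pow(x: bytes, k: int) -> bytes:
    """Apply h k times: h^k(x)."""
    for _ in range(k):
        x = h(x)
    return x


class Token:
    """Client side. Holds the secret seed and issues h^(n-1)(s), h^(n-2)(s), ..."""

    def __init__(self, n: int, seed: bytes = None):
        self.seed = seed if seed is not None else secrets.token_bytes(32)
        self.n = n
        self.issued = 0

    def anchor(self) -> bytes:
        """Value the bank stores at enrolment: h^n(s). Knowing it does not help
        an attacker, because h cannot be inverted to obtain h^(n-1)(s)."""
        return h_pow(self.seed, self.n)

    def next_otp(self) -> bytes:
        if self.issued >= self.n:
            raise RuntimeError("chain exhausted; enrol a fresh seed")
        self.issued += 1
        return h_pow(self.seed, self.n - self.issued)


class Server:
    """Bank side. Accepts otp if h^j(otp) equals the stored value for some
    1 <= j <= window, then stores otp. A previously accepted value can never
    match again, since hashing only moves forward along the chain."""

    def __init__(self, anchor: bytes, window: int = 1):
        self.last = anchor
        self.window = window

    def verify(self, otp: bytes) -> bool:
        x = otp
        for _ in range(self.window):
            x = h(x)
            if hmac.compare_digest(x, self.last):
                self.last = otp
                return True
        return False


def demo() -> dict:
    seed = b"constructed-seed-for-the-example"      # constructed, never use a fixed seed
    token = Token(n=10, seed=seed)
    server = Server(token.anchor(), window=3)
    otp1 = token.next_otp()
    out = {"first": server.verify(otp1), "replay": server.verify(otp1)}
    token.next_otp()                                 # #2 scratched off but never submitted
    out["skipped_one"] = server.verify(token.next_otp())   # #3: h^2(#3) == stored #1

    strict_token = Token(n=10, seed=seed)
    strict = Server(strict_token.anchor())           # window=1: exact order required
    first = strict_token.next_otp()
    second = strict_token.next_otp()
    out["strict_rejects_skip"] = strict.verify(second)          # #2 before #1: rejected
    out["strict_accepts_in_order"] = strict.verify(first) and strict.verify(second)
    return out


if __name__ == "__main__":
    print(demo())
```

The window is the practical trade-off a bank has to make with scratch cards: too small and every lost code locks the customer out, too large and a phished code stays valid for longer. Either way, nothing here binds the OTP to a transaction, which is exactly the gap that the generic Trojan on slide 9 exploits and that transaction signing (slide 17, B) closes.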
25. SSL
   SSL is an abbreviation of Secure Sockets Layer; it is a protocol designed to provide confidentiality and data integrity for the connection between browser and bank.
   SSL supports a wide range of algorithms, some very strong and some weak. For example Handelsbanken, a Swedish bank, uses SHA-1 as the hash for signatures and RSA for key exchange and encryption. (SHA-1 has since been deprecated for signatures; a current deployment would use SHA-256 or stronger.)

26. Security Tokens
   We saw how OTPs are constructed and used. We can further enhance security with a PIN code: the OTP proves possession of the token or card, the PIN proves knowledge of a secret. This two-factor authentication makes it more difficult to gain access to an account.

27. Security Tokens (cont.)

28. Security Tokens (cont.)
   (Figures: SSL connection setup; RSA security tokens)

29. Implementations

30. Chip Authentication Program (CAP)
   CAP is a relatively new protocol based on the older EMV standard. It was developed by MasterCard and is based on the chip card computing a cryptogram (a keyed MAC, not a public-key signature) over the transaction data, which the bank verifies with the same key. CAP can operate in three modes: identify, respond and sign.

31. RSA SecurID
   This scheme works very similarly to the identify mode of CAP. The 6- to 8-digit response of a SecurID token is computed over the PIN, the present time and a 128-bit key, which is unique to every token, using a variant of the AES algorithm.

32. Open Authentication (OATH)
   The Initiative for Open Authentication is an attempt at developing an open standard for two-factor authentication, which should also provide the means for federated authentication systems like OpenID. The core of OATH is the HOTP algorithm (RFC 4226): an HMAC-SHA-1 over a shared secret and an event counter, truncated to a 6- to 8-digit code, which provides the OTP component.
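Added example (not from the deck): HOTP exactly as RFC 4226 specifies it, a server-side verifier with the look-ahead window the RFC recommends for resynchronisation, and two variants that mirror the respond and sign modes of the CAP slides: the bank's challenge, or the beneficiary account and amount, are mixed into the MAC input so the code is bound to them. The `respond()` and `sign()` message layouts are this example's own simplification and are not the EMV CAP cryptogram; the function and class names are likewise assumptions. The key is the RFC 4226 test key, so the HOTP values can be checked against the RFC's appendix.

```python
"""RFC 4226 HOTP plus CAP-style challenge-response and transaction signing.
Example code, not from the deck; respond()/sign() layouts are a simplification."""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): 4 bytes at the offset given by
    the low nibble of the last byte, sign bit masked, reduced mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), C as 8-byte big-endian."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def respond(secret: bytes, counter: int, challenge: str, digits: int = 8) -> str:
    """Challenge-response in the spirit of CAP respond mode: the bank's challenge
    is part of the MAC input, so a code captured for one challenge is useless
    for another. Layout is this example's assumption, not the EMV format."""
    msg = struct.pack(">Q", counter) + challenge.encode("ascii")
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def sign(secret: bytes, counter: int, amount_cents: int, account: str,
         digits: int = 8) -> str:
    """Transaction signing in the spirit of CAP sign mode: beneficiary and
    amount are part of the MAC input, so a Trojan that rewrites the transfer in
    the browser invalidates the code the user computed on the device."""
    msg = struct.pack(">QQ", counter, amount_cents) + account.encode("ascii")
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class HotpVerifier:
    """Bank side: expected counter plus a look-ahead window (RFC 4226 section
    7.4) for counters the token burned without the server seeing them."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1          # this and every earlier counter are dead
                return True
        return False


# RFC 4226 test key (ASCII "12345678901234567890"); never use a fixed key in practice.
SECRET = b"12345678901234567890"


def demo() -> dict:
    v = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)                     # "755224" per RFC 4226 appendix D
    ok = v.verify(first)
    replay = v.verify(first)                    # same code again: rejected
    skipped = v.verify(hotp(SECRET, 3))         # token advanced to 3: inside window
    too_far = v.verify(hotp(SECRET, 9))         # counter 9: beyond window from 4

    # User signs 150.00 to account A on the device (constructed IBANs) ...
    signed = sign(SECRET, 5, 15000, "DE89370400440532013000")
    # ... a Trojan swaps the beneficiary before the request leaves the browser,
    # so the bank recomputes the code over different data and it does not match.
    bank = sign(SECRET, 5, 15000, "DE02120300000000202051")
    return {"first": first, "ok": ok, "replay": replay, "skipped": skipped,
            "too_far": too_far, "tampered_detected": signed != bank}


if __name__ == "__main__":
    print(demo())
```

The identify-mode analogy on the SecurID slide is the plain `hotp()` path: the code depends only on the key and a counter (or the time), so it proves possession of the token but says nothing about what the user is about to do. Only `sign()` gives the bank something to check against the transaction it actually received, which is the property the "what you see is what you sign" devices on slide 19 are built around.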
33. Response Mode of the CAP Protocol

34. Outlook / Thesis

35. Personal Risk Management!
   How do we manage our personal financial risk?
    - Only as much money as we need at home or in the wallet
    - Different bank accounts for different purposes
    - Limits on bank accounts or ATM cards
    - Insurance for damages we cannot afford
   Applied to eBanking
    - Only the required amount of money accessible via eBanking
    - Move savings to other accounts / banks
    - Set a monthly payment limit
    - Insurance for eBanking losses?

36. We Need Different Solutions for Different Clients!
   Big / medium companies
    - Separate computer only for eBanking and finance work
    - No connections to the Internet except for eBanking
   Small companies / private people
    - Secure applications / virtualization
    - Transaction signing

37. Other Ideas!
   Computer only for eBanking
    - Cheap laptops ($100) only for eBanking
    - Boot from USB stick or CD-ROM
   Pool for eBanking claims
    - Take the model of the credit card industry
    - Cover claims with insurance

38. What's Going On in the Future
   More Trojans will be installed on client computers
    - The banks will deliver secure devices / secured applications
    - The criminals will focus on weaker eBankings in the beginning
    - They will eventually attack the eBankings with secure devices / secured applications; especially the social engineering attacks will be improved
    - Attacking other applications may become more interesting
   Like in reality: where the money is, there are the thieves.

39. Is eBanking Still Safe?
   Alternatives:
    - Retrieve your money at the bank and pay at the post office
    - Fill out a payment order and send it to your bank by snail mail
    - Send your bank a fax / letter with a payment order
   eBanking is safer than old-style payment methods!
   Users have to learn the threats and precautions that come with the new technology!

40. References

41. References
    - APACS: Online banking usage amongst over 55s up fourfold in five years (centre/press/08 24 07.html)
    - APACS: APACS announces latest fraud figures
    - Symantec: SilentBanker Trojan description