More Related Content


Online banking trojans

  1. Online banking Trojans Recent developments and countermeasures DND, ISF, ISACA member meeting 02. May 2011 André N.Klingsheim IT security specialist, PhD
  2. Outline • Skandiabanken’s login procedures • ”Traditional” Trojans • Recent developments • Recent security adjustments 2
  3. The login procedures • Online banking password – With One Time Password (OTP) by SMS – Or from a code card • BankID – BankID password – OTP from code card • BankID mobile – Pin entered on mobile phone 3
  4. Login procedures figure 4
  5. Traditional Trojans • Most simplistic Trojans – Are essentially keyloggers – Record your usernames and passwords – Sends the data to some drop site on the Internet – Attacker later picks up the data from drop site – Will compromise traditional username/password schemes (single factor authentication) • High security sites have introduced OTPs to counter this threat (others follow) 5
  6. More recent Trojans • Not so simplistic Trojans – Target two-factor authentication – Target systems employing reauthentication • Means you need to supply new OTPs to perform sensitive operations – Attempt to steal OTPs – Have functionality to show malicious webpages to the user, to confuse the user into giving several OTPs – Requires user interaction 6
  7. More recent Trojans II • More advanced Trojans – Target two-factor authentication – Performs attack in realtime • Overcomes short lived OTPs • Overcomes singular OTPs – Requires user interaction 7
  8. Modern Trojan threat • Advanced Trojans can conceal rogue payments: – Rewrite payment registry – Rewrite account statement • Can make the attack undetectable for the user – There are no visual indications that something is wrong, i.e. the account statement looks ok • We’ll have a look at the Zeus Trojan – Screenshots stolen from Symantec video (9 mins worth watching!) – 8
  9. Zeus example (original page) 9
  10. Zeus example (modified page) 10
  11. Zeus config 11
  12. It gets worse... 12
  13. Combined PC/mobile Trojan threat • Trojans on pc attempt to install mobile Trojan – Ask customer to install ”App” during login – Steal username/password on pc, OTP on mobile • Some attacks reported in Europe – This is an upcoming threat • We haven’t seen any of these attacks in Norway yet 13
  14. Zeus combined mobile Trojan • 14
  15. Combined PC/mobile Trojan threat II • Mobile platforms are consolidated – iOS (iPhone), Android, Windows Mobile 7 – Makes mobile Trojans scale better – Increases ROI for attackers, increases our risk • Installing the mobile Trojan still requires user participation – User must supply phone model and maker – User must accept installation on the phone 15
  16. Countermeasures 16
  17. Our security design • Payment authorization – By an OTP (reauthentication) – Or by signature, BankID/BankID • Required for: – Payments to new recipients – Payments over a certain threshold • Hampered attacks from traditional Trojans • Balanced usability/security 17
  18. The OTPs • Generated securely – Infeasible to guess them • Short lived, 15 mins • You can only have one valid OTP at any given moment – Requesting a new OTP invalidates the previous – Forces real time attack • OTP is tied to the operation you perform – Login/payment/changing personal information etc 18
  19. Stopping the attack at the client 19
  20. Recent security adjustments • We’ve done some important security design changes to our online bank to deal with the modern threats • Most noteworthy (and visible to our customers) – Introduced contextual information with our OTPs • The effect: – Faced with a Trojan attack, all attempted rogue transactions are detectable for the customer 20
  21. OTP via SMS, with context 21
  22. Avoiding the attack? Look for mismatch between account/amount in online bank and mobile phone 22
  23. The standard countermeasures • These are the usual suspects – Surveillance of Trojan activity (through partner) – IDS/firewall/etc – Payment monitoring – This is not an exhaustive list  • In addition – Tight collaboration with other Norwegian banks – Information sharing (extremely important) – Security collaboration, not competition 23
  24. Thank you! • You’ll find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: – Twitter: @klingsen • I don’t want to be your Facebook friend • Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference 24