Online banking Trojans
Recent developments and countermeasures
DND, ISF, ISACA member meeting 02. May 2011
André N. Klingsheim
IT security specialist, PhD
The login procedures
• Online banking password
– With One Time Password (OTP) by SMS
– Or from a code card
• BankID
– BankID password
– OTP from code card
• BankID mobile
– Pin entered on mobile phone
Traditional Trojans
• The most simplistic Trojans
– Are essentially keyloggers
– Record your usernames and passwords
– Send the data to some drop site on the Internet
– The attacker later picks up the data from the drop site
– Will compromise traditional username/password schemes (single-factor authentication)
• High-security sites have introduced OTPs to counter this threat (others follow)
More recent Trojans
• Not-so-simplistic Trojans
– Target two-factor authentication
– Target systems employing reauthentication
• Means you need to supply new OTPs to perform sensitive operations
– Attempt to steal OTPs
– Have functionality to show malicious webpages to the user, to confuse the user into giving up several OTPs
– Require user interaction
More recent Trojans II
• More advanced Trojans
– Target two-factor authentication
– Perform the attack in real time
• Overcomes short-lived OTPs
• Overcomes single-use OTPs
– Require user interaction
Modern Trojan threat
• Advanced Trojans can conceal rogue payments:
– Rewrite the payment registry
– Rewrite the account statement
• Can make the attack undetectable for the user
– There are no visual indications that something is wrong, i.e. the account statement looks OK
• We’ll have a look at the Zeus Trojan
– Screenshots stolen from a Symantec video (9 mins, worth watching!)
– www.youtube.com/watch?v=CzdBCDPETxk
Combined PC/mobile Trojan threat
• Trojans on the PC attempt to install a mobile Trojan
– Ask the customer to install an "App" during login
– Steal username/password on the PC, OTP on the mobile
• Some attacks reported in Europe
– This is an upcoming threat
• We haven’t seen any of these attacks in Norway yet
Zeus combined mobile Trojan
• www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication
Combined PC/mobile Trojan threat II
• Mobile platforms are consolidating
– iOS (iPhone), Android, Windows Mobile 7
– Makes mobile Trojans scale better
– Increases ROI for attackers, increases our risk
• Installing the mobile Trojan still requires user participation
– User must supply phone model and maker
– User must accept installation on the phone
Our security design
• Payment authorization
– By an OTP (reauthentication)
– Or by signature, BankID/BankID
• Required for:
– Payments to new recipients
– Payments over a certain threshold
• Hampered attacks from traditional Trojans
• Balanced usability/security
The OTPs
• Generated securely
– Infeasible to guess them
• Short-lived, 15 mins
• You can only have one valid OTP at any given moment
– Requesting a new OTP invalidates the previous one
– Forces a real-time attack
• The OTP is tied to the operation you perform
– Login/payment/changing personal information, etc.
Recent security adjustments
• We’ve made some important security design changes to our online bank to deal with the modern threats
• Most noteworthy (and visible to our customers)
– Introduced contextual information with our OTPs
• The effect:
– Faced with a Trojan attack, all attempted rogue transactions are detectable by the customer
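The OTP rules on the previous slide (short-lived, only one valid code per customer, tied to the operation) and the contextual SMS text from this one, as a small model added here for illustration; it is not Skandiabanken's code, and the context string, the 6-digit code format and the consume-on-any-attempt policy are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 15 * 60  # the 15-minute lifetime the slides describe


@dataclass
class PendingOtp:
    code: str
    context: str     # the operation the code is bound to (assumed free-text format)
    issued_at: float


class ManualClock:
    """Adjustable time source so expiry can be exercised without waiting 15 minutes."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class OtpService:
    """Per-customer OTP state: at most one valid code, bound to one operation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # customer id -> PendingOtp

    def issue(self, customer, context):
        """Generate a fresh OTP for `context`; any earlier code for this customer is dropped.
        Returns (code, sms_text); sms_text carries the contextual information the
        customer compares against what they actually ordered."""
        code = f"{secrets.randbelow(10**6):06d}"  # uniformly random, infeasible to guess
        self._pending[customer] = PendingOtp(code, context, self._clock())
        return code, f"Code {code} confirms: {context}"

    def verify(self, customer, code, context):
        """Accept only a live, unused code issued for exactly this operation.
        The pending code is consumed on any attempt (assumption: no retry allowance)."""
        pending = self._pending.pop(customer, None)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > OTP_LIFETIME_SECONDS:
            return False
        if pending.context != context:  # payment details changed after the SMS went out
            return False
        return hmac.compare_digest(pending.code, code)
```

A Trojan that rewrites the recipient after the customer requested the code fails the context check, and the SMS text lets the customer see the altered recipient before typing the code at all.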
The standard countermeasures
• These are the usual suspects
– Surveillance of Trojan activity (through partner)
– IDS/firewall/etc
– Payment monitoring
– This is not an exhaustive list
• In addition
– Tight collaboration with other Norwegian banks
– Information sharing (extremely important)
– Security collaboration, not competition
Thank you!
• You’ll find me online:
– andre.klingsheim (at) skandiabanken (dot) no
– Blog: www.dotnetnoob.com
– Twitter: @klingsen
• I don’t want to be your Facebook friend
• Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference