Advertisement
Check these out next
Online banking trojans
Apr. 24, 2012•0 likes•893 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Economy & Finance
Talk on online banking trojans at joint DND/ISACA/ISF member meeting, in Bergen on May 2, 2011
Andre N. KlingsheimFollow
Self employed consultantAdvertisement
Online banking trojans
- Online banking Trojans Recent developments and countermeasures DND, ISF, ISACA member meeting 02. May 2011 André N.Klingsheim IT security specialist, PhD
- Outline • Skandiabanken’s login procedures • ”Traditional” Trojans • Recent developments • Recent security adjustments 2
- The login procedures • Online banking password – With One Time Password (OTP) by SMS – Or from a code card • BankID – BankID password – OTP from code card • BankID mobile – Pin entered on mobile phone 3
- Login procedures figure 4
- Traditional Trojans • Most simplistic Trojans – Are essentially keyloggers – Record your usernames and passwords – Sends the data to some drop site on the Internet – Attacker later picks up the data from drop site – Will compromise traditional username/password schemes (single factor authentication) • High security sites have introduced OTPs to counter this threat (others follow) 5
- More recent Trojans • Not so simplistic Trojans – Target two-factor authentication – Target systems employing reauthentication • Means you need to supply new OTPs to perform sensitive operations – Attempt to steal OTPs – Have functionality to show malicious webpages to the user, to confuse the user into giving several OTPs – Requires user interaction 6
- More recent Trojans II • More advanced Trojans – Target two-factor authentication – Performs attack in realtime • Overcomes short lived OTPs • Overcomes singular OTPs – Requires user interaction 7
- Modern Trojan threat • Advanced Trojans can conceal rogue payments: – Rewrite payment registry – Rewrite account statement • Can make the attack undetectable for the user – There are no visual indications that something is wrong, i.e. the account statement looks ok • We’ll have a look at the Zeus Trojan – Screenshots stolen from Symantec video (9 mins worth watching!) – www.youtube.com/watch?v=CzdBCDPETxk 8
- Zeus example (original page) 9
- Zeus example (modified page) 10
- Zeus config 11
- It gets worse... 12
- Combined PC/mobile Trojan threat • Trojans on pc attempt to install mobile Trojan – Ask customer to install ”App” during login – Steal username/password on pc, OTP on mobile • Some attacks reported in Europe – This is an upcoming threat • We haven’t seen any of these attacks in Norway yet 13
- Zeus combined mobile Trojan •www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication 14
- Combined PC/mobile Trojan threat II • Mobile platforms are consolidated – iOS (iPhone), Android, Windows Mobile 7 – Makes mobile Trojans scale better – Increases ROI for attackers, increases our risk • Installing the mobile Trojan still requires user participation – User must supply phone model and maker – User must accept installation on the phone 15
- Countermeasures 16
- Our security design • Payment authorization – By an OTP (reauthentication) – Or by signature, BankID/BankID • Required for: – Payments to new recipients – Payments over a certain threshold • Hampered attacks from traditional Trojans • Balanced usability/security 17
- The OTPs • Generated securely – Infeasible to guess them • Short lived, 15 mins • You can only have one valid OTP at any given moment – Requesting a new OTP invalidates the previous – Forces real time attack • OTP is tied to the operation you perform – Login/payment/changing personal information etc 18
- Stopping the attack at the client 19
- Recent security adjustments • We’ve done some important security design changes to our online bank to deal with the modern threats • Most noteworthy (and visible to our customers) – Introduced contextual information with our OTPs • The effect: – Faced with a Trojan attack, all attempted rogue transactions are detectable for the customer 20
- OTP via SMS, with context 21
- Avoiding the attack? Look for mismatch between account/amount in online bank and mobile phone 22
- The standard countermeasures • These are the usual suspects – Surveillance of Trojan activity (through partner) – IDS/firewall/etc – Payment monitoring – This is not an exhaustive list • In addition – Tight collaboration with other Norwegian banks – Information sharing (extremely important) – Security collaboration, not competition 23
- Thank you! • You’ll find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen • I don’t want to be your Facebook friend • Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference 24
Advertisement