Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Online banking trojans

Talk on online banking trojans at joint DND/ISACA/ISF member meeting, in Bergen on May 2, 2011

  • Login to see the comments

Online banking trojans

  1. 1. Online banking TrojansRecent developments and countermeasuresDND, ISF, ISACA member meeting 02. May 2011André N.KlingsheimIT security specialist, PhD
  2. 2. Outline• Skandiabanken’s login procedures• ”Traditional” Trojans• Recent developments• Recent security adjustments 2
  3. 3. The login procedures• Online banking password – With One Time Password (OTP) by SMS – Or from a code card• BankID – BankID password – OTP from code card• BankID mobile – Pin entered on mobile phone 3
  4. 4. Login procedures figure 4
  5. 5. Traditional Trojans• Most simplistic Trojans – Are essentially keyloggers – Record your usernames and passwords – Sends the data to some drop site on the Internet – Attacker later picks up the data from drop site – Will compromise traditional username/password schemes (single factor authentication)• High security sites have introduced OTPs to counter this threat (others follow) 5
  6. 6. More recent Trojans• Not so simplistic Trojans – Target two-factor authentication – Target systems employing reauthentication • Means you need to supply new OTPs to perform sensitive operations – Attempt to steal OTPs – Have functionality to show malicious webpages to the user, to confuse the user into giving several OTPs – Requires user interaction 6
  7. 7. More recent Trojans II• More advanced Trojans – Target two-factor authentication – Performs attack in realtime • Overcomes short lived OTPs • Overcomes singular OTPs – Requires user interaction 7
  8. 8. Modern Trojan threat• Advanced Trojans can conceal rogue payments: – Rewrite payment registry – Rewrite account statement• Can make the attack undetectable for the user – There are no visual indications that something is wrong, i.e. the account statement looks ok• We’ll have a look at the Zeus Trojan – Screenshots stolen from Symantec video (9 mins worth watching!) – 8
  9. 9. Zeus example (original page) 9
  10. 10. Zeus example (modified page) 10
  11. 11. Zeus config 11
  12. 12. It gets worse... 12
  13. 13. Combined PC/mobile Trojan threat• Trojans on pc attempt to install mobile Trojan – Ask customer to install ”App” during login – Steal username/password on pc, OTP on mobile• Some attacks reported in Europe – This is an upcoming threat• We haven’t seen any of these attacks in Norway yet 13
  14. 14. Zeus combined mobile Trojan • 14
  15. 15. Combined PC/mobile Trojan threat II• Mobile platforms are consolidated – iOS (iPhone), Android, Windows Mobile 7 – Makes mobile Trojans scale better – Increases ROI for attackers, increases our risk• Installing the mobile Trojan still requires user participation – User must supply phone model and maker – User must accept installation on the phone 15
  16. 16. Countermeasures 16
  17. 17. Our security design• Payment authorization – By an OTP (reauthentication) – Or by signature, BankID/BankID• Required for: – Payments to new recipients – Payments over a certain threshold• Hampered attacks from traditional Trojans• Balanced usability/security 17
  18. 18. The OTPs• Generated securely – Infeasible to guess them• Short lived, 15 mins• You can only have one valid OTP at any given moment – Requesting a new OTP invalidates the previous – Forces real time attack• OTP is tied to the operation you perform – Login/payment/changing personal information etc 18
  19. 19. Stopping the attack at the client 19
  20. 20. Recent security adjustments• We’ve done some important security design changes to our online bank to deal with the modern threats• Most noteworthy (and visible to our customers) – Introduced contextual information with our OTPs• The effect: – Faced with a Trojan attack, all attempted rogue transactions are detectable for the customer 20
  21. 21. OTP via SMS, with context 21
  22. 22. Avoiding the attack?Look for mismatch betweenaccount/amount in onlinebank and mobile phone 22
  23. 23. The standard countermeasures• These are the usual suspects – Surveillance of Trojan activity (through partner) – IDS/firewall/etc – Payment monitoring – This is not an exhaustive list • In addition – Tight collaboration with other Norwegian banks – Information sharing (extremely important) – Security collaboration, not competition 23
  24. 24. Thank you!• You’ll find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: – Twitter: @klingsen• I don’t want to be your Facebook friend• Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference 24