Online banking Trojans
Recent developments and countermeasures

DND, ISF, ISACA member meeting 02. May 2011

André N. Klingsheim
IT security specialist, PhD
Outline
•   Skandiabanken’s login procedures
•   ”Traditional” Trojans
•   Recent developments
•   Recent security adjustments
The login procedures
• Online banking password
   – With One Time Password (OTP) by SMS
   – Or from a code card
• BankID
   – BankID password
   – OTP from code card
• BankID mobile
   – PIN entered on the mobile phone

Login procedures figure
(image-only slide)

Traditional Trojans
• The most simplistic Trojans
   – Are essentially keyloggers
   – Record your usernames and passwords
   – Send the data to some drop site on the Internet
   – The attacker later picks up the data from the drop site
   – Will compromise traditional username/password
     schemes (single-factor authentication)
• High-security sites have introduced OTPs to counter
  this threat (others follow)

More recent Trojans
• Not so simplistic Trojans
  – Target two-factor authentication
  – Target systems employing reauthentication
      • Means you need to supply a new OTP to
        perform sensitive operations
  – Attempt to steal OTPs
  – Have functionality to show malicious web pages
    to the user, to trick the user into handing over
    several OTPs for the attacker to use later
  – Require user interaction

More recent Trojans II
• More advanced Trojans
  – Target two-factor authentication
  – Perform the attack in real time, while the user is logged in
     • Overcomes short-lived OTPs
     • Overcomes single-use OTPs
  – Require user interaction

Modern Trojan threat
• Advanced Trojans can conceal rogue payments:
   – Rewrite the list of registered payments
   – Rewrite the account statement
• Can make the attack undetectable for the user
   – There are no visual indications that something is
     wrong, i.e. the account statement looks OK
• We’ll have a look at the Zeus Trojan
   – Screenshots stolen from a Symantec video (9 mins,
     worth watching!)
   – www.youtube.com/watch?v=CzdBCDPETxk

Zeus example (original page)
(image-only slide)

Zeus example (modified page)
(image-only slide)

Zeus config
(image-only slide)

It gets worse...

Combined PC/mobile Trojan threat
• Trojans on the PC attempt to install a mobile Trojan
   – Ask the customer to install an ”app” during login
   – Steal the username/password on the PC, the OTP on the mobile
• Some attacks reported in Europe
   – This is an upcoming threat
• We haven’t seen any of these attacks in Norway yet

Zeus combined mobile Trojan
(image-only slide)
• www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication

Combined PC/mobile Trojan threat II
• Mobile platforms have consolidated
   – iOS (iPhone), Android, Windows Phone 7
   – Makes mobile Trojans scale better
   – Increases ROI for attackers, increases our risk
• Installing the mobile Trojan still requires user
  participation
   – The user must supply the phone model and maker
   – The user must accept the installation on the phone

Countermeasures

Our security design
• Payment authorization
   – By an OTP (reauthentication)
   – Or by signature, BankID/BankID mobile
• Required for:
   – Payments to new recipients
   – Payments over a certain threshold
• Hampers attacks from traditional Trojans
• Balances usability and security

The OTPs
• Generated securely
   – Infeasible to guess
• Short-lived: valid for 15 minutes
• You can only have one valid OTP at any given
  moment
   – Requesting a new OTP invalidates the previous one
   – Forces the attacker into a real-time attack
• The OTP is tied to the operation you perform
   – Login/payment/changing personal information etc.

Stopping the attack at the client

Recent security adjustments
• We’ve made some important security design
  changes to our online bank to deal with the modern
  threats
• Most noteworthy (and visible to our customers)
   – Introduced contextual information with our OTPs:
     the message states what the code authorizes
• The effect:
   – Faced with a Trojan attack, all attempted rogue
     transactions are detectable by the customer

OTP via SMS, with context
(image-only slide)

Avoiding the attack?
Look for a mismatch between the account/amount
shown in the online bank and the account/amount
stated on the mobile phone

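The payment-authorization rules under ”Our security design”, the OTP properties under ”The OTPs” and the contextual SMS of the last three slides fit together as one piece of server-side logic, shown here in Python. This is an added example written for this page, not Skandiabanken’s code: the names `OtpService`, `Payment`, `needs_reauthentication` and `run_scenarios` are invented, the 8-digit code length, the threshold and every account number and amount are assumptions, and the scenarios replay the Trojan behaviour from the ”More recent Trojans” and ”Modern Trojan threat” slides against the service.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 15 * 60   # "The OTPs": short-lived, valid for 15 minutes
OTP_DIGITS = 8                   # assumption: the deck does not give the OTP length


@dataclass(frozen=True)
class Payment:
    to_account: str
    amount_nok: int


def payment_context(p):
    """The part of a payment an OTP is bound to, and what the SMS states."""
    return (p.to_account, p.amount_nok)


def needs_reauthentication(payment, known_recipients, threshold_nok):
    """'Our security design': OTP/signature needed for new recipients or large amounts."""
    return payment.to_account not in known_recipients or payment.amount_nok > threshold_nok


@dataclass
class IssuedOtp:
    code: str
    operation: str   # "login", "payment", "change_personal_info", ...
    context: tuple   # what the code authorises, e.g. (to_account, amount_nok)
    issued_at: float


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so expiry can be tested deterministically
        self._active = {}       # user -> IssuedOtp; at most one entry per user

    def issue(self, user, operation, context):
        # Unguessable: drawn from the OS CSPRNG, never derived from time or a counter.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        # Overwriting the entry invalidates any earlier OTP for this user.
        self._active[user] = IssuedOtp(code, operation, context, self._clock())
        return code

    def sms_text(self, user):
        """'OTP via SMS, with context': state what the bank actually received."""
        otp = self._active[user]
        if otp.operation == "payment":
            to_account, amount_nok = otp.context
            return f"Code {otp.code}: payment of NOK {amount_nok} to account {to_account}"
        return f"Code {otp.code} for {otp.operation}"

    def verify(self, user, code, operation, context):
        """Accept the code only for the operation and context it was issued for."""
        otp = self._active.pop(user, None)   # single use: consumed by any attempt
        if otp is None or self._clock() - otp.issued_at > OTP_LIFETIME_SECONDS:
            return False
        if otp.operation != operation or otp.context != context:
            return False
        return hmac.compare_digest(otp.code, code)


def run_scenarios():
    """Replay the Trojan behaviour from the deck; all accounts and amounts are constructed."""
    now = [1_700_000_000.0]
    svc = OtpService(clock=lambda: now[0])
    user, known_recipients = "customer-1", {"1234.56.78903"}
    intended = Payment("1234.56.78903", 900)      # what the customer typed
    rogue = Payment("9999.88.77777", 48000)       # what the Trojan submits instead
    r = {}
    r["intended_needs_otp"] = needs_reauthentication(intended, known_recipients, 5000)
    r["rogue_needs_otp"] = needs_reauthentication(rogue, known_recipients, 5000)

    # 1. The Trojan rewrites the payment before it reaches the bank. OTP and SMS are bound
    #    to the rogue payment while the rewritten page still shows the intended one.
    svc.issue(user, "payment", payment_context(rogue))
    sms = svc.sms_text(user)
    r["sms_shows_rogue_account"] = rogue.to_account in sms
    r["sms_shows_intended_account"] = intended.to_account in sms

    # 2. The Trojan obtains an OTP for the intended payment, then submits the rogue one.
    code = svc.issue(user, "payment", payment_context(intended))
    r["otp_reused_for_rogue"] = svc.verify(user, code, "payment", payment_context(rogue))
    r["otp_after_consumption"] = svc.verify(user, code, "payment", payment_context(intended))

    # 3. A harvested login OTP is useless for a payment (operation binding).
    code = svc.issue(user, "login", ())
    r["login_otp_used_for_payment"] = svc.verify(user, code, "payment", payment_context(rogue))

    # 4. Only the newest OTP is valid, and it expires after 15 minutes.
    old = svc.issue(user, "login", ())
    svc.issue(user, "login", ())
    r["old_otp_accepted"] = svc.verify(user, old, "login", ())   # also consumes the newer one
    fresh = svc.issue(user, "login", ())
    now[0] += OTP_LIFETIME_SECONDS + 1
    r["expired_otp_accepted"] = svc.verify(user, fresh, "login", ())
    fresh = svc.issue(user, "login", ())
    r["fresh_otp_accepted"] = svc.verify(user, fresh, "login", ())
    return r
```

Two choices in the example matter for the threat on these slides. The code is bound to what the bank received, not to what the browser displayed, which is why the SMS exposes a rewritten payment and why a code obtained for one payment cannot be replayed on another. And `verify` consumes the OTP on any attempt, so a mistyped code costs the customer a new SMS but gives a Trojan no second guess. A production service would keep the table in shared storage next to the session rather than in process memory.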
The standard countermeasures
• These are the usual suspects
   – Surveillance of Trojan activity (through a partner)
   – IDS/firewall/etc.
   – Payment monitoring
   – This is not an exhaustive list
• In addition
   – Tight collaboration with the other Norwegian banks
   – Information sharing (extremely important)
   – Security collaboration, not competition

Thank you!
• You’ll find me online:
   – andre.klingsheim (at) skandiabanken (dot) no
   – Blog: www.dotnetnoob.com
   – Twitter: @klingsen
• I don’t want to be your Facebook friend
• Note: Skandiabanken participates with two lightning
  talks at the upcoming Roots conference
