
Security Trends eBanking

September 25th 2008, Walter Sprenger, walter.sprenger@csnc.ch


Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil, Tel. +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch

Security Trends::Once upon a time


Our eBanking is secure:
We use 128 bit SSL Encryption
Digital Server Certificate
Threefold Security System: Username, Password and Strike List

Only you have access to your account and custody account data. Login uses a threefold security system: contract number, password and strike list code. Thanks to 128-bit encryption, secure data transfer is guaranteed. (translated from German)

Your Bank adopts the latest in encryption technology along with a host of constantly updated security measures and protocols that ensure your online banking experience remains fast, efficient and 100% secure, giving you absolute peace of mind at all times.

Compass Security AG

www.csnc.ch

Page 2

Security Trends::Quo Vadis

eBanking Security Quo Vadis?

Is eBanking still safe? What are the security trends in eBanking? What can we learn from eBanking trends for other online applications?


Security Trends::Agenda

eBanking Attacks
Security Measures
Outlook / Thesis


eBanking Attacks


Security Trends::eBanking Attacks


Target of Attacks

Customer: Phishing Attacks, Trojan Attacks
Transmission: Pharming, DNS Spoofing, Network Interception
Bank: Web Application Attacks, Attacking Server


Security Trends::Client Attacks


Most promising attacks on the client:

Phishing
Motivate the user to enter confidential information on a fake web site

Simple Trojans
Limited to a handful of eBanking applications
Steal username, password and one-time password
Steal session information and URL and send them to the attacker
Attacker imports the information into his browser to access the same account

Generic Trojans
In the wild since 2007, but still in development
Can attack any eBanking (and any web application)
New configuration is downloaded continuously


Security Trends::Generic Trojans


Generic Trojans:

Infection of client with user interaction
Email attachments (ZIP, Exe, etc.)
Email with link to malicious web site
Links in social networks
Integrated in popular software (downloads)
File transfer of instant messaging/VoIP/file sharing
CD-ROM/USB Stick

Infection of client without user interaction
Malicious web sites (drive by)
Infection of trusted, popular web sites (IFRAME)
Misusing software update functionality (like Bundestrojaner)
Attacks on vulnerable, exposed computers (network/wireless)

Note: About 1% of Google search query results point to a web site that can lead to a drive by attack.

Security Trends::Generic Trojans


Features of Generic Trojans
Hide from security tools (anti-virus/personal firewall)
Inject code in running processes / drivers / operating system
Capture/Redirect/Send data
Download new configuration / functionality
Remote control browser instance

Features useful for eBanking attacks
Send web pages of unknown eBanking to attacker
Download new patterns of eBanking transaction forms
Modify transaction in the background (on the fly)
Collect financial information

Security Trends::Generic Trojans


Tips and Tricks
Every Trojan binary is unique (packed differently): not detectable by anti-virus patterns
Trojan code is injected into other files or other processes: personal firewall cannot block communication
Installs in kernel: full privileges on system, invisible
Bot Networks

Diagram: Bot Net Operator -> Bot Net Server -> Proxy Bot -> Bots (several Bot Net Servers, each controlling Bots)


Security Trends::Generic Trojans


Traded Goods

Symantec Internet Security Threat Report July-December 2007 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf


Security Measures


Security Trends::Security Measures


Security Measures
Attack Detection
Second Channel / Secured Channel
Secure Client

Diagram: Customer (Secure Client) - Transmission (Second Channel / Secured Channel) - Bank (Attack Detection)

Security Trends::Security Measures


Attack Detection
Detect session hijacking attacks
  Monitor and compare request parameters
  Identify SSL session and IP address changes
Transaction verification / user profiling
  Statistics about normal user behaviour
  Compare transaction with normal user behaviour
  White list target accounts
  Limits on transaction amount
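The detection signals listed on this slide, as an added example that is not from the slides: a small server-side check over constructed eBanking request records that flags a session token reappearing from a different SSL session id or client IP, and payments that leave the customer's white list or exceed the amount limit. The record layout, the profile values and the alert names are assumptions.

```python
# Added example (not the slides' own code): server-side attack detection over
# constructed eBanking request records.

# Constructed sample requests:
# (session_token, ssl_session_id, client_ip, action, target_account, amount)
REQUESTS = [
    ("S1", "ssl-aaa", "198.51.100.7", "login", None, 0.0),
    ("S1", "ssl-aaa", "198.51.100.7", "payment", "84-1234-5", 455.00),
    # same session token, but new SSL session and IP: hijack suspect
    ("S1", "ssl-zzz", "203.0.113.9", "payment", "11-9999-0", 8900.00),
    ("S2", "ssl-bbb", "192.0.2.44", "login", None, 0.0),
    ("S2", "ssl-bbb", "192.0.2.44", "payment", "84-1234-5", 120.00),
]

# Constructed per-customer profile derived from normal behaviour:
# white-listed target accounts and a per-transaction limit.
PROFILE = {
    "S1": {"known_accounts": {"84-1234-5"}, "limit": 5000.0},
    "S2": {"known_accounts": {"84-1234-5"}, "limit": 5000.0},
}


def detect(requests, profile):
    """Return a list of (session_token, alert_name) for suspicious requests."""
    alerts = []
    first_seen = {}  # session token -> (ssl_session_id, ip) observed at login
    for sess, ssl_id, ip, action, account, amount in requests:
        if sess not in first_seen:
            first_seen[sess] = (ssl_id, ip)
        # Signal 1: the session token is presented from another SSL session / IP
        if (ssl_id, ip) != first_seen[sess]:
            alerts.append((sess, "session-hijack-suspect"))
        if action != "payment":
            continue
        p = profile[sess]
        # Signal 2: target account is not on the customer's white list
        if account not in p["known_accounts"]:
            alerts.append((sess, "unknown-target-account"))
        # Signal 3: amount exceeds the customer's transaction limit
        if amount > p["limit"]:
            alerts.append((sess, "amount-over-limit"))
    return alerts


if __name__ == "__main__":
    for sess, alert in detect(REQUESTS, PROFILE):
        print(f"{sess}: {alert}")
```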


Security Trends::Security Measures


Second Channel
Send verification using another channel
Another application on the client computer
Another medium like mobile phones (SMS)

Secured Channel
Enter data on an external device
External device cannot be controlled by a Trojan
External device contains a secret key


Security Trends::Security Measures


Secure Platform
A computer that is only used for eBanking
Bootable CD-ROM, bootable USB stick
Virtual machine
eBanking laptop

Secure Environment
Start an application (e.g. browser) that protects itself from Trojans
Stripped-down browser
Proprietary application (fat client)
Verify the environment before login is possible


Security Trends::Security Trends


Current client security approaches:

A) Secured Application/Virtualization
Hardened browser on USB stick
Application to secure the client
Virtual operating system on host system
Bootable CD-ROM/USB stick

B) Transaction Signing
Transaction details and unlock code on mobile (SMS)
External device with SmartCard
Read information from screen and decrypt on external device


Security Trends::Security Trends


A) Secured Application/Virtualization

Diagram: four client architectures, each drawn as a stack on HW and OS:
No virtualization: Apps, Browser, API, OS, HW
Application Protection: Apps, Browser, API, OS, HW (the browser application is protected)
Application and API Protection: Apps, Browser with its own API, API, OS, HW
Virtual Machine: Apps, Browser with its own API and OS inside the VM, API, OS, HW

Solutions (some examples):
Portable Apps, Thinstall
CLX Stick, Kobil mIdentity
Browser Appliance (e.g. VMware, VirtualPC, etc.)

Security Trends::Security Trends


B) Transaction Signing

Diagram: flow between Device, User, Computer (Browser) and eBanking:
1. User: Enter Payment (Amount: CHF 455.00, Account: 84-1234-5)
2. Browser sends Payment to eBanking
3. eBanking returns an Encrypted Unlock-Code to the Device, or sends the Unlock-Code on a Second Channel
4. Device: Read Transaction and display Amount: CHF 455.00, Account: 84-1234-5, Unlock-Code: ABCD
5. User: Compare with entered payment, then Enter Unlock-Code
6. Browser sends Unlock-Code to eBanking

Devices (some examples):
Mobile phones
IBM ZTIC, EMV CAP, Axsionics, Tricipher
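The transaction-signing flow shown on this slide, as an added example that is neither the slides' own code nor any vendor's protocol: the bank binds a short unlock code to the payment it actually received and sends details plus code over the second channel; the user releases the code only after comparing the details with the payment typed into the browser, so a Trojan that modifies the payment on the fly is caught at the comparison step. The bank key, the code derivation and the tampered payment are constructed.

```python
# Added example (not the slides' own code): unlock code bound to the received
# transaction, delivered on a second channel (SMS variant of the slide's flow).
import hashlib
import hmac
import secrets

BANK_KEY = b"constructed-bank-key-not-a-real-secret"  # constructed, bank-side only


def derive_code(amount, account, nonce):
    """Unlock code that depends on the exact amount, account and a fresh nonce."""
    msg = f"{amount:.2f}|{account}|{nonce}".encode()
    return hmac.new(BANK_KEY, msg, hashlib.sha256).hexdigest()[:4].upper()


def bank_receive_payment(payment):
    """Step 2/3: record what the browser sent and build the second-channel message."""
    nonce = secrets.token_hex(8)
    code = derive_code(payment["amount"], payment["account"], nonce)
    pending = {"payment": payment, "nonce": nonce}
    sms = (f"Amount: CHF {payment['amount']:.2f} "
           f"Account: {payment['account']} Unlock-Code: {code}")
    return pending, sms


def user_checks_sms(entered, sms):
    """Step 4/5: the user compares the SMS with the payment typed into the browser.
    Returns the unlock code only if amount and account match, else None."""
    expected = f"Amount: CHF {entered['amount']:.2f} Account: {entered['account']} "
    if not sms.startswith(expected):
        return None  # details differ: the payment was altered on the way to the bank
    return sms.split("Unlock-Code: ")[1]


def bank_verify(pending, code):
    """Step 6: release the payment only if the code matches the recorded payment."""
    p = pending["payment"]
    expected = derive_code(p["amount"], p["account"], pending["nonce"])
    return code is not None and hmac.compare_digest(expected, code)


def run_payment(entered, browser_sends):
    """Whole flow; browser_sends is what reaches the bank (differs under a Trojan)."""
    pending, sms = bank_receive_payment(browser_sends)
    return bank_verify(pending, user_checks_sms(entered, sms))


ENTERED = {"amount": 455.00, "account": "84-1234-5"}     # payment from the slide
TAMPERED = {"amount": 8900.00, "account": "11-9999-0"}   # constructed Trojan version
```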

Security Trends::Security Trends


Pictures of devices: Axsionics Internet Passport, SmartCard Reader, IBM ZTIC, TriCipher Armored Transactions, Crealogix CLX Stick, Kobil mIDentity

Outlook / Thesis


Security Trends::Outlook / Thesis


Personal Risk Management!

How do we manage our personal financial risk?
Only as much money as we need at home or in the wallet
Different bank accounts for different purposes
Limits on bank accounts or ATM cards
Insurance for damages we cannot afford

Applied to eBanking
Only the required amount of money accessible by eBanking
Move savings to other accounts / banks
Set a limit on the payment amount per month
Insurance for eBanking losses?


Security Trends::Outlook / Thesis


We need different solutions for different clients!

Big/medium companies
Separate computer only for eBanking and finance work
No connections to the Internet except for eBanking

Small companies / Private people
Secure Applications/Virtualization
Transaction Signing


Security Trends::Outlook / Thesis


Other Ideas!

Computer only for eBanking
Cheap laptops ($100) only for eBanking
Boot from USB stick or CD-ROM

Pool for eBanking claims
Take the model of the credit card industry
Cover claims with insurance


Security Trends::Outlook / Thesis


What's going on in the future
More Trojans will be installed on client computers
The banks will deliver secure devices / secured applications
The criminals will focus on weaker eBankings in the beginning
They will eventually attack the eBankings with secure devices / secure applications; especially the social engineering attacks will be improved
Attacking other applications may become more interesting

Like in reality: where the money is, there are the thieves.


Security Trends::Outlook / Thesis


Is eBanking still safe? Alternatives:
Retrieve your money at the bank and pay at the post office
Fill out a payment order and send it to your bank by snail mail
Send your bank a fax/letter with a payment order

eBanking is safer than old-style payment methods!
Users have to learn the threats and precautions that come with the new technology!


Security Trends::References

Cheap laptops for 75 dollars: http://www.pressetext.de/pte.mc?pte=080111021
Symantec SilentBanker Trojan description: http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-100999&tabid=2
Google research about distribution of malware: http://research.google.com/archive/provos-2008a.pdf
Malware distribution by Compass Security: http://www.csnc.ch/misc/files/publications/verbreitung_malware_v1.0.pdf
Symantec Internet Security Threat Report July-December 2007: http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
Bürgerkarte, SmartCard für Jede und Jeden in Österreich (citizen card, a smart card for everyone in Austria): http://www.buergerkarte.at/
MELANI Halbjahresbericht II/2007 (semi-annual report): http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=de


Security Trends::References
Risk analysis of Austrian banks: http://www.a-sit.at/pdfs/20080613_studie_sicherheit_im_ebanking_nach_feedback_durch_die_wko_tcm14-86337.pdf
Internet threat level Q1 2008, BSI Deutschland: http://www.bsi.bund.de/literat/lagebericht/2008_Q1_Internetlagebild.pdf
Kobil mIDentity: http://www.kobil.com/index.php?id=49&type=7
CLX Stick by Crealogix/EISST: http://www.crealogix.com/de/ResourceImage.aspx?raid=5141
IBM ZTIC (Zurich Trusted Information Channel): http://www.zurich.ibm.com/ztic/
ESS by Telekurs: http://www.telekurs-card-solutions.com/ebanking.asp
EMV CAP at PostFinance: http://www.ergonomics.ch/isrm/page-projects-isrm/page-projects-postfinance.htm
The Internet Passport by Axsionics: http://www.axsionics.ch/
