Only you have access to your account and custody data. Login uses a three-part security system: contract number, password and scratch-list code. Thanks to 128-bit encryption, secure data transfer is guaranteed. Your Bank adopts the latest in encryption technology along with a host of constantly updated security measures and protocols that ensure your online banking experience remains fast, efficient and 100% secure, giving you absolute peace of mind at all times.
Compass Security AG
www.csnc.ch
Page 2
Is eBanking still safe? What are the security trends in eBanking? What can we learn from eBanking trends for other online applications?
Security Trends::Agenda
eBanking Attacks (diagram: Customer, Transmission, Bank)
Phishing
Lure the user into entering confidential information on a fake web site
Simple Trojans
Limited to a handful of eBanking applications
Steal username, password and one-time password
Steal session information and URL and send them to the attacker
Attacker imports the information into his browser to access the same account
Generic Trojans
In the wild since 2007, but still in development
Can attack any eBanking (and any web application)
New configuration is downloaded continuously
Note: About 1% of Google search query results point to a web site that can lead to a drive-by attack.
Bots
Security Measures (diagram: Customer, Transmission, Bank; labels: Secure Client, Attack Detection)
Secured Channel
Enter data on an external device
External device cannot be controlled by a Trojan
External device contains a secret key
Secure Environment
Start an application (e.g. a browser) that protects itself from Trojans
Stripped-down browser
Proprietary application (fat client)
Verify the environment before login is possible
B) Transaction Signing
Transaction details and unlock code on mobile (SMS)
External device with SmartCard
Read information from the screen and decrypt it on the external device
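The external-device variant of transaction signing can be shown in code. The following is an added example, not code from the presentation or from any of the products it names (IBM ZTIC, Kobil mIDentity). It assumes HMAC-SHA256 over the transaction fields the user confirms on the device's own display, a per-customer key that exists only in the device and at the bank, and a bank-issued nonce per payment; the deck names none of these, so all three are assumptions. The point it demonstrates is why a Trojan in the browser cannot profit from rewriting a payment: the bank recomputes the signature over what it actually received, so a changed recipient or amount, or a replayed signature, fails verification.

```python
import hashlib
import hmac
import secrets

# Constructed per-customer device key (assumed value, not from the presentation).
# In a real deployment it exists only inside the external device (SmartCard)
# and in the bank's key store; the PC and browser never hold it.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

# Fields the user confirms on the device's own display before signing.
# Fixed order and encoding so device and bank hash exactly the same bytes.
SIGNED_FIELDS = ("account", "recipient", "amount_cents", "currency", "nonce")


def canonical(tx: dict) -> bytes:
    """Canonical byte string of the transaction details covered by the signature."""
    return "|".join(f"{k}={tx[k]}" for k in SIGNED_FIELDS).encode("utf-8")


def bank_issue_nonce() -> str:
    """Bank side: fresh per-transaction challenge, so a captured signature
    cannot be replayed for a second payment (assumed design choice)."""
    return secrets.token_hex(8)


def device_sign(tx: dict, key: bytes = DEVICE_KEY) -> str:
    """External device: signs only the details it displayed to the user.
    HMAC-SHA256 is an assumed choice; the presentation names no algorithm."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def bank_verify(tx: dict, signature: str, key: bytes = DEVICE_KEY) -> bool:
    """Bank side: recompute over the transaction as actually submitted by the
    browser and compare in constant time."""
    expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def run_demo() -> tuple:
    """Returns (legit_ok, tampered_ok, replayed_ok) for a constructed payment."""
    nonce = "c0ffee00deadbeef"  # constructed; a real run uses bank_issue_nonce()
    tx = {
        "account": "CH00 EXAMPLE 0001",    # constructed placeholder, not an IBAN
        "recipient": "CH00 EXAMPLE 0002",  # constructed placeholder, not an IBAN
        "amount_cents": 12050,
        "currency": "CHF",
        "nonce": nonce,
    }
    # 1. User confirms these details on the device, which signs them.
    sig = device_sign(tx)
    legit_ok = bank_verify(tx, sig)

    # 2. A generic Trojan in the browser rewrites recipient and amount after
    #    the user confirmed the original; the device's signature no longer
    #    matches what the bank receives.
    tampered = dict(tx, recipient="CH00 EXAMPLE 0099", amount_cents=950000)
    tampered_ok = bank_verify(tampered, sig)

    # 3. Replaying the valid signature under a new bank challenge also fails.
    replay = dict(tx, nonce="0123456789abcdef")
    replayed_ok = bank_verify(replay, sig)
    return legit_ok, tampered_ok, replayed_ok


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

The security of the scheme rests on two things the code makes explicit: the key never passes through the infected PC, and the bytes that are signed are exactly the bytes the user saw on the trusted display, so the browser has no say in what gets signed.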
Enter Payment (figure: SmartCard reader, IBM ZTIC, Kobil mIDentity)
Outlook / Thesis
Applied to eBanking
Only the required amount of money accessible via eBanking
Move savings to other accounts / banks
Set a limit on the payment amount per month
Insurance for eBanking losses?
Large/medium companies
Separate computer used only for eBanking and finance work
No connections to the Internet except for eBanking
eBanking is safer than old-style payment methods! Users have to learn the threats and precautions that come with the new technology!
Security Trends::References
Cheap laptops for 75 dollars http://www.pressetext.de/pte.mc?pte=080111021
Symantec SilentBanker Trojan description http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-100999&tabid=2
Google research about distribution of malware http://research.google.com/archive/provos-2008a.pdf
Malware distribution by Compass Security http://www.csnc.ch/misc/files/publications/verbreitung_malware_v1.0.pdf
Symantec Internet Security Threat Report July-December 2007 http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
Bürgerkarte, SmartCard for everyone in Austria http://www.buergerkarte.at/
MELANI semi-annual report II/2007 http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=de
Risk analysis of Austrian banks http://www.a-sit.at/pdfs/20080613_studie_sicherheit_im_ebanking_nach_feedback_durch_die_wko_tcm14-86337.pdf
Internet threat level Q1 2008, BSI Deutschland http://www.bsi.bund.de/literat/lagebericht/2008_Q1_Internetlagebild.pdf
Kobil mIDentity http://www.kobil.com/index.php?id=49&type=7
CLX Stick by Crealogix/EISST http://www.crealogix.com/de/ResourceImage.aspx?raid=5141
IBM ZTIC (Zurich Trusted Information Channel) http://www.zurich.ibm.com/ztic/
ESS by Telekurs http://www.telekurs-card-solutions.com/ebanking.asp
EMV CAP at PostFinance http://www.ergonomics.ch/isrm/page-projects-isrm/page-projects-postfinance.htm
The Internet Passport by Axsionics http://www.axsionics.ch/