Security Trends eBanking
September 25th 2008, Walter Sprenger
[email protected]
Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Tel. +41 55-214 41 60, Fax +41 55-214 41 61
[email protected], www.csnc.ch
Security Trends::Once upon a time
Our eBanking is secure:
- We use 128 bit SSL Encryption
- Digital Server Certificate
- Threefold Security System: Username, Password and Strike List

Bank marketing text (translated from German): "Only you have access to your account and custody account data. Login is done via a threefold security system: contract number, password and strike-list code. Thanks to 128-bit encryption, secure data transfer is guaranteed."

"Your Bank" adopts the latest in encryption technology along with a host of constantly updated security measures and protocols that ensure your online banking experience remains fast, efficient and 100% secure, giving you absolute peace of mind at all times.
© Compass Security AG
www.csnc.ch
Page 2
Security Trends::Quo Vadis
eBanking Security – Quo Vadis?
- Is eBanking still safe?
- What are the security trends in eBanking?
- What can we learn from eBanking trends for other online applications?
Security Trends::Agenda
- eBanking Attacks
- Security Measures
- Outlook / Thesis
eBanking Attacks
Security Trends::eBanking Attacks
Target of Attacks
- Customer: Phishing Attacks, Trojan Attacks
- Transmission: Pharming, DNS Spoofing, Network Interception
- Bank: Web Application Attacks, Attacking Server
Security Trends::Client Attacks
Most promising attacks on the client:
- Phishing: motivate the user to enter confidential information on a fake web site
- Simple Trojans: limited to a handful of eBanking applications; steal username, password and one-time password; steal session information and URL and send it to the attacker; the attacker imports the information into his browser to access the same account
- Generic Trojans: in the wild since 2007, but still in development; can attack any eBanking (and any web application); new configuration is downloaded continuously
Security Trends::Generic Trojans
Generic Trojans:
- Infection of client with user interaction: email attachments (ZIP, Exe, etc.); email with link to malicious web site; links in social networks; integrated in popular software (downloads); file transfer via instant messaging/VoIP/file sharing; CD-ROM/USB stick
- Infection of client without user interaction: malicious web sites (drive-by); infection of trusted, popular web sites (IFRAME …); misusing software update functionality (like Bundestrojaner); attacks on vulnerable, exposed computers (network/wireless)
Note: About 1% of Google search query results point to a web site that can lead to a drive-by attack.
Security Trends::Generic Trojans
Features of Generic Trojans
- Hide from security tools (anti-virus/personal firewall)
- Inject code in running processes / drivers / operating system
- Capture/redirect/send data
- Download new configuration / functionality
- Remote control of a browser instance
Features useful for eBanking attacks
- Send web pages of unknown eBanking to attacker
- Download new patterns of eBanking transaction forms
- Modify transaction in the background (on the fly)
- Collect financial information
Security Trends::Generic Trojans
Tips and Tricks
- Every Trojan binary is unique (packed differently): not detectable by anti-virus patterns
- Trojan code is injected into other files or other processes: personal firewall can not block communication
- Installs in kernel: full privileges on system, invisible
[Diagram: Bot Networks – Bots, Proxy Bot, Bot Net Server, Bot Net Operator]
Security Trends::Generic Trojans
Traded Goods
[Figure from Symantec Internet Security Threat Report July-December 2007: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf]
Security Measures
Security Trends::Security Measures
Security Measures: Attack Detection, Second Channel / Secured Channel, Secure Client
- Customer: Secure Client
- Transmission: Second Channel, Secured Channel
- Bank: Attack Detection
Security Trends::Security Measures
Attack Detection
- Detect session hijacking attacks: monitor and compare request parameters; identify SSL session and IP address changes
- Transaction verification / user profiling: statistics about normal user behaviour; compare transaction with normal user behaviour; white list target accounts; limits on transaction amount
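The two detection ideas on this slide, written out as an added example (this is not code from the deck or from any bank): a session is bound to the IP address and SSL/TLS session identifier seen at login and later requests are compared against that binding, and a payment is checked against a white list of target accounts, a monthly limit and a statistical profile of the customer's past amounts. All sessions, profiles, thresholds and field names are constructed assumptions for the example.

```python
"""Bank-side attack detection as described on the slide (added example,
not the deck's or any bank's code).  Two checks on constructed data:

1. Session hijacking: the session is bound to the client IP address and
   the SSL/TLS session identifier seen at login; a request whose values
   differ is flagged.
2. Transaction verification / user profiling: a payment is checked
   against a white list of target accounts, a monthly limit and a simple
   statistical profile of the customer's past amounts.

Names, sessions, profiles and thresholds are assumptions for the example.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set


@dataclass
class Session:
    user: str
    client_ip: str       # address seen at login
    tls_session_id: str  # SSL/TLS session identifier seen at login


def hijack_indicators(session: Session, request: Dict[str, str]) -> List[str]:
    """Compare a request's binding parameters with those stored at login.
    A replayed session cookie normally arrives from another address and
    another TLS session, so both mismatches are reported separately."""
    reasons = []
    if request["client_ip"] != session.client_ip:
        reasons.append("ip_changed")
    if request["tls_session_id"] != session.tls_session_id:
        reasons.append("tls_session_changed")
    return reasons


@dataclass
class Profile:
    known_accounts: Set[str]   # white list of previously used target accounts
    monthly_limit: float       # CHF allowed per month (constructed policy)
    spent_this_month: float
    past_amounts: List[float]  # history used as the "normal behaviour" baseline


def verify_transaction(profile: Profile, amount: float, target_account: str,
                       z_threshold: float = 3.0) -> List[str]:
    """Return the reasons a payment deviates from the customer's normal
    behaviour; an empty list means the payment looks normal."""
    reasons = []
    if target_account not in profile.known_accounts:
        reasons.append("unknown_target_account")
    if profile.spent_this_month + amount > profile.monthly_limit:
        reasons.append("monthly_limit_exceeded")
    # Statistical check: only meaningful with some history and non-zero spread.
    if len(profile.past_amounts) >= 5:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if sigma > 0 and (amount - mu) / sigma > z_threshold:
            reasons.append("amount_unusual")
    return reasons


# Constructed sample data: a login binding, a follow-up request from the same
# client and a request that reuses the session from somewhere else.
LOGIN = Session(user="alice", client_ip="198.51.100.7", tls_session_id="sess-a1b2")
SAME_CLIENT = {"client_ip": "198.51.100.7", "tls_session_id": "sess-a1b2"}
OTHER_CLIENT = {"client_ip": "203.0.113.9", "tls_session_id": "sess-zz99"}

ALICE = Profile(known_accounts={"80-1111-1", "01-2222-2"}, monthly_limit=2000.0,
                spent_this_month=1800.0,
                past_amounts=[120.0, 80.0, 150.0, 95.0, 110.0, 130.0])


def run_demo() -> Dict[str, List[str]]:
    """Run both checks on the constructed data and collect the findings."""
    return {
        "same_client": hijack_indicators(LOGIN, SAME_CLIENT),
        "other_client": hijack_indicators(LOGIN, OTHER_CLIENT),
        "normal_payment": verify_transaction(ALICE, 130.0, "80-1111-1"),
        # amount and account taken from the deck's transaction-signing slide
        "suspicious_payment": verify_transaction(ALICE, 455.0, "84-1234-5"),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

In practice an IP change is not proof of hijacking (mobile networks and NAT change addresses during a session), so these findings usually feed a risk score that triggers re-authentication or a second-channel confirmation rather than an automatic block, and the white list needs a path for first-time payees that runs through that second channel.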
Security Trends::Security Measures
Second Channel
- Send verification using another channel
- Another application on the client computer
- Another medium like mobile phones (SMS)
Secured Channel
- Enter data on an external device
- External device can not be controlled by a Trojan
- External device contains a secret key
Security Trends::Security Measures
Secure Platform
- A computer that is only used for eBanking
- Bootable CD-ROM, bootable USB stick
- Virtual machine
- eBanking laptop
Secure Environment
- Start an application (e.g. a browser) that protects itself from Trojans
- Stripped-down browser
- Proprietary application (fat client)
- Verify the environment before login is possible
Security Trends::Security Trends
Current client security approaches:
A) Secured Application/Virtualization
- Hardened browser on USB stick
- Application to secure the client
- Virtual operating system on host system
- Bootable CD-ROM/USB stick
B) Transaction Signing
- Transaction details and unlock code on mobile (SMS)
- External device with SmartCard
- Read information from screen and decrypt on external device
Security Trends::Security Trends
A) Secured Application/Virtualization
[Diagram: four layered stacks (HW / OS / API / Apps / Browser) showing where protection is applied: No virtualization; Application Protection; Application and API Protection; HW Virtual Machine]
Solutions (some examples):
- Portable Apps, Thinstall
- CLX Stick, Kobil mIdentity
- Browser Appliance (e.g. VMWare, VirtualPC, etc.)
Security Trends::Security Trends
B) Transaction Signing
[Diagram: User, Computer, Device and eBanking server]
1. User enters the payment on the computer
2. eBanking browser sends the payment to the bank
3. Bank returns an encrypted unlock-code; the unlock-code is delivered on the second channel and shown on the device: "Amount: CHF 455.00, Account: 84-1234-5, Unlock-Code: ABCD"
4. User reads the transaction on the device, compares it with the entered payment and enters the unlock-code
5. Browser sends the unlock-code to the bank
Devices (some examples): mobile phones, IBM ZTIC, EMV CAP, Axsionics, TriCipher
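The flow on this slide, and the "secured channel" property from the Security Measures slide (an external device holding a secret key that the Trojan cannot control), written out as an added example. This is not code from the deck and not the protocol of any of the listed products: the slide's "encrypted unlock-code" is modelled as an HMAC-authenticated message under a key shared between bank and device, which is an assumption made for the example, and the key, the attacker account and the message format are constructed. The point it shows is why the user's comparison step matters: a Trojan that rewrites the payment in the browser sees its rewritten details appear on the device, and a Trojan that also rewrites what is forwarded to the device is refused by the device because it cannot produce a valid tag.

```python
"""Transaction signing with an external device (added example, not the
deck's code and not any listed product's protocol).

Flow modelled from the slide: the bank authenticates the transaction
details for the device with a key the Trojan-controlled computer does not
have; the device displays amount, account and unlock code; the user
compares the display with the payment entered and types the code into the
browser; the bank executes only if the code matches the transaction it
holds.  The shared key, account numbers and encoding are constructed.
"""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed key shared between the bank and the customer's device.
DEVICE_KEY = b"example-device-key-not-for-real-use"


def canonical(amount_chf: float, account: str) -> bytes:
    """Fixed encoding of the two fields the unlock code must bind."""
    return f"{amount_chf:.2f}|{account}".encode()


def unlock_code(key: bytes, amount_chf: float, account: str) -> str:
    """Six-digit unlock code derived from the transaction details."""
    mac = hmac.new(key, b"unlock|" + canonical(amount_chf, account), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_challenge(tx: dict, key: bytes) -> dict:
    """Bank: authenticate the details the device is going to display."""
    tag = hmac.new(key, b"display|" + canonical(tx["amount"], tx["account"]),
                   hashlib.sha256).hexdigest()
    return {"amount": tx["amount"], "account": tx["account"], "tag": tag}


def device_display(challenge: dict, key: bytes) -> Optional[dict]:
    """Device: refuse to display anything the bank did not authenticate."""
    expected = hmac.new(key, b"display|" + canonical(challenge["amount"], challenge["account"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return None
    return {"amount": challenge["amount"], "account": challenge["account"],
            "code": unlock_code(key, challenge["amount"], challenge["account"])}


def bank_verify(tx: dict, code: str, key: bytes) -> bool:
    """Bank: the code only matches the transaction it was derived from."""
    return hmac.compare_digest(unlock_code(key, tx["amount"], tx["account"]), code)


Tamper = Optional[Callable[[dict], dict]]


def run_payment(entered: dict, tamper_payment: Tamper = None,
                tamper_display: Tamper = None) -> str:
    """Walk through the flow on the slide and report the outcome.

    tamper_payment models a Trojan rewriting the payment the browser sends;
    tamper_display models it also rewriting what is forwarded to the device.
    """
    sent = dict(entered) if tamper_payment is None else tamper_payment(dict(entered))
    challenge = bank_challenge(sent, DEVICE_KEY)
    if tamper_display is not None:
        challenge = tamper_display(dict(challenge))
    shown = device_display(challenge, DEVICE_KEY)
    if shown is None:
        return "device_rejected"            # display data was not authenticated by the bank
    if (shown["amount"], shown["account"]) != (entered["amount"], entered["account"]):
        return "user_detected_mismatch"     # user refuses to enter the code
    return "executed" if bank_verify(sent, shown["code"], DEVICE_KEY) else "bank_rejected"


# Constructed payment using the values from the slide.
ENTERED = {"amount": 455.00, "account": "84-1234-5"}


def modify_target_account(tx: dict) -> dict:
    """Modelled Trojan behaviour from the deck: change the transaction on the fly."""
    tx["account"] = "99-0000-0"  # constructed, attacker-chosen account
    return tx


def show_original(challenge: dict) -> dict:
    """Modelled Trojan behaviour: present the entered details to the device, keeping the bank's tag."""
    challenge.update({"amount": ENTERED["amount"], "account": ENTERED["account"]})
    return challenge


if __name__ == "__main__":
    print("honest browser:", run_payment(ENTERED))
    print("modified payment:", run_payment(ENTERED, tamper_payment=modify_target_account))
    print("modified payment and display:", run_payment(ENTERED, modify_target_account, show_original))
```

The design choice that matters is that the device never trusts the computer: what it displays is authenticated by the bank, and the code it produces is bound to exactly the displayed amount and account, so there is no way to obtain a code for one transaction that the bank will accept for another. A device that only showed a static one-time password would give the Trojan nothing to compare against and would not catch the on-the-fly modification the deck describes.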
Security Trends::Security Trends
[Product pictures: Axsionics Internet Passport, SmartCard Reader, IBM ZTIC, TriCipher Armored Transactions, Crealogix CLX Stick, Kobil mIDentity]
Outlook / Thesis
Security Trends::Outlook / Thesis
Personal Risk Management!
How do we manage our personal financial risk?
- Only as much money as we need at home or in the wallet
- Different bank accounts for different purposes
- Limits on bank accounts or ATM cards
- Insurance for damages we can not afford
Applied to eBanking
- Only the required amount of money accessible by eBanking
- Move savings to other accounts / banks
- Set a limit on payment amount per month
- Insurance for eBanking losses?
Security Trends::Outlook / Thesis
We need different solutions for different clients!
- Big/medium companies: separate computer only for eBanking and finance work; no connections to the Internet except for eBanking
- Small companies / private people: secure applications/virtualization; transaction signing
Security Trends::Outlook / Thesis
Other Ideas!
- Computer only for eBanking: cheap laptops ($100) only for eBanking; boot from USB stick or CD-ROM
- Pool for eBanking claims: take the model of the credit card industry; cover claims with insurance
Security Trends::Outlook / Thesis
What's going on in the future
- More Trojans will be installed on client computers
- The banks will deliver secure devices / secured applications
- The criminals will focus on weaker eBankings in the beginning
- They will eventually attack the eBankings with secure devices / secure applications; especially the social engineering attacks will be improved
- Attacking other applications may become more interesting
Like in reality: where the money is, there are the thieves.
Security Trends::Outlook / Thesis
Is eBanking still safe?
Alternatives:
- Retrieve your money at the bank and pay at the post office
- Fill out a payment order and send it to your bank by snail mail
- Send your bank a fax/letter with a payment order
eBanking is safer than old style payment methods! Users have to learn the threats and precautions of the new technology!
Security Trends::References
- Cheap laptops for 75 dollars: http://www.pressetext.de/pte.mc?pte=080111021
- Symantec SilentBanker Trojan description: http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-100999&tabid=2
- Google research about the distribution of malware: http://research.google.com/archive/provos-2008a.pdf
- Malware distribution, by Compass Security: http://www.csnc.ch/misc/files/publications/verbreitung_malware_v1.0.pdf
- Symantec Internet Security Threat Report July-December 2007: http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
- Bürgerkarte, a SmartCard for everyone in Austria: http://www.buergerkarte.at/
- MELANI semi-annual report II/2007: http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=de
Security Trends::References (continued)
- Risk analysis of Austrian banks: http://www.a-sit.at/pdfs/20080613_studie_sicherheit_im_ebanking_nach_feedback_durch_die_wko_tcm14-86337.pdf
- Internet threat level Q1 2008, BSI Germany: http://www.bsi.bund.de/literat/lagebericht/2008_Q1_Internetlagebild.pdf
- Kobil mIDentity: http://www.kobil.com/index.php?id=49&type=7
- CLX Stick by Crealogix/EISST: http://www.crealogix.com/de/ResourceImage.aspx?raid=5141
- IBM ZTIC (Zurich Trusted Information Channel): http://www.zurich.ibm.com/ztic/
- ESS by Telekurs: http://www.telekurs-card-solutions.com/ebanking.asp
- EMV CAP at PostFinance: http://www.ergonomics.ch/isrm/page-projects-isrm/page-projects-postfinance.htm
- The Internet Passport by Axsionics: http://www.axsionics.ch/