Security Trends eBanking

September 25th 2008 Walter Sprenger [email protected] Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil

Tel.+41 55-214 41 60 Fax+41 55-214 41 61 [email protected] www.csnc.ch

Security Trends::Once upon a time

Our eBanking is secure:
- We use 128 bit SSL encryption
- Digital server certificate
- Threefold security system: username, password and strike list

"Only you have access to your account and custody account data. Login uses a threefold security system: contract number, password and strike-list code. Thanks to 128-bit encryption, secure data transfer is guaranteed."

"Your Bank" adopts the latest in encryption technology along with a host of constantly updated security measures and protocols that ensure your online banking experience remains fast, efficient and 100% secure, giving you absolute peace of mind at all times.

© Compass Security AG

www.csnc.ch

Page 2

Security Trends::Quo Vadis

eBanking Security – Quo Vadis?
- Is eBanking still safe?
- What are the security trends in eBanking?
- What can we learn from eBanking trends for other online applications?


Security Trends::Agenda
- eBanking Attacks
- Security Measures
- Outlook / Thesis


eBanking Attacks


Security Trends::eBanking Attacks

Target of attacks:
- Customer: phishing attacks, Trojan attacks
- Transmission: pharming, DNS spoofing, network interception
- Bank: web application attacks, attacks on the server

Security Trends::Client Attacks

Most promising attacks on the client:
- Phishing
  - Motivate the user to enter confidential information on a fake web site
- Simple Trojans
  - Limited to a handful of eBanking applications
  - Steal username, password and one-time password
  - Steal session information and URL and send them to the attacker
  - The attacker imports the information into his browser to access the same account
- Generic Trojans
  - In the wild since 2007, but still in development
  - Can attack any eBanking (and any web application)
  - New configuration is downloaded continuously


Security Trends::Generic Trojans

Generic Trojans:
- Infection of the client with user interaction
  - Email attachments (ZIP, EXE, etc.)
  - Email with link to a malicious web site
  - Links in social networks
  - Integrated in popular software (downloads)
  - File transfer via instant messaging/VoIP/file sharing
  - CD-ROM/USB stick
- Infection of the client without user interaction
  - Malicious web sites (drive-by)
  - Infection of trusted, popular web sites (IFRAME ...)
  - Misusing software update functionality (like the Bundestrojaner)
  - Attacks on vulnerable, exposed computers (network/wireless)

Note: About 1% of Google search query results point to a web site that can lead to a drive-by attack.


Security Trends::Generic Trojans

Features of generic Trojans:
- Hide from security tools (anti-virus/personal firewall)
- Inject code in running processes / drivers / operating system
- Capture/redirect/send data
- Download new configuration / functionality
- Remote control of the browser instance

Features useful for eBanking attacks:
- Send web pages of unknown eBanking to the attacker
- Download new patterns of eBanking transaction forms
- Modify transactions in the background (on the fly)
- Collect financial information


Security Trends::Generic Trojans

Tips and tricks:
- Every Trojan binary is unique (packed differently)
  - Not detectable by anti-virus patterns
- Trojan code is injected into other files or other processes
  - Personal firewall cannot block the communication
- Installs in the kernel
  - Full privileges on the system
  - Invisible
- Bot networks

[Figure: bot network with Bots, Proxy Bot, Bot Net Server and Bot Net Operator]


Security Trends::Generic Trojans

Traded Goods

[Figure: Traded Goods]
Source: Symantec Internet Security Threat Report July-December 2007, http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf


Security Measures


Security Trends::Security Measures

Security measures:
- Attack Detection
- Second Channel / Secured Channel
- Secure Client

Where they apply:
- Customer: Secure Client
- Transmission: Second Channel, Secured Channel
- Bank: Attack Detection

Security Trends::Security Measures

Attack Detection:
- Detect session hijacking attacks
  - Monitor and compare request parameters
  - Identify SSL session and IP address changes
- Transaction verification / user profiling
  - Statistics about normal user behaviour
  - Compare transactions with normal user behaviour
  - Whitelist of target accounts
  - Limits on transaction amount
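As an added example, not part of the original slides: a toy bank-side detector in Python that implements the checks listed above. It binds a session to the client IP address and SSL session id seen at login, and checks each payment against a per-transaction limit, a whitelist of known target accounts and the user's past payment amounts. The Session and Profile types, the check_request, check_transaction and decide functions and the sample data are constructed for this example; in a real deployment the inputs would come from the web tier and the core banking system.

```python
# Added example (not from the Compass Security slides): toy bank-side attack
# detection covering the two groups of checks on the slide:
#   - session hijacking: the session is bound to the client IP and SSL session
#     id seen at login; a change within the session is flagged
#   - transaction verification / user profiling: each payment is compared
#     with the user's normal amounts, a whitelist of known target accounts
#     and a per-transaction limit
# All type and function names and the sample data are constructed here.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    user: str
    ip: str              # client address observed at login
    ssl_session_id: str  # SSL/TLS session identifier observed at login


@dataclass
class Profile:
    past_amounts: list   # amounts (CHF) of previous, undisputed payments
    known_accounts: set  # whitelist: target accounts this user paid before
    limit: float         # hard per-transaction limit agreed with the customer


def check_request(sess: Session, req_ip: str, req_ssl_id: str) -> set:
    """Findings for one request inside an existing session."""
    findings = set()
    if req_ip != sess.ip:
        findings.add("ip_changed")
    if req_ssl_id != sess.ssl_session_id:
        findings.add("ssl_session_changed")
    return findings


def check_transaction(profile: Profile, amount: float, target: str) -> set:
    """Findings for one payment compared with the user's profile."""
    findings = set()
    if amount > profile.limit:
        findings.add("over_limit")
    if target not in profile.known_accounts:
        findings.add("unknown_target_account")
    # Compare with normal behaviour: a z-score against the user's own history.
    # Needs a few past payments, otherwise the statistic is meaningless.
    if len(profile.past_amounts) >= 5:
        mu = mean(profile.past_amounts)
        sigma = pstdev(profile.past_amounts) or 1.0  # avoid division by zero
        if (amount - mu) / sigma > 3:
            findings.add("amount_unusual")
    return findings


def decide(findings: set) -> str:
    """Policy: session anomalies end the session; transaction anomalies
    escalate to a confirmation on a second channel instead of a hard block."""
    if not findings:
        return "allow"
    if findings & {"ip_changed", "ssl_session_changed"}:
        return "terminate_session"
    return "require_second_channel_confirmation"


if __name__ == "__main__":
    # Constructed sample: a customer with a stable payment history.
    sess = Session("alice", "203.0.113.10", "sid-1")
    prof = Profile([100, 120, 95, 110, 105, 130], {"84-1234-5"}, limit=5000)
    print(decide(check_request(sess, "203.0.113.10", "sid-1")))   # allow
    print(decide(check_request(sess, "198.51.100.7", "sid-1")))   # terminate_session
    print(decide(check_transaction(prof, 4900, "84-1234-5")))     # require_second_channel_confirmation
    print(decide(check_transaction(prof, 110, "84-1234-5")))      # allow
```

The "unusual amount" rule is a plain z-score against the customer's own history and only fires once a handful of past payments exist. An IP or SSL session change ends the session outright, while transaction-level findings escalate to a second-channel confirmation rather than a hard block, so a legitimate first payment to a new payee remains possible.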


Security Trends::Security Measures

Second Channel:
- Send verification using another channel
  - Another application on the client computer
  - Another medium like mobile phones (SMS)

Secured Channel:
- Enter data on an external device
  - The external device cannot be controlled by the Trojan
  - The external device contains a secret key


Security Trends::Security Measures

Secure Platform:
- A computer that is only used for eBanking
  - Bootable CD-ROM, bootable USB stick
  - Virtual machine
  - eBanking laptop

Secure Environment:
- Start an application (e.g. browser) that protects itself from Trojans
  - Stripped-down browser
  - Proprietary application (fat client)
  - Verify the environment before login is possible


Security Trends::Security Trends

Current client security approaches:
A) Secured Application/Virtualization
  - Hardened browser on USB stick
  - Application to secure the client
  - Virtual operating system on the host system
  - Bootable CD-ROM/USB stick
B) Transaction Signing
  - Transaction details and unlock code on mobile (SMS)
  - External device with SmartCard
  - Read information from the screen and decrypt it on the external device


Security Trends::Security Trends

A) Secured Application/Virtualization

[Figure: four Browser / Apps / API / OS / HW stacks showing which layers are protected in each approach:
- No virtualization
- Application Protection
- Application and API Protection
- HW Virtual Machine]

Solutions (some examples):
- Portable Apps, Thinstall
- CLX Stick, Kobil mIdentity
- Browser appliance (e.g. VMware, VirtualPC, etc.)


Security Trends::Security Trends

B) Transaction Signing

[Figure: sequence between Device, User and Computer]
1. User: enter payment
2. Computer: the eBanking browser sends the payment
3. The unlock code reaches the device, either encrypted via the computer or on a second channel
4. Device displays: Amount: CHF 455.00, Account: 84-1234-5, Unlock-Code: ABCD
5. User: read the transaction, compare it with the entered payment, enter the unlock code
6. Computer: the browser sends the unlock code

Devices (some examples):
- Mobile phones
- IBM ZTIC, EMV CAP, Axsionics
- TriCipher
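As an added example that is not part of the original slides, and covering both the Second Channel / Secured Channel slide and the sequence above: a Python model of transaction signing with an external device. The device shares a secret key with the bank, derives the unlock code from exactly the transaction details it displays, and the bank recomputes the code over the payment it actually received. The HMAC-based code derivation, the 6-digit truncation, the key, the function names and the sample payment are assumptions made for this example; real products use their own algorithms.

```python
# Added example (not from the Compass Security slides): toy model of
# transaction signing with an external device. Device and bank share a secret
# key; the code the device shows is derived from exactly the details it
# displays, so a payment rewritten by a Trojan between browser and bank no
# longer matches the code. The HMAC construction, 6-digit truncation, names
# and sample values are assumptions made for this example.
import hashlib
import hmac


def canonical(amount_chf: str, account: str, counter: int) -> bytes:
    """Fixed encoding of the transaction both device and bank compute over.
    Field separators prevent two different (amount, account) pairs from
    producing the same byte string."""
    return f"amount={amount_chf}\naccount={account}\ncounter={counter}".encode()


def unlock_code(device_key: bytes, amount_chf: str, account: str, counter: int) -> str:
    """Code the device displays next to the amount and account (6 digits)."""
    mac = hmac.new(device_key, canonical(amount_chf, account, counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def bank_verify(device_key: bytes, amount_chf: str, account: str,
                counter: int, submitted_code: str) -> bool:
    """Bank side: recompute the code over the payment it actually received."""
    expected = unlock_code(device_key, amount_chf, account, counter)
    return hmac.compare_digest(expected, submitted_code)


def user_confirms(entered: tuple, shown: tuple) -> bool:
    """The user's step from the slide: the device display must match the entered payment."""
    return entered == shown


DEVICE_KEY = b"constructed-device-key-for-this-example"  # shared device/bank secret


def run_payment(tamper_in_browser: bool) -> str:
    """Walk through the sequence diagram; returns the outcome of the payment."""
    counter = 7                                   # per-device transaction counter
    entered = ("455.00", "84-1234-5")             # what the user typed
    # A Trojan controlling the browser may rewrite the payment before it is sent.
    received = ("455.00", "99-9999-9") if tamper_in_browser else entered
    # The payment as received by the bank reaches the device (encrypted via
    # the screen or on a second channel); the device displays it and derives
    # the code from those displayed values.
    shown = received
    code = unlock_code(DEVICE_KEY, shown[0], shown[1], counter)
    if not user_confirms(entered, shown):
        return "rejected_by_user"      # display differs from what was entered
    if bank_verify(DEVICE_KEY, received[0], received[1], counter, code):
        return "accepted"
    return "rejected_by_bank"


def code_is_bound_to_transaction() -> bool:
    """A code obtained for one payment does not unlock a different one,
    even if a Trojan captures it from the browser."""
    code_for_a = unlock_code(DEVICE_KEY, "455.00", "84-1234-5", 7)
    return not bank_verify(DEVICE_KEY, "455.00", "99-9999-9", 7, code_for_a)
```

Two layers protect the payment: the user compares the device display with what was entered (a Trojan on the computer cannot change what the device shows), and the code is tied to the displayed details, so a code captured from the browser is useless for any other payment. The counter included in the code makes an otherwise identical payment produce a different code.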


Security Trends::Security Trends

[Figure: device pictures: Axsionics Internet Passport, SmartCard reader, IBM ZTIC, TriCipher Armored Transactions, Crealogix CLX Stick, Kobil mIDentity]


Outlook / Thesis


Security Trends::Outlook / Thesis

Personal Risk Management!
- How do we manage our personal financial risk?
  - Only as much money as we need at home or in the wallet
  - Different bank accounts for different purposes
  - Limits on bank accounts or ATM cards
  - Insurance for damages we cannot afford
- Applied to eBanking
  - Only the required amount of money accessible by eBanking
  - Move savings to other accounts / banks
  - Set a monthly limit on payment amounts
  - Insurance for eBanking losses?


Security Trends::Outlook / Thesis

We need different solutions for different clients!
- Big/medium companies
  - Separate computer only for eBanking and finance work
  - No connections to the Internet except for eBanking
- Small companies / private people
  - Secure applications/virtualization
  - Transaction signing


Security Trends::Outlook / Thesis

Other Ideas!
- Computer only for eBanking
  - Cheap laptops ($100) only for eBanking
  - Boot from USB stick or CD-ROM
- Pool for eBanking claims
  - Take the model of the credit card industry
  - Cover claims with insurance


Security Trends::Outlook / Thesis

What's going on in the future:
- More Trojans will be installed on client computers
- The banks will deliver secure devices / secured applications
- The criminals will focus on weaker eBankings in the beginning
- They will eventually attack the eBankings with secure devices / secure applications; especially the social engineering attacks will be improved
- Attacking other applications may become more interesting

Like in reality: where the money is, there are the thieves.


Security Trends::Outlook / Thesis

Is eBanking still safe? Alternatives:
- Retrieve your money at the bank and pay at the post office
- Fill out a payment order and send it to your bank by snail mail
- Send your bank a fax/letter with a payment order

eBanking is safer than old-style payment methods! Users have to learn the threats and precautions of the new technology!


Security Trends::References
- Cheap laptops for 75 dollars, http://www.pressetext.de/pte.mc?pte=080111021
- Symantec SilentBanker Trojan description, http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-100999&tabid=2
- Google research about the distribution of malware, http://research.google.com/archive/provos-2008a.pdf
- Malware distribution by Compass Security, http://www.csnc.ch/misc/files/publications/verbreitung_malware_v1.0.pdf
- Symantec Internet Security Threat Report July-December 2007, http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
- Bürgerkarte, SmartCard for everyone in Austria, http://www.buergerkarte.at/
- MELANI semi-annual report II/2007, http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=de
- Risk analysis of Austrian banks, http://www.a-sit.at/pdfs/20080613_studie_sicherheit_im_ebanking_nach_feedback_durch_die_wko_tcm14-86337.pdf
- Internet threat level Q1 2008, BSI Deutschland, http://www.bsi.bund.de/literat/lagebericht/2008_Q1_Internetlagebild.pdf
- Kobil mIDentity, http://www.kobil.com/index.php?id=49&type=7
- CLX Stick by Crealogix/EISST, http://www.crealogix.com/de/ResourceImage.aspx?raid=5141
- IBM ZTIC (Zurich Trusted Information Channel), http://www.zurich.ibm.com/ztic/
- ESS by Telekurs, http://www.telekurs-card-solutions.com/ebanking.asp
- EMV CAP at PostFinance, http://www.ergonomics.ch/isrm/page-projects-isrm/page-projects-postfinance.htm
- The Internet Passport by Axsionics, http://www.axsionics.ch/
