Part III - Shodhganga: shodhganga.inflibnet.ac.in/bitstream/10603/10160/12/12_part 3.pdf
3. MATERIALS & METHODS
3.1 COMMON HACKING TECHNIQUES
3.1.1 Preface
3.1.2 Classic Attacks
3.1.2.1 Password Guessing
3.1.2.2 Brute-Force Attack
3.1.2.3 Eavesdropping
3.1.2.4 Shoulder Surfing
3.1.3 New Attacks
3.1.3.1 Off-Line Credential-Stealing Attack
3.1.3.1.1 Phishing Or Carding Or Brand Spoofing
3.1.3.1.2 Spear Phishing
3.1.3.1.3 Vishing
3.1.3.1.4 Malware
3.1.3.1.5 Pharming
3.1.3.1.6 Skimming
3.1.3.1.7 Spoofing
3.1.3.1.8 Credit Card Frauds
Common Hacking Techniques 51
3.1.3.2 On-Line Credential-Stealing Attack
3.1.3.2.1 Spyware / Key Loggers / Keystroke Logging Worms
3.1.3.2.2 Trojans / Back-Door Trojans
3.1.3.2.3 In-Session Phishing Attacks
3.1.3.2.4 Hacking Tricks toward Security on Network Environments through Instant Messaging
3.1.3.2.5 Distributed Denial of Service Attack of Botnet
3.1.3.2.6 Payment Recipient Scams
3.1.1 PREFACE
The role of banking has been redefined, and customers are becoming more discerning and
demanding. To meet their expectations, banks have to move from being mere financial
intermediaries to providers of a broad range of deposit, investment and credit services
under one roof, acting like a financial supermarket, and they have to do so with maximum
security. Customer demand for internet banking therefore increases continuously, because
e-banking offers its users transactional facilities 24x7; at the same time, banks as well as
customers are expected to be aware of the various hacking techniques in use. E-banking
also brings new possibilities for thieves, mainly because the growing problem of computer
viruses and Trojans, which can act on our computers against our will, has not been solved.
In this chapter we discuss common hacking techniques by classifying them into two
categories, classical attacks and new attacks. Examples of classical attacks are password
guessing, brute-force attack, eavesdropping and shoulder surfing.
New attacks are further divided into off-line credential-stealing attacks and on-line
credential-stealing attacks. Examples of off-line credential-stealing attacks are phishing or
brand spoofing, spear phishing, vishing, malware, pharming, skimming and credit card
frauds; examples of on-line attacks are spyware, key loggers or keystroke logging worms,
Trojans or back-door Trojans, in-session phishing attacks, hacking tricks against security in
network environments through instant messaging, distributed denial of service attacks by
botnets, and payment recipient scams. All banks that have implemented core banking
systems offer e-banking and mobile banking facilities, but with these facilities there is
always the question of security, i.e. protection of personal information from thieves.
Computer damage has been classified as [13]:
1. Computer frauds; and 2. Computer crimes
COMPUTER FRAUDS
Computer fraud in banks is the latest form of fraud and is considered the safest method of
crime, since it causes no physical injury. Computer frauds are those that involve misuse or
defalcation achieved by corrupting computer data records or programs.
COMPUTER CRIMES
Computer crimes are those committed with a computer, that is, where the computer acts as
the medium. The difference between the two is, however, only academic. A few of the
methods adopted by fraudsters are phishing, skimming, spoofing and credit card frauds.
Fig 3.1.1: Computer Crimes (Source-www.antifishing.org)
The prevalence of e-commerce in today's digital world opens the door to cyber crimes we
have never seen before. Viruses can be written for, and spread on, virtually any computer
platform.
VIRUS ATTACK
Attacks against computers and servers across the net are becoming more and more
aggressive. Computer viruses are nothing more than computer programs and can therefore
do virtually anything the programmer wants on the computers they infect. During the last
decades we have witnessed exponential growth in the number of computer viruses. The
real concern is not that a virus can make thousands of copies of itself on our computer, but
the wide range of things it can do with the data stored or processed there. One field in
which this should be considered with special care is e-banking, since these online services
are normally accessed from personal computers with low protection.
The operating systems used on these computers tend to sacrifice security for the
convenience of the user. Under such circumstances it is very easy for an attacker to
implement a man-in-the-middle attack, and in this way an attacker could end up controlling
the money in our bank accounts [47]. A virus can also be used to automate tasks on the
computer, can delete all the data on the hard disk, can encrypt it so that the owner has to
pay to get the data restored to its original form, and can even steal private data such as
documents, system passwords and cryptographic keys [31].
ATTACKS ON PC BANKING SYSTEMS
Current PC banking systems rely mostly on password authentication, together with strong
cryptographic communication systems. The problem is that these methods are not always
robust enough for Internet banking applications. Entering a login and a password on a
secure web page for authentication is equivalent to keeping the door key under the
doormat, because any program executing on our computer, such as a virus, a Trojan or
other malware, can gain access to them.
We might think that a system such as UNIX, where only the operating system can access
all the memory and each program is limited to its own memory space, is immune to such
an attack. This is definitely wrong. A virus could infect the browser program, inserting code
into it that steals the information from memory. The operating system cannot distinguish
"good" code from "malicious" code, so it will never notice. Moreover, sometimes it is
enough to steal the file in which the critical information is stored together with the
password(s) used to secure it. All that is needed is a virus that waits until the user enters
the password to access the critical information and then sends it over the network together
with the file in which the secret keys are stored.
Furthermore, sometimes the access password is so simple that it can be broken with a
dictionary attack. The following figure shows a password snatching attack against a
generic internet banking application [31]:
Fig 3.1.2: Password Snatching Attack
VIRUSES AND ANTIVIRAL TECHNIQUES
Viruses can be written to work under any known operating system, and there are also
viruses written in macro languages such as MS Word macros and in JavaScript (a web-
based language that allows code to be embedded in web pages). A virus can normally be
executed only under the operating system for which it was created. Even though some
operating systems, such as UNIX, are more difficult to attack, not even these systems are
completely safe. It is true that there are fewer viruses for these systems, but it is also true
that they exist, and with them the possibility that critical information is leaked without our
permission [31].
3.1.2 CLASSIC ATTACKS
Here we describe common, well-known attacks that have been widely used in the past and
are still in use.
3.1.2.1 Password Guessing
Password guessing is usually a dictionary-based attack in which the attacker tries to guess
our password. Usually a dictionary of many common passwords is used. When the attack
remains unsuccessful after the predefined set of passwords has been tried, the attacker
moves on to another user.
3.1.2.2 Brute-Force Attacks
An exhaustive search, known as a brute-force attack, is based on trying a large number (or
all) of the possible passwords or secret keys. The following figure shows a model of a
simple brute-force attack on a Norwegian internet bank.
As the figure shows, the attacker selects a Social Security Number (SSN) from a list of
customers' SSNs and then attempts to log in with randomly chosen Personal Identification
Numbers (PINs) until the correct PIN is found or the attack is detected [33].
Fig 3.1.3: Brute-Force Attack Model
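To make the guessing and brute-force models of sections 3.1.2.1 and 3.1.2.2 concrete, the following simulation is added here; it is not part of the thesis or of the cited model [33]. A toy login endpoint implements the two controls a bank would use against the SSN + PIN attack, a per-account lockout and a per-source-address failure alert, and two attacker strategies are run against it: the "vertical" brute force of one account shown in the figure, and the "horizontal" dictionary attack that tries one common PIN against every account per round so that no single account reaches the lockout threshold. The customer table, the PIN dictionary, the client address and the thresholds are constructed for the demonstration and are not data from the source.

```python
"""Added example (not from the thesis): the SSN + PIN guessing attack of the
figure above, run against a toy login endpoint with the two controls a bank
would have in place: a per-account lockout and a per-source failure alert.
It also shows the attacker's counter-move, "horizontal" guessing (one PIN
against every account per round), which the per-account lockout alone
does not stop. The customer table, PIN dictionary and thresholds are
constructed for the demonstration; none of it is data from the source.
"""
from collections import defaultdict

# Constructed customer table: SSN -> 4-digit PIN. Two of the PINs appear in
# the attacker's small dictionary of common PINs.
CUSTOMERS = {
    "01017012345": "1234",
    "15068054321": "4711",
    "22129067890": "0000",
    "30031098765": "8362",
}
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777"]

LOCKOUT_THRESHOLD = 3        # failed attempts on one account before it is locked
SOURCE_ALERT_THRESHOLD = 5   # failed attempts from one client address before alerting


class BankLogin:
    """Minimal model of the bank's login endpoint and its detection controls."""

    def __init__(self, customers):
        self.customers = customers
        self.failures = defaultdict(int)         # per account
        self.source_failures = defaultdict(int)  # per client address
        self.locked = set()
        self.alerts = []

    def attempt(self, ssn, pin, source):
        if ssn in self.locked:
            return "locked"
        if self.customers.get(ssn) == pin:
            self.failures[ssn] = 0
            return "ok"
        self.failures[ssn] += 1
        self.source_failures[source] += 1
        if self.failures[ssn] >= LOCKOUT_THRESHOLD:
            self.locked.add(ssn)
        if self.source_failures[source] == SOURCE_ALERT_THRESHOLD:
            self.alerts.append(source)
        return "fail"


def vertical_attack(bank, ssn, source="198.51.100.7"):
    """Brute force one account: try every PIN in order until success or lockout."""
    for n in range(10000):
        result = bank.attempt(ssn, f"{n:04d}", source)
        if result == "ok":
            return f"{n:04d}"
        if result == "locked":
            return None
    return None


def horizontal_attack(bank, pins, source="198.51.100.7"):
    """Dictionary attack across accounts: one PIN per round against every SSN,
    so no account accumulates enough failures to be locked."""
    cracked = {}
    for pin in pins:
        for ssn in list(bank.customers):
            if ssn not in cracked and bank.attempt(ssn, pin, source) == "ok":
                cracked[ssn] = pin
    return cracked


def run_demo():
    """Run both strategies against fresh endpoints and report what each control saw."""
    b1 = BankLogin(CUSTOMERS)
    pin = vertical_attack(b1, "30031098765")
    b2 = BankLogin(CUSTOMERS)
    cracked = horizontal_attack(b2, COMMON_PINS[:2])  # two rounds stay under the lockout
    return {
        "vertical_pin": pin,
        "vertical_locked": "30031098765" in b1.locked,
        "horizontal_cracked": cracked,
        "horizontal_locked": sorted(b2.locked),
        "horizontal_alerts": b2.alerts,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vertical attack is stopped by the lockout after three guesses without recovering the PIN, whereas two rounds of horizontal guessing recover both weak PINs while no account is locked; only the per-source counter raises an alert. This is why the detection point in the figure has to be a rate limit across accounts and sources, not a per-account counter alone.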
3.1.2.3 Eavesdropping
Eavesdropping is listening to a communication without the speaker's knowledge. It is
usually a component of a man-in-the-middle (MITM) attack.
3.1.2.4 Shoulder Surfing
One of the oldest and most common threats to online banking security is "shoulder
surfing". It is as simple as an unauthorized person watching over the account holder's
shoulder as the user conducts an online banking session. If this person can view the user's
keyboard, they will be able to see the IDs and passwords used to access the system [16].
In this method the unauthorized person keeps an eye on a user who is busy performing
account operations and tries to see the IDs and passwords.
3.1.3 NEW ATTACKS
All internet banking authentication methods can be classified according to their resistance
against two common types of attack:
1) Off-Line Credential-Stealing Attack; and
2) On-Line Credential-Stealing Attack
3.1.3.1 Off-Line Credential-Stealing Attack
In this type of attack, hackers try to steal users' private information from client PCs that
have insufficient protection [36]. As the following figure shows, hackers use malicious
software such as Trojan horses, or tactfully obtain the user's identification through phishing
or pharming, or through a combination of phishing and pharming [35].
Fig 3.1.4: Offline Credential Stealing Attack Scenario
3.1.3.1.1 Phishing / Carding / Brand Spoofing
The word "phishing" first appeared in 1996. It is a variant of 'fishing', formed by replacing
the 'f' with the 'ph' of 'phone'. It means tricking users out of their money through e-mails
[46]. It is a form of online identity theft that aims to steal sensitive information, such as
online banking passwords and credit card information, from users. The last years have
brought a dramatic increase in the number and sophistication of such attacks. Attackers
employ a large number of technical spoofing tricks, such as URL obfuscation and hidden
elements, to make a phishing web site look authentic to the victims.
Phishing attacks use a combination of social engineering and technical spoofing
techniques to convince users to give away sensitive information (e.g., through a web form
on a spoofed web page) that the attacker can then use for financial profit [42]. It is a
method in which hackers appropriate the trusted brands of well-known financial
institutions and tactfully ask users for personal identification through fake web site forms.
These attacks are harmless as long as the user ignores and deletes the e-mail. But if the
user responds, the attackers will try their best to obtain the user's account information. So
we can define phishing as "the act of convincing users to provide personal identification
information, such as social security numbers or bank information, for explicit illegal use"
[37].
Among all the cyber crimes targeting e-banking systems, the phishing attack has become
one of the most serious threats. In the main form of phishing attack, the criminals (called
phishers) set up fake e-banking/e-payment web sites and then send phishing e-mails to
potential victims, who may be lured into visiting the phishing sites and exposing their
sensitive credentials to the phishers. The credentials harvested normally include bank
account numbers, passwords or PINs, e-banking TANs (transaction authentication
numbers), credit card numbers and security codes, social security numbers, and so forth.
With the collected credentials, the phishers can log in to the genuine e-banking/e-payment
system and steal the victim's money.
There are also many other, more advanced forms of phishing attack, such as the following
[44]:
• Phishers get phishing sites indexed by search engines (via search engine optimization
tricks) and then wait for victims to visit them;
• Phishers use cross-site scripting (XSS) to inject links to phishing sites into legitimate
sites;
• Spy-phishing (or malware-based phishing): phishers rely on spyware/malware such as
Trojan horses and key loggers to collect sensitive credentials;
• Pharming: phishers misdirect potential victims to phishing sites through DNS
poisoning.
Phishers can also tailor the contents of the phishing mails, and even of the phishing sites,
to targeted victims; this is called spear phishing or context-aware phishing. This kind of
phishing attack has become much easier nowadays, because more and more personal
information is publicly available on online social networks. The following diagram shows
the information flow of a typical phishing attack [44]:
Fig 3.1.5: Information flow of a typical phishing attack
The figure shows seven steps; cutting off any one of them stops the phishing attack [44].
TYPES OF PHISHING ATTACKS
i) Spoofing E-Mails and Web Sites
Phishing attacks fall into several categories [42]:
a) By Spoofing E-mails
Phishing can be defined as a method that exploits people's sympathy in the form of aid-
seeking e-mails; the e-mail acts as the bait. These e-mails usually request their readers to
visit a link that seemingly leads to some charitable organization's web site but in truth
leads to a web site that installs a Trojan program on the reader's computer. Users should
therefore not forward unauthenticated charity mails or click on unfamiliar links in an
e-mail. Sometimes the link looks like a very familiar link or an often-visited web site, but
even then it is safer to type in the address yourself so as to avoid being taken to a
fraudulent web site. Phishers cheat people by sending e-mails that resemble those of
well-known enterprises or banks; these e-mails often ask users to provide personal
information, or threaten them with the loss of their personal rights, and usually contain a
counterfeit URL that links to a web site where the users can fill in the required information.
One must also be careful when using a search engine to search for donations and
charitable organizations [46]. Perhaps the most common and nasty phishing attack was the
Nigerian general's widow e-mail, asking for your cooperation in transferring a huge sum
into your account. Today the attack has been modified: the user receives an e-mail from
some bank asking customers to update their account information. A user who has an
account with that bank could easily be fooled by it and click on the bank's URL.
Unfortunately this takes the user to a phony web site created by the sender of the e-mail.
After entering bank account details such as username and password, the user is left
wondering whether the details were entered incorrectly, while the fake site has been busy
gathering the username and password.
These attacks are harmless as long as the user ignores and deletes the e-mail. But if the
user responds, his account information can be stolen [16]. The earliest forms of phishing
attack were e-mail based and date back to the mid 90's. These attacks involved spoofed
e-mails sent to users in which attackers tried to persuade the victims to send back their
passwords and account information. Although such attacks may still succeed today, the
success rate from the attackers' point of view is lower, because many users have learned
not to send sensitive information via e-mail. One reason is that security-sensitive
organizations such as banks do not provide interactive services based on e-mail in which
the user has to provide a password; they use their web sites for interactive services, where
they can rely on encryption technologies such as SSL. Hence many phishing attacks now
rely on a more sophisticated combination of spoofed e-mails and web sites to steal
information from victims. Such attacks are the most common form of phishing today.
b) By Web Sites
Phishers can write a web browser script that opens a new browser window with no address
bar at all. Phishers then use simple "HTML form elements, style sheets, and JavaScript to
create very real, functional imitations of the browser's address bar". In an even less
complicated scheme than a spoofed address bar, phishers register a cousin domain name
for a fraudulent web site. A cousin domain name looks almost exactly like the domain
name of a legitimate institution but with a slight modification. For example, a phisher
could register www.eastern-bank.com to impersonate www.easternbank.com.
Malware attacks involve the installation and execution of malicious software on a victim's
personal computer [41]. In a typical spoofed-web-site attack, the attackers send a large
number of spoofed e-mails that appear to come from a genuine organization such as a
bank to random users and urge them to update their personal information. The victims are
then directed to a web site under the control of the attacker. This site looks and feels like
the familiar online banking web site, and users are asked to enter their personal
information. Because the victims interact directly with a web site they believe they know,
the success rate of such attacks is much higher than that of e-mail-only phishing attempts.
c) By Instant Messaging Systems
Attackers have also started to use instant messaging systems such as ICQ or
infrastructures such as Internet Relay Chat (IRC) to convince and direct users to spoofed
web sites. Once the victim follows a spoofed link, attackers employ various techniques to
avoid raising suspicion and to present the phishing web site as authentically as possible.
For example:
i) use of URLs and host names that are obfuscated and modeled so that they look valid to
inexperienced users;
ii) use of real logos and corporate identity elements from the valid web site. Some attacks
also make use of hidden frames and images as well as JavaScript code to control the way
the page is rendered by the victim's browser.
ii) Exploit-Based Phishing Attacks
Some phishing attacks are technically more sophisticated and make use of well-known
vulnerabilities in popular web browsers such as Internet Explorer to install malicious
software, i.e. malware, that collects sensitive information about the victim. For example, a
key logger might be installed that logs all pressed keys whenever the user visits a certain
online banking web site. Another possibility for the attacker is to change the proxy settings
of the user's browser so that all web traffic the user initiates passes through the attacker's
server, a typical man-in-the-middle attack. Against exploit-based phishing attacks, as well
as other security threats directly related to browser security such as worms, Trojans and
spyware, browser manufacturers need to make sure that their software is bug-free, and
users need to be up to date with the latest security fixes.
A real-world spoofed-web-site phishing attack example: On February 18th 2005, a mass
e-mail was sent to thousands of Internet users asking them to verify their Huntington
online banking account details. The e-mail claimed that the bank had a new security
system and that account verification was necessary. The attackers had apparently inserted
the legitimate URL https://onlinebanking.huntington.com/login.asp of the bank's online
banking web site as the visible link text. However, the link actually pointed to a spoofed
page on the server with IP address 210.95.56.101. The aim of the attack was to steal the
victim's account credentials, credit card information, and personal information such as the
social security number. Once the victim entered the requested information, the phishing
site redirected to the legitimate bank's web site [42].
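The two link-level tricks described in this section, a visible URL that differs from the real link target (the Huntington e-mail, whose link text was the bank's URL while the href pointed at a raw IP address) and a "cousin" domain such as www.eastern-bank.com standing in for www.easternbank.com, can both be checked mechanically before a user clicks. The following analyser is added as an example and is not code from the thesis or from the cited studies; the protected-domain list, the sample mail body and the edit-distance threshold are assumptions constructed for the demonstration.

```python
"""Added example (not from the thesis): flag phishing-style links of the
two kinds described above: a link whose visible text is a legitimate bank
URL but whose href points at a raw IP address (the Huntington case), and a
"cousin" domain that differs from a protected brand domain by a small edit
(www.eastern-bank.com vs. www.easternbank.com). PROTECTED_DOMAINS,
SAMPLE_HTML and the distance threshold are constructed assumptions.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of legitimate bank host names being protected.
PROTECTED_DOMAINS = ("easternbank.com", "onlinebanking.huntington.com")
# Something that looks like a host name inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample mail body, modelled on the attack described above.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:
<a href="http://210.95.56.101/login.asp">https://onlinebanking.huntington.com/login.asp</a></p>
<p><a href="https://www.eastern-bank.com/secure">Eastern Bank login</a></p>
<p><a href="https://www.easternbank.com/">www.easternbank.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character cousin domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the reasons a link looks like phishing (empty list if none)."""
    host = (urlsplit(href).hostname or "").lower()
    reasons = []
    if is_ip(host):
        reasons.append("href host is a raw IP address")
    shown = URL_IN_TEXT.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("visible URL host differs from href host")
    reg = registrable(host)
    for legit in PROTECTED_DOMAINS:
        legit_reg = registrable(legit)
        brand = legit_reg.split(".")[0]
        if reg == legit_reg:
            continue  # genuinely the protected domain (or a subdomain of it)
        # Cousin domain (small edit of the brand) or the brand name buried in
        # a host whose registrable part belongs to someone else.
        if 0 < edit_distance(reg, legit_reg) <= 2 or brand in host:
            reasons.append(f"impersonates {legit_reg}")
    return reasons


def scan_html(html):
    """Map every href in the document to its list of phishing indicators."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, why in scan_html(SAMPLE_HTML).items():
        print(href, "->", why or "no indicators")
```

Run against the sample, the Huntington-style link is flagged twice (raw IP host, and visible host differing from the href host), the hyphenated cousin domain is flagged as impersonating easternbank.com, and the genuine link produces no indicator. The registrable-domain guess and the "brand name in host" rule are deliberately crude; a production filter would use a public-suffix list and accept some false positives on unrelated names that happen to contain the brand.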
3.1.3.1.2 Spear Phishing
Spear phishing attacks are focused on a selected organization. The goal can be financial
benefit, compromise of confidential information, or loss of confidence in the organization.
The substantial difference from ordinary phishing is the apparent source of the fake
message. In spear phishing the sender appears to be an authentic person in whom the
victims have confidence. The fraudster collects information on the victim from social
networking web sites and other resources and uses it to generate a highly credible e-mail
[45]. The attacker takes advantage of publicly available data and misuses it in a
socio-technical attack. The structure of these attacks is as follows:
The attacker chooses an organization that holds valuable information. By analysing its
web pages he gains information about the personnel structure, employees and procedures
of the organization. Personal pages or discussion forums can be used to acquire detailed
information about employees.
In the next step a fake message is created whose form, contents and appearance imitate
real internal communication in the organization. In the fake message, employees are asked
to enter sensitive information usable for access to the internal computer network. The
stated reason might be, for example, testing of a new information system, and of course a
URL leading to this "new information system" is provided for the user's convenience.
Information about the personnel structure is used to increase credibility; usually a member
of the IT department figures as the sender. Trusting employees enter their information into
the fake web page created by the attacker and thereby enable him to access the real system.
Detecting a targeted attack is problematic particularly because of the exploitation of the
existing relationship between the apparent sender of the fake message and its receiver:
attackers utilize the authority of the sender's position together with the apparent legitimacy
and competence of the request. Well-organized groups usually stand behind spear phishing
attacks, which are part of espionage against industry, military and governmental
organizations. Individual hackers are usually not engaged in this kind of attack.
3.1.3.1.3 Vishing
Vishing (voice phishing) is a newer kind of attack, similar to phishing in the way it tricks
the victim into giving away sensitive information. Vishing is a social engineering attack on
bank services carried out through the telephone system. Vishers use a war dialer
configured to dial all numbers in a given area. The person answering is informed that
his/her credit card has been used fraudulently and is encouraged to dial a given number. If
the victim dials the number, they are instructed to enter their credit card number, the
three-digit CVV security code and other identification credentials. After the call the visher
has all the information needed to use the victim's credit card [29]. Vishing sometimes uses
fake caller-ID data to give the appearance that calls come from a trusted organization [39].
3.1.3.1.4 Malicious Code / Malware
A malware attack is more harmful than other forms of information security (IS)
vulnerability in that its impact is generally not limited to one or a few entities; rather, it is
normal for a large number of organizations to be affected at once, and to a substantial
degree. Malware, short for malicious software, is typically used as a catch-all term for the
class of software designed to cause damage to any device, be it an end-user computer, a
server or a computer network. The expression is generally used by computer professionals
to describe a variety of hostile, intrusive or annoying software. Software is considered
malware based on the perceived intent of its creator rather than on any particular features.
Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware,
dishonest adware, and other malicious and unwanted software. Malware should not be
confused with defective software, that is, software which has a legitimate purpose but
contains harmful bugs [37].
Malware is software that fulfils the harmful intent of an attacker. Current systems for
detecting malicious code (most prominently virus scanners) are largely based on syntactic
signatures: a program is declared malware when one of the signatures is found in the
program's code. Recent work has demonstrated that techniques such as polymorphism and
metamorphism successfully evade commercial virus scanners. The reason is that syntactic
signatures are ignorant of the semantics of the instructions [39]. The amount of malware
has increased since its breakthrough in 1986 due to new technologies, especially the
internet. The time taken by a virus to become prevalent over the years is shown in the
following table [43]:
Table 3.1.1: Time taken by a virus to become prevalent over the years
(Source: Orshesky, 2002)
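The point made above, that a syntactic signature matches bytes rather than behaviour and is therefore defeated by polymorphism, can be shown with a few lines of code. The example below is added here and is not from the thesis or from [39]; it uses a harmless marker string as the "payload" and a toy packer format (a three-byte tag, a one-byte key, then the XOR-encoded body) constructed for the demonstration, not the format of any real sample or scanner. A plain byte-pattern scanner is compared with a scanner that first emulates the decoder stub and inspects the decoded body.

```python
"""Added example (not from the thesis): why a syntactic signature misses
polymorphic variants of the same code. The "payload" is a harmless marker
string and the packer (3-byte tag, 1-byte key, XOR-encoded body) is a toy
format constructed for this demonstration, not the format of any real
sample or scanner.
"""
PAYLOAD = b"MARKER: stands in for a malicious routine"
SIGNATURE = b"MARKER: stands in"      # the byte pattern a scanner would carry
TAG = b"XOR"                          # marks the toy decoder stub


def syntactic_scan(sample, signatures=(SIGNATURE,)):
    """Classic signature matching: flags only exact byte substrings."""
    return [s for s in signatures if s in sample]


def pack(payload, key):
    """Toy polymorphic packer: XOR the body with a per-sample key byte, so
    every variant has different bytes while its behaviour is unchanged."""
    if not 0 < key < 256:
        raise ValueError("key must be 1..255")
    return TAG + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample):
    """Emulate the decoder stub: if the tag is present, undo the XOR."""
    if len(sample) < 4 or sample[:3] != TAG:
        return None
    key = sample[3]
    return bytes(b ^ key for b in sample[4:])


def semantic_scan(sample, signatures=(SIGNATURE,)):
    """Look past the encoding: scan both the raw bytes and the decoded body."""
    hits = syntactic_scan(sample, signatures)
    body = unpack(sample)
    if body is not None:
        hits += [s for s in syntactic_scan(body, signatures) if s not in hits]
    return hits


def demo(keys=(0x5A, 0xA7, 0x13)):
    """Produce one variant per key and compare the two detection approaches."""
    variants = [pack(PAYLOAD, k) for k in keys]
    return {
        "plain_syntactic": syntactic_scan(PAYLOAD),
        "variants_distinct": len(set(variants)) == len(variants),
        "variant_syntactic": [syntactic_scan(v) for v in variants],
        "variant_semantic": [semantic_scan(v) for v in variants],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Each key yields a variant with different bytes, the syntactic scanner matches none of them, and the scanner that emulates the stub matches all of them. A real scanner would have to recognise (or emulate) the decoder itself, and a metamorphic engine that also rewrites the stub is the attacker's next step; that is the arms race the cited work describes.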
Malware and Phishing
This is a combination of malware and phishing. Information gained by malware can be
used to increase the credibility of phishing pages, and the malware can also affect the
targeted computer itself.
3.1.3.1.5 Pharming
Pharming can be defined as a method in which a weakness in DNS server software is
misused to redirect a web site's traffic to a fake site. This form of attack gives the user no
prior warning. The user simply enters the URL of his bank's web site, but instead of being
taken to the bank's web site, he is automatically redirected to the fake site.
Thus in DNS-based pharming the scammers never have to access the user's machine in
any way [16]. Users can protect their information and transactions by keeping antivirus and
anti-hacking software installed and up to date.
Difference between Phishing and Pharming
Phishing involves attracting the target to a particular web site through an e-mail, while
pharming is even more dangerous as it does not even let the target know that an attack is
in progress [16].
Redirecting somebody automatically to another site through DNS poisoning: If the
hacker can gain access to a user's DNS server and exchange the IP address of the bank's
web site for the IP address of his own web site, the user will automatically be redirected to
the fake web site instead of the original one. So the humble DNS server, which nobody
suspects of doing anything, has become the target of attack in pharming. The technique is
called DNS poisoning.
Many broadband service providers use simple Ethernet cables, hubs and switches to
extend Internet access to their subscribers. In such a setup it is very easy for one
subscriber to see the traffic of others. Someone with malicious intent can use DNS
spoofing software to redirect requests for specific web sites somewhere else. This can even
happen on corporate networks [16].
Redirecting somebody automatically to another site through the hosts file: There is
another, easier way of taking the user automatically to a fake bank web site. It is done by
modifying a tiny file that sits on most desktop machines, known as hosts. It is nothing but
a file that maps host names to IP addresses. Whenever we try to access a web site, the
machine first checks the hosts file to see whether the host name's IP address is listed there,
so if someone maps a fake IP address to a bank's host name in the hosts file, the user may
be redirected to a fake web site. For example, a Trojan that maps the host names of all the
anti-virus software sites to 127.0.0.1, which is our own local machine, prevents us from
updating our anti-virus software. This kind of Trojan can arrive as an attachment in a
nicely written e-mail [16].
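Both hosts-file manipulations described above, a bank host name pinned to an attacker's address and anti-virus update sites "sinkholed" to 127.0.0.1, leave a visible trace in the file itself, so an audit is straightforward. The following checker is added as an example and is not code from the thesis or from [16]; the sample hosts content, the list of protected bank host names and the list of update sites are constructed for the demonstration, and on a real machine the file would be read from /etc/hosts or from the Windows drivers\etc\hosts path instead.

```python
"""Added example (not from the thesis): audit a hosts file for the two
pharming patterns described above, namely a bank host name pinned to an
IP address that is not the bank's, and update/security sites sinkholed to
127.0.0.1 (or 0.0.0.0) so that anti-virus software cannot update.

SAMPLE_HOSTS, PROTECTED_HOSTS and UPDATE_HOSTS are constructed for the
demonstration; a real audit reads /etc/hosts or
C:\\Windows\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress

# Constructed allow-list: host names that must never be overridden locally
# (they belong in DNS, not in a hosts file).
PROTECTED_HOSTS = {"www.easternbank.com", "onlinebanking.huntington.com"}

# Constructed list of update/security vendor hosts a trojan would sinkhole.
UPDATE_HOSTS = {"update.example-av.com", "liveupdate.example-security.net"}

# Constructed hosts file: two clean lines, then lines a trojan appended.
SAMPLE_HOSTS = """\
# constructed hosts file for the demonstration
127.0.0.1       localhost
::1             localhost
# --- lines below were appended by the (constructed) trojan ---
203.0.113.45    www.easternbank.com
127.0.0.1       update.example-av.com
0.0.0.0         liveupdate.example-security.net
192.0.2.10      intranet.corp.example   # legitimate local override
"""


def is_sinkhole(ip):
    """Loopback or unspecified address: mapping a remote host here blocks it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Return findings as (severity, hostname, ip, reason) tuples."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and is_sinkhole(ip):
            continue  # the only mapping a clean file needs
        if name in PROTECTED_HOSTS:
            findings.append(("high", name, ip, "bank host name overridden locally (pharming)"))
        elif name in UPDATE_HOSTS and is_sinkhole(ip):
            findings.append(("high", name, ip, "security/update site sinkholed to loopback"))
        elif is_sinkhole(ip):
            findings.append(("medium", name, ip, "host sinkholed to loopback"))
        else:
            findings.append(("info", name, ip, "local override present; verify it is intended"))
    return findings


if __name__ == "__main__":
    for severity, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity}] {name} -> {ip}: {reason}")
```

Run against the sample, the bank override and both sinkholed update sites are reported as high-severity findings, while the intranet entry is reported for review only; the two localhost lines are accepted. Note that a bank host name appearing in the file is suspicious regardless of the address it maps to, since a genuine bank address is never supposed to be pinned on a customer's machine.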
Fake Bank Sites Are Easy To Create
After redirecting users to another IP address, the scamsters just have to ensure that they
have a web site that looks and functions exactly like the original bank's web site. All web
sites are created using web technologies such as HTML, ASP, JSP, XML, etc. Another
factor that helps scamsters in creating the fake site is that they can view the source code
of all the bank's web pages. In Internet Explorer, for example, the source code can be seen
by opening the View menu and choosing Source. This shows the source code of the entire
web page irrespective of whether it was delivered over plain old HTTP or over HTTPS; the
"s" in HTTPS stands for secure, but even so the source code of the web site can be seen.
Web pages can also easily be saved and hosted on another web server using a simple tool
such as FrontPage or even Notepad. In a few minutes, all the scamster then has to do is
ensure that the script behind the login button extracts the username and password and
sends them to another destination. Thus the entire process of redirecting a request for a
URL to another location is not difficult, and the saddest part is that it can all be done with
freely available tools [16].
3.1.3.1.6 Skimming
A skimmer is a card-swipe device that reads the information on a consumer's ATM card.
Scammers fit it onto an ATM, ready to capture information from unsuspecting customers,
and catch the PIN through a small camera mounted on the ATM. Fraudsters then make
imitation ATM cards using the skimmed data: they take a blank card and encode onto it all
the information read from the ATM card when it was swiped [13].
3.1.3.1.7 Spoofing
The attacker creates a false context to trick users into making an inappropriate
security-relevant decision. For example, false ATM machines have been set up; once the
attackers have the PIN they have enough information to steal from the account [13].
3.1.3.1.8 Credit Card Frauds
Credit card fraud is widespread as a means of stealing from banks, merchants and clients.
A credit card is made of three plastic sheets of polyvinyl chloride; the central sheet is
known as the core stock. These cards are of a standard size and much data is embossed on
them. Credit card fraud manifests in a number of ways, as discussed below [13]:
• Genuine cards are manipulated
• Genuine cards are altered
• Counterfeit cards are created
• Fraudulent telemarketing is done with credit cards
• Genuine cards are obtained on fraudulent applications in the names/addresses of other persons and used
3.1.3.2 On-Line Credential-Stealing Attack
In this type of attack, hackers attack in-session credentials by intercepting them as they
move between the client personal computer and the banking server. The online
channel-breaking attack scenario is shown in the following figure [36]:
Fig 3.1.6: Online Channel-Breaking Attack Scenario
3.1.3.2.1 Spyware / Key Loggers / Keystroke Logging Worms
This is the best-known kind of attack. Hackers attempt to place an unauthorized program
on the user's computer that records all of the user's keystrokes as they are typed. The
captured information is then sent to an unauthorized person, who scans it for the user's
online banking details [16].
Key loggers are thus malicious software designed to record user input events and
activities. Executing as a device driver, a key logger monitors keyboard and mouse input
[41].
3.1.3.2.2 Trojans / Back-Door Trojans
This is another kind of attack; its purpose is to place an unauthorized program on the
user's computer that enables a remote hacker to gain unauthorized access to it. The
unauthorized scammer then has the ability to monitor everything the user does on the
computer while it remains infected [16].
3.1.3.2.3 In Session Phishing Attacks
This technique is a sophisticated and highly effective next generation phishing attack
technique that is carried out while a user is in an active session with a secure banking,
brokerage, or other sensitive web application. Various utilities allow fraudsters to copy
the login page of any bank and set up a fraudulent website within minutes. Once the
website is up and running the criminals can start inviting people to “login”, usually using
emails pretending to be sent by the targeted bank. The biggest challenge phishers now
face is convincing users to open these malicious email messages and click on the links
that lead to the fraudulent websites. Users are growing more sensitive to security threats
and are more suspicious of emails from the “bank”. An in-session phishing attack occurs
while the victim is logged onto an online banking application and therefore is much more
likely to succeed. A typical attack scenario would occur as follows. A user logs onto their
online banking application to perform some tasks. Leaving this browser window open,
the user then navigates to other websites.
A short time later a popup appears, allegedly from the banking website, which asks the
user to retype their username and password because the session has expired, or to complete
a customer satisfaction survey, or to participate in a promotion, etc. Since the user has
recently logged onto the banking website, he/she will likely not suspect that this popup is
fraudulent and will provide the requested details. For in-session phishing attacks
to succeed, the following conditions are required [45]:
1. A base website must be compromised from which the attack can be launched.
2. The malware injected on the compromised website must be able to identify which
website the victim user is currently logged on to.
The first condition is easily achieved, since more than two million legitimate websites are
known to be compromised by criminals, and hundreds more are being compromised every
day. Each one of them can be used as a base for this attack. Once the website is
compromised, the attacker injects code into the website. This code does not change the
appearance of the website and does not download malware to the user's PC. Therefore it is
very hard to detect. This code is designed to search for online banking websites that
visitors are currently logged onto, and to present them with a popup that claims to be from
the banking website they are logged on to. These popups ask for login and personal
information.
Identifying the websites the user is currently logged on to is harder to achieve, but
not impossible. For example, in 2006 the blog post
http://ha.ckers.org/blog/20061108/detecting-states-ofauthentication-with-protected-images/
discussed one method that attempts to load images that are only accessible to
logged-in users. If the offending website's code is capable of loading the image, this
confirms the user is logged on. If it fails, then the user is not logged on. However, most
websites do not protect images with a login. Instead they are stored on a different server
that does not require authentication.
Recently Trusteer CTO Amit Klein and his research group discovered a vulnerability in the
JavaScript engine of all leading browsers (Internet Explorer, Firefox, Safari, and
Chrome) which allows a website to check whether a user is currently logged onto
another website. The source of the vulnerability is a specific JavaScript function. When
this function is called it leaves a temporary footprint on the computer, and any other
website can identify this footprint. Websites that use this function in a certain way are
traceable. Many websites, including financial institutions, online retailers, social
networking websites, gaming, and gambling websites use this function and can be traced.
To protect themselves from in-session phishing attacks, Trusteer recommends that users
[45]:
1. Deploy web browser security tools
2. Always log out of banking and other sensitive online applications and accounts before
navigating to other websites
3. Be extremely suspicious of pop ups that appear in a web session if you have not
clicked a hyperlink.
An example of a phishing email is shown in the following figure [45]:
Fig 3.1.7- Recent Phishing Email
3.1.3.2.4 Hacking Tricks Towards Security On Network Environments
Hacking tricks, when successfully carried out, can cause considerable loss and damage
to users. They fall into three categories [46]:
(1) Trojan programs that share files via instant messenger, used for eavesdropping and
Denial of Service (DoS)
(2) Phishing or fraud via e-mails.
(3) Fake Websites.
3.1.3.2.5 Distributed Deny Of Service Attack Of Botnet
Online criminals can use a virus to take control of large numbers of computers at a time
and turn them into "zombies" that can work together as a powerful "botnet" to perform
malicious tasks. Botnets, which can control huge numbers of zombie computers, can
distribute spam e-mail, spread viruses, attack other computers and servers, and commit
other kinds of crime and fraud. According to a report from Russia-based Kaspersky
Labs, botnets currently pose the biggest threat to the Internet. The computers that form a
botnet can be programmed to redirect transmissions to a specific computer, such as a
Web site, which can be closed down by having to handle too much traffic: a Distributed
Denial-of-Service (DDoS) attack [29].
3.1.3.2.6 Payment Recipient Scams
The criminals who carry out online fraud require payment recipients and bank accounts
through which they can direct funds and launder their money. Innocent parties have been
deceived into assisting the fraudsters in carrying out these crimes in several ways, such as:
• Advertisements are placed with employment agencies for financial or accounts
staff. After applicants have been notified of their appointment to the role, they are
asked to receive and distribute funds on behalf of the company via their personal
accounts.
• People have been approached via email or chat rooms and asked to facilitate
international funds transfers, supposedly because of costs or restrictions on
doing these transactions overseas, and in return receive a percentage of these
funds.
Thus money laundering is a serious crime, and people involved in these scams can be
held personally liable for lost funds as well as being prosecuted [45]. To fight the
various types of attacks several methods are in use, but none can be considered 100%
effective. The following diagram shows the status of all kinds of attacks compared to
security [35]:
Fig 3.1.8: Status of Various Attacks as Compared to Security
3. MATERIALS & METHODS
3.2 SECURITY MEASUREMENT STRATEGIES
3.2.1 Preface
3.2.1.1 Key Components for E-Banking
3.2.1.2 Security Mechanism Towards E-Banking Authentication Methods
3.2.2 Antivirus Techniques
3.2.2.1 Virus Scanning
3.2.2.2 Behavior Checkers
3.2.2.3 Integrity Checkers
3.2.2.4 Firewalls
3.2.2.5 Intrusion Detection System (IDS)
3.2.2.6 Intrusion Prevention System (IPS)
3.2.2.7 Honey Pots
3.2.3 Anti-Phishing Approach
3.2.3.1 Browsers Alerting Users to Fraudulent Websites
3.2.3.1.1 PwdHash
3.2.3.1.2 Spoof Guard
3.2.3.1.3 VeriSign
Security Measurement Strategies 82
3.2.4 Common Strategies Used For Secured Authentication
3.2.4.1 Authentication Using Passwords
3.2.4.2 One Time Password (OTP) Generators
3.2.4.3 Challenge / Response (C / R) Calculators
3.2.4.4 Two Factor Authentications
3.2.4.5 Smartcard System
3.2.4.6 Chip Card Readers
3.2.4.7 Conventional Encryption Schemes
3.2.4.8 Public Key Encryption
3.2.4.9 Digital Signature
3.2.4.10 Secure Socket Layer (SSL)
3.2.4.11 Secure Electronic Transaction (SET)
3.2.4.12 Pretty Good Privacy (PGP)
3.2.4.13 Kerberos
3.2.4.14 Cryptographic Authentication
3.2.4.15 Public Key Infrastructure (PKI)
3.2.4.16 Public-Key Cryptosystems (PKC)
3.2.4.16.1 Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Crypto Systems
3.2.4.16.2 Elliptic Curve Cryptography (ECC)
3.2.4.17 Biometric
3.2.4.18 MeCHIP
3.2.5 Comparison Between Hardware-Based System Solution And Software Based System Solution
3.2.1 PREFACE
The statistics do not lie: more and more people are banking only online. When it
comes to the future of banking, there is a variety of predictions. The majority of
individuals predict consumers with embedded chip implants; using such an implant, a
customer simply walks into the store, swipes and views his balance instantaneously. To
provide safe and secure e-banking, many banks have adopted various encryption
technologies so that users' personal information can be protected from unauthorized
access. In the introductory part of this chapter we introduce the key components of
e-banking and the security mechanisms towards e-banking authentication. Then in the
second part of the chapter we discuss antivirus techniques like virus scanning, behavior
checkers, integrity checkers, firewalls, IDS, IPS and honey pots.
Then in the third part we discuss anti-phishing approaches, namely browsers that alert
users to fraudulent websites, mentioning PwdHash, SpoofGuard and VeriSign. In the
fourth part of this chapter we shed some light on common strategies used for secure
authentication, for example authentication using passwords, OTP generators, C / R
calculators, two-factor authentication, smartcard systems, chip card readers, conventional
encryption schemes, PKE, digital signatures, SSL, SET, PGP, Kerberos, cryptographic
authentication, PKI, PKC, Elliptic Curve Discrete Logarithm Systems / Elliptic Curve
Crypto Systems, ECC, biometrics and MeCHIP. Finally we end the chapter with a
comparison between hardware-based system solutions and software-based system
solutions.
3.2.1.1 KEY COMPONENTS FOR E-BANKING
Each authentication method has its strengths and weaknesses, which need to be weighed
by the bank, including the impact on customers. Key components that will help to
maintain a high level of public confidence in an open network environment include [8]:
1. Security
2. Authentication
3. Trust
4. Non-repudiation
5. Privacy
6. Availability
1. Security: It is an issue in Internet banking systems. Hardware or software “sniffers”
can obtain passwords, account numbers, credit card numbers, etc. without regard to the
means of access. National banks therefore must have a sound system of internal controls
to protect against security breaches for all forms of electronic access.
A sound system of preventive, detective, and corrective controls will help assure the
integrity of the network and the information it handles. Firewalls are frequently used on
Internet banking systems as a security measure to protect internal systems and should be
considered for any system connected to an outside network. Firewalls are a combination
of hardware and software placed between two networks through which all traffic must
pass, regardless of the direction of flow. They provide a gateway to guard against
unauthorized individuals gaining access to the bank’s network. The simple presence of a
firewall does not assure logical security and firewalls are not impenetrable: firewalls must
be configured to meet a specific operating environment and they must be evaluated and
maintained on a regular basis to assure their effectiveness and efficiency.
2. Authentication: It is another issue in an Internet banking system. Transactions on the
Internet or any other telecommunication network must be secure to achieve a high level
of public confidence. Banks typically use symmetric (private key) encryption technology
to secure messages and asymmetric (public/private key) cryptography to authenticate
parties. Asymmetric cryptography employs two keys: a public key and a private key.
These two keys are mathematically tied, but one key cannot be deduced from the other.
For example, to authenticate that a message came from the sender, the sender encrypts
the message using their private key. Only the sender knows the private key. But, once
sent, the message can be read only using the sender's public key. Since the message can
only be read using the sender's public key, the receiver knows the message came from
the expected sender.
Internet banking systems should employ a level of encryption that is appropriate to the
level of risk present in the systems. Thus, a national bank should conduct a risk
assessment in deciding upon its appropriate level of encryption. A common asymmetric
cryptography system is RSA, which uses key lengths up to 1,024 bits.
By using the two forms of cryptography together, symmetric to protect the message and
asymmetric to authenticate the parties involved, banks can secure the message and have a
high level of confidence in the identity of the parties involved. Biometric devices are an
advanced form of authentication. These devices may take the form of a retina scan, finger
or thumb print scan, facial scan, or voice print scan. Use of biometrics is not yet
considered mainstream, but may be used by some banks for authentication. Examiners
should evaluate biometric activities based on management’s understanding of risks,
internal or external reviews, and the overall performance of these devices.
3. Trust: It is another issue in Internet banking systems. A trusted third party is a
necessary part of the process. That third party is the certificate authority. A proper mix of
preventive, detective, and corrective controls can help protect national banks from these
pitfalls. Digital certificates may play an important role in authenticating parties and thus
establishing trust in Internet banking systems.
4. Nonrepudiation: It is the undeniable proof of participation by both the sender and
receiver in a transaction. It is the reason public key encryption was developed, i.e., to
authenticate electronic messages and prevent denial or repudiation by the sender or
receiver.
5. Privacy: Privacy is a consumer issue of increasing importance.
6. Availability: Availability is another component in maintaining a high level of public
confidence in a network environment. All of the previous components are of little value if
the network is not available and convenient to customers. Users of a network expect
access to systems 24 hours per day, seven days a week.
3.2.1.2 SECURITY MECHANISM TOWARDS E-BANKING AUTHENTICATION METHODS
A system for remote authentication should consider at least a few of the following security
mechanisms [63]:
I) User Secure Authentication (Identity Proof): The system should provide secure
identification and user authentication using a password or another mechanism. User
authentication provides each user's unique account access and transaction capabilities.
II) Safe Confidentiality of Transferred Data: The confidentiality mechanism prevents
eavesdropping on the communication between a client and his bank.
III) Integrity of Transferred Data: An integrity mechanism ensures that
information transferred between the bank and its client cannot be forged or modified by an
attacker.
IV) Undeniable Responsibility For Transactions Made: This mechanism ensures that
the sender of a message is responsible for the message he has sent and cannot deny
having sent it. Its typical use is in active transactions, where the client sends a
transaction message to his bank. The receiver of the transaction message (the bank) can
easily prove that the message was created and sent by the specific client, and the client
cannot deny responsibility for it. The most common way to provide this mechanism is an
electronic signature.
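As an added illustration of the sign-with-private-key, verify-with-public-key mechanism described under Authentication (key component 2 above) and of the undeniable responsibility mechanism in point IV, here is a toy RSA signature in Python. It is not code from the thesis or from any bank system: the primes 61 and 53, the exponent 17, the sample transfer order and the `bank_processes_order` helper are all constructed for the example, and the modulus is far too small for real use.

```python
import hashlib

# Toy RSA key pair built from the classic textbook primes p = 61, q = 53.
# The numbers are tiny so the arithmetic is easy to follow; a real key
# (as the text notes) is on the order of 1,024 bits or more.
P, Q = 61, 53
N = P * Q                   # public modulus, 3233
PHI = (P - 1) * (Q - 1)     # 3120
E = 17                      # public exponent
D = pow(E, -1, PHI)         # private exponent, 2753: (E * D) % PHI == 1
PUBLIC_KEY = (N, E)         # published to anyone who must verify the sender
PRIVATE_KEY = (N, D)        # known only to the sender


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the RSA group.

    A toy stand-in for the hash-and-pad step of real signature schemes; in a
    3233-element group two messages can collide, which is one reason real keys
    are large and the hash is padded rather than reduced.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """The sender 'encrypts' the message digest with the private key: the signature."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """The receiver reverses the operation with the public key and compares digests.

    A match means only the holder of the private key could have produced the
    signature, which is what gives the bank non-repudiation.
    """
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def bank_processes_order(order: bytes, signature: int) -> str:
    """Bank-side check (constructed helper): accept only orders whose signature
    verifies under the client's public key; (order, signature) is kept as evidence."""
    return "accepted" if verify(order, signature) else "rejected"


if __name__ == "__main__":
    order = b"transfer 100.00 from 1234 to 5678"      # constructed sample order
    sig = sign(order)                                  # client signs with D
    print("genuine order:", bank_processes_order(order, sig))
    # Anyone without D cannot produce a verifying signature; the RSA map is a
    # permutation of the group, so a different signature never verifies:
    print("forged signature:", bank_processes_order(order, (sig + 1) % N))
    # Altering a signed order breaks the digest match:
    print("altered order:",
          bank_processes_order(b"transfer 900.00 from 1234 to 5678", sig))
```

The point to take away is the asymmetry: `sign` needs D, which only the client holds, while `verify` needs only the published (N, E). A bank that stores the order together with its signature can re-run `verify` at any later time, which is the undeniable proof of participation the text calls non-repudiation. Real systems use 2048-bit or larger keys and a padded hash (for example RSA-PSS) rather than a bare `digest() % N`.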
Modern ways of authentication, such as smart cards, authentication calculators,
biometric authentication and cryptographic authentication, should remove the
weaknesses of password authentication. Some of them are called one-time password
systems. For example, a smart card or authentication calculator generates the
challenge, which is used instead of a password. The authentication calculator or smart card
cooperates with the workstation, and the generated challenge is unique for each authentication.
That is why this challenge is useless to an attacker [63].
The second problem related to identity can only be solved once authentication is solved.
This problem is called expression of will. In some applications it is necessary to record
and clearly express the will of the user to carry out a transaction. This expression of will
must be [63]:
• Clear in identity and attributes
• Capable of representing the will of the user
• Auditable and unimpugnable
One of the main problems noticed here is the huge difference between human non-digital
communication and computer communication. Human non-digital communication uses
different mechanisms for identification and for expression of will, such as name, password,
handwritten contract etc., than electronic or digital communication does. Electronic or
digital communication uses different means for identification and expression of will, such as
a digital signature or the other authentication methods mentioned in this article.
Other Security Measures
Most Internet banks offer other protective measures to ensure your information is kept
safe and secure. Some examples of other security measures in place include:
Secure Logins: You will create your own online access account number and code that
you will need each time you log in.
Limited Logins: Many banks limit the number of times you can attempt to log in per day
and lock you out if you exceed this. That way someone can't attempt to break your login
code easily.
Limited Sessions: Most banks offer limited sessions that require you to re-login after
you have been inactive for a period of time preventing anyone from viewing your
information if you leave your computer for too long.
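The three measures just listed (secure logins, limited logins, limited sessions) can be made concrete in a few lines. The following Python is an added example, not the thesis's own or any bank's code: the limits (five failures per day, a ten-minute idle timeout) and the account names are constructed, and the current time is passed in explicitly so the behaviour can be checked without waiting.

```python
from typing import Dict, Optional, Tuple

# Constructed policy values; a real bank chooses its own.
MAX_FAILED_ATTEMPTS = 5          # failed logins allowed per window before lock-out
ATTEMPT_WINDOW_SECONDS = 86400   # "per day"
IDLE_TIMEOUT_SECONDS = 600       # re-login required after 10 minutes of inactivity


class LoginLimiter:
    """Limited logins: count failed attempts per account and day, lock when exceeded."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 window: int = ATTEMPT_WINDOW_SECONDS) -> None:
        self.max_attempts = max_attempts
        self.window = window
        # account -> (start of the current window, failures counted in it)
        self._state: Dict[str, Tuple[float, int]] = {}

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns "ok", "denied" (wrong password) or "locked" (too many failures)."""
        start, failures = self._state.get(account, (now, 0))
        if now - start >= self.window:          # a new day: the counter starts over
            start, failures = now, 0
        if failures >= self.max_attempts:       # locked: refuse even a correct password
            self._state[account] = (start, failures)
            return "locked"
        if password_ok:
            self._state[account] = (start, 0)   # a successful login clears the count
            return "ok"
        failures += 1
        self._state[account] = (start, failures)
        return "locked" if failures >= self.max_attempts else "denied"


class Session:
    """Limited sessions: the session ends after a period of inactivity."""

    def __init__(self, account: str, now: float,
                 idle_timeout: int = IDLE_TIMEOUT_SECONDS) -> None:
        self.account: Optional[str] = account
        self.last_activity = now
        self.idle_timeout = idle_timeout

    @property
    def active(self) -> bool:
        return self.account is not None

    def touch(self, now: float) -> bool:
        """Record a request; returns False (and ends the session) if idle too long."""
        if not self.active or now - self.last_activity > self.idle_timeout:
            self.account = None
            return False
        self.last_activity = now
        return True
```

Two design points are worth noting: the lock-out is checked before the password so that a locked account cannot be probed further, and a session that has expired stays expired even if a later request arrives quickly, which forces the fresh login the text describes.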
When looking at solutions, users can minimize risk by improving password
complexity; implementing security measures such as personal firewalls, anti-spyware,
anti-phishing features and an up-to-date antivirus application; and installing the most
current client software, browsers and operating system patches and updates.
As technology evolves, end users will be able to minimize risk through trusted federated
directory structures and stronger authentication and cryptographic applications. The
solutions to the security issues require the use of software-based systems, hardware-based
systems, or a hybrid of the two. Because of the need to fight money laundering, most
financial institutions now maintain AML (anti-money laundering) software as part of the
e-banking system to monitor transactions and detect suspicious money laundering activity
[44]. In the coming sections we discuss some antivirus techniques for locating and
eliminating viruses, but none of these has proven to be 100% effective and therefore there
is actually no way to know whether our system is free of viruses [31].
3.2.2 ANTIVIRUS TECHNIQUES
Antivirus software has been the chief defense mechanism since viruses first appeared.
Most antivirus solutions are comprehensive security solutions that can be centrally
monitored. They can also be configured to remove administrative rights from client
machines. Antivirus programs normally manage the life cycle of viruses in four steps
[43]:
1. Prevention or avoidance of virus outbreak;
2. Suppression or control of virus outbreak;
3. Reinstallation of the affected nodes; and
4. Reporting and alerting all the complementing perimeter security systems.
3.2.2.1 VIRUS SCANNING
Scanning for viruses is the oldest and most popular method for locating viruses. In this
method scanners search for specific code which is believed to indicate the presence of a
virus. Scanners have an important advantage over other types of virus protection in that
they allow one to catch a virus before it ever executes on our computer. Depending on the
virus type, the anti-viral software will search only in .COM files, .EXE files or the
boot sector. In the late 1980s, when there were only a few viruses floating around, it was
easy to write a scanner. In the present day, with thousands of viruses and many more being
written every year, keeping a scanner up to date is a major task. Another major problem is
that, from the moment the virus is created until the antiviral software is able to detect it,
it can spread and cause a lot of damage [31].
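As an added example of the signature scanning described above (not code from the thesis or from any antivirus product), the following Python scanner searches constructed objects for constructed byte patterns, restricting each signature to the kinds of object its virus infects (.COM, .EXE or boot sector). The signature names, patterns and sample files are all invented for the example; the one-byte variant `GAME2.EXE` shows the gap the text mentions between a new virus appearing and the scanner being updated.

```python
import os
from typing import Dict, FrozenSet, List, Tuple

# Constructed signatures: a byte pattern the scanner believes indicates a virus,
# plus the kinds of object that virus infects, so the scanner only looks where
# the virus could be (.COM files, .EXE files, or the boot sector).
SIGNATURES: Dict[str, Tuple[bytes, FrozenSet[str]]] = {
    "Demo.Boot.A": (b"\xeb\x3c\x90DEMOBOOT", frozenset({"boot"})),
    "Demo.Exe.B": (b"MZ\x90\x00DEMO-PAYLOAD-B", frozenset({"exe", "com"})),
}


def object_kind(name: str) -> str:
    """Classify a scan target by its name (constructed naming convention)."""
    if name == "BOOTSECTOR":
        return "boot"
    ext = os.path.splitext(name)[1].lower()
    return {".exe": "exe", ".com": "com"}.get(ext, "other")


def scan_object(name: str, data: bytes, signatures=SIGNATURES) -> List[str]:
    """Names of every signature that applies to this kind of object and occurs in it."""
    kind = object_kind(name)
    return [sig_name for sig_name, (pattern, kinds) in signatures.items()
            if kind in kinds and pattern in data]


def scan_all(objects: Dict[str, bytes], signatures=SIGNATURES) -> Dict[str, List[str]]:
    """Scan every object; report only those that matched at least one signature."""
    report: Dict[str, List[str]] = {}
    for name, data in objects.items():
        hits = scan_object(name, data, signatures)
        if hits:
            report[name] = hits
    return report


# Constructed sample objects standing in for files and a boot sector.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "BOOTSECTOR": b"\xeb\x3c\x90DEMOBOOT" + b"\x00" * 8 + b"\x55\xaa",
    "GAME.EXE": b"MZ\x90\x00DEMO-PAYLOAD-B\x00\x00",
    "EDITOR.COM": b"\xb4\x09\xba hello from a clean program",
    # One byte differs from the known pattern: the old signature no longer
    # matches, which is the window between a virus appearing and an update.
    "GAME2.EXE": b"MZ\x90\x00DEMO-PAYLOAD-C\x00\x00",
    # The same bytes inside a text file are ignored, because this virus only
    # lives in .COM/.EXE files.
    "NOTES.TXT": b"MZ\x90\x00DEMO-PAYLOAD-B",
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_OBJECTS).items():
        print(f"{name}: infected with {', '.join(hits)}")
```

Restricting each signature to the object kinds its virus can infect is what lets a scanner check only .COM files, .EXE files or the boot sector as the text describes; it also avoids false alarms on data files that happen to contain the pattern, at the cost of missing the same bytes placed somewhere unexpected.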
3.2.2.2 BEHAVIOUR CHECKERS
A behavior checker is a memory-resident program that the user loads from the
autoexec.bat file; it then sits in the background looking for unusual, virus-like
behavior and alerts the user when it takes place. But even this is not enough to detect all
possible viruses [31].
3.2.2.3 INTEGRITY CHECKERS
Integrity checkers simply monitor for changes in files. Typically, an integrity checker
will build a log that contains the names of all the files on a computer and some type of
characterization of those files. That characterization may consist of basic data like the file
size and date/time stamp, as well as a checksum, CRC, or cryptographic checksum of some
type. Each time it runs, the integrity checker examines each file on the system and
compares it with the characterization it made earlier. An integrity checker will catch most
changes to files made on your computer, including changes made by computer viruses. But
there could be thousands of viruses on our computer and the integrity checker would never
tell us, as long as those viruses did not execute and change some other file. Moreover, this
method does not assure that the software has not been infected on its way from the
programmer's computer to the final user's computer. Therefore it is a good system for
controlling the reproduction of viruses, but it cannot do a thing against programs that are
installed infected from the first moment. Moreover, a virus installed as a Trojan horse can
modify the code of the antivirus so it will not detect any virus and we will think that the
system is free of viruses [31].
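The following Python is an added example of an integrity checker as characterized above (file size plus a cryptographic checksum, with the baseline compared on each run); it is not code from the thesis or from any product. The directory, file names and contents in `demo()` are constructed. It reports `editor.exe` as modified only because the baseline was taken while the file was clean: a program infected before the baseline, the case the text raises, would be recorded as trusted.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Characterization = Tuple[int, str]   # (size in bytes, SHA-256 hex digest)


def characterize(path: str) -> Characterization:
    """Describe one file by its size and a cryptographic checksum of its contents."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def build_baseline(root: str) -> Dict[str, Characterization]:
    """Walk a directory tree and record every file's characterization."""
    baseline: Dict[str, Characterization] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = characterize(full)
    return baseline


def compare(baseline: Dict[str, Characterization],
            current: Dict[str, Characterization]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then alter one, add one, delete one."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        write("command.com", b"clean program A")
        write("editor.exe", b"clean program B")
        write("readme.txt", b"documentation")
        baseline = build_baseline(root)
        # The saved baseline must be kept where an intruder cannot rewrite it
        # (read-only media, another host); here it is only serialized to show
        # that it is plain data, independent of the disk it guards.
        saved = json.dumps(baseline)

        write("editor.exe", b"clean program B" + b"\x90VIRUS-APPENDED")  # infected
        write("dropper.exe", b"new unexpected file")                      # added
        os.remove(os.path.join(root, "readme.txt"))                       # removed

        restored = {k: tuple(v) for k, v in json.loads(saved).items()}
        return compare(restored, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Size and date stamp alone are cheap but forgeable (a virus can restore both after infecting a file), which is why the characterization here includes a cryptographic checksum; the text's second caveat still holds, since a checker whose own executable or baseline is writable by the intruder can be silenced.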
Thus antivirus is a good way to protect against viruses, but since it relies on the
signatures in its database, it is unable to discover new attacks unless the database is
updated periodically. Besides this, antivirus remains helpless against different kinds of
attacks like hijacking, Denial of Service etc. Therefore we need other software along
with antivirus, and there are a variety of tools that can be used for this purpose, such as
firewalls, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), honey
pots etc. [32].
3.2.2.4 FIREWALLS
Firewalls stop any suspicious data before it enters our system; there are three kinds of
firewall and two architectures based on it, named DMZ (Demilitarized Zone).
A firewall offers great advantages in the field of security but still has its limits: the main
reason is that it can never close its ports totally. It must have at least one open port
to communicate with the Internet, and this single port can be considered a door for
attacks. This means that our computer may be under attack at any time [32].
3.2.2.5 INTRUSION DETECTION SYSTEM (IDS)
An Intrusion Detection System is used to detect the presence of an attack on our system. The
IDS raises an alarm when an intrusion or interference has broken into the system.
There are two types of IDS: HIDS and NIDS. HIDS is more reliable than NIDS because
it can detect illegal access easily, but at the same time HIDS delivers all the collected
information to a central computer.
This means that in an internal network, if we have a large number of machines with HIDS,
it may be risky because the large flow of information could diminish the performance of
the system; that is why NIDS is preferred in that kind of network, even though it could miss
some illegal access that HIDS can see.
3.2.2.6 INTRUSION PREVENTION SYSTEM (IPS)
We need something that prevents attacks before they happen. An IPS identifies and stops
malicious code before it penetrates our system; this type of software provides the
4th layer of the protection shield of the system.
It is advisable that the user should not remove the firewall from the system even though it
has limited capabilities compared to an IPS or IDS, because a firewall reduces the amount
of bad traffic that can reach the IPS and IDS, which in turn reduces the alarms and the
suspicious data [32].
3.2.2.7 HONEY POTS
One major objective of a honey pot is to gather as much information as possible.
Generally, such information gathering should be done silently without alarming the attacker.
All the gathered information gives an advantage to the defending side and can therefore be
used on productive systems to prevent attacks. All methods of detection and
prevention are based on known facts and known attack patterns. By knowing attack
strategies, countermeasures can be improved and vulnerabilities can be fixed. Another
purpose of the honey pot is to divert hackers from productive systems or to catch a hacker
while conducting an attack.
Compared to an IDS, honey pots have the big advantage that they do not generate false
alerts, since all observed traffic is suspicious: no productive components are running on
the system. Compared to an IPS, a honey pot does not prevent any attack; on the contrary,
it sometimes entices hackers to attack a system by deceiving them into believing that
the system is easy to penetrate [32].
3.2.3 ANTIPHISH APPROACH
AntiPhish is an application that is integrated into the web browser. It is a novel browser
extension, free for public use, with the intention of protecting inexperienced users
against spoofed-website-based phishing attacks. AntiPhish tracks the sensitive
information of a user and generates warnings whenever the user attempts to transmit this
information to an untrusted web site.
Main Functionality of AntiPhish: The development of AntiPhish was inspired by
automated form-filler applications. Most browsers such as Mozilla or Internet
Explorer have integrated functionality that allows form contents to be stored and
automatically inserted if the user desires. This content is protected by a master password.
Once this password is entered by the user, a login form that has previously been saved,
for example, will automatically be filled by the browser whenever it is accessed. AntiPhish
takes this common functionality one step further and tracks where this information
is sent [55].
3.2.3.1 BROWSERS ALERTING USERS TO FRAUDULENT WEBSITES
Another popular approach to fighting phishing is to maintain a list of known phishing
sites and to check websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0,
Safari 3.2, and Opera all contain this type of anti-phishing measure. Firefox 2 used
Google anti-phishing software. Opera 9.1 uses live blacklists from PhishTank and
GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach
send the visited URLs to a central service to be checked, which has raised concerns about
privacy. According to a report by Mozilla in late 2006, Firefox 2 was found to be more
effective than Internet Explorer 7 at detecting fraudulent sites in a study by an
independent software testing company [56]. The following similar, browser-based plug-in
solutions were provided by Stanford University to mitigate phishing attacks [55]:
3.2.3.1.1 PwdHash
It is an Internet Explorer plug-in that transparently converts a user’s password into a
domain-specific password so that the user can safely use the same password on multiple
web sites. A side-effect of the tool is some protection from phishing attacks. Because the
generated password is domain specific, the password that is phished is not useful. The
problem, however, is that the solution only works for protecting passwords and does not
work for sensitive information that is needed in unaltered form by a web site such as
credit card information and social security numbers.
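PwdHash's core idea, a password derived from both the master password and the site so that a phished copy is useless elsewhere, can be shown with a keyed hash. The Python below is an added example, not PwdHash's own code: the real tool keys on the registered domain and uses its own encoding, whereas this version simply uses HMAC-SHA256 over the lower-cased host name, with a constructed `Pw!` prefix and 12-character output length.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url_or_host: str) -> str:
    """Normalize the site to a lower-case host name.

    Constructed rule for this example (PwdHash keys on the registered domain):
    scheme, port, path and letter case are ignored so that the same site always
    yields the same password, while a look-alike host yields a different one.
    """
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname
    if not host:
        raise ValueError("no host name in %r" % url_or_host)
    return host.lower()


def domain_password(master_password: str, site: str, length: int = 12) -> str:
    """Derive a site-specific password from the master password and the site.

    The site name is the HMAC message and the master password the key, so the
    value sent to a phishing site reveals neither the master password nor the
    password used at the genuine bank.
    """
    mac = hmac.new(master_password.encode("utf-8"),
                   site_key(site).encode("utf-8"), hashlib.sha256).digest()
    # base64 keeps the result typeable; the fixed prefix guarantees upper-case,
    # lower-case and punctuation characters for sites with composition rules.
    return "Pw!" + base64.b64encode(mac).decode("ascii")[:length - 3]


if __name__ == "__main__":
    master = "correct horse battery"                      # constructed
    genuine = domain_password(master, "https://bank.example/login")
    phished = domain_password(master, "https://bank-example.com/login")
    print("sent to the real bank:   ", genuine)
    print("sent to the look-alike:  ", phished)
    print("same as the real one?    ", genuine == phished)
```

As the text notes, this protects only passwords: a card number or social security number must reach the site unaltered, so a derivation like this cannot help for those fields.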
3.2.3.1.2 Spoof Guard
It is a plug-in solution specifically developed to mitigate phishing attacks. The main
difference between SpoofGuard and AntiPhish is that SpoofGuard is symptom-based.
That is, the plug-in looks for "phishing symptoms" such as similar-sounding domain
names and masked links in the web sites that are visited. Alerts are generated based on
the number of symptoms that are detected. AntiPhish, in comparison, is user-input-based
and guarantees that sensitive information will not be transferred to a web site that is
untrusted.
3.2.3.1.3 VeriSign
It has recently started to provide an anti-phishing service. The company is crawling
millions of web pages to identify "clones" in order to detect phishing web sites. As a
solution, several companies such as AOL have recently announced plans to integrate
blacklist-based anti-phishing support into the Netscape browser; furthermore, blacklists
of phishing web sites are maintained. The browser will not allow the user to connect to
web sites that are blacklisted [55].
3.2.4 COMMON STRATEGIES USED FOR SECURED AUTHENTICATION
Financial institutions engaging in any form of internet banking should have effective and
reliable methods to authenticate their customers. These methods include authentication
using passwords, cryptographic authentication, digital certificates using public key
infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTP),
USB plug-ins, transaction profile scripts, and biometric identification. Moreover, most
internet banks offer other protective measures to ensure information is safe and secure,
such as secure logins, limited logins and limited sessions.
3.2.4.1 Authentication Using Passwords
Passwords are still the most common security mechanism, although it is well known that
this method alone is not good enough to provide adequate protection. These passwords
can be easily discovered by a dictionary attack. Online dictionary attacks are easy to
detect by counting the number of failed access attempts, but offline dictionary attacks are
more complex and difficult to treat. However, there are other ways to compromise these
passwords. Capturing keystrokes has been used in some situations to compromise the
passwords entered by users. This method works even when using a secure
connection over SSL. The only password-based system that can compete with
cryptographic authentication methods is the one-time-pad (OTP), where each key is
disposed of after use, thus making it a dynamic password scheme. However, even these
authentication methods can be compromised [47].
3.2.4.2 One Time Password (OTP) Generators
This method generates codes synchronized with an application running on the server in a
way that makes it practically impossible to know the next code from the previous codes
generated. In order to do so, the OTP generator and the server application share a seed
that is used in the generation process. They are normally implemented as a small
hardware device, but sometimes it is possible to find them in software. They are a good
way to verify the identity of anyone that connects to a server. However, this is not enough
for many critical operations such as bank account transfer orders, as an attacker executing
code at the client’s computer can use this authentication information to place different
orders to the server on behalf of the client. Hardware OTP generators are more secure
than those implemented in software because they don’t have to store data on the
computer [47].
Similarly, in the one-time-pad scheme, other banks provide their customers with a login and one
or two passwords that follow a one-time-pad scheme. This way, a different code is
required for each transfer operation. For example, the customer could have a login, a
table with 80 one-time-pad passwords and another table with 18 codes. The customers
must keep track of the one-time-pad codes (by scratching them out, for example) so that they
are able to authenticate a transaction. Sometimes this one-time-pad code must be
entered to confirm a transaction after the first validation, but they are all based on the
same basic idea and require the customer to buy a hardware device (a custom piece of
hardware with a smart card) for accessing the service. This device allows the user to
navigate on the Internet and therefore connect to the bank web server [31].
Fig 3.2.1: SMS-Short Message Service, OTP-One-Time Password
3.2.4.3 Challenge / Response (C / R) Calculators
They take a challenge value and calculate the corresponding response, which is different for
each user. A secret-key cryptographic algorithm is normally used to generate the response
value. Knowledge of the correct response for a random challenge authenticates the
user. This challenge can be passed to the C/R calculator either manually through a
keyboard or using any other kind of communication link, such as a cable connection.
This method is equally vulnerable because the user has to rely on the computer to handle
the generated C/R, making it possible for the attacker to send data to the server using the
identity of the real user [47].
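An added example (not the thesis's code, nor any vendor's) covering both the OTP generators of 3.2.4.2 and the C/R calculators of 3.2.4.3: token and server derive codes from a shared seed with HMAC, the server accepts a small look-ahead window but rejects replayed or stale counters, and each challenge is answered exactly once. The seed is the public RFC 4226 test-vector seed; the window size, code length and response format are assumptions.

```python
import hmac
import hashlib
import struct

# Shared seed provisioned into the token and stored by the server. This is
# the 20-byte ASCII seed "12345678901234567890" from the RFC 4226 test vectors.
SEED = b"12345678901234567890"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (the HOTP construction of RFC 4226): HMAC-SHA1 over
    the 8-byte counter, dynamic truncation, then the low `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Server-side state for one user: the seed plus the last counter
    accepted. A small look-ahead window tolerates a token that has been
    pressed without logging in; a counter at or below the last accepted one
    is never re-accepted, which defeats replay of a captured code."""

    def __init__(self, seed: bytes, look_ahead: int = 3):
        self.seed = seed
        self.look_ahead = look_ahead
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c      # resynchronise and consume the code
                return True
        return False

def cr_response(key: bytes, challenge: bytes) -> str:
    """Challenge/response calculator: a keyed function of the server's
    challenge (HMAC-SHA256 truncated to 8 hex digits, an assumed format)."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:8]

class CrServer:
    """Server side of C/R: remembers one outstanding challenge per user and
    accepts exactly one answer to it."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = {}

    def issue_challenge(self, user: str, nonce: bytes) -> bytes:
        # The nonce is a parameter so the example is deterministic; a real
        # server draws it from a CSPRNG such as secrets.token_bytes(16).
        self.outstanding[user] = nonce
        return nonce

    def check(self, user: str, response: str) -> bool:
        challenge = self.outstanding.pop(user, None)   # single use
        if challenge is None:
            return False
        return hmac.compare_digest(cr_response(self.key, challenge), response)
```

Both schemes authenticate the person at login only; as the text points out, the code is not bound to a particular transfer order, so malware on the client can still submit a different order inside the authenticated session.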
3.2.4.4 Two-Factor Authentication
Another strategy is the use of two passwords, only random parts of which are entered at
the start of every online banking session, together with passwords confirmed through
tokens or SMS messages. Two-factor authentication requires a smart card and a password
and is usable with any smart card reader. It provides strong authentication and
non-repudiation for sensitive applications such as e-banking, electronic commerce, and other
financial transactions. One of the popular techniques is the e-Token PRO smartcard
technique, which stores the user's private keys, passwords and certificates, using 1024- or
2048-bit RSA authentication and digital signature. Examples of products providing two-
factor authentication using the AES (Advanced Encryption Standard) or RSA (Rivest,
Shamir, and Adleman) technique are key fobs, cards, PIN pads and USB (Universal Serial
Bus) hardware. Software tokens are available for Windows, Pocket PC, Palm OS, BlackBerry,
and Ericsson, Nokia, and NTT DoCoMo cell phones [35].
Fig 3.2.2 : RSA ( Rivest, Shamir, and Adleman) Technique
3.2.4.5 Smartcard System
Smartcard System is a mechanical device which has information encoded on a small chip
on the card and identification is accomplished by algorithms based on asymmetric
sequences. Each chip on the Smartcard is unique and is registered to one particular user,
which makes it impossible for a virus to penetrate the chip and access the confidential
data. Thus Smart cards are small, portable, tamper resistant devices providing users with
convenient storage and processing capability. Because of their unique capability, smart
cards are proposed for use in a wide variety of applications such as electronic commerce,
identification, and health care. For many of these proposed applications, cryptographic
services offered by digital signatures would be required. To be practical for widespread
use, however, smart cards also need to be inexpensive. However, practical limitations in
the Smartcard system prevent it from broad acceptance for major applications such as
home banking or on-line distribution. One drawback of the Smartcard is that it cannot
handle large amounts of information which need to be decoded. Furthermore, the
Smartcard only protects the user's private identification; it does not secure the transfer
of information. For example, when the information is keyed into the banking software, a
virus could attack the information, altering its destination or content.
The Smartcard would then receive this altered information and send it, which would
create a disaster for the user. Nevertheless, the Smartcard is one hardware-based system
that offers confidential identification [16]. The only way to break the security of this
system is to steal the smart card together with the PIN code, which reduces the risk to that
of an ATM [31].
Fig 3.2.3: Cryptographic Smart Card
3.2.4.6 Chip Card Readers: A third option is providing customers with chip card readers
capable of generating single-use passwords unique to the customer's chip card. Many
problems arise because of unprotected data transfer between clients and servers. For
example, in systems such as NFS, AFS, and Windows NT, there is no authentication of
file contents when information is sent between the client and server [35].
Fig 3.2.4: Chip Card Reader
3.2.4.7 Conventional Encryption Schemes
In this scheme one key is used by two parties to both encrypt and decrypt the
information. Once the secret key is entered, the information looks like a meaningless
jumble of random characters. The file can only be viewed once it has been decrypted
using the exact same key.
3.2.4.8 Public Key Encryption
In this method, there are two different keys held by the user: a public key and a private
key. These two keys are not interchangeable but they are complementary to each other,
meaning that they exist in pairs. Therefore, the public keys can be made public
knowledge and posted in a database somewhere. Anyone who wants to send a message
to a person can encrypt the message with the recipient's public key, and this message can
only be decrypted with the complementary private key. The private key remains on one's
personal computer and cannot be transferred via the Internet. This key is itself encrypted to
protect it from hackers breaking into the personal computer.
3.2.4.9 Digital Signature
Digital signatures were first proposed in 1976 by Whitfield Diffie at Stanford University.
A digital signature transforms the message that is signed so that anyone who reads it can
know who sent it. The use of digital signatures employs a secret key (private key) to
sign messages and a public key to verify them. A message the sender encrypts with the
private key can only be verified with the public key: when receiving the message,
the receiver decrypts the encrypted message with the sender's public key. This ensures that
the message was actually from the appropriate person.
Besides uniquely identifying the sender, the digital signature also ensures that the original
message was not tampered with in transit. The receiver can use the original hashing
algorithm to create a new message digest after decrypting the message and compare the
new message digest to the original digest. If they match, it can be sure that the
message has not been altered in transit. Because the signature contains information
produced by a one-way hashing algorithm, it is impossible to duplicate a signature by
copying the signature block to another message. Therefore, it is guaranteed that the
signature is original. For example, First Digital Bank is using digital signatures in the e-
banking industry to provide more secure and authentic transactions [16].
A digital signature is produced by first running the message through a hashing algorithm
to come up with the message digest. Next, the message digest is encrypted with the
sender's private key, which uniquely identifies the sender of the message. Digital
signature technology requires a public key infrastructure (PKI), under which each
individual has a pair of private and public keys [58].
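An added worked example of hash-then-sign as described above (not the thesis's code and not First Digital Bank's system): textbook RSA over two constructed primes signs a transfer order, and verification shows that an altered amount, or a signature block copied onto another order, is rejected. The 49-bit modulus and the absence of padding are simplifications so the arithmetic can be read; the message text is constructed.

```python
import hashlib

# Constructed textbook RSA key pair from two well-known primes (the
# 1,000,000th and 2,000,000th primes). A 49-bit modulus with no padding is
# for reading the mechanism only; real signatures use >= 2048-bit moduli
# and a padding scheme such as RSA-PSS.
P = 15485863
Q = 32452843
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent

def message_digest(message: bytes) -> int:
    """SHA-256 digest as an integer, reduced mod N only because N is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Hash-then-sign: the digest raised to the private exponent."""
    return pow(message_digest(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the digest with the public exponent and compare it with a
    fresh digest of the message actually received."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == message_digest(message)

def check_transfer_order():
    """Constructed transfer order signed by the customer; returns whether the
    genuine, an altered, and a signature-transplant version verify."""
    order = b"TRANSFER 100.00 from ACCT-1 to ACCT-2"
    sig = sign(order)
    altered = b"TRANSFER 900.00 from ACCT-1 to ACCT-2"   # amount changed in transit
    other = b"TRANSFER 100.00 from ACCT-1 to ACCT-3"     # signature copied onto another order
    return verify(order, sig), verify(altered, sig), verify(other, sig)
```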
3.2.4.10 Secure Socket Layer (SSL) Technology
This technology has been adopted by many banks. It encrypts the
information that users send over the Internet. That means the data a user sends from one
computer to another is encrypted to prevent it from being hacked. This technology is now
accepted by, or compatible with, most browsers including Internet Explorer and Netscape
Navigator. Usually we can see a little yellow padlock (lock/security device) in the lower
right-hand corner of our screen, indicating that a page is being secured using this
technology.
3.2.4.11 Secure Electronic Transaction (SET)
The Secure Electronic Transaction (SET) software system is the global standard for secure card
payments on the Internet, defined by various international companies such as
Visa, MasterCard, IBM, Microsoft, Netscape Communications Corp., GTE, SAIC, Terisa
Systems and VeriSign. SET promises to secure bank-card transactions online. Lockhart,
CEO of MasterCard, said, "We are glad to work with Visa and all of the technology
partners to craft SET. This action means that consumers will be able to use their bank
cards to conduct transactions in cyberspace as securely and easily as they use cards in
retail stores today." SET adopts RSA public key encryption to ensure message
confidentiality. Moreover, this system uses a unique public/private key pair to create the
digital signature. Although public key encryption and the digital signature ensure the
confidentiality and the authenticity of the message, there is still a potential danger
in that the information the sender provides may not be real. For example, the sender may
encrypt a bank card number which belongs to someone else by using his/her own private
key. To ensure true authentication, there is a need for a process of certification. A
third party who is trusted by both the sender and the receiver will issue the key pair to the
user who provides sufficient proof that he is who he claims to be. Thus SET can become
a better solution by using encryption, authentication and certification.
3.2.4.12 Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP), created by Philip Zimmermann, is a “hybrid crypto system
that combines a public key (asymmetric) algorithm, with a conventional private key
(symmetric) algorithm to give encryption combining the speed of conventional
cryptography with the considerable advantages of public key cryptography”.
PGP is a well established privacy/authentication technique created by Philip
Zimmermann in 1991, which enables both encryption and signing of e-mails. Each user
of PGP has both a private and a public key; with the private key the user can encrypt and
sign the e-mails they send out. The receiver of a signed e-mail needs the public key of
that sender to check the signature. If companies would use a similar technique to sign
their e-mails, this would make it impossible for malicious people to spoof their e-mails as
long as only the company has access to the private key. This would make it possible for
users to securely authenticate any sender of an e-mail by clicking a button [65]. The
advantage of PGP is that it does not require a trusted channel for transmitting the
encryption key to the intended recipient of our message. Furthermore, it has the ability to
sign messages by encrypting them with the sender's private key, which cannot be
replaced by any other key. Once the receiver has received the message, he/she can then
decrypt the message with the sender's public key, which cannot be forged and represents
the true identity of the sender.
The biggest part of today's anti-phishing applications is to more clearly inform the users
of the security of the site they are visiting. Anti-phishing applications most often use a
"black-list" containing the URLs of known phishing sites, against which the requested URL is compared.
But new anti-phishing applications, e.g. Microsoft Internet Explorer, use both "black-lists"
and "white-lists" (containing known authentic URLs) and check the remaining sites for
known phishing characteristics. This can be considered an efficient way to discover even
unknown phishing sites, and because all features are dynamic the protection can
follow phishing's development [65].
3.2.4.13 Kerberos
Kerberos is named after the three-headed guard dog of Greek mythology and it is
one of the best known private-key encryption technologies. Kerberos creates an
encrypted data packet, called a ticket, which securely identifies the user. To make a
transaction, one generates the ticket during a series of coded messages exchanged
with a Kerberos server, which sits between the two computer systems. The
two systems share a private key with the Kerberos server to protect information from
hackers and to assure that the data has not been altered during the transmission. One
example of this encryption is NetCheque, which was developed by the Information
Sciences Institute of the University of Southern California. NetCheque uses Kerberos to
authenticate signatures on electronic checks that Internet users have registered with an
accounting server.
Four popular anti-virus applications are McAfee Anti-Virus, Kaspersky Anti-
Virus Personal, AntiVir Personal Edition, and Ikarus Virus Utilities [64].
3.2.4.14 Cryptographic Authentication
These methods provide higher security than static passwords. They are based on the idea
that it is possible to prove the identity of a person by doing some cryptographic operation
over some given information which is different for each operation. This way the access
code generated is different each time, making it worthless to steal them, as the code will
be different next time. Even if the attacker can collect hundreds or even thousands of
codes from the same user, it is still impossible to obtain the value of the cryptographic
key used to generate them. Therefore, as in all cryptographic systems, the main problem
is the protection of the keys from the attacker.
Public key cryptography is normally used, but in cases where the communication is
established between entities that have a previous relationship (like the clients of a bank),
private key cryptography can also be used. Both public and private key cryptography can
provide authentication, data encryption and digital signatures [47].
3.2.4.15 Public Key Infrastructure (PKI)
PKI is a security architecture that has been introduced to provide an increased level of
confidence for exchanging information over the increasingly insecure internet. PKI
consists of methods, technologies and techniques that together provide a secure
infrastructure. PKI refers to the use of a public and private key pair for authentication and
proof of content. Public key cryptography uses a pair of mathematically related
cryptographic keys. If one key is used to encrypt the message then only the related key
can decrypt that message. Public keys are stored in digital certificates along with other
relevant information. Since the certificate is publicly available, preventing access is not
an issue; however, it should be protected from corruption, deletion or replacement.
No one should be able to access someone else's private key, so access to private keys is
generally protected with a password of the owner's choice. Hence, PKI's main problem is
the management of private keys. They need to be stored somewhere, like a PC, a server
or a smart card, and be protected with a password. In this manner, accessing a private
key requires knowledge of the password rather than being the right person, so it is vulnerable to
attacks by hackers.
This problem can be solved by using biometrics in PKI. One way of doing so is
generating the private keys directly from the biometric templates. Since private keys can
be generated dynamically from one’s biometric template, there is no need to store private
keys anymore, which solves the PKI’s private key storage problem [58].
3.2.4.16 Public-Key Cryptosystems (PKC)
The use of public-key cryptosystems (PKC) has received considerable attention. They are
beneficial in encryption as well as signing, which plays an essential role in e-banking and
financial transactions. Elliptic Curve Cryptography (ECC) is one of the best public key
techniques because of its small key size and high security [34]. Public key cryptography, with the
enormous growth of the computer and communication industry, became the type of
cryptography that controls electronic mail, e-commerce and the Internet. It is beneficial in
encryption as well as digital signing, which plays an essential role in electronic money
transactions and identity verification. Public key systems solve the key management
problems associated with symmetric-key encryption; however, and even more
importantly, public key cryptography offers the ability to efficiently implement digital
signatures. The digital signature of a person uniquely identifies that person in a
transaction. Today, three types of systems, classified according to the mathematical
problem on which they are based, are generally considered both secure and efficient. The
systems are: integer factorization systems (of which RSA is the best known example),
discrete logarithm systems (such as the U.S. Government's DSA), and elliptic curve discrete
logarithm systems (described next).
3.2.4.16.1 Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Crypto Systems
Today ECC offers those looking for a smaller, faster public-key system a practical and
secure technology for even the most constrained environments. This is why ECC is well
suited for low bandwidth and low memory applications such as mobile communication
and smart cards. ECC delivers the highest strength per bit of any known public-key
system because of the difficulty of the hard problem upon which it is based.
This greater difficulty of the hard problem - the Elliptic Curve Discrete Logarithm
Problem (ECDLP) - means that smaller key sizes yield equivalent levels of security [34].
3.2.4.16.2 Elliptic Curve Cryptography (ECC)
ECC is a public key cryptography algorithm. In public key cryptography, each party has a
key pair (a public key and a private key) and a set of operations associated with the keys
for cryptographic operations [58]. Secure applications in smart cards present
implementation challenges particular to the platform's memory, bandwidth, and
computation constraints. Unique properties of ECC make it especially well suited to
smart card applications. ECC systems provide the highest strength per bit of any
cryptosystem known today. Here the author presents a new method for smart card
implementation of elliptic curves, explaining how ECC can not only significantly reduce
the cost, but also accelerate the deployment of smart cards in new applications. ECC
permits reductions in key and certificate size that translate to smaller memory
requirements, especially for EEPROM, which represent significant cost savings. This
added functionality can play an effective role in electronic payment and online banking
technologies. The protocol described here depends on the security of the elliptic curve
primitives, e.g., key generation, signature generation, and signature verification. These
operations utilize the arithmetic of points which are elements of the set of solutions of an
elliptic curve equation defined over a finite field. The security of the protocol depends on
the intractability of the elliptic curve analogue of the discrete logarithm problem, which is
a well-known and extensively studied computationally hard problem [34].
Summarizing, the key size advantages of ECC afford many benefits for smart cards, and the
superior performance offered by ECC implementations makes applications feasible in low-
end devices without dedicated crypto hardware.
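An added toy implementation (not from the thesis or [34]) of the point arithmetic the section describes, on the textbook curve y^2 = x^3 + 2x + 2 over GF(17) with generator G = (5, 1) of prime order 19: the group law, scalar multiplication, key generation, ECDSA signing and verification, and a brute-force solution of the ECDLP that shows why a 19-element group gives no security while the same search on a 256-bit curve is infeasible. The curve parameters, the reduced hash and the sample message are assumptions.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); G generates a group
# of prime order 19. Textbook parameters for illustration only.
P, A, B = 17, 2, 2
G = (5, 1)

def on_curve(pt):
    if pt is None:          # None stands for the point at infinity (identity)
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Group law: chord-and-tangent addition of two affine points."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 = -p1 (also doubling with y = 0)
        return None
    if p1 == p2:                          # tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                 # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication by double-and-add: O(log k) point additions."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def point_order(g):
    """Smallest n with n*g = infinity (brute force; fine for a toy curve)."""
    n, q = 1, g
    while q is not None:
        q = add(q, g)
        n += 1
    return n

N = point_order(G)   # 19 for this curve

def keygen():
    """Private scalar d in [1, N-1]; public key Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def brute_force_ecdlp(Q):
    """Recover d from Q = d*G by trying every scalar: at most N-1 steps here,
    infeasible on a 256-bit curve. That gap is the ECDLP hardness assumption."""
    for d in range(1, N):
        if mul(d, G) == Q:
            return d
    return None

def _digest(message):
    # Hash reduced mod N; real ECDSA truncates the digest to the bit length of N.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(d, message):
    """ECDSA: r = (k*G).x mod N, s = k^-1 (z + r*d) mod N with a fresh random k."""
    z = _digest(message)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * d) % N
        if s != 0:
            return r, s

def verify(Q, message, sig):
    """Accept iff (z/s)*G + (r/s)*Q has x-coordinate r mod N."""
    r, s = sig
    if Q is None or not on_curve(Q) or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    X = add(mul(_digest(message) * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r
```

With only 19 group elements a forged signature on a different message verifies by chance roughly one time in ten, which is the same point as the brute force: the strength per bit the text cites only materialises at real field sizes.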
3.2.4.17 Biometric
A biometric is a “measurable physiological and/or behavioral trait that can be captured
and subsequently compared with another instance at the time of verification”. Biometric
based systems are being used in authentication and identification of an individual by
processing his/her biometric data. A biometric identifier comes from “something the user
is” and it is created through fingerprint, retina or iris scan, hand geometry, voice patterns,
vein patterns or any other such technologies. An individual’s biometric data can then be
stored in a database. In identification by biometric-based systems, individuals must first
enroll in the biometric system, a process in which their biometric data is collected by an
input device, specific to each type of biometric, and a master template is built and stored
from that data. From this point on, in each identification instance, the biometric data is
collected from the individual and a new template is created. This template is then
compared with the master template and, based on a threshold of the matching rate, the system
decides to accept or reject the claimed identity [58].
Biometric Signatures: A biometric signature is formed by generating a private
key from a biometric sample and using that private key to create a digital signature.
Biometric signatures have all of the advantages of both PKI and biometrics, as well as
some additional advantages such as no storage requirement for the biometric template or
the private key. This biometric template must be swiftly recognizable and very accurate
in order to create the same private key every time. Iris scan has such a low Equal Error
Rate (EER) (one in 1.2 million) that it seems to be a good choice for this mechanism. Iris
scan generates a 512-byte iris template for user authentication [58].
Biometric Methods: Some other authentication methods are biometrics; examples of
this method are retina scan, fingerprints/handprints, voice prints, DNA (deoxyribonucleic
acid), face recognition, lip movement, signature, etc.
These technologies are good but neither perfect nor foolproof. Similarly, online authentication
models are: one-time password scratch cards; one-time password tokens; smart cards
(which require readers, drivers, operating system support, etc.); and OOB (out-of-band) authentication, in
which a telephone call is made to complete a financial transaction. Another online
authentication model is the IP address and geo-location method, in which the IP address
is compared with the customer's known location and, if the customer's location is
questionable, additional authentication information is required. Another method is the
mutual authentication method, which is based upon
public-key infrastructure and uses SSL (Secure Sockets Layer) so that client and server
can exchange certificates [35].
Fig 3.2.5: Biometric Sensors Example (Out-Of-Band authentication)
3.2.4.18 MeCHIP: MeCHIP, developed by ESD, is connected directly to the PC's
keyboard using a patented connection. All information which needs to be secured is sent
directly to the MeCHIP, circumventing the client's vulnerable PC microprocessor. Then
the information is signed and transmitted to the bank in secure coded form. A closed,
secure channel from the client to the bank is assumed in this case. All information which
is transmitted and received is logged and verified to ensure that it has not been tampered
with. If there are any deviations, the session is immediately terminated. This hardware-
based solution offers the necessary security at the personal computer to transfer
confidential information [16].
3.2.5 COMPARISON BETWEEN HARDWARE-BASED SYSTEM SOLUTIONS AND SOFTWARE-BASED SYSTEM SOLUTIONS
Following are two possibilities to provide a secure PC banking system [31]:
A) Using a custom hardware platform for accessing the bank from home: This
would act as an ATM connected to the Internet: as long as the communications are
encrypted, neither an on-line attack nor an inside attack is possible, as the browsing software
is stored in a ROM memory and therefore cannot be infected. This option looks better,
although it still has a high cost and most users won't make intensive use of it for PC
banking operations. For example, Argentaria bank in Spain and West Fargo bank in the
US provide a hardware Internet navigation platform for this purpose.
B) Using a PC from a ROM disk: Booting up the computer from a CD-ROM disk can
ensure that no viruses or hostile software have been introduced after it is delivered by the
bank. Under these conditions, it is perfectly safe to use a password-based authentication
system even for doing funds transfers. But it requires shutting down the computer
each time the user wants to order a funds transfer, hence it is generally not preferred.
HARDWARE BASED SYSTEM
Hardware-based systems offer a more secure way to protect information, but they are less
portable and more expensive than software-based systems. For example, the Smartcard and the
MeCHIP provide better protection for the confidentiality of personal information. Thus
the hardware-based security system creates a secure, closed channel where the
confidential identification data is absolutely safe from unauthorized users.
SOFTWARE BASED SYSTEM
Many systems today use some form of software-based protection. Software-based
protections are easily obtained at lower costs than hardware-based protection.
Consequently, software-based protection is more widely used. But, software-based
protection has many potential hazards. For software-based systems, there are four ways to
break into the system:
i) First of all, attacking the encryption algorithms is one possible approach. This
form of attack would require much time and effort to be invested to break in.
ii) A more direct approach would be using brute force by actually trying out all
possible combinations to find the password.
iii) A third possible form of attack is on the bank's server, which is highly unlikely
because these systems are very sophisticated. This leaves the fourth possible
method, which also happens to be the most likely attack.
iv) The fourth method is to attack the client's personal computers. This can be done in
a number of ways, such as planting viruses (e.g. Trojan horses) as mentioned
above. But, unlike the traditional viruses, the new viruses will aim to have no
visible effects on the system, thus making them more difficult to detect and
easy to spread unintentionally [16].
In software-based security systems, the coding and decoding of information is done using
specialized security software. Encryption is the main method used in these software-
based security systems. Encryption is a process that modifies information in a way
that makes it unreadable until the exact same process is reversed. In general, there are
two types of encryption. Due to their easy portability and ease of distribution through
networks, software-based systems are more prevalent in the market. These software-based
solutions involve the use of encryption algorithms, private and public keys, and digital
signatures to form software packages such as Secure Electronic Transaction (SET), used
by MasterCard, and Pretty Good Privacy.