network issues in banking


Upload: krishnavk

Post on 26-Sep-2015

NETWORK ISSUES IN BANKING

1. MAN-IN-THE-MIDDLE ATTACKS

Man-in-the-middle attacks are typically attacks on online banking systems. The fraudster nestles himself in the communication flow between the customer and the bank with the aim of manipulating the transaction data to his own advantage, leaving the bank and the customer unaware. Technically speaking, man-in-the-middle attacks can take two forms:

- remote man-in-the-middle attacks
- local man-in-the-middle attacks

REMOTE MAN-IN-THE-MIDDLE ATTACKS

With remote man-in-the-middle attacks, the fraudster will use a variety of techniques, such as phishing and pharming, to lure the banking customer to a rogue website. When the banking customer logs onto his account to make a transaction, the rogue website obtains the password and transaction details, such as the beneficiary's bank account number and the monetary amount of the transaction. The transaction details will often be altered and used by the fraudsters on the real banking website to their financial benefit.

LOCAL MAN-IN-THE-MIDDLE ATTACKS

A local man-in-the-middle attack is carried out by malicious software that is installed on the end-user's computer. This software, also called spyware or crimeware, typically infects the computer through downloads or e-mail attachments. Once the software is installed, it tracks which websites the end-user visits. When the crimeware detects that the end-user is visiting an online banking website, it waits for the user to be logged on and then initiates or alters financial transactions without the user knowing.

HOW CAN BANKS AND CUSTOMERS PROTECT THEMSELVES?

The customer should learn to behave securely when banking over the Internet, just as he should with other applications such as buying goods online. It is therefore very important that the customer becomes familiar with Internet street smarts and is able to assess the risks involved in visiting strange websites and downloading illegal software.
He should also be decently equipped before setting foot on the Internet, and have anti-virus, anti-spam and anti-spyware software installed on his computer. Banks should take precautions as well, and strengthen access control to their online banking applications by means of authentication technology. Strong authentication mechanisms come in two important flavors:

1. One-time passwords
2. Electronic signatures

One-time passwords are used for the authentication of the end-user when he logs onto the application. One-time passwords are generated based on a variable parameter, such as the time or a random number. They are valid for only a limited amount of time (typically in the range of minutes) and can only be used once. The strength of one-time passwords lies in the fact that they narrow down the window of opportunity for a fraudster to perform an attack. Hence, it becomes more difficult to perform fraudulent activities, especially when compared to what is possible when static passwords are used. One-time passwords, however, do not provide protection against the injection of or alteration to financial transactions. In order to resolve this problem, electronic signatures should be used.

Electronic signatures, the second type of authentication mechanism, authenticate the financial transactions. E-signatures allow the bank to verify whether a transaction was initiated by the genuine end-user and was not altered in transit. They prevent the fraudster from submitting transactions or modifying existing transactions. As a result, e-signatures offer the ideal security control against both local and remote man-in-the-middle attacks.

HOW DOES IT WORK?

When the end-user wants to make a financial transaction using e-signature, a Message Authentication Code (MAC) will be calculated over the transaction. The calculation uses the original transaction and a secret key as input. The secret key is something the end-user shares with the bank and which is only known by them. The result of the calculation is the so-called MAC, or e-signature. The end-user electronically submits the transaction and the corresponding MAC to the bank. Upon receipt, the bank computes the MAC over the transaction with the secret key. It then compares the calculated MAC with the MAC it received from the end-user. If both are the same, the bank is sure that the genuine end-user submitted the transaction, and that the transaction was not modified in transit. As a result, the financial transaction can then be processed. If there is no match, the bank knows that either a crook submitted the transaction, or the transaction data was altered in transit. In that case, the bank rejects the transaction.
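The sign-and-verify exchange described above, as an added example that is not part of the original document. HMAC-SHA256 as the MAC algorithm, the field names, the account numbers and the key are all assumptions constructed for illustration; the document does not name a specific algorithm.

```python
import hashlib
import hmac
import struct

# Constructed sample key (assumption); in practice provisioned per customer.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Hypothetical transaction fields, always encoded in this fixed order.
FIELDS = ("from_account", "to_account", "amount_cents", "currency")


def canonical(tx: dict) -> bytes:
    """Encode the transaction unambiguously: fixed field order and a length
    prefix per value, so shifting characters between neighbouring fields
    cannot yield a different transaction with the same byte string."""
    out = b""
    for name in FIELDS:
        value = str(tx[name]).encode("utf-8")
        out += struct.pack(">I", len(value)) + value
    return out


def sign(tx: dict, key: bytes) -> str:
    """Customer side: compute the MAC (the e-signature) over the transaction."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def bank_accepts(tx: dict, mac: str, key: bytes) -> bool:
    """Bank side: recompute the MAC and compare it in constant time."""
    return hmac.compare_digest(sign(tx, key), mac)


def demo() -> dict:
    tx = {"from_account": "ACC-1001", "to_account": "ACC-2002",
          "amount_cents": 12500, "currency": "EUR"}
    mac = sign(tx, SHARED_KEY)
    altered = dict(tx, to_account="ACC-9999")  # beneficiary changed in transit
    forged_mac = sign(altered, b"x" * 32)      # injected by someone without the key
    return {
        "genuine": bank_accepts(tx, mac, SHARED_KEY),
        "altered_beneficiary": bank_accepts(altered, mac, SHARED_KEY),
        "injected_wrong_key": bank_accepts(altered, forged_mac, SHARED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The length-prefixed encoding matters because a plain concatenation of the fields would give "ACC-2002" with amount 12500 and "ACC-20021" with amount 2500 the same byte string, and therefore the same MAC.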

2. WATERING HOLE

Watering hole attacks are considered an evolution of spear phishing attacks. They consist of injecting malicious code onto the public web pages of a website that a small group of people usually visit.

In a watering hole attack scenario, the attackers wait for victims to visit the compromised site instead of inviting them with phishing messages. The efficiency of the method could be increased with exploitation of zero-day vulnerabilities in many widely used software programs such as Internet Explorer or Adobe Flash Player.

Cyber criminals could easily compromise an improperly configured or updated website using one of the numerous exploit kits available on the black market. Usually attackers hack the target site months before they actually use it for an attack.

The methods are very efficient. It's very difficult to locate a compromised website. Watering hole is a considerably surgical attack that allows hackers to hit only a specific community; comparatively, classic phishing is less noisy. Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability. The attacker has to research and probe for a weakness on the chosen website.

Indeed, in watering hole attacks, the attackers may compromise. Once compromised, the attackers periodically connect to the website to ensure that they still have access. (Symantec)

One of the most interesting cases of watering hole attacks against a financial institution was discovered in late 2012 by RSA's First Watch research team.

The campaign was called the VOHO attack, and compromised a regional bank in Massachusetts using the tactic of crafting a watering hole. The majority of the redirection activity occurred because of JavaScript elements on two specific websites, one of a regional bank in Massachusetts and the other a local government serving Washington DC suburbs:

hxxp://www.xxxxxxxxtrust.com
hxxp://xxxxxxcountymd.gov

Despite that, it's unknown if this method was also used to compromise the watering hole sites. Files found on one of the compromised websites indicate that the server was likely compromised with a remote buffer overflow (CVE-2008-3869/CVE-2008-3870) against the server's sadmind daemon, giving the attacker the ability to establish a remote shell.

Figure: Watering Hole attack

Another famous watering hole attack against the banking sector was observed in March 2013 when several South Korean banks were hit by a widespread attack that wiped data and shut down systems. Internet banking servers went down, causing an interruption of their services, including online banking.

3. AUTOMATED ATTACKS

Financial malware comes in all shapes and sizes, and will often be tailored to target a single organization. The way the malware operates is normally determined by the bank's defences. This means there's no requirement for the cyber criminals to spend time creating unnecessarily complex malware.

There are several methods which malware authors can use to get around banking security and harvest user information. For instance, if a bank uses single-factor authentication with a static username and password, it's a simple matter of capturing keystrokes. Alternatively, some banks have created dynamic keypads so that the user needs to click a 'random' pattern in order to enter his password. Malware authors use two different methods to circumvent this type of security: they can either create screen dumps when the user visits a specific site or simply gather the information being sent to the site by grabbing the form. In both cases, the stolen data is processed later.

The use of Transaction Authorisation Numbers (TAN) for signing transactions makes gaining access to accounts somewhat more complex. The TAN may come from a physical list issued to the account holder by the financial organisation or it may be sent via SMS. In either case, the cyber criminal does not have access to the TAN. In most cases, the malware used will capture the information entered by the user in a way similar to that described above. Once the user enters the TAN, the malware will intercept this information and either display a fake error message, or send an incorrect TAN to the financial site. This may result in the user entering another TAN.
An organization may require two TANs to complete a transaction; this depends on the organization and the security systems it has decided to implement. If only one TAN is required to make a transaction, the attack described above could allow a cyber criminal to make two transactions.

The success of such an attack is highly dependent on the exact implementation of the TAN system. Some systems do not set an expiry date for TANs; it's simply a case of the next TAN on the list has to be the next TAN used. If the next TAN on the list doesn't reach the bank's site then the criminal will be able to either use it immediately, or save it for later use. However, stolen TANs have a shorter lifespan than a static username and password, due to the fact that a user who is experiencing persistent problems during an online banking session is likely to call the bank to request assistance.

Where TANs are sent to the account holder via SMS, a unique TAN can be issued for each unique transaction in a method somewhat similar to two-factor authentication. From this point onward cyber criminals have to start processing data in real time, by using a man-in-the-middle attack.

4. MOBILE MALWARE

Mobile phones today are no different from standard computers, so mobile malware is able to monitor data that is transmitted through the device to the bank's server. An additional function of mobile malware is the capability to read the user's SMS messages and send them to the attacker's C&C server. Since many banks use OTPs sent via SMS to the mobile device to authenticate logins and transactions, with this feature the attacker can always use the victim's mobile banking account since he has access to it. Attackers use the same social engineering techniques to infect online users, such as convincing them to install a newly required security application.
Recently, in 2014, new sophisticated malware called HijackRAT was detected in a malicious app, "Google Service Framework". It is capable of:

- stealing and sending SMS messages (in case of re-routing OTP token messages)
- stealing contacts
- initiating malicious app updates
- scanning for legitimate banking apps installed and replacing them with fake utilities
- disabling any mobile security software that might be installed

In the end, there are many other types of threats which function in the same way with more or less advanced controls. Because of this, banking security must evolve, and some of the security options are:

- Device fingerprinting: the ability to look at a combination of identifiable computer or mobile hardware/software attributes and IP address.
- Transaction signing: requires the user to digitally sign each transaction using signing solutions such as public key infrastructure (PKI).
- Behavioral analytics: a way to detect pattern anomalies and suspicious activities by monitoring the user session.

Submitted by: v.padmapriya (14301037), MBA-banking technology, first year