Online banking Trojans: Recent developments and countermeasures

DND, ISF, ISACA member meeting, 2 May 2011

André N. Klingsheim, IT security specialist, PhD

DESCRIPTION

Talk on online banking Trojans at the joint DND/ISACA/ISF member meeting in Bergen on May 2, 2011.

TRANSCRIPT


Page 2

Outline

• Skandiabanken’s login procedures

• “Traditional” Trojans

• Recent developments

• Recent security adjustments

Page 3

The login procedures

• Online banking password

– With a One Time Password (OTP) sent by SMS

– Or an OTP from a code card

• BankID

– BankID password

– OTP from a code card

• BankID mobile

– PIN entered on the mobile phone

Page 4

Login procedures figure (image not included in the transcript)

Page 5

Traditional Trojans

• The most simplistic Trojans

– Are essentially keyloggers

– Record your usernames and passwords

– Send the data to a drop site on the Internet

– The attacker later picks up the data from the drop site

– Compromise traditional username/password schemes (single-factor authentication)

• High-security sites have introduced OTPs to counter this threat (others follow)

Page 6

More recent Trojans

• Not so simplistic Trojans

– Target two-factor authentication

– Target systems employing reauthentication

• Meaning you must supply new OTPs to perform sensitive operations

– Attempt to steal OTPs

– Have functionality to show malicious web pages to the user, to trick the user into giving up several OTPs

– Require user interaction

Page 7

More recent Trojans II

• More advanced Trojans

– Target two-factor authentication

– Perform the attack in real time

• Overcomes short-lived OTPs

• Overcomes single-use OTPs

– Require user interaction

Page 8

Modern Trojan threat

• Advanced Trojans can conceal rogue payments:

– Rewrite the payment registry

– Rewrite the account statement

• Can make the attack undetectable for the user

– There are no visual indications that something is wrong, i.e. the account statement looks OK

• We’ll have a look at the Zeus Trojan

– Screenshots taken from a Symantec video (9 minutes, worth watching!)

– www.youtube.com/watch?v=CzdBCDPETxk

Page 9

Zeus example (original page)

Page 10

Zeus example (modified page)

Page 11

Zeus config

Page 12

It gets worse...

Page 13

Combined PC/mobile Trojan threat

• Trojans on the PC attempt to install a mobile Trojan

– Ask the customer to install an “app” during login

– Steal the username/password on the PC, the OTP on the mobile

• Some attacks reported in Europe

– This is an upcoming threat

• We haven’t seen any of these attacks in Norway yet

Page 14

Zeus combined mobile Trojan

• www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication

Page 15

Combined PC/mobile Trojan threat II

• Mobile platforms have consolidated

– iOS (iPhone), Android, Windows Phone 7

– Makes mobile Trojans scale better

– Increases ROI for attackers, increases our risk

• Installing the mobile Trojan still requires user participation

– The user must supply the phone model and maker

– The user must accept the installation on the phone

Page 16

Countermeasures

Page 17

Our security design

• Payment authorization

– By an OTP (reauthentication)

– Or by signature, BankID / BankID mobile

• Required for:

– Payments to new recipients

– Payments over a certain threshold

• Hampers attacks by traditional Trojans

• Balanced usability/security

Page 18

The OTPs

• Generated securely

– Infeasible to guess

• Short-lived: 15 minutes

• You can only have one valid OTP at any given moment

– Requesting a new OTP invalidates the previous one

– Forces a real-time attack

• The OTP is tied to the operation you perform

– Login, payment, changing personal information, etc.

Page 19

Stopping the attack at the client (figure not included in the transcript)

Page 20

Recent security adjustments

• We’ve made some important security design changes to our online bank to deal with the modern threats

• Most noteworthy (and visible to our customers)

– Introduced contextual information with our OTPs

• The effect:

– Faced with a Trojan attack, all attempted rogue transactions are detectable by the customer

Page 21

OTP via SMS, with context (screenshot not included in the transcript)

Page 22

Avoiding the attack?

Look for a mismatch between the account/amount shown in the online bank and on the mobile phone
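The OTP properties listed on slide 18 (short-lived, only one valid at a time, tied to the operation) and the contextual SMS of slides 20–22 can be seen together in a small simulation. This is an added example, not Skandiabanken’s code or anything shown in the talk; the six-digit code format, the 5000 NOK threshold, the account numbers, the customer name and the SMS wording are all constructed assumptions. It also models the slide 17 rule for when a payment needs reauthentication, and shows why a keylogged login OTP (slide 5) is useless for a payment.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

OTP_TTL_SECONDS = 15 * 60   # "Short lived, 15 mins" (slide 18)
AMOUNT_THRESHOLD = 5000     # assumed threshold in NOK; the slides give no figure


@dataclass
class Payment:
    to_account: str
    amount: int


@dataclass
class Session:
    known_recipients: set
    current_otp: Optional[dict] = None       # at most one valid OTP at any moment
    sms_log: list = field(default_factory=list)


def needs_authorization(session: Session, p: Payment) -> bool:
    """Slide 17: reauthenticate for new recipients or amounts over the threshold."""
    return p.to_account not in session.known_recipients or p.amount > AMOUNT_THRESHOLD


def issue_otp(session: Session, operation: str, context: str, now: float) -> str:
    """Issue a fresh OTP bound to one operation and its context.
    Issuing a new OTP replaces, and thereby invalidates, any earlier one."""
    code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG-generated; 6 digits is an assumed format
    session.current_otp = {"code": code, "operation": operation,
                           "context": context, "issued": now}
    # The SMS repeats the context exactly as the server received it, so a
    # payment rewritten in the browser shows up as a mismatch on the phone.
    session.sms_log.append(f"Code {code} for {operation}: {context}")
    return code


def verify_otp(session: Session, code: str, operation: str,
               context: str, now: float) -> bool:
    """Accept the OTP only if it is the current one, unexpired, and issued for
    this operation and this context. A successful use consumes it."""
    otp = session.current_otp
    if otp is None or now - otp["issued"] > OTP_TTL_SECONDS:
        return False
    if otp["operation"] != operation or otp["context"] != context:
        return False
    if not hmac.compare_digest(otp["code"], code):
        return False        # a real system would also cap wrong attempts
    session.current_otp = None
    return True


def payment_context(p: Payment) -> str:
    return f"{p.amount} NOK to account {p.to_account}"


def submit_payment(session: Session, intended: Payment, received: Payment, now: float):
    """`intended` is what the customer typed; `received` is what the server got
    (identical unless a man-in-the-browser Trojan rewrote the request).
    Returns (otp_required, sms_text, customer_sees_mismatch)."""
    if not needs_authorization(session, received):
        return False, None, False
    issue_otp(session, "payment", payment_context(received), now)
    sms = session.sms_log[-1]
    return True, sms, payment_context(intended) not in sms


def demo() -> dict:
    s = Session(known_recipients={"1234.56.78903"})   # constructed account number
    t0 = 1_000_000.0
    r = {}
    # A keylogged login OTP replayed for a payment: wrong operation, rejected.
    login_code = issue_otp(s, "login", "user alice", t0)
    r["login_otp_for_payment"] = verify_otp(s, login_code, "payment", "any", t0 + 5)
    # Requesting a new OTP invalidates the previous one.
    first = issue_otp(s, "payment", "A", t0)
    second = issue_otp(s, "payment", "A", t0 + 1)
    r["old_after_new"] = verify_otp(s, first, "payment", "A", t0 + 2)
    r["new_after_new"] = verify_otp(s, second, "payment", "A", t0 + 3)
    # An OTP older than 15 minutes is expired.
    code = issue_otp(s, "payment", "B", t0)
    r["expired"] = verify_otp(s, code, "payment", "B", t0 + OTP_TTL_SECONDS + 1)
    # Honest payment to a known recipient under the threshold: no OTP needed.
    p = Payment("1234.56.78903", 1200)
    r["honest"] = submit_payment(s, p, p, t0)
    # A Trojan rewrites the recipient to a mule account; the SMS reveals it.
    mule = Payment("9876.54.32109", 1200)
    required, sms, mismatch = submit_payment(s, p, mule, t0)
    r["mitb"] = (required, mismatch)
    r["mitb_sms"] = sms
    # The OTP is tied to the payment the server actually saw, and works once only.
    code = s.current_otp["code"]
    r["first_use"] = verify_otp(s, code, "payment", payment_context(mule), t0 + 60)
    r["replay"] = verify_otp(s, code, "payment", payment_context(mule), t0 + 61)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `submit_payment` split between `intended` and `received` is that the server can never know what the customer’s compromised browser displayed; it can only echo what it received into an out-of-band channel and rely on the customer to compare, which is exactly the mismatch check slide 22 asks for.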

Page 23

The standard countermeasures

• These are the usual suspects

– Surveillance of Trojan activity (through a partner)

– IDS/firewall/etc.

– Payment monitoring

– This is not an exhaustive list

• In addition

– Tight collaboration with other Norwegian banks

– Information sharing (extremely important)

– Security collaboration, not competition

Page 24

Thank you!

• You’ll find me online:

– andre.klingsheim (at) skandiabanken (dot) no

– Blog: www.dotnetnoob.com

– Twitter: @klingsen

• I don’t want to be your Facebook friend

• Note: Skandiabanken participates with two lightning talks at the upcoming Roots conference