ONLINE BANKING ATTACKS LEARNING THE LESSONS

Richard Martin

Business Security Consultant

Payments Council


About The Payments Council

• Voice of the payments industry

• Payment scheme management – we run BACS, CHAPS, Faster Payments, cheques, cash…

– The schemes we manage processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion)

• Protecting the integrity of UK payments systems

The world we live in

• Internet is a major channel for banks and payments

• Challenges

– Internet is not secure

– Customer PCs are not secure

– But customers love it, and banks love it

[Chart: annual series 2000-2009, y-axis in millions]

What’s the problem?

[Chart: net loss to banks from online banking fraud, 2004-10, in £m per financial year, split H1/H2, 2010 estimated]

What is being attacked?

• Not the bank (so much)

• The customer (social engineering)

– “Hacking the Human”

– Static authentication credentials and card details, “data that never changes”, which can therefore be stolen, copied or given away

• The customer’s computer (technical attacks)

– Exploitable OS

– Exploitable browsers

– Exploitable 3rd-party software, extensions and add-ins

– Exploitable network components

– Etc…

Don’t discount phishing

[Chart: monthly phishing incidents, Jan-09 to Oct-10]

It’s still here

Because it works!

Survey response                                   2004    2006    2008    2009
Would ignore / delete a phishing email             65%     50%     57%     59%
Would ask bank for advice                          28%     39%     31%     31%
“Would act on it”                                   4%    3.8%      4%      6%
Under-24-year-olds who “would act on it”           12%     12%     12%     13%

Malware

• Some names to remember: Torpig (aka Sinowal), Zeus (aka Zbot), SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon…

• Controlled distribution: targeted, low infection numbers, quiet operation

• VERY LOW AV DETECTION – IN SOME RECENT CASES 0%

• Bullet-proof hosting of C&C is the professional’s choice

• Two-factor authentication is now a target

• Man in the Browser is the new Man in the Middle

• Scripting: automated payment injection

• They work, but:

– Difficult to industrialise

– Their effect can be detected (odd GET and POST data, old or nonexistent field names, unusual browser headers, etc.)
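The last bullet is the server-side tell: a browser running injected HTML or a scripted payment posts field names the real page never emitted (or stopped emitting years ago), leaves out fields the page always sends, and carries headers no ordinary browser submission would. The following is an added example, not code from the Payments Council presentation, of triage over logged form submissions. FORM_SCHEMA, RETIRED_FIELDS, the bank.example origin and the three sample requests are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical per-form schema: the field names the bank's own page emits.
# Constructed for this example; a real deployment derives it from its templates.
FORM_SCHEMA = {
    "/login": {"username", "password", "csrf_token"},
    "/payments/new": {"payee_sort_code", "payee_account", "amount",
                      "reference", "csrf_token"},
}

# Field names retired in earlier page redesigns (constructed). A browser still
# posting them is running script written against an old layout, which is what
# injected HTML from a MITB kit looks like from the server side.
RETIRED_FIELDS = {"memorable_word", "pin_digits", "card_cvv"}

# Headers a real browser form submission carries; scripted injection from a raw
# HTTP client often omits some of them.
REQUIRED_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Referer")
BANK_ORIGIN = "https://bank.example/"   # hypothetical site origin


@dataclass
class Request:
    method: str
    path: str
    fields: dict     # parsed form body (POST) or query string (GET)
    headers: dict


def analyse(req: Request, session_user_agent: str) -> list:
    """Return the anomalies found in one request; an empty list means clean."""
    findings = []
    if req.method != "POST":
        findings.append(f"{req.method} used for a form that is only ever POSTed")
    expected = FORM_SCHEMA.get(req.path)
    if expected is None:
        return findings + [f"unknown form path {req.path}"]

    names = set(req.fields)
    for name in sorted(names & RETIRED_FIELDS):
        findings.append(f"retired field {name!r} submitted")
    for name in sorted(names - expected - RETIRED_FIELDS):
        findings.append(f"unexpected field {name!r} submitted")
    for name in sorted(expected - names):
        findings.append(f"expected field {name!r} missing")

    for header in REQUIRED_HEADERS:
        if header not in req.headers:
            findings.append(f"browser header {header} absent")
    user_agent = req.headers.get("User-Agent")
    if user_agent is not None and user_agent != session_user_agent:
        findings.append("User-Agent changed mid-session")
    referer = req.headers.get("Referer", "")
    if referer and not referer.startswith(BANK_ORIGIN):
        findings.append(f"form posted from foreign Referer {referer}")
    return findings


def triage(requests, session_user_agent: str) -> dict:
    """Map request index -> findings for every request with at least one anomaly."""
    flagged = {}
    for index, req in enumerate(requests):
        findings = analyse(req, session_user_agent)
        if findings:
            flagged[index] = findings
    return flagged


# Constructed sample traffic: one clean submission and two that a MITB kit or
# an automated payment-injection script would produce.
SESSION_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6.12) Gecko/20101026 Firefox/3.6.12"
BROWSER_HEADERS = {"User-Agent": SESSION_UA, "Accept": "text/html",
                   "Accept-Language": "en-GB", "Referer": BANK_ORIGIN + "payments/new"}
SAMPLE_REQUESTS = [
    Request("POST", "/payments/new",
            {"payee_sort_code": "40-00-00", "payee_account": "12345678",
             "amount": "120.00", "reference": "Rent", "csrf_token": "a1b2"},
            dict(BROWSER_HEADERS)),
    # Injected HTML asked for extra secrets the real login page dropped years ago.
    Request("POST", "/login",
            {"username": "alice", "password": "hunter2", "csrf_token": "c3d4",
             "memorable_word": "rosebud", "card_cvv": "123"},
            dict(BROWSER_HEADERS, Referer=BANK_ORIGIN + "login")),
    # Scripted payment built from a raw HTTP client: the reference field the
    # page always sends is missing, browser headers are absent, and the
    # User-Agent is not the one the session started with.
    Request("POST", "/payments/new",
            {"payee_sort_code": "99-99-99", "payee_account": "87654321",
             "amount": "4999.00", "csrf_token": "a1b2"},
            {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)", "Accept": "*/*"}),
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_REQUESTS, SESSION_UA).items():
        print(index, findings)
```

None of these checks is proof on its own: a customer with a privacy extension can drop Referer, and a genuine page rollout changes the field set. Their value is in combination and over time, which is why the slide lists them as signals that the malware's effect can be detected rather than as a blocking control.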

Malware features: Zeus

• Probably the most significant identity theft malware in existence (but may be about to go into decline)

• Nicely written, regularly updated, full technical support for customers

• Targets two-factor authentication

• Man in the browser, HTML injection, etc.

• Some banks are using out-of-band authentication with mobile phones as a means of combating MITB

• Customers are sent a one-time passcode or a challenge via SMS or voice

Mobile phones for two-factor

• Out-of-band authentication

• Good in principle

– Increases the challenge of interception

• Practical challenges:

– Ensuring all customers have a phone

– That it is switched on and in range

– SMS delivery is not guaranteed or SLA’d

– Bringing other parties into the authentication loop: don’t ignore the risks

• Attacks in Turkey, South Africa, Australia, Spain and the UK

– Account takeover, redirection of replacement SIMs

– Phone call redirection

Zeus SMS

• Zeus-infected victim is asked to provide their mobile model and number

• SMS containing a link to “a new security certificate” is sent to the phone

• Victim clicks on the link and the malware installs

• For Symbian devices, the bad guys obtained a genuine developer certificate, since revoked (but Nokia don’t use OCSP!)

• Malware includes a cracked version of SMS Monitor. SMS traffic from known bank SMS numbers is intercepted and redirected to C&C

• Incoming SMS from the C&C number is used to issue commands

• Malware can create/delete entries in the phonebook

• C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom)
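The two slides above describe out-of-band SMS or voice codes as the MITB countermeasure, and the Zeus SMS component that defeats them by intercepting the second channel. The following added example (mine, not the Payments Council’s; the bank server, SERVER_KEY, phone number and account numbers are hypothetical and constructed) shows why the code has to be bound to the transaction it authorises, and exactly where that stops helping.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret that never leaves the bank's server (in
# practice kept in an HSM). Hard-coded here only so the example runs offline.
SERVER_KEY = b"demo-key-do-not-use-in-production"
CHALLENGE_TTL_SECONDS = 300


def transaction_code(key: bytes, payee_account: str, amount_pence: int, nonce: str) -> str:
    """Six-digit code derived HOTP-style from the transaction details.

    Payee and amount are inputs to the MAC, so a code issued for one payment
    cannot authorise a different one, whatever the browser shows or sends.
    """
    msg = f"{payee_account}|{amount_pence}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    truncated = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 1_000_000:06d}"


class OutOfBandChallenge:
    """Issues and verifies transaction-bound codes sent over a second channel."""

    def __init__(self, key: bytes, send_sms, clock=time.time):
        self.key = key
        self.send_sms = send_sms      # callable(phone_number, text); real SMS gateway in practice
        self.clock = clock
        self.pending = {}             # challenge_id -> (nonce, issued_at)

    def issue(self, phone_number: str, payee_account: str, amount_pence: int) -> str:
        nonce = secrets.token_hex(8)
        challenge_id = secrets.token_hex(8)
        code = transaction_code(self.key, payee_account, amount_pence, nonce)
        self.pending[challenge_id] = (nonce, self.clock())
        # The message repeats the details the server will act on, so a customer
        # whose browser was showing something else can refuse to type the code.
        self.send_sms(phone_number,
                      f"Pay GBP {amount_pence / 100:.2f} to account ending "
                      f"{payee_account[-4:]}? Code {code}. If wrong, call us.")
        return challenge_id

    def confirm(self, challenge_id: str, payee_account: str, amount_pence: int, code: str) -> bool:
        entry = self.pending.pop(challenge_id, None)   # single use, even on failure
        if entry is None:
            return False
        nonce, issued_at = entry
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        # Recompute over the details actually submitted for execution. A MITB
        # that rewrites payee or amount after the SMS went out changes the MAC
        # input, so the code the customer typed no longer matches.
        expected = transaction_code(self.key, payee_account, amount_pence, nonce)
        return hmac.compare_digest(expected, code)


def run_scenarios() -> dict:
    """Honest flow, post-issue tampering, pre-issue tampering, and replay."""
    outbox = []   # constructed stand-in for the SMS channel
    svc = OutOfBandChallenge(SERVER_KEY, lambda number, text: outbox.append(text))

    def code_from(text: str) -> str:
        return text.split("Code ")[1][:6]

    # 1. What the customer saw is what the server MACs.
    cid = svc.issue("+447700900123", "12345678", 12000)
    honest = svc.confirm(cid, "12345678", 12000, code_from(outbox[-1]))

    # 2. MITB rewrites the confirmation POST to a mule account after the SMS.
    cid = svc.issue("+447700900123", "12345678", 12000)
    tampered = svc.confirm(cid, "87654321", 499900, code_from(outbox[-1]))

    # 3. MITB rewrote the request before the challenge was issued. The code
    #    would verify; the only remaining defence is that the SMS names the
    #    mule payment rather than what the browser displayed.
    svc.issue("+447700900123", "87654321", 499900)
    sms_text = outbox[-1]

    # 4. A code is single use.
    cid = svc.issue("+447700900123", "12345678", 12000)
    code = code_from(outbox[-1])
    first = svc.confirm(cid, "12345678", 12000, code)
    replay = svc.confirm(cid, "12345678", 12000, code)

    return {"honest": honest, "tampered": tampered, "sms_text": sms_text,
            "first": first, "replay": replay}


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 2 fails because payee and amount are MAC inputs: a code issued for £120 to one account cannot authorise £4,999 to another, however the browser rewrote the POST. Scenario 3 is the limit of the technique: if the injection happened before the challenge was issued, the server binds the code to the mule payment, and the customer reading the SMS text is the last line of defence. In the Zeus SMS case that message is intercepted on the handset and redirected to the C&C, so that last check disappears too, which is why the slides treat the second channel as a target rather than a guarantee.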

Making a difference: Zeus arrests

• 11 arrests in the UK (mainly mules)

• 38 in the USA (ditto)

• 5 in Ukraine

• Consequences: Zeus the subject of a “takeover” by the SpyEye coder, with functionality to be migrated to SpyEye

Where are the real vulnerabilities?

• OS

– 95% of customers use Windows

– 90% of Windows installs ARE up to date

– Browsers: ditto for the most part, although Firefox can be a mess

• Ubiquitous 3rd-party software

– 80% of Adobe Flash installs are NOT up to date

– 84% of Adobe Acrobat installs are NOT up to date

– “Trusted” software does not always act in the users’ best interests: some of the most popular iPhone games contain spyware

“Reaction time is a factor”

• If you have something of interest and value to a criminal, expect their full attention

• They may not be after you, but they will be after your customers

• Don’t assume that your challenge ends at the perimeter: that is where it begins

• Criminal gangs react very quickly to new defences

• Banks have learned a lot over the last few years. What happens when the bad guys move on to easier targets?


Expect the unexpected
