Online banking Trojans Recent developments and countermeasures

DND, ISF, ISACA member meeting 02. May 2011

André N.Klingsheim

IT security specialist, PhD

Outline

• Skandiabanken’s login procedures

• ”Traditional” Trojans

• Recent developments

• Recent security adjustments

2

The login procedures

• Online banking password

– With One Time Password (OTP) by SMS

– Or from a code card

• BankID

– BankID password

– OTP from code card

• BankID mobile

– Pin entered on mobile phone

3

Login procedures figure

4

Traditional Trojans

• Most simplistic Trojans

– Are essentially keyloggers

– Record your usernames and passwords

– Sends the data to some drop site on the Internet

– Attacker later picks up the data from drop site

– Will compromise traditional username/password

schemes (single factor authentication)

• High security sites have introduced OTPs to counter

this threat (others follow)

5

More recent Trojans

• Not so simplistic Trojans

– Target two-factor authentication

– Target systems employing reauthentication

• Means you need to supply new OTPs to

perform sensitive operations

– Attempt to steal OTPs

– Have functionality to show malicious webpages

to the user, to confuse the user into giving

several OTPs

– Requires user interaction 6

More recent Trojans II

• More advanced Trojans

– Target two-factor authentication

– Performs attack in realtime

• Overcomes short lived OTPs

• Overcomes singular OTPs

– Requires user interaction

7

Modern Trojan threat

• Advanced Trojans can conceal rogue payments:

– Rewrite payment registry

– Rewrite account statement

• Can make the attack undetectable for the user

– There are no visual indications that something is

wrong, i.e. the account statement looks ok

• We’ll have a look at the Zeus Trojan

– Screenshots stolen from Symantec video (9 mins

worth watching!)

– www.youtube.com/watch?v=CzdBCDPETxk 8

Zeus example (original page)

9

Zeus example (modified page)

10

Zeus config

11

It gets worse...

12

Combined PC/mobile Trojan threat

• Trojans on pc attempt to install mobile Trojan

– Ask customer to install ”App” during login

– Steal username/password on pc, OTP on mobile

• Some attacks reported in Europe

– This is an upcoming threat

• We haven’t seen any of these attacks in Norway yet

13

Zeus combined mobile Trojan

14•www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication

Combined PC/mobile Trojan threat II

• Mobile platforms are consolidated

– iOS (iPhone), Android, Windows Mobile 7

– Makes mobile Trojans scale better

– Increases ROI for attackers, increases our risk

• Installing the mobile Trojan still requires user

participation

– User must supply phone model and maker

– User must accept installation on the phone

15

Countermeasures

16

Our security design

• Payment authorization

– By an OTP (reauthentication)

– Or by signature, BankID/BankID

• Required for:

– Payments to new recipients

– Payments over a certain threshold

• Hampered attacks from traditional Trojans

• Balanced usability/security

17

The OTPs

• Generated securely

– Infeasible to guess them

• Short lived, 15 mins

• You can only have one valid OTP at any given

moment

– Requesting a new OTP invalidates the previous

– Forces real time attack

• OTP is tied to the operation you perform

– Login/payment/changing personal information etc18

Stopping the attack at the client

19

Recent security adjustments

• We’ve done some important security design

changes to our online bank to deal with the modern

threats

• Most noteworthy (and visible to our customers)

– Introduced contextual information with our OTPs

• The effect:

– Faced with a Trojan attack, all attempted rogue

transactions are detectable for the customer

20

OTP via SMS, with context

21

Avoiding the attack?

22

Look for mismatch between

account/amount in online

bank and mobile phone

The standard countermeasures

• These are the usual suspects

– Surveillance of Trojan activity (through partner)

– IDS/firewall/etc

– Payment monitoring

– This is not an exhaustive list

• In addition

– Tight collaboration with other Norwegian banks

– Information sharing (extremely important)

– Security collaboration, not competition23

Thank you!

• You’ll find me online:

– andre.klingsheim (at) skandiabanken (dot) no

– Blog: www.dotnetnoob.com

– Twitter: @klingsen

• I don’t want to be your Facebook friend

• Note: Skandiabanken participates with two lightning

talks at the upcoming Roots conference

24