Best Security Practices Online Banking
7/30/2019 Best Security Practices Online Banking
http://slidepdf.com/reader/full/best-security-practices-online-banking 1/13
BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS
TABLE OF CONTENTS

1. BEST SECURITY PRACTICES
Home banking platforms have been implemented as an ever more efficient channel for banking transactions. However, these web-based applications are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals.

2. EASY SOLUTIONS' FOCUS ON PROTECTION
Easy Solutions recommends implementing robust authentication strategies to strengthen the authentication process, not only because of the pressure to meet regulations but also because of the high exposure of e-banking platforms to attacks.

3. DetectID
DetectID is the only authentication platform that combines the potentiality of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware.

4. ABOUT EASY SOLUTIONS, INC.
Easy Solutions is the only security vendor focused exclusively on fraud prevention, providing anti-phishing services and research, multifactor authentication and anomaly transaction detection.
1. BEST SECURITY PRACTICES

For several years now, electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office.

In the end, however, these home banking platforms are web-based applications that are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. These are some reasons why e-banking platforms are such an alluring objective for criminals to attack:

- E-banking platforms are openly exposed over the Internet;
- The users are very appealing, since ultimately their intention is to carry out a financial transaction;
- The authentication GAP, which is the technical term commonly used for referring to the intrinsic vulnerability of the authentication process. In highly exposed environments, such as e-banking platforms, this GAP is reflected in the little or total lack of control the authenticating institution (the financial institution) has over the authenticating elements (the users), since no control exists over the medium (the Internet and the computer connection used in accessing the home banking platform).

The evolution history of these attacks began more than 7 years ago, initiating what quickly became known as phishing. Its sophistication has increased on par with the new security technologies adopted by the banking industry intended to mitigate the problem.

The following graph shows the evolution of the security problem affecting e-banking platforms over the last years.

[Graph: Evolution of Threat. Trend: increasing sophistication; increasingly personalized; shift towards blended malware attacks.]
In its report of April 2, 2009, "The War on Phishing is Far From Over", Gartner shows the results of this attack methodology on the U.S. population, where 5 million consumers lost money due to phishing or its variants through the end of September 2008.

For Easy Solutions, some of the issues that make us conclude the war against phishing is far from over are the following:

- The authentication schemes currently in use base their robustness on the end-user's decisions, which makes them entirely vulnerable to social engineering attacks. For example, in authentication schemes based on One Time Password (OTP), the end-users should determine that they're connected to the right website and consequently log in using their OTP;
- This opened the doors to malicious people who carry out attacks against e-banking platforms, who focus their efforts on pharming attacks + malware that allows:
  - Poisoning the hosts file to add re-directing entries, as shown in the following graph;
  - More sophisticated attacks involving malware + pharming + man-in-the-middle proxy, in which the targeted e-banking sites are re-directed to the loopback address 127.0.0.1 (localhost), where a man-in-the-middle proxy is running, listening to the communications between the client and the server, which enables the attacker to modify the messages in real time.

The following graph shows a real case in Latin America of a hosts file modified by an attack of this nature.

[Graph: hosts file modified by a pharming attack (real case, Latin America).]

Next, a hypothetical example is presented that shows the process of stealing credentials in this type of attack.

[Figure: the user enters the real home banking platform through the man-in-the-middle proxy; credentials entered by the user in the browser.]

Once the user enters his/her credentials, the man-in-the-middle proxy captures them, as shown in the following graph.

[Figure: credentials captured by the man-in-the-middle proxy.]

The capture platform provides the attacker with all the necessary information to hijack the session, using the session cookie and the access credentials, including the OTP, which they will have 30 to 60 seconds to use before it expires.

A point worth mentioning is that this same platform allows the attacker to manipulate the data moving between client and server. That way the attacker can wait for the moment a transaction takes place in order to manipulate the data of the account receiving the funds while the transaction is on its way to the e-banking platform.

Since December 3, 2008, when the first great password-stealing malware appeared as a Mozilla plug-in that stole information sent out to 100 financial sites, including anz.com, bankofamerica.com, lloydstsb.co.uk and PayPal, the evolution of these types of attacks has been unparalleled.

Gartner, in its report "New Bank-Targeted Trojan via Firefox Saps Consumer Confidence", considers that these types of attacks will be copied and improved as criminals continue innovating on unauthorized access to financial accounts.
2. EASY SOLUTIONS' FOCUS ON PROTECTION

Easy Solutions recommends implementing robust authentication strategies to strengthen the authentication process, not only because of the pressure to meet regulations but also because of the high exposure of e-banking platforms to phishing and pharming attacks, which can compromise the organization's image and produce financial losses.

When defining authentication strategies, it is important to keep in mind the different vectors of phishing and pharming attacks. Some are presented here:

- Social engineering attacks that mislead the end user;
- Man-in-the-middle attacks that listen to the communication between client and server;
- Man-in-the-browser attacks that re-direct the end user to counterfeit sites with the intention of stealing the end user's credentials;
- Malware attacks that poison the hosts file and/or DNS to re-direct the user to counterfeit sites with the intent of stealing the end user's credentials;
- Trojan proxies that install an HTTP redirector running on the local address 127.0.0.1, which re-directs all of the browser's traffic to this proxy, making a copy of the messages and sending them to the attacker.

From all of the above, it can be concluded that there is no single strategy that covers all the different dangers threatening e-banking platforms. On the contrary, focusing on a multi-layer protection approach is the best alternative for massive authentication processes of applications that are highly exposed on the Internet, including a mix of different factors that allow:

- Shielding the authentication cycle from malicious processes that can affect the end user's station;
- Providing user-to-site authentication strategies which allow the end user to verify that the connection is indeed established with the correct site;
- Implementing authentication factors that eliminate user decisions from the authentication equation;
- Implementing authentication factors based on knowledge (what the bank knows about the end user);
- Implementing authentication factors based on something that the user has (OTP, USB device, etc.);
- Offering complementary protection for the end user's station;
- Communicating the occurrence of potential transaction frauds to the end user.

To summarize, it is important to define an authentication strategy which grows on the foundation of a platform that can add multiple security factors and/or methods for the authentication of applications exposed on the Internet.

The different products that make up the protection strategy involve a focus on multi-level protection, as described below.

Easy Solutions' Total Fraud Protection (ETFP) combines different technologies that allow it to stop a fraud attack during any phase.

[Diagram: Easy Solutions Total Fraud Protection mapped to the phases of a fraud attack (Attack Planning; Attack Setup & Launch, covering computer exploit, root list and mass mailers; Credential Collection; Cashing), with Detect Monitoring Service, Risk Based Authentication and Shutdown Services covering those phases.]
3. DetectID

DetectID is the only authentication platform that combines the potentiality of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware.

The following graph shows how DetectID keeps a registry of the processes running on the end device while an online banking session is taking place.

[Graph: registry of processes running on the end device during an online banking session.]

DetectID allows taking the user out of the authentication equation by means of its powerful device authentication engine, which through the use of hardware allows truly authenticating a device.

DetectID implements the user-to-site authentication concept by means of IdentiSite®, which allows each user to define a secret image with the bank to identify when he/she is truly connected with the entity.

DetectID also includes a proprietary implementation of OTP (One Time Password) that allows out-of-band authentication schemes via email or mobile phone. Integration with leading technologies of the physical OTP industry such as Vasco and RSA is also possible.

The following table compares the different factors and authentication methods with the security they offer and the resistance to the different threats that affect e-banking platforms, as shown in this study.

[Table: Factors vs. Protection. The check-mark criteria (Offers Strong Authentication; Resists Man-in-the-Middle Attacks; Resists Man-in-the-Browser Attacks; Is easy to manage; Is easy to implement; Resists Social Engineering Attacks; Implements User-to-Site Authentication; Offers Multi-Layer Protection) are not reproduced in this transcript; the two numeric columns are.]

Factor                               TCO (1 cheapest ... 5 most expensive)   Total Security (1 least secure ... 5 most secure)
Passwords                            1                                       1
One Time Password (OTPs)             5                                       3
Coordination Cards                   2                                       2
Device Authentication                2                                       4
Image Authentication                 1                                       1
Challenge Questions                  1                                       1
USB Tokens                           3                                       3
Digital Certificates                 4                                       3
Authentication + Malware Detection   4                                       5
DetectID Authentication Framework    3                                       5
4. ABOUT EASY SOLUTIONS

Easy Solutions is simplifying the way businesses deal with and effectively deploy security for online transactions. We provide solutions for identifying and preventing online transaction fraud while helping institutions comply with existing US domestic and international two-factor authentication requirements. Using our advanced transaction fraud prevention solutions, we help protect online businesses and enterprise applications from phishing attacks, online credential theft and Internet fraud threats.

Our software solutions are simple to manage and easy to deploy. Our patent-pending technologies provide identification of devices with unprecedented accuracy while protecting users by monitoring transaction behavior for activity associated with fraud.

By simplifying online transaction security, Easy Solutions gives consumers, online merchants and financial institutions the ability to focus on their business instead of worrying about the safety of their transactions.

Online security experts with years of extensive knowledge and experience in protecting enterprises from traditional security threats, online fraud and Internet phishing attacks developed Easy Solutions' intellectual property and technologies.

Working closely with leading security companies and leading financial enterprises with large online customer communities, Easy Solutions continuously collects and understands the latest methods used by online criminals.

This knowledge is combined with our patent-pending behavioral monitoring that protects users on a per-transaction basis. The transaction monitoring is backed up with continuous identification of attributes collected from end-user devices to create a unique device fingerprint that enables forensic identification. These capabilities are delivered in a simple, effective software package, providing our customers the ability to protect sensitive customer transactions and data while complying with business regulatory requirements.

One of the most important aspects of our solution is that no change in behavior is required on behalf of the users, and the implementation is easy for both the business and its customers. Easy Solutions is the only security vendor focused exclusively on fraud prevention, providing anti-phishing services and research, multifactor authentication and anomaly transaction detection.

The capacity to react to new threats in the antifraud protection field is based on our proprietary technology and on the methodology to face each threat in an integral way, implemented through Easy Solutions' Total Fraud Protection Strategy.

Copyright ©2009, Easy Solutions, Inc. All rights reserved worldwide. Easy Solutions, the Easy Solutions logo, DetectID, DetectTA, Detect Professional Service and Detect Monitoring Service are trademarks of Easy Solutions, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

Headquarters:
1401 Sawgrass Corporate Parkway, Sunrise, FL 33323 - Phone: +1-866-524-4782
Latin America:
Calle 93A No. 14 – 17 Of. 506 Bogota, Colombia - Phone: +57 1-2362455
www.easysol.net