BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS

7/30/2019 Best Security Practices Online Banking

http://slidepdf.com/reader/full/best-security-practices-online-banking 1/13


www.easysol.net 2

TABLE OF CONTENTS

1. BEST SECURITY PRACTICES
Home banking platforms have been implemented as an ever more efficient channel for banking transactions. However, these web-based applications are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals.

2. EASY SOLUTIONS’ FOCUS ON PROTECTION
Easy Solutions recommends implementing robust authentication strategies to strengthen the authentication process, not only because of the pressure to comply with regulations, but also because of the high exposure of e-banking platforms to attacks.

3. DetectID
DetectID is the only authentication platform that combines the potentiality of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware.

4. ABOUT EASY SOLUTIONS, INC
Easy Solutions is the only security vendor focused exclusively on fraud prevention, providing anti-phishing services and research, multifactor authentication and anomaly transaction detection.


1. BEST SECURITY PRACTICES

For several years now, electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office.

In the end, however, these home banking platforms are web-based applications that are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. These are some reasons why e-banking platforms are such an alluring objective for criminals to attack:

- E-banking platforms are openly exposed over the Internet;
- The users are very appealing, since ultimately their intention is to carry out a financial transaction;
- The authentication GAP, which is the technical term commonly used for referring to the intrinsic vulnerability of the authentication process. In highly exposed environments, such as e-banking platforms, this GAP is reflected in the little or total lack of control the authenticating institution (financial institution) has over the authenticating elements (users), since no control exists over the medium (the Internet and the computer connection used to access the home banking platform).

Evolution of Threat

(Graph: trend of increasing sophistication, increasingly personalized attacks, and a shift towards blended malware attacks.)

The evolution history of these attacks began more than 7 years ago, initiating what quickly became known as phishing. Its sophistication has increased on par with the new security technologies adopted by the banking industry intended to mitigate the problem.

The following graph shows the evolution of the security problem affecting e-banking platforms over the last years.

In its report of April 2, 2009, "The War on Phishing is Far From Over", Gartner shows the results of this attack methodology on the U.S. population, where 5 million consumers lost money due to phishing or its variants through the end of September 2008.

For Easy Solutions, some of the issues that make us conclude the war against phishing is far from over are the following:

- The authentication schemes currently in use base their robustness on the end-user’s decisions, which makes them entirely vulnerable to social engineering attacks. For example, in authentication schemes based on One Time Passwords (OTP), the end-users should determine that they are connected to the right website and consequently log in using their OTP;

This opened the doors to malicious people who carry out attacks against e-banking platforms, who focus their efforts on pharming attacks + malware that allows:

- Poisoning the hosts file to add re-directing entries, as shown in the following graph;
- More sophisticated attacks involving malware + pharming + man-in-the-middle proxy, in which the targeted e-banking sites are re-directed to the loopback address 127.0.0.1 (localhost), where a man-in-the-middle proxy is running, listening to the communications between the client and the server, which enables the attacker to modify the messages in real time.

The following graph shows a real case in Latin America of a hosts file modified by an attack of this nature.

Next, a hypothetical example is presented that shows the process of stealing credentials in this type of attack.

(Graph: the user enters the real home banking platform through the Man-in-the-Middle Proxy; credentials entered by the user in the browser.)

Once the user enters his/her credentials, the Man-in-the-Middle Proxy captures them, as shown in the following graph.

(Graph: credentials captured by the Man-in-the-Middle Proxy.)

The capture platform provides the attacker with all the necessary information to hijack the session, using the session cookie and the access credentials, including the OTP, which they will have 30 to 60 seconds to use before it expires.

A point worth mentioning is that this same platform allows the attacker to manipulate the data moving between client and server. That way the attacker can wait for the moment a transaction takes place in order to manipulate the data of the account receiving the funds while the transaction is on its way to the e-banking platform.

Since December 3 of 2008, when the first great password-stealing malware appeared as a Mozilla plug-in that stole information sent out to 100 financial sites including anz.com, bankofamerica.com, lloydstsb.co.uk and PayPal, the evolution of these types of attacks has been unparalleled.

Gartner, in its report "New Bank-Targeted Trojan via Firefox Saps Consumer Confidence", considers that these types of attacks will be copied and improved as criminals continue innovating on unauthorized access to financial accounts.
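Added here as an illustration, not code from the whitepaper or from Easy Solutions: a defender-side check that parses hosts-file content and flags entries that map financial domains to the loopback address (the local man-in-the-middle proxy case described above) or to any other static override. The watch list and the sample hosts file are constructed for the example.

```python
import ipaddress

# Constructed watch list; the bank domains are the ones the page cites as targeted.
WATCHED_DOMAINS = {"anz.com", "bankofamerica.com", "lloydstsb.co.uk", "paypal.com"}
# Names that legitimately map to loopback and must not raise an alert.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for each mapping; '#' comments and blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:  # one address may carry several hostnames
            yield fields[0], name.lower().rstrip("."), lineno


def _is_watched(hostname):
    """True for a watched domain or any subdomain of it (e.g. www.anz.com)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_poisoned_entries(text):
    """Return findings for hosts entries that hijack watched domains."""
    # reason 'loopback': the bank name points at 127.0.0.1/::1, i.e. a local
    # man-in-the-middle proxy; 'override': any other static DNS override.
    findings = []
    for ip, hostname, lineno in parse_hosts(text):
        if hostname in LOOPBACK_NAMES or not _is_watched(hostname):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field, not a usable mapping
        reason = "loopback" if addr.is_loopback else "override"
        findings.append({"line": lineno, "ip": ip, "host": hostname, "reason": reason})
    return findings


# Constructed sample modelled on the modified hosts file described above.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
# the lines below are the kind of entries a pharming trojan adds
127.0.0.1   www.bankofamerica.com bankofamerica.com
198.51.100.7  www.anz.com   # RFC 5737 documentation address standing in for an attacker host
"""

if __name__ == "__main__":
    for f in find_poisoned_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Run against a real hosts file, the check belongs on an endpoint agent or in a periodic integrity scan, alongside a baseline hash of the file so any change is noticed even for domains outside the watch list.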

2. EASY SOLUTIONS’ FOCUS ON PROTECTION

Easy Solutions recommends implementing robust authentication strategies to strengthen the authentication process, not only because of the pressure to comply with regulations, but also because of the high exposure of e-banking platforms to phishing and pharming attacks, which can compromise the organization’s image and produce financial losses.

When defining authentication strategies, it is important to keep in mind the different vectors of phishing and pharming attacks. Some are presented here:

- Social engineering attacks that mislead the end user;
- Man-in-the-Middle attacks that listen to the communication between client and server;
- Man-in-the-Browser attacks that re-direct the end user to counterfeit sites with the intention of stealing the end user’s credentials;
- Malware attacks that poison the hosts file and/or DNS to re-direct the user to counterfeit sites with the intent of stealing the end user’s credentials;
- Trojan proxies that install an HTTP redirector running on the local address 127.0.0.1, which re-directs all of the browser’s traffic to this proxy, making a copy of the messages and sending them to the attacker.

From all of the above, it can be concluded that there is no single strategy that covers all the different dangers threatening e-banking platforms. On the contrary, focusing on a multi-layer protection approach is the best alternative for massive authentication processes of applications that are highly exposed on the Internet, including a mix of different factors that allow:

- Shielding the authentication cycle from malicious processes that can affect the end user’s station;
- Providing user-to-site authentication strategies which allow the end user to verify that the connection is indeed established with the correct site;
- Implementing authentication factors that eliminate user decisions from the authentication equation;
- Implementing authentication factors based on knowledge (what the bank knows about the end user);
- Implementing authentication factors based on something that the user has (OTP, USB device, etc.);
- Offering complementary protection for the end user’s station;
- Communicating the occurrence of potential transaction frauds to the end user.

To summarize, it is important to define an authentication strategy which grows on the foundation of a platform that can add multiple security factors and/or methods for the authentication of applications exposed on the Internet.

The different products that make up the protection strategy involve a focus on multi-level protection, as described below.

Easy Solutions’ Total Fraud Protection (ETFP) combines different technologies that allow it to stop a fraud attack during any phase.

(Diagram: Easy Solutions Total Fraud Protection across the phases of a fraud attack: Attack Planning (Computer Exploit, Root List), Attack Setup & Launch (Attack Mass Mailers), Credential Collection, Cashing; countermeasures shown: Detect Monitoring Service, Shutdown Services, Risk Based Authentication.)

3. DetectID

DetectID is the only authentication platform that combines the potentiality of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware.

The following graph shows how DetectID keeps a registry of the processes running on the end device while an online banking session is taking place.

DetectID allows taking the user out of the authentication equation by means of its powerful device authentication engine, which, through the use of hardware, allows truly authenticating a device.

DetectID implements the user-to-site authentication concept by means of IdentiSite®, which allows each user to define a secret image with the bank to identify when he/she is truly connected with the entity.

DetectID also includes a proprietary implementation of OTP (One Time Password) that allows out-of-band authentication schemes via email or mobile phone. Integration with leading technologies of the physical OTP industry, such as Vasco and RSA, is also possible.

The following graph compares the different factors and authentication methods with the security they offer and the resistance to the different threats that affect e-banking platforms, as shown in this study.

Factors vs. Protection

Factor                                  TCO (1 cheapest ... 5 most expensive)   Total Security (1 least secure ... 5 most secure)
Passwords                               1                                       1
One Time Passwords (OTPs)               5                                       3
Coordination Cards                      2                                       2
Device Authentication                   2                                       4
Image Authentication                    1                                       1
Challenge Questions                     1                                       1
USB Tokens                              3                                       3
Digital Certificates                    4                                       3
Authentication + Malware Detection      4                                       5
DetectID Authentication Framework       3                                       5

The graph also rates each factor against the following criteria: Offers Strong Authentication; Resists Man-in-the-Middle Attacks; Resists Man-in-the-Browser Attacks; Is easy to manage; Is easy to implement; Resists Social Engineering Attacks; Implements User-to-Site Authentication; Offers Multi-Layer Protection.

4. ABOUT EASY SOLUTIONS

Easy Solutions is simplifying the way businesses deal with and effectively deploy security for online transactions. We provide solutions for identifying and preventing online transaction fraud while helping institutions comply with existing US domestic and international two-factor authentication requirements. Using our advanced transaction fraud prevention solutions, we help protect online businesses and enterprise applications from phishing attacks, online credential theft and Internet fraud threats.

Our software solutions are simple to manage and easy to deploy. Our patent-pending technologies provide identification of devices with unprecedented accuracy while protecting users by monitoring transaction behavior for activity associated with fraud.

By simplifying online transaction security, Easy Solutions provides consumers, online merchants and financial institutions the ability to focus on their business instead of worrying about the safety of their transactions.

Online security experts with years of extensive knowledge and experience in protecting enterprises from traditional security threats, online fraud and Internet phishing attacks developed Easy Solutions’ intellectual property and technologies.

Working closely with the leading security companies and leading financial enterprises with large online customer communities, Easy Solutions continuously collects and understands the latest methods used by online criminals.

This knowledge is combined with our patent-pending behavioral monitoring that protects users on a per-transaction basis. The transaction monitoring is backed up with continuous identification of attributes collected from end-user devices to create a unique device fingerprint that enables forensic identification. These capabilities are delivered in a simple, effective software package, providing our customers the ability to protect sensitive customer transactions and data while complying with business regulatory requirements.

One of the most important aspects of our solution is that no change in behavior is required on behalf of the users, and the implementation is easy for both the business and its customers. Easy Solutions is the only security vendor focused exclusively on fraud prevention, providing anti-phishing services and research, multifactor authentication and anomaly transaction detection.

The capacity to react to new threats in the antifraud protection field is based on our proprietary technology and on the methodology to face each threat in an integral way, implemented through Easy Solutions’ Total Fraud Protection Strategy.

Copyright ©2009, Easy Solutions, Inc. All rights reserved worldwide. Easy Solutions, the Easy Solutions logo, DetectID, DetectTA, Detect Professional Service and Detect Monitoring Service are trademarks of Easy Solutions, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

Headquarters:

1401 Sawgrass Corporate Parkway, Sunrise, FL 33323 - Phone: +1-866-524-4782

Latin America: 

Calle 93A No. 14 – 17 Of. 506 Bogota, Colombia - Phone: +57 1- 2362455.

www.easysol.net