E-banking security
Iman Rahmanian, Noore Touba University, Iran
Advisor: Dr Sekhavati
Dec 2010

eBanking Security – Quo Vadis?
- Is eBanking still safe?
- What are the security trends in eBanking?
- What can we learn from eBanking trends for other online applications?

Agenda
- eBanking Attacks
- Security Measures
- Secure Communication
- Implementations
- Outlook / Thesis

eBanking Attacks
Target of Attacks
- Phishing Attacks
- Trojan Attacks
- Pharming
- DNS Spoofing
- Network Interception
- Web Application Attacks
- Attacking Server

Client Attacks
Most promising attack on the client: Phishing

Simple Trojans
- Steal username, password and one-time password
- Steal session information and URL and send them to the attacker
- Attacker imports the information into his browser to access the same account

Generic Trojans
- Can attack any eBanking (and any web application)
- New configuration is downloaded continuously

Infection of client with user interaction
- Email with link to malicious web site
- Links in social networks
- Integrated in popular software (downloads)
- File transfer via instant messaging/VoIP/file sharing
- CD-ROM/USB stick

Infection of client without user interaction
- Malicious web sites (drive-by)
- Infection of trusted, popular web sites (IFRAME …)
- Misusing software update functionality (like Bundestrojaner)
- Attacks on vulnerable, exposed computers (network/wireless)

Note: About 1% of Google search query results point to a web site that can lead to a drive-by attack.

Generic Trojans
Features of Generic Trojans
- Hide from security tools (anti-virus/personal firewall)
- Inject code in running processes / drivers / operating system
- Capture/Redirect/Send data
- Download new configuration / functionality
- Remote control of the browser instance

Generic Trojans (cont.)
Features useful for eBanking attacks
- Send web pages of unknown eBanking to attacker
- Download new patterns of eBanking transaction forms
- Modify transaction in the background (on the fly)
- Collect financial information

Generic Trojans (cont.)
Tips and Tricks
- Every Trojan binary is unique (packed differently)
  - Not detectable by anti-virus patterns
- Trojan code is injected into other files or other processes
  - Personal firewall cannot block the communication
- Installs in the kernel
  - Full privileges on the system
- Invisible Bot Networks

Traded Goods
Source: Symantec Internet Security Threat Report, July-December 2007
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf

Security Measures
Security Measures
- Attack Detection
- Second Channel / Secured Channel
- Secure Client

Attack Detection
- Detect session hijacking attacks
  - Monitor and compare request parameters
  - Identify SSL session and IP address changes
- Transaction verification / user profiling
  - Statistics about normal user behaviour
  - Compare transaction with normal user behaviour
  - Whitelist target accounts
  - Limits on transaction amount
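The session-binding and transaction-verification checks listed above, as an added Python example that is not code from the original slides; the log format, account names, limits and the sample log lines are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class UserProfile:
    """What the bank knows about one customer's normal behaviour (constructed values)."""
    whitelist: Set[str]      # target accounts the user registered out of band
    hard_limit: float        # absolute per-transaction limit agreed with the user
    typical_max: float       # largest amount seen in the user's own history (statistics)


class SessionMonitor:
    """Bind each application session to the TLS session id and client IP seen at login.
    A later request on the same session from a different TLS session or IP is a
    possible session hijack (a stolen cookie replayed from another machine)."""

    def __init__(self) -> None:
        self.bound: Dict[str, Tuple[str, str]] = {}

    def check(self, sid: str, tls: str, ip: str) -> List[str]:
        if sid not in self.bound:
            self.bound[sid] = (tls, ip)      # first request: record the binding
            return []
        alerts: List[str] = []
        tls0, ip0 = self.bound[sid]
        if tls != tls0:
            alerts.append(f"session {sid}: TLS session changed {tls0}->{tls}")
        if ip != ip0:
            # Weaker signal on its own: mobile users and NAT pools change IPs legitimately.
            alerts.append(f"session {sid}: client IP changed {ip0}->{ip}")
        return alerts


def check_transaction(profile: UserProfile, target: str, amount: float) -> List[str]:
    """Transaction verification: whitelist, hard limit, then comparison with user history."""
    alerts: List[str] = []
    if target not in profile.whitelist:
        alerts.append(f"target {target} not on whitelist")
    if amount > profile.hard_limit:
        alerts.append(f"amount {amount:.2f} exceeds limit {profile.hard_limit:.2f}")
    elif amount > profile.typical_max:
        alerts.append(f"amount {amount:.2f} unusual for this user (max seen {profile.typical_max:.2f})")
    return alerts


def parse(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' access-log line (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


# Constructed sample log: a login, a normal request, then a transfer that arrives on the
# same session from a different TLS session and IP, then a large transfer to an unknown account.
SAMPLE_LOG = [
    "sid=s1 tls=t1 ip=203.0.113.10 path=/login",
    "sid=s1 tls=t1 ip=203.0.113.10 path=/balance",
    "sid=s1 tls=t9 ip=198.51.100.7 path=/transfer target=ACCT-001 amount=120.00",
    "sid=s1 tls=t1 ip=203.0.113.10 path=/transfer target=ACCT-002 amount=9500.00",
]

ALICE = UserProfile(whitelist={"ACCT-001"}, hard_limit=5000.0, typical_max=800.0)


def run(lines: List[str], profile: UserProfile) -> List[str]:
    """Run both detectors over the log and return every alert in order."""
    monitor = SessionMonitor()
    alerts: List[str] = []
    for line in lines:
        f = parse(line)
        alerts += monitor.check(f["sid"], f["tls"], f["ip"])
        if f["path"] == "/transfer":
            alerts += check_transaction(profile, f["target"], float(f["amount"]))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, ALICE):
        print("ALERT", alert)
```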
Security Measures (cont.)
Second Channel
- Send verification using another channel
  - Another application on the client computer
  - Another medium like mobile phones (SMS)
Secured Channel
- Enter data on an external device
  - External device cannot be controlled by a Trojan
  - External device contains a secret key

Security Measures (cont.)
Secure Platform
- A computer that is only used for eBanking
  - Bootable CD-ROM, bootable USB stick
  - Virtual machine
  - eBanking laptop
Secure Environment
- Start an application (e.g. a browser) that protects itself from Trojans
  - Stripped-down browser
  - Proprietary application (fat client)
- Verify the environment before login is possible

Security Trends
Current client security approaches:
A) Secured Application/Virtualization
- Hardened browser on USB stick
- Application to secure the client
- Virtual operating system on the host system
- Bootable CD-ROM/USB stick
B) Transaction Signing
- Transaction details and unlock code on mobile (SMS)
- External device with SmartCard
- Read information from the screen and decrypt it on an external device

A) Secured Application/Virtualization
Solutions (some examples):
- Portable Apps, Thinstall
- CLX Stick, Kobil mIdentity
- Browser appliance (e.g. VMware, VirtualPC, etc.)

B) Transaction Signing
Devices (some examples):
- Mobile phones
- IBM ZTIC, EMV CAP, Axsionics, Tricipher

Security Trends
Secure Communication
Most Internet shopping sites use usernames and passwords to authenticate their users, so-called 'password authentication'. They are typically more concerned with the validity of the credit card than with the identity of the user. This will be our starting point.

Password authentication
In our fictitious example we have a user Alice who wishes to log in to her bank. We also have a vicious attacker Eve who is trying to steal Alice's hard-earned money. The bank is using a username and password to protect Alice's account but no encryption. This scheme is obviously vulnerable to a snooping attack, as illustrated in the figure below. One way to improve security is by employing one-time passwords.

One-time Passwords
One-time passwords (OTPs) are, like the name suggests, passwords that are used only once.
Figure: A code scratch card with OTPs

OTP implementation
The OTPs can be implemented using a hash chain.
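The hash-chain OTP scheme named above (the scratch-card model: the bank stores only the end of the chain, the user reveals the chain backwards one value at a time), as an added Python example that is not code from the original slides; SHA-256 as the hash, the chain length and the demo seed are assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

HASH = hashlib.sha256


def hash_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] for h = SHA-256."""
    chain = [seed]
    for _ in range(n):
        chain.append(HASH(chain[-1]).digest())
    return chain


class OtpCard:
    """The user's side (scratch card or token): hands out h^(n-1), h^(n-2), ..., h^1 in
    that order. The seed h^0 is never revealed."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.chain = hash_chain(seed, n)
        self.next_index = n - 1

    def next_otp(self) -> bytes:
        if self.next_index < 1:
            raise RuntimeError("card exhausted")
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


class OtpServer:
    """The bank's side: stores only the current chain anchor, never the seed. A candidate
    is valid exactly when hashing it once yields the anchor; the candidate then becomes
    the new anchor, so the same value can never be accepted twice."""

    def __init__(self, anchor: bytes, remaining: int) -> None:
        self.anchor = anchor
        self.remaining = remaining

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False
        if hmac.compare_digest(HASH(candidate).digest(), self.anchor):
            self.anchor = candidate
            self.remaining -= 1
            return True
        return False


def enroll(n: int, seed: Optional[bytes] = None) -> Tuple[OtpCard, OtpServer]:
    """Issue a card of n-1 OTPs and give the server the chain end h^n(seed)."""
    seed = seed if seed is not None else secrets.token_bytes(32)
    card = OtpCard(seed, n)
    return card, OtpServer(card.chain[n], n - 1)


def demo() -> Dict[str, bool]:
    """Walk through accept, replay, out-of-order use and exhaustion with a fixed demo seed."""
    card, server = enroll(n=4, seed=b"constructed demo seed, not a real secret")
    otp1, otp2, otp3 = card.next_otp(), card.next_otp(), card.next_otp()
    r: Dict[str, bool] = {}
    r["first_accepted"] = server.verify(otp1)
    r["replay_rejected"] = not server.verify(otp1)        # anchor moved on, h(otp1) != anchor
    r["skip_rejected"] = not server.verify(otp3)          # strict chain: h(otp3) is two steps away
    r["second_accepted"] = server.verify(otp2)
    r["third_accepted"] = server.verify(otp3)
    r["exhausted_rejected"] = not server.verify(card.chain[0])   # card used up, even the seed fails
    return r


if __name__ == "__main__":
    print(demo())
```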
SSL
SSL is an abbreviation of Secure Sockets Layer and is a protocol designed to provide security and data integrity. SSL supports a wide range of algorithms, some very strong and some weak. For example Handelsbanken, a Swedish bank, uses SHA-1 for signing and RSA for encryption.

Security Tokens
We saw how OTPs are constructed and used. We can further enhance the security with a PIN code. This two-factor authentication makes it more difficult to gain access to an account.

Security Tokens (cont.)
Figures: SSL connection setup; RSA security tokens

Implementations
Chip Authentication Program (CAP)
CAP is a relatively new protocol based on the older EMV standard. It was developed by MasterCard and is based on digitally signing transactions. CAP can operate in three modes: identify, respond and sign.

RSA SecurID
This scheme works very similarly to the identify mode of CAP. The 6- to 8-digit response of the SecurID token is computed over the PIN, the present time and a 128-bit key, which is unique to every token, using a variant of the AES algorithm.

Open Authentication (OATH)
The Open Authentication initiative is an attempt at developing an open standard for two-factor authentication which should provide means for federated authentication systems like OpenID. The core of OATH is the HOTP algorithm, which provides the OTP component.
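The HOTP algorithm (RFC 4226) that OATH builds on, with the server-side look-ahead window from section 7.2 of that RFC, as an added Python example that is not code from the original slides; the window size is an assumption and the secret is the RFC 4226 test-vector key:

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8) | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpToken:
    """The user's token: a shared secret and a counter that increments on every button press."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpValidator:
    """The bank's side: remembers the next expected counter and accepts a code only if it
    lies in a small look-ahead window. That tolerates presses the user never submitted,
    while moving the counter past the match rejects any replay of an older code."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window    # assumption: 5 is a typical small window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # resynchronise; every counter <= c is now burnt
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"   # test-vector key from RFC 4226 appendix D


def demo() -> Dict[str, bool]:
    token = HotpToken(RFC4226_SECRET)
    server = HotpValidator(RFC4226_SECRET, window=5)
    r: Dict[str, bool] = {}
    first = token.press()                              # counter 0 -> "755224"
    r["first_accepted"] = server.verify(first)
    r["replay_rejected"] = not server.verify(first)
    token.press()
    token.press()                                      # counters 1 and 2 pressed, never submitted
    r["skipped_within_window"] = server.verify(token.press())      # counter 3 resyncs the server
    r["stale_rejected"] = not server.verify(hotp(RFC4226_SECRET, 2))
    r["beyond_window_rejected"] = not server.verify(hotp(RFC4226_SECRET, 9))
    r["next_accepted"] = server.verify(token.press())  # counter 4
    return r


if __name__ == "__main__":
    print(demo())
```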

Response mode of the CAP protocol

Personal Risk Management!
How do we manage our personal financial risk?
- Only as much money as we need at home or in the wallet
- Different bank accounts for different purposes
- Limits on bank accounts or ATM cards
- Insurance for damages we cannot afford
Applied to eBanking
- Only the required amount of money accessible by eBanking
- Move savings to other accounts / banks
- Set a limit on the payment amount per month
- Insurance for eBanking losses?

We need different solutions for different clients!
Big/medium companies
- Separate computer only for eBanking and finance work
- No connections to the Internet except for eBanking
Small companies / private people
- Secure Applications/Virtualization
- Transaction Signing

Other Ideas!
Computer only for eBanking
- Cheap laptops ($100) only for eBanking
- Boot from USB stick or CD-ROM
Pool for eBanking claims
- Take the model of the credit card industry
- Cover claims with insurance

What's going on in the future
- More Trojans will be installed on client computers
- The banks will deliver secure devices / secured applications
- The criminals will focus on weaker eBankings in the beginning
- They will eventually attack the eBankings with secure devices / secure applications; especially the social engineering attacks will be improved
- Attacking other applications may become more interesting
- Like in reality: where the money is, there are the thieves.

Is eBanking still safe?
Alternatives:
- Retrieve your money at the bank and pay at the post office
- Fill out a payment order and send it to your bank by snail mail
- Send your bank a fax/letter with a payment order
eBanking is safer than old-style payment methods!
Users have to learn the threats and precautions that come with the new technology!