Streamlining Python Development: A Guide to a Modern Project Setup
Online banking trojans
1. Online banking Trojans
Recent developments and countermeasures
DND, ISF, ISACA member meeting 02. May 2011
André N.Klingsheim
IT security specialist, PhD
3. The login procedures
• Online banking password
– With One Time Password (OTP) by SMS
– Or from a code card
• BankID
– BankID password
– OTP from code card
• BankID mobile
– Pin entered on mobile phone
3
5. Traditional Trojans
• Most simplistic Trojans
– Are essentially keyloggers
– Record your usernames and passwords
– Sends the data to some drop site on the Internet
– Attacker later picks up the data from drop site
– Will compromise traditional username/password
schemes (single factor authentication)
• High security sites have introduced OTPs to counter
this threat (others follow)
5
6. More recent Trojans
• Not so simplistic Trojans
– Target two-factor authentication
– Target systems employing reauthentication
• Means you need to supply new OTPs to
perform sensitive operations
– Attempt to steal OTPs
– Have functionality to show malicious webpages
to the user, to confuse the user into giving
several OTPs
– Requires user interaction 6
7. More recent Trojans II
• More advanced Trojans
– Target two-factor authentication
– Performs attack in realtime
• Overcomes short lived OTPs
• Overcomes singular OTPs
– Requires user interaction
7
8. Modern Trojan threat
• Advanced Trojans can conceal rogue payments:
– Rewrite payment registry
– Rewrite account statement
• Can make the attack undetectable for the user
– There are no visual indications that something is
wrong, i.e. the account statement looks ok
• We’ll have a look at the Zeus Trojan
– Screenshots stolen from Symantec video (9 mins
worth watching!)
– www.youtube.com/watch?v=CzdBCDPETxk 8
13. Combined PC/mobile Trojan threat
• Trojans on pc attempt to install mobile Trojan
– Ask customer to install ”App” during login
– Steal username/password on pc, OTP on mobile
• Some attacks reported in Europe
– This is an upcoming threat
• We haven’t seen any of these attacks in Norway yet
13
14. Zeus combined mobile Trojan
•www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication
14
15. Combined PC/mobile Trojan threat II
• Mobile platforms are consolidated
– iOS (iPhone), Android, Windows Mobile 7
– Makes mobile Trojans scale better
– Increases ROI for attackers, increases our risk
• Installing the mobile Trojan still requires user
participation
– User must supply phone model and maker
– User must accept installation on the phone
15
17. Our security design
• Payment authorization
– By an OTP (reauthentication)
– Or by signature, BankID/BankID
• Required for:
– Payments to new recipients
– Payments over a certain threshold
• Hampered attacks from traditional Trojans
• Balanced usability/security
17
18. The OTPs
• Generated securely
– Infeasible to guess them
• Short lived, 15 mins
• You can only have one valid OTP at any given
moment
– Requesting a new OTP invalidates the previous
– Forces real time attack
• OTP is tied to the operation you perform
– Login/payment/changing personal information etc
18
20. Recent security adjustments
• We’ve done some important security design
changes to our online bank to deal with the modern
threats
• Most noteworthy (and visible to our customers)
– Introduced contextual information with our OTPs
• The effect:
– Faced with a Trojan attack, all attempted rogue
transactions are detectable for the customer
20
23. The standard countermeasures
• These are the usual suspects
– Surveillance of Trojan activity (through partner)
– IDS/firewall/etc
– Payment monitoring
– This is not an exhaustive list
• In addition
– Tight collaboration with other Norwegian banks
– Information sharing (extremely important)
– Security collaboration, not competition
23
24. Thank you!
• You’ll find me online:
– andre.klingsheim (at) skandiabanken (dot) no
– Blog: www.dotnetnoob.com
– Twitter: @klingsen
• I don’t want to be your Facebook friend
• Note: Skandiabanken participates with two lightning
talks at the upcoming Roots conference
24