Managing Identity Threats

May 2010




Where are the threats?

[Diagram: Customer -> Session -> Web/App Server, with the Helpdesk as a fourth point of attack. Vulnerabilities at each point:]

Customer:
• Trojan sniffers
• Soliciting Email to enter credentials
• Fake Phishing website

Session:
• Session hijacking
• Man-in-the-Middle / Man-in-Browser attack

Web/App Server:
• Replay attack
• Offline dictionary attack
• Password sniffed in transit

Helpdesk:
• Masquerading as customer
• Masquerading as tech support
• Masquerading as organization


Threats at the Customer (1/5)
• Attack Objective:
  • Collecting the ID & password of the end-user in order to impersonate the customer
• Types of attacks:
  • Trojan Horse / Virus Keyboard sniffer
  • Soliciting Email (Pharming)
  • Fake Phishing Website



Threats at the Customer (2/5)
• Trojan Horse / Virus Keyboard sniffer
  • What happens:
    • A malicious program captures the end-user's ID & password as the user enters them and sends them to the hacker.
    • More complex sniffers may target knowledge-based authentication (KBA) to capture the question-answer pairs, or target visual-based authentication (VBA) to capture visual-pattern+password pairs.



Threats at the Customer (3/5)
• Soliciting Email (Pharming)
  • What happens:
    • The user receives an email (or message) prompting them to enter their ID & password on some hacker website in order to "win" prizes, "re-check" their account, etc.
    • The hacker website collates the captured IDs and passwords and sends them to the hacker.




Threats at the Customer (4/5)
• Fake Phishing Website
  • What happens:
    • The user is redirected to a fake website through a compromised DNS, an invalid Wireless Gateway, or a similar-looking URL (e.g. www.citi6ank.com).
    • The fake website has a similar look-and-feel to the actual website, and may fool the user into entering the ID and password.
    • The fake website collates the captured IDs and passwords and sends them to the hacker.


Threats at the Customer (5/5)
• Best Practice:
  • Use 2-factor authentication at login to render the captured ID and passwords and other KBA, VBA information useless in the hands of the hacker.

[Diagram: Customer -> Session -> Web/App Server -> DS3 Authentication Server, which delivers the OTP by SMS]

Customer vulnerabilities:
• Trojan sniffers
• Soliciting Email to enter credentials
• Fake Phishing website

Best Practice:
• Strong 2-factor authentication using tokens or SMS OTP
Threats in the Session (1/7)
• Attack Objective:
  • To fool the application server into believing that the incoming connection is a previously validated session
• Types of attacks:
  • Session Hijacking
  • Man-in-the-Middle / Man-in-Browser attacks




Threats in the Session (2/7)
• Session Hijacking
  • What happens:
    • Users unknowingly rely on a malicious or compromised gateway to access the application.
    • After the user has logged in, the malicious gateway may transfer the authenticated session to the hacker's browser.




Threats in the Session (3/7)
• Man-in-the-Middle / Man-in-Browser attack
  • What happens:
    • The user's web session is directed via a malicious reverse proxy which masquerades as the application server in real-time, while connecting to the actual server to maintain a valid SSL user session.
    • The proxy re-enacts the exact sequence of inputs from the user to the application, and renders the same output back to the user.
    • Such an attack can render 2-factor authentication (using OTP tokens) useless.
    • To attack applications using PKI tokens, the malicious reverse proxy is run within the end-user's PC to gain similar access to the PKI token. This attack is also known as a Man-in-Browser attack.



Threats in the Session (4/7)
• Man-in-the-Middle / Man-in-Browser attack
  • The Man-in-the-middle is able to defeat 2-factor authentication, and potentially compromise the transaction:

[Diagram: message flow Alice <-> MITM <-> Application Server]
  Alice -> MITM:  User: Alice, Pwd: XXX      MITM -> Server:  User: Alice, Pwd: XXX
  MITM -> Alice:  What's your OTP?           Server -> MITM:  What's your OTP?
  Alice -> MITM:  OTP is 123456              MITM -> Server:  OTP is 123456
  MITM -> Alice:  Welcome                    Server -> MITM:  Welcome Alice
  Alice -> MITM:  Pay $X to Mr ABC           MITM -> Server:  Pay $X to Mr XYZ
  MITM -> Alice:  OK for $X to Mr ABC        Server -> MITM:  OK for $X to Mr XYZ

  • The Man-in-Browser attack can be carried out similarly to attack PKI tokens.

Threats in the Session (5/7)
• Best Practice:
  • In session-based attacks, the hacker may have already bypassed the authentication process.
  • It is therefore important to implement proper security to ensure the integrity of the transaction as well.
  • There are 3 areas where security technologies can be applied:
    • Protecting the session
    • Re-validating the transaction through Out-of-band authentication
    • Requiring the user to provide an OTP authorization code for non-repudiation




Threats in the Session (6/7)
• Best Practice:
  • Protecting the session
    • Mastercard SecureChannel using smart card reader
    • The IBM ZTIC is a USB-attached device that can verify the integrity of the SSL web session on behalf of the end-user.

[Diagram: Alice's browser reaches the server through the ZTIC; the MITM answers "Hello" / "Please login", but its SSL certificate is flagged as invalid by the ZTIC]


Threats in the Session (7/7)
• Best Practice:
  • Protecting the transaction
    • Use Out-of-band authentication to verify the transaction, and use an OTP authorization code for non-repudiation.

[Diagram: Alice <-> MITM <-> Application Server, with the DS3 Authentication Server sending an SMS to Alice]
  Alice sees:   Welcome Alice / Pay $X to Mr ABC
  Server sees:  Welcome Alice / Pay $X to Mr XYZ (rewritten by the MITM)
  SMS to Alice: "Please Confirm Transaction ID:9999 to Pay $X to Mr XYZ   Auth Code: 123456"
  The transaction is sent to the user in an SMS via the OOB channel, and the modification is detected by the user.
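The following Go program is an added illustration of the two session-protection points on slides 11 and 14; it is not part of the deck and not DS3's product code. It shows a counter-based login OTP that is accepted only once (a sniffed OTP cannot be replayed later, while a MITM relaying it in real time is still the first presenter, which is the slide 11 problem), and a transaction authorization code computed as an HMAC over the transaction details, so the code the authentication server issues for the MITM-altered "Pay $X to Mr XYZ" only verifies for exactly that transaction, and the SMS lets the user spot the change before typing it back. The key, the HMAC-SHA256 six-digit construction, the field layout and all function names are the example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction holds the fields the user must approve. The user's copy and the
// server's copy differ when a MITM rewrites the request in flight.
type Transaction struct {
	ID     string // e.g. "9999"
	Amount string // e.g. "$X"
	Payee  string // e.g. "Mr ABC"
}

// canonical is the exact byte string the auth code is computed over; a change
// to any approved field changes the code.
func (t Transaction) canonical() string {
	return t.ID + "|" + t.Amount + "|" + t.Payee
}

// truncate applies RFC 4226 dynamic truncation to an HMAC output and returns a
// six-digit, zero-padded decimal code.
func truncate(mac []byte) string {
	offset := int(mac[len(mac)-1] & 0x0f)
	code := binary.BigEndian.Uint32(mac[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// LoginOTP is a counter-based login OTP (the HOTP construction over HMAC-SHA256).
// It proves possession of the token key and nothing about what the session
// will do afterwards, which is why a real-time MITM can simply relay it.
func LoginOTP(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write(msg[:])
	return truncate(m.Sum(nil))
}

// VerifyLoginOTP accepts a login OTP once: it searches a small look-ahead window
// past the last used counter and advances the counter on success, so a sniffed
// OTP cannot be replayed later. A relaying MITM is still the first presenter.
func VerifyLoginOTP(key []byte, otp string, lastUsed *uint64, window uint64) bool {
	for c := *lastUsed + 1; c <= *lastUsed+window; c++ {
		if hmac.Equal([]byte(otp), []byte(LoginOTP(key, c))) {
			*lastUsed = c
			return true
		}
	}
	return false
}

// TxAuthCode binds a code to the transaction details, so a code issued for
// "Pay $X to Mr XYZ" does not verify for "Pay $X to Mr ABC".
func TxAuthCode(key []byte, tx Transaction) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(tx.canonical()))
	return truncate(m.Sum(nil))
}

// SMSText is the out-of-band message: the transaction as the server received
// it, plus the code bound to exactly those details.
func SMSText(received Transaction, code string) string {
	return fmt.Sprintf("Please Confirm Transaction ID:%s Pay %s to %s Auth Code: %s",
		received.ID, received.Amount, received.Payee, code)
}

// UserConfirms models the user reading the SMS: the code is typed back only if
// the details in the SMS match what the user actually asked for.
func UserConfirms(intended, received Transaction, code string) (string, bool) {
	if intended != received {
		return "", false // modification detected by the user
	}
	return code, true
}

// VerifyTxCode is the server-side check of the typed-back code against the
// transaction the server is about to execute.
func VerifyTxCode(key []byte, pending Transaction, typed string) bool {
	return hmac.Equal([]byte(typed), []byte(TxAuthCode(key, pending)))
}

func main() {
	key := []byte("constructed demo key; per user in practice")
	intended := Transaction{ID: "9999", Amount: "$X", Payee: "Mr ABC"}
	received := Transaction{ID: "9999", Amount: "$X", Payee: "Mr XYZ"} // rewritten by the MITM

	var last uint64
	otp := LoginOTP(key, 1)
	fmt.Println("login OTP first use:", VerifyLoginOTP(key, otp, &last, 5),
		"replay:", VerifyLoginOTP(key, otp, &last, 5))

	code := TxAuthCode(key, received)
	fmt.Println("SMS:", SMSText(received, code))
	_, ok := UserConfirms(intended, received, code)
	fmt.Println("user types the code back:", ok)
	fmt.Println("code for Mr XYZ accepted for Mr ABC:", VerifyTxCode(key, intended, code))
}
```

The design point is that the login OTP and the transaction code answer different questions: the first only says "the token holder is here now", which a relay satisfies; the second says "the token holder approved these exact details", which the MITM cannot satisfy for the altered payee without the user reading the SMS and cooperating.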
Threats at the Server (1/6)
• Attack Objective:
  • A rogue administrator has elevated rights to the system, and will abuse those rights to get the end-user credentials
• Types of attacks:
  • Replay attacks
  • Offline dictionary attacks
  • Password sniffed in transit


Threats at the Server (2/6)
• Replay Attack
  • What happens:
    • The rogue administrator turns on verbose logs in the web server. All users' login credentials are captured in the web server logs.
    • The administrator copies the login credentials from the logs (even if they were already hashed at the browser) and replays the web session to gain access as the user.



Threats at the Server (3/6)
• Offline Dictionary Attack
  • What happens:
    • The rogue administrator gains access to the password database in the system.
    • The administrator copies the database to an external machine, and runs a brute-force attempt against the password records to find the users' passwords.




Threats at the Server (4/6)
• Password sniffed in transit
  • What happens:
    • Similar to the replay attack, but carried out by the network administrator.
    • The rogue network administrator turns on sniffing in the intranet. All users' login credentials being transferred from the web server to the application server are captured in the sniffer logs.
    • The administrator copies the login credentials from the logs (even if they were already hashed at the browser) and replays the web session to gain access as the user.

Threats at the Server (5/6)
• Best Practice:
  • The security risk posed by a rogue administrator is even higher than that of any phishing website.
  • It is important that administrators be prevented from even gaining access to the users' ID and password login credentials.
  • There are 3 areas where security technologies can be applied:
    • Use end-to-end encryption of passwords from the browser to the authentication server
    • Store passwords in a hash+encrypted manner
    • Implement 2-factor authentication for end-user logins




Threats at the Server (6/6)
• Best Practice:

[Diagram: Customer login form (UserID: abc / Pwd: ****** / Login) -> Session -> Web/App Server -> DS3 Authentication Server]

Web/App Server vulnerabilities:
• Replay attack
• Offline dictionary attack
• Password sniffed in transit

Best Practice:
• End-to-end encryption of passwords
• Password storage in hash-encrypted mode
• 2-factor authentication at login

1. In addition to SSL session encryption, the password is RSA encrypted together with a session nonce, using JavaScript or a Java Applet, for end-to-end encryption.
2. Encrypting the password with the session nonce protects against replay attacks.
3. Passwords remain RSA encrypted in the web-server logs.
4. Passwords are stored hash+encrypted in the DS3 Authentication Server. The DS3 Server RSA decrypts the password and checks the session nonce before verifying the password.



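The login flow from slides 19 and 20, written out as a runnable Go program. This is an added example, not DS3's implementation: RSA-OAEP from Go's standard library stands in for the JavaScript/applet RSA step, a salted SHA-256 followed by an HMAC under a server-held key stands in for the slide's "hash+encrypted" storage (a deployment would use a slow KDF such as PBKDF2, bcrypt or Argon2 for the hash step), and names such as AuthServer, ClientSeal, the fixed 32-hex-character nonce and the OAEP label "login" are the example's own. The web/app server in between is not modelled because it only forwards the opaque envelope, which is the point: its logs and the intranet hop carry nothing a rogue administrator can reuse, and a copied envelope fails the nonce check.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const nonceLen = 32 // hex characters; a fixed length lets the server split nonce from password

type userRecord struct {
	salt     []byte
	verifier []byte
}

// AuthServer plays the DS3 Authentication Server role on the slide. Everything
// between the browser and this server only ever sees the RSA envelope.
type AuthServer struct {
	key    *rsa.PrivateKey
	pepper []byte          // server-held key for the keyed-hash step (stand-in for "hash+encrypted" storage)
	nonces map[string]bool // issued session nonces not yet consumed
	users  map[string]userRecord
}

func NewAuthServer() (*AuthServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AuthServer{key: key, pepper: randomBytes(32), nonces: map[string]bool{}, users: map[string]userRecord{}}, nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func (s *AuthServer) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// verifier derives the stored password record: a salted hash, then an HMAC under
// the server-held pepper. Without the pepper, an offline dictionary attack on a
// copied database has nothing to test candidate passwords against.
func (s *AuthServer) verifier(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	m := hmac.New(sha256.New, s.pepper)
	m.Write(h[:])
	return m.Sum(nil)
}

func (s *AuthServer) Enroll(user, password string) {
	salt := randomBytes(16)
	s.users[user] = userRecord{salt: salt, verifier: s.verifier(salt, password)}
}

// IssueNonce is the session nonce of step 1: the login page embeds it and the
// browser encrypts it together with the password.
func (s *AuthServer) IssueNonce() string {
	n := hex.EncodeToString(randomBytes(nonceLen / 2))
	s.nonces[n] = true
	return n
}

// ClientSeal is the browser side (JavaScript or applet on the slide): RSA-OAEP of
// nonce||password under the authentication server's public key.
func ClientSeal(pub *rsa.PublicKey, nonce, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(nonce+password), []byte("login"))
}

// Login is step 4: decrypt, check and consume the nonce, then verify the password.
// An envelope copied from web-server logs or a sniffer fails at the nonce check.
func (s *AuthServer) Login(user string, envelope []byte) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, envelope, []byte("login"))
	if err != nil {
		return errors.New("envelope does not decrypt")
	}
	if len(pt) < nonceLen {
		return errors.New("malformed envelope")
	}
	nonce, password := string(pt[:nonceLen]), string(pt[nonceLen:])
	if !s.nonces[nonce] {
		return errors.New("unknown or already used session nonce (replay?)")
	}
	delete(s.nonces, nonce) // single use, consumed even if the password turns out to be wrong
	rec, ok := s.users[user]
	if !ok || !hmac.Equal(rec.verifier, s.verifier(rec.salt, password)) {
		return errors.New("bad user or password")
	}
	return nil
}

func main() {
	s, err := NewAuthServer()
	if err != nil {
		panic(err)
	}
	s.Enroll("abc", "correct horse battery staple") // constructed demo credential
	nonce := s.IssueNonce()
	env, _ := ClientSeal(s.PublicKey(), nonce, "correct horse battery staple")
	fmt.Printf("web-server log would contain only: %x...\n", env[:8])
	fmt.Println("first login:", s.Login("abc", env))
	fmt.Println("replayed envelope:", s.Login("abc", env))
}
```

Consuming the nonce before the password comparison is deliberate: a replayed envelope is rejected whether or not the password inside it is correct, and the client must fetch a fresh nonce for every attempt.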
Social Engineering Threats (1/5)
• Attack Objective:
  • To fool the victim into carrying out certain functions or revealing certain information
• Types of attacks:
  • Masquerading as customer
  • Masquerading as technical support
  • Masquerading as organization



Social Engineering Threats (2/5)
• Masquerading as customer
  • What happens:
    • The hacker has been running a brute-force attack on a customer account and has locked the account. The hacker then tries to convince the Helpdesk to unlock the account.




Social Engineering Threats (3/5)
• Masquerading as technical support
  • What happens:
    • The hacker pretends to be returning a call from the tech support company in order to convince an administrator to reveal information about the system, and even the administrator password.




Social Engineering Threats (4/5)
• Masquerading as organization
  • What happens:
    • The hacker may pose as the organization to convince the user to reveal the password; or
    • The hacker may pose as the organization to obtain answers from the user to personal questions, in order to gain access to the password reset function.




Social Engineering Threats (5/5)
• Best Practice:
  • Besides enforcing strong authentication for end-user logins, administrative or privileged accounts for internal systems should also be protected with 2-factor authentication.
  • Change or reset password self-service screens should require the 2nd-factor credential as part of the change/reset password process.

[Diagram: the Administrator logs in with UserID, Password + OTP to UNIX (via PAM_RADIUS), Windows (via GINA) or the VPN; each forwards a RADIUS Authentication request to the DS3 Authentication Server, which verifies the credentials and returns OK]
Addressing the threats

[Diagram: the same four points of attack as on the "Where are the threats?" slide, each with its vulnerabilities and the matching best practice]

Customer
  Vulnerabilities:
  • Trojan sniffers
  • Soliciting Email to enter credentials
  • Fake Phishing website
  Best Practice:
  • Strong 2-factor authentication using tokens or SMS OTP

Session
  Vulnerabilities:
  • Session hijacking
  • Man-in-the-Middle / Man-in-Browser attack
  Best Practice:
  • Verify the session
  • Use OOB to re-validate the transaction
  • User to provide OTP auth-code for non-repudiation

Web/App Server
  Vulnerabilities:
  • Replay attack
  • Offline dictionary attack
  • Password sniffed in transit
  Best Practice:
  • End-to-end encryption of passwords
  • Password storage in hash-encrypted mode
  • 2-factor authentication at login

Helpdesk
  Vulnerabilities:
  • Masquerading as customer
  • Masquerading as tech support
  • Masquerading as organization
  Best Practice:
  • Require strong authentication for internal administrative accounts
  • Require strong authentication for change / reset password


Questions?
Thank you. For enquiries, please contact:

Data Security Systems Solutions Pte Ltd
Website: http://www.ds3global.com
info@ds3global.com





More Related Content

What's hot

CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkPaul Madsen
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5  Introduction to Mcommerce (Part 2)Std 12 Computer Chapter 5  Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)Nuzhat Memon
 
this is test for today
this is test for todaythis is test for today
this is test for todayDreamMalar
 
Sipc%20 English%202009
Sipc%20 English%202009Sipc%20 English%202009
Sipc%20 English%202009guest743684
 

What's hot (7)

CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision Framework
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5  Introduction to Mcommerce (Part 2)Std 12 Computer Chapter 5  Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
 
this is test for today
this is test for todaythis is test for today
this is test for today
 
Sipc%20 English%202009
Sipc%20 English%202009Sipc%20 English%202009
Sipc%20 English%202009
 
XSS Remediation
XSS RemediationXSS Remediation
XSS Remediation
 

Similar to Managing identity frauds

Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Common Cyberthreats and How to Prevent Them (2019)
Common Cyberthreats and How to Prevent Them (2019)Common Cyberthreats and How to Prevent Them (2019)
Common Cyberthreats and How to Prevent Them (2019)Evan Clark
 
Cyber crime and cyber security
Cyber crime and cyber  securityCyber crime and cyber  security
Cyber crime and cyber securityKeshab Nath
 
What is-flame-miniflame
What is-flame-miniflameWhat is-flame-miniflame
What is-flame-miniflameVenafi
 
Phishing Attacks: A Challenge Ahead
Phishing Attacks: A Challenge AheadPhishing Attacks: A Challenge Ahead
Phishing Attacks: A Challenge AheadeLearning Papers
 
Sec Tor Towards A More Secure Online Banking
Sec Tor Towards A More Secure Online BankingSec Tor Towards A More Secure Online Banking
Sec Tor Towards A More Secure Online BankingNick Owen
 
Cyber Security By Preetish Panda
Cyber Security By Preetish PandaCyber Security By Preetish Panda
Cyber Security By Preetish PandaPreetish Panda
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security for e commerce
Security for e commerceSecurity for e commerce
Security for e commerceMohsin Ahmad
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)Shivam Sahu
 
Alert logic anatomy owasp infographic
Alert logic anatomy owasp infographicAlert logic anatomy owasp infographic
Alert logic anatomy owasp infographicCMR WORLD TECH
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
Common Security Issues on the Internet
Common Security Issues on the InternetCommon Security Issues on the Internet
Common Security Issues on the InternetBretz Harllynne Moltio
 
Ezmcom: Middle East Retail Banking Expo 2016
Ezmcom: Middle East Retail Banking Expo 2016Ezmcom: Middle East Retail Banking Expo 2016
Ezmcom: Middle East Retail Banking Expo 2016Deepak (Deeps) Panigrahy
 

Similar to Managing identity frauds (20)

Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Common Cyberthreats and How to Prevent Them (2019)
Common Cyberthreats and How to Prevent Them (2019)Common Cyberthreats and How to Prevent Them (2019)
Common Cyberthreats and How to Prevent Them (2019)
 
Cyber crime and cyber security
Cyber crime and cyber  securityCyber crime and cyber  security
Cyber crime and cyber security
 
Novinky F5
Novinky F5Novinky F5
Novinky F5
 
What is-flame-miniflame
What is-flame-miniflameWhat is-flame-miniflame
What is-flame-miniflame
 
Phishing Attacks: A Challenge Ahead
Phishing Attacks: A Challenge AheadPhishing Attacks: A Challenge Ahead
Phishing Attacks: A Challenge Ahead
 
Sec Tor Towards A More Secure Online Banking
Sec Tor Towards A More Secure Online BankingSec Tor Towards A More Secure Online Banking
Sec Tor Towards A More Secure Online Banking
 
Cyber Security By Preetish Panda
Cyber Security By Preetish PandaCyber Security By Preetish Panda
Cyber Security By Preetish Panda
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security for e commerce
Security for e commerceSecurity for e commerce
Security for e commerce
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Security Primer
Security PrimerSecurity Primer
Security Primer
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
 
Phishing
PhishingPhishing
Phishing
 
Alert logic anatomy owasp infographic
Alert logic anatomy owasp infographicAlert logic anatomy owasp infographic
Alert logic anatomy owasp infographic
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
Common Security Issues on the Internet
Common Security Issues on the InternetCommon Security Issues on the Internet
Common Security Issues on the Internet
 
Ezmcom: Middle East Retail Banking Expo 2016
Ezmcom: Middle East Retail Banking Expo 2016Ezmcom: Middle East Retail Banking Expo 2016
Ezmcom: Middle East Retail Banking Expo 2016
 

Managing identity frauds

  • 2. Where are the threats ? Web/App Server Session Vulnerabilities: Customer •Replay attack •Offline dictionary attack Vulnerabilities: •Password sniffed in transit •Session hijacking •Man-in-the-Middle / Man-in-Browser attack Vulnerabilities: •Trojan sniffers •Soliciting Email to enter credentials Vulnerabilities: •Fake Phishing website •Masquerading as customer •Masquerading as tech support •Masquerading as organization Helpdesk 2
  • 3. Threats at the Customer (1/5)  Attack Objective:  Collecting ID & Password of end-user to impersonate as customer  Types of attacks  Trojan Horse / Virus Keyboard sniffer  Soliciting Email (Pharming)  Fake Phishing Website 3
  • 4. Threats at the Customer (2/5)  Trojan Horse / Virus Keyboard sniffer  What happens:  Malicious program that capture the end-user’s ID & password while it is entered by the user and send it to the hacker.  More complex sniffers may target knowledge-based authentication (KBA) to capture the questions-answer pairs or target visual-based authentication (VBA) to capture visual-pattern+password pairs. 4
  • 5. Threats at the Customer (3/5)  Soliciting Email (Pharming)  What happens:  User receives an email (or message) prompting them to enter their ID & password in some hacker website in order to “win” some prizes, “re-check” their account, etc.  Hacker website will collate captured IDs and Passwords and send it to hacker 5
  • 6. Threats at the Customer (4/5)  Fake Phishing Website  What happens:  User is redirected to a fake website through a compromised DNS, or invalid Wireless Gateway, or similar-looking URL (e.g. www.citi6ank.com)  Fake website will have a similar look-and-feel to the actual website, and may fool user to entering the ID and password  Fake website will collate captured IDs and Passwords and send it to hacker 6
  • 7. Threats at the Customer (5/5)  Best Practice:  Use 2-factor authentication at login to render the captured ID and passwords and other KBA, VBA information useless in the hands of the hacker. Web/App Server Session Customer DS3 Authentication Server Vulnerabilities: Best Practice: SMS •Trojan sniffers •Strong 2-factor •Soliciting Emailusing authentication to enter credentials SMS OTP tokens or •Fake Phishing website 7
  • 8. Threats in the Session (1/7)  Attack Objective:  To fool the application server to believe that the incoming connection is a previously validated session  Types of attacks  Session Hijacking  Man-in-the-Middle / Man-in-Browser attacks 8
  • 9. Threats in the Session (2/7)  Session Hijacking  What happens:  Users unknowingly rely on a malicious or compromised gateway to access the application.  After the user has logged in, the malicious gateway may transfer the authenticated session to the hacker’s browser 9
  • 10. Threats in the Session (3/7)  Man-in-the-Middle / Man-in-Browser attack  What happens:  The user’s web session is directed via a malicious reverse proxy which masquerades as the application server in real-time, while connecting to the actual server to maintain a valid SSL user session.  The proxy will re-enact the exact sequence of inputs from the user to the application, and render the same output back to the user.  Such an attack can render 2-factor authentication (using OTP tokens) useless  To attack applications using PKI tokens, the malicious reverse proxy is run within the end-user’s PC to gain similar access to the PKI token. This attack is also known as Man-in-Browser attack. 10
  • 11. Threats in the Session (4/7)  Man-in-the-Middle / Man-in-Browser attack  The Man-in-the-middle is able to defeat 2-factor authentication User: Alice, Pwd: XXX User: Alice, Pwd: XXX What’s your OTP ? What’s your OTP ? OTP is 123456 OTP is 123456 Alice Welcome Welcome Alice Application Pay $X to Mr ABC MITM Pay $X to Mr XYZ Server OK for $X to Mr ABC OK for $X to Mr XYZ And potentially compromise the transaction  The Man-in-Browser can be carried out similarly to attack PKI tokens 11
  • 12. Threats in the Session (5/7)  Best Practice:  In session-based attacks, the hacker may have already bypassed the authentication process.  It is therefore important to implement proper security to ensure the integrity of the transaction as well  There are 3 areas where security technologies can be applied:  Protecting the session  Re-validating the transaction through Out-of-band authentication  Requiring the user to provide OTP authorization code for non- repudiation 12
  • 13. Threats in the Session (6/7)  Best Practice:  Protecting the session  Mastercard SecureChannel using smart card reader  The IBM ZTIC is a USB-attached device that can verify the integrity of the SSL web session on behalf of the end-user. Hello ZTIC Please login Alice SSL certificate is MITM flagged as invalid by ZTIC 13
• 14. Threats in the Session (7/7)
 Best Practice: Protecting the transaction
    Use out-of-band authentication to verify the transaction, and an OTP authorization code for non-repudiation.
        Diagram: after "Welcome Alice", Alice sends "Pay $X to Mr ABC"; the MITM forwards "Pay $X to Mr XYZ" to the application server; the server replies "Please confirm Transaction ID: 9999"; the DS3 Authentication Server sends an SMS over the OOB channel reading "Pay $X to Mr XYZ, Auth Code: 123456".
    The transaction is sent to the user by SMS via the OOB channel, and the modification is detected by the user, who withholds the auth code.
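The following is an added example, not code from the DS3 slides: a bank login protected by an OTP token is attacked by the malicious reverse proxy of slides 10 and 11, first with OTP at login only and then with the out-of-band transaction confirmation of slide 14. The user table, OTP seed, payees and the list standing in for the SMS channel are constructed demo data.

```python
"""Added example (not from the DS3 slides): OTP-protected bank login attacked
by a relaying proxy, with and without out-of-band transaction confirmation.
Users, seed, payees and the 'SMS' list are constructed demo data."""
import hashlib
import hmac
import secrets

USERS = {"alice": "correct-horse"}   # constructed: user -> password
OTP_SEED = b"alice-token-seed"       # constructed: shared by Alice's token and the server


def token_otp(counter):
    """Event-based 6-digit OTP (HOTP-like, simplified truncation)."""
    mac = hmac.new(OTP_SEED, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class BankServer:
    """Application server. With oob=True a transfer executes only after the customer
    returns the auth code sent, with the transaction details, over a channel the proxy cannot touch."""

    def __init__(self, oob):
        self.oob = oob
        self.otp_counter = 0
        self.sessions = {}    # session id -> user
        self.pending = {}     # txid -> (user, payee, amount, auth code)
        self.sms_outbox = []  # messages delivered to the customer's phone
        self.executed = []    # (user, payee, amount) actually paid out

    def login(self, user, password, otp):
        if USERS.get(user) != password or not hmac.compare_digest(otp, token_otp(self.otp_counter)):
            return None
        self.otp_counter += 1
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def transfer(self, sid, payee, amount):
        user = self.sessions[sid]
        if not self.oob:  # OTP at login only: nothing binds that OTP to this transfer
            self.executed.append((user, payee, amount))
            return {"status": "OK", "payee": payee}
        txid = secrets.token_hex(2).upper()
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[txid] = (user, payee, amount, code)
        self.sms_outbox.append(f"Confirm TXN {txid}: pay {amount} to {payee}. Auth code {code}")
        return {"status": "CONFIRM", "txid": txid}

    def confirm(self, sid, txid, code):
        user, payee, amount, expected = self.pending.pop(txid)
        if self.sessions.get(sid) != user or not hmac.compare_digest(code, expected):
            return {"status": "REJECTED"}
        self.executed.append((user, payee, amount))
        return {"status": "OK", "payee": payee}


class Mitm:
    """Malicious reverse proxy: relays login and OTP unchanged, swaps the payee
    on the way to the server, and shows the customer her original payee."""

    def __init__(self, server, attacker_payee):
        self.server, self.attacker_payee = server, attacker_payee

    def login(self, user, password, otp):
        return self.server.login(user, password, otp)  # the OTP is simply relayed

    def transfer(self, sid, payee, amount):
        resp = self.server.transfer(sid, self.attacker_payee, amount)
        if "payee" in resp:
            resp["payee"] = payee  # re-render what Alice typed
        return resp

    def confirm(self, sid, txid, code):
        return self.server.confirm(sid, txid, code)


def customer_session(front, server, payee, amount):
    """Alice logs in through `front` (real server or proxy) and pays `payee`.
    Returns (status Alice sees, whether she spotted a modified transaction)."""
    otp = token_otp(server.otp_counter)  # read from her token, which is in step with the server
    sid = front.login("alice", USERS["alice"], otp)
    resp = front.transfer(sid, payee, amount)
    if resp["status"] != "CONFIRM":
        return resp["status"], False
    sms = server.sms_outbox[-1]  # arrives on her phone, not through the proxy
    if f"pay {amount} to {payee}." not in sms:
        return "ABORTED", True  # details differ: she never enters the auth code
    code = sms.rsplit("Auth code ", 1)[1]
    return front.confirm(sid, resp["txid"], code)["status"], False


def run(oob, with_mitm=True):
    """Run one session and report what the server actually executed."""
    server = BankServer(oob=oob)
    front = Mitm(server, attacker_payee="Mr XYZ") if with_mitm else server
    seen, detected = customer_session(front, server, "Mr ABC", 100)
    return {"alice_sees": seen, "detected": detected, "executed": server.executed}


if __name__ == "__main__":
    print("OTP only, MITM present  :", run(oob=False))
    print("OOB confirm, MITM present:", run(oob=True))
```

With OTP at login only, `run(oob=False)` shows Alice a successful payment to Mr ABC while the server has paid Mr XYZ; with OOB confirmation, `run(oob=True)` executes nothing because the SMS shows the payee the server really received. The protection rests on the user reading the details in the SMS before entering the code, and on the auth code being tied to one transaction ID so it cannot be re-used for another.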
• 15. Threats at the Server (1/6)
 Attack Objective:
    A rogue administrator has elevated rights to the system, and abuses those rights to obtain the end-users' credentials
 Types of attacks
    Replay attacks
    Offline dictionary attacks
    Password sniffed in transit
• 16. Threats at the Server (2/6)
 Replay Attack
    What happens:
        Rogue administrator turns on verbose logging in the web server. All users' login credentials are captured in the web server logs.
        The administrator copies the login credentials from the logs and replays the web session to gain access as the user. Hashing the password in the browser does not help: a static hash is just another reusable credential.
• 17. Threats at the Server (3/6)
 Offline Dictionary Attack
    What happens:
        Rogue administrator gains access to the password database in the system.
        The administrator copies the database to an external machine and runs a dictionary or brute-force attack against the password records to recover the users' passwords.
• 18. Threats at the Server (4/6)
 Password sniffed in transit
    What happens:
        Similar to the replay attack, but carried out by the network administrator.
        Rogue network administrator turns on sniffing in the intranet. All users' login credentials being transferred from the web server to the application server are captured in the sniffer logs.
        The administrator copies the login credentials from the logs and replays the web session to gain access as the user; as with the log-based replay, a browser-side hash is replayable in the same way.
• 19. Threats at the Server (5/6)
 Best Practice:
    The security risk posed by a rogue administrator is even higher than that of any phishing website.
    Administrators should be prevented from ever gaining access to the users' ID and password login credentials.
    There are 3 areas where security technologies can be applied:
        Use end-to-end encryption of passwords from the browser to the authentication server
        Store passwords in a hash+encrypted manner
        Implement 2-factor authentication for end-user logins
• 20. Threats at the Server (6/6)
 Best Practice (DS3 end-to-end password protection, as in the diagram):
    1. In addition to SSL session encryption, the password is RSA-encrypted together with a session nonce, using JavaScript or a Java applet in the browser, for end-to-end encryption to the DS3 Authentication Server.
    2. The encrypted password carries the session nonce, which protects against replay attacks.
    3. Passwords remain RSA-encrypted in the web-server logs.
    4. Passwords are stored hash+encrypted in the DS3 Authentication Server. The DS3 server RSA-decrypts the password and checks the session nonce before verifying the password.
 Summary: end-to-end encryption of passwords; password storage in hash-encrypted mode; 2-factor authentication at login.
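The following is an added example, not the DS3 implementation, covering slides 15 to 20: a rogue administrator lifts a credential from a verbose web-server log and replays it, and copies the password table for offline cracking; a session nonce sealed into the encrypted password and hash+encrypted storage defeat both. The slides use RSA from browser JavaScript to the authentication server; the Python standard library has no RSA, so a shared-key authenticated encryption (HMAC-SHA256 in counter mode, then an HMAC tag) stands in for it, and the browser is given the server's key where it would really hold only the public half. All keys, users and passwords are constructed.

```python
"""Added example (not the DS3 code): nonce-bound end-to-end password
encryption and hash+encrypted storage against a rogue administrator.
Shared-key authenticated encryption stands in for the slides' RSA.
All keys, users and passwords are constructed demo data."""
import hashlib
import hmac
import secrets
import time

ITER = 50_000  # PBKDF2 work factor for stored password hashes


def _stream(key, iv, n):
    """Keystream of n bytes from HMAC-SHA256(key, iv || counter) blocks."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC under separate derived keys; returns iv || ct || tag."""
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, iv, len(plaintext))))
    return iv + ct + hmac.digest(mk, iv + ct, "sha256")


def unseal(key, blob):
    """Inverse of seal(); returns None if the tag does not verify."""
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mk, iv + ct, "sha256")):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, iv, len(ct))))


class AuthServer:
    def __init__(self):
        self.transport_key = secrets.token_bytes(32)  # stands in for the server's RSA key pair
        self.storage_key = secrets.token_bytes(32)    # encrypts stored hashes; must live off the DB host
        self.nonces = {}    # issued session nonce -> expiry; removed once used
        self.records = {}   # user -> (salt, sealed PBKDF2 hash)
        self.web_log = []   # what a verbose web-server log would capture

    def enrol(self, user, password):
        salt = secrets.token_bytes(16)
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
        self.records[user] = (salt, seal(self.storage_key, h))  # hash, then encrypt

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = time.time() + 60
        return nonce

    def login(self, user, blob):
        self.web_log.append(f"POST /login user={user} pwd={blob.hex()}")  # verbose log sees only the blob
        pt = unseal(self.transport_key, blob)
        if pt is None:
            return "TAMPERED"
        nonce, _, password = pt.decode().partition(":")
        expiry = self.nonces.pop(nonce, None)  # one-time: a replay finds the nonce already consumed
        if expiry is None or expiry < time.time():
            return "REPLAY"
        if user not in self.records:
            return "BAD_PASSWORD"
        salt, sealed = self.records[user]
        stored = unseal(self.storage_key, sealed)
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
        return "OK" if hmac.compare_digest(h, stored) else "BAD_PASSWORD"


def browser_login(server, user, password):
    """Browser side: fetch a nonce, seal nonce:password (RSA to the public key in the slides' design)."""
    nonce = server.issue_nonce()
    blob = seal(server.transport_key, f"{nonce}:{password}".encode())
    return blob, server.login(user, blob)


def offline_crack(records, wordlist, storage_key=None):
    """Rogue admin with a copy of the password table tries a wordlist. Without the
    storage key the sealed hashes cannot be compared against hashed guesses."""
    found = {}
    for user, (salt, sealed) in records.items():
        target = unseal(storage_key, sealed) if storage_key else sealed
        for word in wordlist:
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITER) == target:
                found[user] = word
    return found
```

`browser_login()` succeeds once; feeding the very same blob copied out of `web_log` back into `login()` returns `REPLAY`, and a flipped byte returns `TAMPERED`. `offline_crack()` finds nothing from the copied table alone, and recovers a weak password only when the storage key is also in hand, which is the point of keeping that key on the authentication server rather than beside the database. A one-time nonce store must be shared across all authentication server instances, or a replay against a different instance would still succeed.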
• 21. Social Engineering Threats (1/5)
 Attack Objective:
    To fool the victim into carrying out certain functions or revealing certain information
 Types of attacks
    Masquerading as customer
    Masquerading as technical support
    Masquerading as organization
• 22. Social Engineering Threats (2/5)
 Masquerading as customer
    What happens:
        The hacker has been brute-forcing a customer account and has locked it. The hacker then tries to convince the Helpdesk to unlock the account.
• 23. Social Engineering Threats (3/5)
 Masquerading as technical support
    What happens:
        The hacker pretends to be returning a call from the technical support company, to convince an administrator to reveal information about the system, and even the administrator password.
• 24. Social Engineering Threats (4/5)
 Masquerading as organization
    What happens:
        The hacker may pose as the organization to convince the user to reveal the password; or
        The hacker may pose as the organization to obtain the user's answers to personal questions, in order to gain access to the password reset function.
• 25. Social Engineering Threats (5/5)
 Best Practice:
    Besides enforcing strong authentication for end-user logins, administrative or privileged accounts on internal systems should also be protected with 2-factor authentication.
    Change-password and reset-password self-service screens should require the 2nd-factor credential as part of the change/reset password process.
        Diagram: the administrator logs in with UserID, Password + OTP to UNIX (via PAM_RADIUS), Windows (via GINA) or the VPN; each forwards the credentials over RADIUS to the DS3 Authentication Server, which verifies them and returns OK.
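As an added example of the UNIX leg of the diagram (not configuration from the slides or from DS3), the PAM stack below sends the "UserID, Password + OTP" entered at an SSH login to a RADIUS server with the FreeRADIUS `pam_radius_auth` module. The server hostname and shared secret are placeholders; the RADIUS server is assumed to split the concatenated password and OTP itself.

```text
# /etc/pam.d/sshd  (added example; placeholders, not the slides' configuration)
auth     required   pam_radius_auth.so
account  required   pam_unix.so

# /etc/raddb/server  --  one line per RADIUS server: server[:port]  shared_secret  timeout(s)
radius.example.internal:1812   change-me-shared-secret   3
```

Because `auth` is `required` on the RADIUS module alone, the host becomes unreachable when the RADIUS server is down; keep a separately controlled break-glass path (console access or a second server line in `/etc/raddb/server`) and protect the shared-secret file with root-only permissions, since anyone who reads it can impersonate the host to the RADIUS server.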
• 26. Addressing the threats

    Location         Vulnerabilities                                  Best Practice
    Customer         Trojan sniffers                                  Strong 2-factor authentication using tokens or SMS OTP
                     Soliciting e-mail to enter credentials
                     Fake phishing website
    Session          Session hijacking                                Verify the session
                     Man-in-the-Middle / Man-in-Browser attack        Use OOB to re-validate the transaction
                                                                      User to provide OTP auth-code for non-repudiation
    Web/App Server   Replay attack                                    End-to-end encryption of passwords
                     Offline dictionary attack                        Password storage in hash-encrypted mode
                     Password sniffed in transit                      2-factor authentication at login
    Helpdesk         Masquerading as customer                         Require strong authentication for internal administrative accounts
                     Masquerading as tech support                     Require strong authentication for change / reset password
                     Masquerading as organization
• 27. Questions ?
 Thank you. For enquiries, please contact:
 Data Security Systems Solutions Pte Ltd
 Website: http://www.ds3global.com
 info@ds3global.com