2. Where are the threats ?
[Diagram: the four points at which threats arise, with the vulnerabilities at each]
Customer
Vulnerabilities:
•Trojan sniffers
•Soliciting Email to enter credentials
•Fake Phishing website
Session
Vulnerabilities:
•Session hijacking
•Man-in-the-Middle / Man-in-Browser attack
Web/App Server
Vulnerabilities:
•Replay attack
•Offline dictionary attack
•Password sniffed in transit
Helpdesk
Vulnerabilities:
•Masquerading as customer
•Masquerading as tech support
•Masquerading as organization
3. Threats at the Customer (1/5)
Attack Objective:
Collecting the ID & Password of the end-user in order to
impersonate the customer
Types of attacks
Trojan Horse / Virus Keyboard sniffer
Soliciting Email (Pharming)
Fake Phishing Website
4. Threats at the Customer (2/5)
Trojan Horse / Virus Keyboard sniffer
What happens:
A malicious program that captures the end-user’s ID &
password as the user enters them and sends them to
the hacker.
More complex sniffers may target knowledge-based
authentication (KBA) to capture the questions-answer
pairs or target visual-based authentication (VBA) to
capture visual-pattern+password pairs.
5. Threats at the Customer (3/5)
Soliciting Email (Pharming)
What happens:
The user receives an email (or message) prompting them
to enter their ID & password on a hacker-controlled website
in order to “win” a prize, “re-check” their account,
etc.
The hacker website collates the captured IDs and
passwords and sends them to the hacker.
6. Threats at the Customer (4/5)
Fake Phishing Website
What happens:
The user is redirected to a fake website through a
compromised DNS, a rogue wireless gateway, or a
similar-looking URL (e.g. www.citi6ank.com).
The fake website has a look-and-feel similar to the
actual website, and may fool the user into entering the ID
and password.
The fake website collates the captured IDs and passwords
and sends them to the hacker.
7. Threats at the Customer (5/5)
Best Practice:
Use 2-factor authentication at login to render the captured
ID and password, and any other KBA or VBA information, useless
in the hands of the hacker.
[Diagram: Customer, Session and Web/App Server; the Web/App Server
verifies the second factor with the DS3 Authentication Server, which
delivers the OTP to the customer by SMS]
Customer
Vulnerabilities:
•Trojan sniffers
•Soliciting Email to enter credentials
•Fake Phishing website
Best Practice:
•Strong 2-factor authentication using tokens or SMS OTP
8. Threats in the Session (1/7)
Attack Objective:
To fool the application server into believing that the
incoming connection is a previously validated
session
Types of attacks
Session Hijacking
Man-in-the-Middle / Man-in-Browser attacks
9. Threats in the Session (2/7)
Session Hijacking
What happens:
Users unknowingly rely on a malicious or
compromised gateway to access the application.
After the user has logged in, the malicious gateway
may transfer the authenticated session to the hacker’s
browser.
10. Threats in the Session (3/7)
Man-in-the-Middle / Man-in-Browser attack
What happens:
The user’s web session is directed via a malicious reverse proxy
which masquerades as the application server in real time, while
connecting to the actual server to maintain a valid SSL user
session.
The proxy re-enacts the exact sequence of inputs from the user
to the application, and renders the same output back to the user.
Such an attack can render 2-factor authentication (using OTP
tokens) useless.
To attack applications using PKI tokens, the malicious reverse
proxy is run within the end-user’s PC to gain similar access to the
PKI token. This attack is also known as the Man-in-Browser attack.
11. Threats in the Session (4/7)
Man-in-the-Middle / Man-in-Browser attack
The Man-in-the-Middle is able to defeat 2-factor authentication:
[Diagram: Alice -> MITM -> Application Server; what the MITM relays in each direction]
Alice -> MITM: User: Alice, Pwd: XXX        MITM -> Server: User: Alice, Pwd: XXX
Server -> MITM: What’s your OTP ?           MITM -> Alice: What’s your OTP ?
Alice -> MITM: OTP is 123456                MITM -> Server: OTP is 123456
Server -> MITM: Welcome Alice               MITM -> Alice: Welcome Alice
Alice -> MITM: Pay $X to Mr ABC             MITM -> Server: Pay $X to Mr XYZ
Server -> MITM: OK for $X to Mr XYZ         MITM -> Alice: OK for $X to Mr ABC
And potentially compromise the transaction.
The Man-in-Browser attack can be carried out similarly to attack PKI
tokens.
12. Threats in the Session (5/7)
Best Practice:
In session-based attacks, the hacker may have already
bypassed the authentication process.
It is therefore important to implement proper security to ensure
the integrity of the transaction as well.
There are 3 areas where security technologies can be applied:
Protecting the session
Re-validating the transaction through Out-of-band authentication
Requiring the user to provide an OTP authorization code for
non-repudiation
13. Threats in the Session (6/7)
Best Practice:
Protecting the session
Mastercard SecureChannel using smart card reader
The IBM ZTIC is a USB-attached device that can verify the
integrity of the SSL web session on behalf of the end-user.
[Diagram: Alice -> ZTIC -> MITM. The ZTIC sits in the path of the SSL
session (“Hello” / “Please login” pass through it), and the SSL
certificate presented by the MITM is flagged as invalid by the ZTIC]
14. Threats in the Session (7/7)
Best Practice:
Protecting the transaction
Use Out-of-band authentication to verify the transaction and
use an OTP authorization code for non-repudiation.
[Diagram: Alice -> MITM -> Application Server, with the DS3 Authentication
Server sending an SMS directly to Alice]
Server -> Alice (via MITM): Welcome Alice
Alice -> MITM: Pay $X to Mr ABC             MITM -> Server: Pay $X to Mr XYZ
SMS from the DS3 Authentication Server to Alice (OOB channel):
Please Confirm
Transaction ID:9999
Pay $X to Mr XYZ
Auth Code: 123456
The transaction is sent to the user in an SMS via the OOB channel, and
the modification is detected by the user.
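The out-of-band check on the two preceding slides (re-validating the transaction and tying the OTP authorization code to it) can be modelled in a few dozen lines. This is an added example, not DS3's product code: the authentication server records the transaction exactly as it received it, restates that record in the SMS together with an authorization code computed as an HMAC over the record, and accepts the code only for that record and only once. The MAC key, transaction ids and amounts are constructed sample values.

```python
"""Transaction-bound out-of-band (OOB) authorization code.

Added example, not DS3's product code. The server records the transaction
as it received it, sends the user an SMS restating that record plus an
authorization code that is an HMAC over the record, and accepts the code
only for that record, once. Key, ids and amounts are constructed values.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount: str   # as shown to the user, e.g. "$X"
    payee: str


class AuthServer:
    """Stands in for the DS3 Authentication Server on the slide."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self._pending = {}          # tx_id -> Transaction awaiting its auth code

    def _auth_code(self, tx: Transaction) -> str:
        # Bound to id, amount AND payee: a code for one record cannot
        # authorize a modified one, which is what gives non-repudiation.
        msg = f"{tx.tx_id}|{tx.amount}|{tx.payee}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def challenge(self, tx: Transaction) -> str:
        """Record the transaction as received and build the OOB SMS text."""
        self._pending[tx.tx_id] = tx
        return (f"Please Confirm Transaction ID:{tx.tx_id} "
                f"Pay {tx.amount} to {tx.payee} Auth Code: {self._auth_code(tx)}")

    def authorize(self, tx_id: str, code: str) -> bool:
        """Execute the pending transaction only if the code matches its record."""
        tx = self._pending.get(tx_id)
        if tx is None or not hmac.compare_digest(code, self._auth_code(tx)):
            return False
        del self._pending[tx_id]    # each code is usable once: no replay
        return True


_SMS = re.compile(r"Transaction ID:(\S+) Pay (\S+) to (.+) Auth Code: (\d{6})")


def user_confirms(sms: str, intended: Transaction):
    """The user's side of the OOB check: compare the SMS with what was
    actually typed into the browser. Return the code only on a match."""
    m = _SMS.search(sms)
    if m is None:
        return None
    tx_id, amount, payee, code = m.groups()
    if (tx_id, amount, payee) != (intended.tx_id, intended.amount, intended.payee):
        return None                 # the MITM changed the payee or amount
    return code


def run_scenario():
    """Replays the slide: Alice submits 'Pay $X to Mr ABC', the MITM
    forwards 'Pay $X to Mr XYZ'. Returns what each party observed."""
    server = AuthServer(b"constructed-demo-key")
    intended = Transaction("9999", "$X", "Mr ABC")
    tampered = Transaction("9999", "$X", "Mr XYZ")   # what the server received
    sms = server.challenge(tampered)
    code = user_confirms(sms, intended)              # Alice spots "Mr XYZ"
    return {"sms": sms, "user_code": code,
            "executed": code is not None and server.authorize("9999", code)}
```

The design choice worth noting is that the SMS carries the server's view of the transaction, not the browser's: the user compares the two, and the code only ever authorizes the record it was computed over, so a captured code is useless for any other transaction and a consumed code cannot be replayed.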
15. Threats at the Server (1/6)
Attack Objective:
A rogue administrator has elevated rights to the
system, and abuses those rights to obtain the end-user
credentials
Types of attacks
Replay attacks
Offline dictionary attacks
Password sniffed in transit
16. Threats at the Server (2/6)
Replay Attack
What happens:
Rogue administrator turns on verbose logs in the web
server. All users’ login credentials are captured in the
web server logs.
The administrator copies the login credentials from the
logs (even if they were already hashed at the browser)
and does a replay of the web session to gain access
as the user.
17. Threats at the Server (3/6)
Offline Dictionary Attack
What happens:
Rogue administrator gains access to the password
database in the system.
The administrator copies the database to an external
machine, and runs a brute-force attempt to find the
users’ passwords against the password records.
18. Threats at the Server (4/6)
Password sniffed in transit
What happens:
Similar to the replay attack, but carried out by the
network administrator.
Rogue network administrator turns on sniffing in the
intranet. All users’ login credentials being transferred
from the web server to the application server are
captured in the sniffer logs.
The administrator copies the login credentials from the
logs (even if they were already hashed at the browser)
and does a replay of the web session to gain access
as the user.
19. Threats at the Server (5/6)
Best Practice:
The security risk posed by a rogue administrator is even higher
than that of any phishing website.
Administrators should therefore be prevented from even
gaining access to the users’ ID and password login credentials.
There are 3 areas where security technologies can be applied:
Use end-to-end encryption of passwords from the browser to the
authentication server
Store passwords in a hash+encrypted manner
Implement 2-factor authentication for end-user logins
20. Threats at the Server (6/6)
Best Practice:
[Diagram: Customer login form (UserID abc, Pwd ******) -> Session ->
Web/App Server -> DS3 Authentication Server]
Web/App Server
Vulnerabilities:
•Replay attack
•Offline dictionary attack
•Password sniffed in transit
Best Practice:
•End-to-end encryption of passwords
•Password storage in hash-encrypted mode
•2-factor authentication at login
1. In addition to SSL session encryption, the password is RSA encrypted
with a session nonce using Javascript or a Java Applet for end-to-end
encryption.
2. The encrypted password with session nonce protects against replay
attacks.
3. Passwords remain RSA encrypted in the web-server logs.
4. Passwords are stored hash+encrypted in the DS3 Authentication Server.
The DS3 Server RSA-decrypts the password and checks the session nonce
before verifying the password.
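The four numbered steps above, worked through as an added example (not DS3's product code): the browser encrypts the password together with a server-issued session nonce under the authentication server's public key, the server decrypts, rejects any nonce it did not issue or has already consumed (which is what a credential copied from a web-server log or a sniffer capture amounts to), and only then verifies the password against a salted hash that is itself keyed with a server-side secret. Textbook RSA without padding is implemented inline only so the example runs offline with the standard library; a real deployment would use a vetted library with RSA-OAEP. The keyed hash stands in for the slide's encryption of stored hashes, and the key size, users and passwords are constructed values.

```python
"""End-to-end encrypted login with a session nonce, plus keyed (hash+encrypted)
password storage, following the four numbered steps on the slide.

Added example, not DS3's product code. Textbook RSA (no padding) is inline
only so this runs offline; real deployments use a library with RSA-OAEP.
"""
import hashlib
import hmac
import os
import secrets


# --- minimal textbook RSA, illustration only -------------------------------
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full-size and odd
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits: int = 512):
    """Return ((e, n), (d, n)). 512 bits keeps the demo fast; far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_encrypt(pub, msg: bytes) -> int:
    e, n = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> bytes:
    d, n = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- browser side (step 1) --------------------------------------------------
def client_encrypt(pub, nonce: str, password: str) -> int:
    """What the Javascript / Java Applet does: the password travels RSA-encrypted
    together with the session nonce, inside the SSL session."""
    return rsa_encrypt(pub, f"{nonce}:{password}".encode())


# --- DS3 Authentication Server stand-in (steps 2 and 4) --------------------
class AuthServer:
    def __init__(self):
        self.pub, self._priv = rsa_keygen()
        self._store_key = secrets.token_bytes(32)   # never leaves the auth server
        self._users = {}                           # user -> (salt, protected hash)
        self._nonces = set()                       # issued and not yet consumed

    def _protect(self, salt: bytes, password: str) -> bytes:
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # hash+encrypted stand-in: a stolen copy of the table cannot be
        # attacked offline without also stealing _store_key
        return hmac.new(self._store_key, h, hashlib.sha256).digest()

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._protect(salt, password))

    def new_nonce(self) -> str:
        """Issued to the browser together with the login page."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def login(self, user: str, ciphertext: int) -> bool:
        """Decrypt, check the nonce (step 2), then verify the password (step 4).
        A ciphertext copied from a web-server log (step 3) carries a consumed
        nonce and is rejected before the password is even looked at."""
        plain = rsa_decrypt(self._priv, ciphertext).decode(errors="replace")
        nonce, _, password = plain.partition(":")
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._protect(salt, password))
```

The replay from the web-server log (slide 16) and from the sniffer capture (slide 18) fail in the same place: the nonce inside the envelope was consumed by the genuine login, so `login()` returns False without ever comparing the password. In production the set of outstanding nonces also needs an expiry so that a nonce issued but never used does not stay valid indefinitely.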
21. Social Engineering Threats (1/5)
Attack Objective:
To fool the victim into carrying out certain functions or
revealing certain information
Types of attacks
Masquerading as customer
Masquerading as technical support
Masquerading as organization
22. Social Engineering Threats (2/5)
Masquerading as customer
What happens:
The hacker has been running a brute-force attack on a customer
account and has locked the account. The hacker then tries to
convince the Helpdesk to unlock the account.
23. Social Engineering Threats (3/5)
Masquerading as technical support
What happens:
The hacker pretends to be returning a call from the tech support
company in order to convince the administrator to reveal
information about the system, and even the
administrator password.
24. Social Engineering Threats (4/5)
Masquerading as organization
What happens:
The hacker may pose as the organization to convince the
user to reveal the password; or
the hacker may pose as the organization to obtain the user’s
answers to personal questions in order to
gain access to the password reset function.
25. Social Engineering Threats (5/5)
Best Practice:
Besides enforcing strong authentication for end-user logins,
administrative or privileged accounts for internal systems should
also be protected with 2-factor authentication.
Change or re-set password self-service screens should require
the 2nd-factor credential as part of the change/reset password
process.
[Diagram: Administrators on UNIX (via PAM_RADIUS), Windows (via GINA)
and VPN log in with UserID, Password + OTP; the login is forwarded by
RADIUS Authentication to the DS3 Authentication Server, which verifies
it and returns OK]
26. Addressing the threats
[Diagram: summary of the vulnerabilities and best practices at the
Customer, the Session, the Web/App Server and the Helpdesk]
Customer
Vulnerabilities:
•Trojan sniffers
•Soliciting Email to enter credentials
•Fake Phishing website
Best Practice:
•Strong 2-factor authentication using tokens or SMS OTP
Session
Vulnerabilities:
•Session hijacking
•Man-in-the-Middle / Man-in-Browser attack
Best Practice:
•Verify the session
•Use OOB to re-validate the transaction
•User to provide OTP auth-code for non-repudiation
Web/App Server
Vulnerabilities:
•Replay attack
•Offline dictionary attack
•Password sniffed in transit
Best Practice:
•End-to-end encryption of passwords
•Password storage in hash-encrypted mode
•2-factor authentication at login
Helpdesk
Vulnerabilities:
•Masquerading as customer
•Masquerading as tech support
•Masquerading as organization
Best Practice:
•Require strong authentication for internal administrative accounts
•Require strong authentication for change / reset password
27. Questions ?
Thank you. For enquiries, please contact:
Data Security Systems Solutions Pte Ltd
Website: http://www.ds3global.com
info@ds3global.com