Guest editorial by Roel Schouwenberg

Over the last few months, there’s been quite a lot of news chatter around Banker Trojans emptying out the online bank accounts of small businesses in the U.S. Today I was reading one such story on Brian Krebs’ site. After reading that story I came across another news item that described booting from an alternative medium to get safe internet banking.

That got me thinking again about an article I wrote quite some time ago, specifically the portions on Man-in-the-Endpoint (or Man-in-the-Browser, as some prefer to call it) attacks. My opinion has not changed since then – MitE Banker Trojans already reached some sort of ‘maximum sophistication’ point back in 2007. This specific subset of Banker Trojans was, and still is, extremely sophisticated, and will exploit bank-specific weaknesses in the implementation of two-factor authentication.

So where are all these very sophisticated Banker Trojans? Well, they’re very limited in number. Why? Because sophisticated malware is not needed to successfully attack the majority of banks. A lot of banks still don’t employ two-factor authentication for making transactions. Or, when they do, it’s a very weak form of two-factor authentication. Having some secret questions next to a password is not real two-factor authentication. Such protection is no match for most of the Banker Trojans/Spyware out there. Static responses – passwords, answers – should have been abandoned no later than 2007.

What frustrates me most is that a solution exists that would solve the online banking security problem to the greatest possible extent.

In short: Online banking requires multi-factor authentication. The authentication code needs to be received or generated on a device which is not connected to the device that’s doing the transaction.

Ideally, not only the transaction authorization code but also the password for logging on to the banking site is generated dynamically. One thing to keep in mind here is that the cryptographic response algorithm needs to be different for logging on and for approving transactions.

We should also realize that Trojans can (potentially) manipulate everything on your screen and in your traffic. The solution to this huge problem is actually quite simple: make the receiving bank account number part of the authentication process. Either send the number along with the SMS or use it as an (additional) challenge when using a token. The user knows where the money is supposed to go.

Some people argue that using the recipient’s bank account number as a challenge, or any other code that will uniquely identify the recipient, doesn’t solve the problem as people may not pay attention. Well, when dealing with money, people should be paying attention. It’s a silly excuse and does not take away that this is the only real solution to this problem.
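As an added illustration of the scheme described above (this is example code written for this page, not code from the original post or from any bank’s system): a toy token and bank server in which the logon response and the transaction response use separate HMAC domains, and the transaction response is bound to the recipient account number the customer keys into a disconnected token. The device key, account numbers and amount are constructed sample values; binding the amount in addition to the account number goes slightly beyond what the post proposes.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed per-device secret (in practice provisioned by the bank into the token).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def _truncate(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a short numeric code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login_response(key: bytes, challenge: bytes) -> str:
    """Logon code: bound only to the challenge, under the 'login' domain."""
    return _truncate(hmac.new(key, b"login|" + challenge, hashlib.sha256).digest())


def transaction_response(key: bytes, challenge: bytes, recipient: str, amount_cents: int) -> str:
    """Transaction code: bound to the challenge, the recipient account and the amount,
    under a separate 'txn' domain so a logon code can never approve a transfer."""
    msg = b"|".join([b"txn", challenge, recipient.encode(), str(amount_cents).encode()])
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class BankServer:
    """Minimal server side: issues single-use challenges and verifies responses."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._open = set()  # outstanding, not yet consumed challenges

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self._open.add(challenge)
        return challenge

    def _consume(self, challenge: bytes) -> bool:
        # Each challenge is accepted once, so a captured response cannot be replayed.
        if challenge not in self._open:
            return False
        self._open.discard(challenge)
        return True

    def verify_login(self, challenge: bytes, response: str) -> bool:
        if not self._consume(challenge):
            return False
        return hmac.compare_digest(login_response(self._key, challenge), response)

    def verify_transfer(self, challenge: bytes, recipient: str, amount_cents: int, response: str) -> bool:
        # The bank recomputes the code over the recipient it actually received.
        if not self._consume(challenge):
            return False
        expected = transaction_response(self._key, challenge, recipient, amount_cents)
        return hmac.compare_digest(expected, response)


def demo_transfer(tampered: bool) -> bool:
    """The customer intends to pay `intended` and keys that number into the disconnected
    token. If a browser-side Trojan swaps the recipient in the submitted form, the code
    no longer matches. Returns True if the bank accepted the transfer."""
    bank = BankServer(DEVICE_KEY)
    intended = "NL00BANK0123456789"  # constructed account number
    amount = 25000  # constructed amount in cents
    challenge = bank.new_challenge()
    code = transaction_response(DEVICE_KEY, challenge, intended, amount)  # computed on the token
    submitted = "NL00MULE9876543210" if tampered else intended  # constructed mule account
    return bank.verify_transfer(challenge, submitted, amount, code)


if __name__ == "__main__":
    print("honest transfer accepted:", demo_transfer(tampered=False))
    print("tampered transfer accepted:", demo_transfer(tampered=True))
```

The account number keyed into the token has to come from a source the PC does not control (the invoice on the desk, not the confirmation screen), because the Trojan can render whatever it likes; the bank side in turn must recompute the code over the recipient it actually received, which is what makes the substitution detectable. The domain prefixes are what implement the post’s point that logon and transaction responses must not share an algorithm.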

Those banks that opted not to adopt my suggestions listed inconvenience as the main reason. This seemed a much bigger issue with banks in America than with those in Europe. For reasons unknown, American banks seem much more hesitant to potentially inconvenience their clients than European banks are. Yet the clients I speak to in Europe are thrilled with the added security.

What we also need to keep in mind is that since 2006/2007, a lot has changed. The average sophistication of malware has gone up. Form grabbers, for example, are pretty much standard. In fact, we live in a day and age where Microsoft decided to pull a patch because of problems which turned out to be caused by the extremely advanced TDSS rootkit.

What does this mean? It means that we need online systems in place that are resilient to such powerful malware. Without the recipient’s bank account number being part of the authorization, there’s no way even the best security expert in the world can say with full confidence that the transaction displayed on screen is actually going where it’s supposed to go.

The state of online banking in some ways resembles that of the internet. For many banks, online banking was not designed with proper safety in mind; convenience was the major driver. The internet was built on very much the same principles. I’d argue that solving the online banking problem is a vastly easier task than fixing the fundamental weaknesses in the internet infrastructure.

So, let’s start fixing the online banking problem. I think it’s not nearly as hard as people may think it is. The necessary solution is out there and published. All it takes is for a number of clients to start speaking up and demand better security. Surely one bank will see the competitive advantage of offering better security. From there on other banks will follow. Losing significant amounts of money or a little added inconvenience which can be minimized? I know which one I’d pick.

* Roel Schouwenberg is a senior anti-virus researcher in Kaspersky Lab’s Global Research & Analysis Team.

Categories: Compliance, Cryptography, Malware

Comments (11)

  1. Anonymous

    Well, here is even better solution to online banking: don’t. Prevent high value transactions, especially wires from being done online.

    Alternative is truly two-factor auth with the second authorization performed out-of-band. Well known, but apparently not implemented by this bank.

    Important to note that the bank chose convenience over security, especially if they cannot be held responsible for the money. Call this customer experience if you will.

  2. John B. Frank

    I agree wholeheartedly with your conclusions. 29% of Europeans use a card reader to authenticate the online banking session. That’s up 31% from 2008 (22%). Banks trust the methodology used to authenticate an ATM transaction. That’s why we can withdraw $200.00 at 2:00 AM 2000 miles away from our branch. Why not replicate the same methodology to authenticate the online banking session?

    I suggest the solution lies with the world’s only PCI 2.0 Certified PIN Entry Device designed for online financial transactions. HomeATM’s device plugs into the USB port and an API uploaded to the bank’s servers would recognize it’s attached and rather than asking for a “user name” and “password” it would instruct the online banking customer to “Swipe their card” (3DES Encryption including the Track 2 data at the maghead) and Enter their PIN. (End to End DUKPT encryption)

    The HomeATM PCI 2.0 PED 100% replicates the same trusted process used at an ATM, using existing cards, existing PINs and existing bank rails without the skimming/hidden camera threat inherent with ATM transactions.

    JBF
    http://PINDebit.blogspot.com

  4. Anonymous

    Change the tax loopholes that allow financial institutions to virtually write-off fraud. Then, they’ll be banging down the doors to find solutions from you people. Right now, it’s cheaper to write it off, as opposed to implementing security measures. I believe it’s just that simple.

  5. Dave

    “When all you’re a hammer, all your problems look like nails.” Geeks think every solution has to be technical. 2FA is not going to solve this. Shifting the risk will solve it.

    Presently, banks are, generally, accepting risk for individual accounts and risk for business accounts lie with the business, as many of Brian Krebs’ articles attest. In the US, credit card laws require this for credit card accounts and banks are extending the same “protection” to most individual accounts and debit cards. Brokerages are a whole other segment of the financial services industry where no one can easily and accurately predict who is at risk from a breach.

    If you want to think in terms of “how to fix online banking fraud” centralize the risk. Force financial institutions to cover all breaches. Force them to publicly disclose all breaches. Do not provide blanket exemptions for investigations, some will never close. Require a public court hearing for an extension beyond one year for a breach notification, and, at least, the institution will have to go before a judge and say, “we had a breach, it affects X customers and it’s under investigation by Y.”

    Put the risk on the entity with the greatest resources to solve the problem and compel them to solve it. Then their geeks can play with it.

  6. Kris

    The security difference between European and US banks goes as far as this: since January 2010, I can no longer use my Belgian VISA card on multiple US websites as Verified by VISA is a mandatory issue on every Belgian VISA card now… and, in my opinion, the European Verified by VISA program is incompatible with the US version. We use a separate code generator that requires inserting the VISA card (vasco.com). Security, a nice issue, but how can I pay my bill now?

  7. Will Urbanski

    Why not use PKI? If banks maintained a key for each account then wire transfers could include a challenge-response portion to ensure that the recipient of the money is who they say they are.

  8. Anonymous

    I agree that what most banks call 2-factor is not true 2-factor, but the examples you describe seem to be focused on the retail banking side when most of the fraud is occurring on the commercial side. The fraud that we read about almost daily from Krebs involves a business that has cash management services through some FI. The hackers gain access to the login credentials and often times the answers to the challenge questions and carry out the fraud w/o any interaction from the consumer. Often times they will post micro-payments to see if they’re caught, then they make the big transfers either through multiple wires under $10,000 or an ACH transfer. So having some out-of-band method to confirm a transaction, while certainly an extra layer, could easily be defeated if SMS is used and the SMS setting can be changed by the consumer. The attacker would simply change all settings related to the consumer, email, cell #, etc. to carry out the fraud. It would however work if the consumer could not change this setting, only the FI.

    I agree that there are solutions to remedy the problem but most people want convenience over security, that is until they get nailed:-).

  9. Anonymous

    Speaking from a victim’s perspective; that is, one that has had to learn the hard way, 2-factor techniques including ANY token based authentication, biometrics such as fingerprint, etc. have been and will continue to be defeated. For the sake of bringing it up, although telephony based authentication can be defeated as well, albeit not as easily as other in and out of band measures, phone based OOB authentication of new payees in an online banking world is the hardest to defeat. Notwithstanding, authentication of any kind should only be the first of a layered approach to securing online banking transactions. Risk analysis and fraud detection that can be adapted on the fly to changing threats must be a part of any online banking protocol bearing the word “secure” in its description.

    As it has been pointed out in earlier posts, FIs are mandated by FR Reg. E to protect consumers only; this should be extended to commercial accounts to force FIs to adopt better authentication and anti-fraud techniques.

  10. John

    Well spoken, Roel!

    You are absolutely spot on in your insights – it’s almost like hearing my own words echo :)

    Based on the same conclusions (multi-factor authentication, cross-channel attack mitigation, user-friendliness and understanding what you’re signing) we (Todos AB) HAVE performed all of our R&D, leading to the introduction of cool things such as Dynamic Signatures, Secure Domain Separation, Sign-What-You-See etc. Basically we’ve taken standards (incl. CAP/EMV, Verified by Visa etc.) and made them better. Better as in more secure, and much more user-friendly.

    With Steven Elefant, chief information officer for Heartland Payments Systems (the fourth largest card payment processor in the US) recently saying that US issuers would begin migrating to EMV standard smart cards (chip) this year we could not only hear jaws drop, but also sighs of relief. Suddenly US online banking might also be on the track to opt for really secure setups, such as European giants incl. ABN AMRO, Nordea etc.

    Check out these links if you want to know more:
    http://www.todos.se/index.php/technology/sign_what_you_see
    http://www.todos.se/index.php/technology/dynamic_signatures

Comments are closed.