SlideShare a Scribd company logo

9 3

Hai Nguyen
Hai Nguyen
Technology
1 of 8
Download to read offline
How to Attack Two-Factor Authentication Internet Banking Manal Adham1, Amir Azodi1,3, Yvo Desmedt2,1, and Ioannis Karaolis1 1 University College London, UK 2 The University of Texas at Dallas, USA 3 Hasso Plattner Institute, Germany Abstract. Cyber-criminals have benefited from on-line banking (OB), regardless of the extensive research on financial cyber-security. To bet- ter be prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that they could be auto- mated dramatically. To demonstrate the feasibility of our predictions and prove that many two-factor authentication schemes can be bypassed, we developed three browser rootkits which perform the automated attack on the client’s computer. Also, in some banks attempt to be regarded as user-friendly, security has been downgraded, making them vulnerable to exploitation. To wrap up, we discuss the measures needed to avoid the next generation of attacks. 1 Introduction A lot of research has been done on the cyber-security of financial trans- actions, both from a cryptographic as well as from a computer security viewpoint. Due to work like [7], wholesale transactions are now relatively secure. The challenge today is to secure the PC-based transactions. We see that identity theft has been for more than a decade the most frequent white collar crime. We know that attacks against US and UK Internet banking systems have been quite successful [16]. Tools like the Zeus mal- ware kit [15] and the SilentBanker Trojan [19], have been helping criminals perform fraudulent on-line bank transactions. Since research should be ahead of hackers, the main goal of this pa- per is to predict the next generation of OB attacks and how they may worsen the already questionable security. We survey the tools hackers use and see that, they are not fully automated, requiring an involvement of humans to perform the fraudulent transactions. To demonstrate the fea- sibility of a fully automated attack, three advanced browser rootkits (for Firefox Browsers) were developed, targeting the Internet banking systems of NatWest, HSBC and Bank of Cyprus. An attack against Barclays’ sys- tem is also proposed. Security of these major banks is largely dependent
on the commonly used two-factor authentication schemes. By successfully circumventing and exploiting the weaknesses of such systems, we hope to raise awareness on how dangerous the current situation is. Aside from security in the absolute sense, we consider auxiliary factors like usability. This is a critical factor that can drive a bank to lower its security threshold in order to satisfy its customers’ desires (e.g., Barclays). 2 Background 2.1 Attack Strategies and Techniques We distinguish between three main Internet banking attack vectors that can be used alone or in combination. Firstly, a Credential Stealing attack, is where fraudsters try to gather users’ credentials, either with the use of a malicious software or through phishing [8]. Secondly, a Channel Breaking attack, involves intercepting the communication between the client side and the banking server, by masquerading as the server to the client and vice versa [18]. Finally, a Content Manipulation (also called man-in-the- browser (MiTB) [14]) attack, takes place in the application layer between the user and the browser. The adversary is granted with privileges to read, write, change and delete browser’s data “on the fly”, whilst the legitimate user is seamlessly unaware. A Browser Rootkit, is a content manipulation technique, which is ca- pable of completely changing the browser’s display and behavior [4]. It is basically a malicious browser extension, which are used to extend and/or customize the browser’s functionality [1]. To control unauthorized instal- lation of browser extensions, modern browsers like Firefox, have employed numerous but weak security measures, which can be easily bypassed [4]. 2.2 Related Work and Attacks A Firefox malicious extension called BROWSERSPY was developed, which once installed on the victim’s machine, begins collecting personal data that is later sent to the remote attacker [20]. Zeus [15], SilentBanker [19] and URLZone1 [2], are infamous Trojans, which have been successfully used against on-line banking systems (OBS) to steal millions of dollars [12, 16]. They are primarily used to steal lo- gin credentials and card numbers with their security codes, but can also change transaction details on the fly. This is commonly achieved by adding form fields at the browser level. The stolen data is sent to a command
and control server (C&C server) controlled by the remote attacker, who is then able to manually connect to the victims on-line banking accounts. An attack against Helios 2.0 e-voting system is described in [4]. The attack exploits Adobe Acrobat/Reader vulnerabilities to install a browser rootkit on the voters’ machines. This rootkit changes the selected legiti- mate candidate vote to the one chosen by the extension’s author, and also misleads the voters to believe they have voted for their desired candidate. In [9], an hPIN/hTAN device is proposed, which concentrates on the trade-off between security and usability. The central concept of the design is to make it simple. 3 Authentication Systems Used in Internet Banking Currently, several banks implement an additional layer of secondary au- thentication, required for monetary transactions. Four common classes of authentication schemes are usually employed. One-Time-Password (OTP) schemes, generate passwords using pseudo- random generators or mathematical algorithms in order to authenticate the users. However, they offer no security against man-in-the-middle (MiTM) or MiTB attacks [9]. Bank of Cyprus uses the DigiPass GO3 token for authenticating its customers’ monetary transactions [21]. In Full Transaction Authentication schemes, the OTP generated to authenticate the transaction is cryptographically bound to the transaction data. For example, Barclays’ PINsentry device, which adopts the CAP protocol, implements this scheme when in ‘Sign mode” [17]. However, since August 2011, the implementation of PINsentry has been relaxed and favors usability rather than security. Specifically, account holders no longer need to use PINsentry for authenticating transactions when the payee is in their beneficiary list. It is evident that pressures from unhappy customers, who are unaware of security issues, have influenced Barclays to downgrade its security [5,13]. Partial Transaction Authentication is a “relaxed” form of full transac- tion authentication, where only part of the transaction data are required during authentication. Example implementations of these systems include NatWest card reader (challenge/response mode) and HSBC security key. Here the cryptograms generated to authenticate transactions are based only on the last four digits of the payees’ account numbers [17]. Finally, some OBSs do not require authentication of monetary trans- actions (i.e., No Secondary Authentication is required). This situation is true for NatWest and HSBC customers, who can perform payment
transactions to payees who have previously been authenticated and to governmental/financial institutions deemed trustworthy by the banks. 4 Automation of the Attack Current black-hat hackers’ software requires manual intervention to per- form fraudulent transactions, limiting the damage that can be caused. In the future, hackers may adapt their tools to take advantage of the weaknesses in modern OBSs and fully automate their attack. In order to demonstrate the current shortcomings of OBSs, we have implemented three browser rootkits that undermine the OB security of HSBC, NatWest and Bank of Cyprus. An attack against Barclay’s OBS is also proposed. 4.1 Automatic Fraudulent Transaction Once the browser rootkit is installed on the victims’ machines, it passively monitors their browsing activities, and activates once they successfully log onto the targeted OB. In order to achieve successful fraudulent transactions, some conditions must first be met. In the case of HSBC and NatWest, the last 4 digits of the beneficiary’s account number must match the respective last 4 digits of an account controlled by the attacker (as this paper is a proof of con- cept, the attacker’s account numbers are stored in the browser rootkits. To counter traceability, different account numbers, which can be mule accounts, can be fetched from different locations). In the case of Bank of Cyprus, a freshly generated OTP must be typed. When the necessary condition is met, the respective browser rootkit can successfully execute a fraudulent transaction by changing the transaction data ”on the fly” (i.e., the beneficiary’s account number and amount), whilst displaying what the user expects to see (i.e., the intended by the user transaction data). In order to keep the attacks undetectable for a longer period, a small percentage of the holdings in an account is taken each time.It is more likely that the victim will disregard a few missing dollars compared to a few hundred missing dollars. At the time this study began, Barclays’ OBS required a fresh full authenticating signature from PINsentry for every monetary transaction, thus no browser rootkit was feasible on its own to successfully attack the given system (full transaction authentication for every transaction beats browser rootkit attacks). However, the fact that account numbers in the user’s beneficiary list need no signature, creates a vulnerability. Specif- ically, if the attacker is successful in tricking the victim to purchase or
buy a fake service (e.g., through scareware [11]), then the account num- ber used by the attacker will be listed in the victim’s beneficiary list. The browser rootkit will then be capable to perform fraudulent transactions to the attacker’s account number, since money transfers to that account will require no signature! Similarly with NatWest and HSBC, money transfers to a host of businesses (deemed trustworthy) do not require a transac- tion verification step. In this case, the browser rootkit can be instructed to perform funds transfers to these hosts, hidden from the user’s view. Although there is no direct financial gain for the attacker, this remains a vulnerability of this specific OBS and other similar. 4.2 Hiding the Attacks The developed browser rootkits cover up all traces of their activities. Specifically, they store the information pertaining to the fraudulent trans- actions in browser cookies and on the victim’s hard drive (under Firefox’s ”Profiles” directory). All fraudulent activity is successfully hidden from the victim by first, having the browser displaying the expected by the victim account balance rather than the actual one (which obviously has less money since the browser rootkit fraudulently transfered money from it), and secondly, by removing all fraudulent activity from the victims’ statements. This is achieved by exploiting DOM elements of the HTML page. The fraudulent activity is kept hidden from the user no matter when and how many times the user logs out and back in again. As long the malicious extension is installed, the attack remains hidden. 4.3 What is New The biggest advantage of the developed browser rootkits is that they are fully automated. Once they are successfully installed, they are capable of performing fraudulent transactions and covering their traces at the same time, without any further human intervention or instructions from a remote C&C server, as in the case of Zeus and the like Trojans [2,15, 19]. This is feasible since the attacks are against fixed banks, with the browser rookits explicitly designed to attack the given OB systems of the respective targeting banks. In addition, the adversarial bank account numbers are stored in the browser rootkits code. Additionally, no theft of banking information is necessary. Our browser rootkits are clever enough to remain hidden and submit when successful fraudulent transactions are possible.
Finally, in contrast with Trojans of black-hat hackers that create files and modify the registry keys in the victims’ machines, our developed browser rootkits are simple browser extensions written in a few hundred lines of code. Browser rootkits are really hard detected by any antivirus program, since once installed they become a part of the browser. In con- trast, OS rootkits and Trojans are much easier to detect with an updated antivirus or an Intrusion Detection System. 5 Defenses It is possible to implement security measures that protect client machines from browser rootkits. The simplest defense, is the adoption of security devices that enforce all monetary transactions to be fully authenticated, including payments to governmental institutes or other public services (browser rootkits can be instructed to just empty the victim’s balance (e.g., HSBC attack)).This means that at least the whole account num- ber and the amount must be signed for each transaction. No trustee list should exist as this is exploitable as demonstrated in this paper. Fur- thermore, it is crucial that these devices are user-friendly, since customer dissatisfaction can lead banks to relax their security and in effect make their systems vulnerable. The approach we propose is to adopt the Glass [6] approach and ad- vance it. As suggested by Glass, the need for a display and a keyboard is of vital importance. Our device has a USB connection that powers the de- vice and establishes a secure communication channel with the bank. This can be realized in a number of ways (e.g., VPN, SSL/TLS). We also in- clude two buttons to accept or reject any process. The process of Logging into the OBS requires the use of the device. The user powers the device via USB, which in turn asks for the user’s PIN. If correct, the device will activate and attempt to establish a secure communication channel with the OBS (e.g., a VPN Connection). In order to make any transactions, the user will then have to enter the details of his desired transaction into the browser and submit them to the bank’s server. The bank will sign the transaction based on the details it has received, and encrypt both the transaction details and its signature. The ciphertext with its MAC are then sent to the security device through the VPN connection. The device checks the integrity of the message and decrypts the ciphertext. The de- vice will then display the recipient’s account number and the amount. If confirmed by the user, the device will relay this confirmation through the VPN connection to the OBS and commit the transaction.
6 Future Work Real deployments of two-factor authentication schemes suffer from secu- rity issues as a result of bad design, underestimating client-side attacks and lack of usability. An ideal scheme must accommodate for the trade-off between usability and security. Clearly, new ideas that focus on security with minimal user interaction are very important. Given that a secure ele- ment (i.e., something the user has) has become essential to reach the stan- dards of modern secure authentication schemes, the question of whether we can get rid of them may no longer stand. However, whether a universal security device for all OBSs could be deployed still remains, and depends on the willingness, effort and cooperation of the financial institutions. In addition, as the use of smartphones has transformed our daily lives, it is possible to use mobile phones to generate transaction authentication signatures. Mobile phones are in fact used as a second authentication, but the question is whether they can improve the current processes. Finally, some advances that could be addressed in a future work may be the use of Out-of-Band (OOB) communication channels [3]. In such a setting, the device is able to communicate with the authenticating servers through the secure OOB channel and display the information for confirmation. 7 Conclusions and Reflections Two-factor authentication (excluding full transaction verification) is still inadequate to deal with browser rootkit attacks. Although the original user-unfriendly approach of Barclays shows that if criminals would auto- mate their attacks, certain banks are ready to roll out their modifications and annul most of the attacks, the hardware/software used by most banks though, as HSBC, NatWest and Bank of Cyprus, may not allow them to switch quickly. We finally observe that full transaction verification may not fully address all security concerns. The information displayed on the PC including; account numbers, name, balance and transaction details, do not remain private! Indeed, a browser rootkit can leak all this infor- mation to an attacker who could use it to physically target rich users, use identity theft techniques, etc. To deal with this problem banks need to carefully consider what they display on the browser. Finally, this study has multiple precautions to ensure that no malware was released in the wild. No bank servers were violated. A longer version of this paper is available in [10].
Acknowledgments. We would like to thank the referees for their feed- back and the shepherd of the paper Ahmad-Reza Sadeghi for his effort. References 1. Mozilla Developer Centre. Extensions. https://developer.mozilla.org/en-US/docs. 2. D. Chechik. Malware Analysis Trojan Banker URLZone/Bebloh, September 2009. http://goo.gl/z7YSV. 3. D. Chou. Strong User Authentication on the Web, August 2008. http://goo.gl/6xbky. 4. S. Estehghari and Y. Desmedt. Exploiting the client vulnerabilities in internet E-voting systems: hacking Helios 2.0 as an example. In Proceedings of the 2010 international conference on Electronic voting technology/workshop on trustworthy elections, EVT/WOTE’10, pages 1–9, 2010. 5. PistonHeads Web Forum. Barclays PINsentry, what a dumb POS, 2008. http://goo.gl/wRoJV. 6. A. S. Glass. Could the Smart Card Be Dumb. In Abstract of Papers, Eurocrypt 86, pages 1.5A–1.5B, May 20–22, 1986. ISBN 91–7870–077–9, Link¨oping, Sweden. 7. F. M. B. Greenlee. Requirements for key management protocols in the whole- sale financial services industry. IEEE Communications Magazine, 23(9):22–28, September 1985. 8. M. Jakobsson. Modeling and Preventing Phishing Attacks. In Financial Cryptog- raphy. Springer Verlag, 2005. 9. S. Li, A.-R. Sadeghi, S. Heisrath, R. Schmitz, and J. Ahmad. hPIN/hTAN: A Lightweight and Low-Cost e-Banking Solution against Untrusted Computers. In Financial Cryptography and Data Security, LNCS, pages 235–249. 2012. 10. M. Adham, A. Azodi, Y. Desmedt and I. Karaolis. How To Attack Two-Factor Authentication Internet Banking. 2013. http://goo.gl/YsA6j. 11. Microsoft Safety & Security Centre. Watch out for fake virus alerts. http://goo.gl/YEZMT. 12. E. Mills. Banking Trojan steals money from under your nose, September 2009. http://goo.gl/tuDfJ. 13. moneysavingexpert Web Forum. Stupid Barclays PINsentry Thingymajic. Can I Log Into My Online Account Without It?, 2010. http://goo.gl/eqaey. 14. RSA White Paper. Making Sense of Man-in-the-browser Attacks: Threat Analysis and Mitigation for Financial Institutions, 2010. http://goo.gl/NRcez. 15. S. Ragan. Overview: Inside the Zeus Trojan’s source code, May 2011. http://goo.gl/nsvpG. 16. RiskAnalytics LLC. $70 Million Stolen From U.S. Banks With Zeus Trojan, Oc- tober 2010. http://goo.gl/XkSgq. 17. S. J. M. Saar Drimer and R. Anderson. Optimised to Fail: Card Readers for Online Banking. Financial Cryptography and Data Security, February 2009. 18. B. Schneier. Two-Factor Authentication: Too Little, Too Late. Commun. ACM, 48(4):136–, April 2005. 19. Symantec. Banking in Silence, June 2009. http://goo.gl/aj61F. 20. M. Ter Louw, J. Lim, and V. Venkatakrishnan. Extensible Web Browser Security. In Detection of Intrusions and Malware, and Vulnerability Assessment, volume 4579 of LNCS, pages 1–19. Springer, 2007. 21. VASCO. DIGIPASS GO 3, August 2012. http://goo.gl/EmLFy.

Recommended

Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareEntrust Datacard
 
Man in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperMan in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperHai Nguyen
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
Banking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisBanking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisCSCJournals
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568IJRAT
 
Jon handout 3
Jon handout 3Jon handout 3
Jon handout 3Cheryl White
 
Jon handout 2
Jon handout 2Jon handout 2
Jon handout 2Cheryl White
 

Recommended

Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareEntrust Datacard
 
Man in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperMan in-the-browser tectia-whitepaper
Man in-the-browser tectia-whitepaperHai Nguyen
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
Banking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisBanking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisCSCJournals
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Paper id 35201568
Paper id 35201568Paper id 35201568
Paper id 35201568IJRAT
 
Jon handout 3
Jon handout 3Jon handout 3
Jon handout 3Cheryl White
 
Jon handout 2
Jon handout 2Jon handout 2
Jon handout 2Cheryl White
 
The financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogThe financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogITrust - Cybersecurity as a Service
 
New Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsNew Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsDR.P.S.JAGADEESH KUMAR
 
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security SolutionMobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solutionguestd1c15
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention CMR WORLD TECH
 
Ijetr042177
Ijetr042177Ijetr042177
Ijetr042177Engineering Research Publication
 
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARINGSFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARINGijcsit
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
E-Banking Web Security
E-Banking Web SecurityE-Banking Web Security
E-Banking Web SecurityDragos Lungu
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersAndrey Apuhtin
 
E Authentication System with QR Code and OTP
E Authentication System with QR Code and OTPE Authentication System with QR Code and OTP
E Authentication System with QR Code and OTPijtsrd
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
Attacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineAttacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineRapidSSLOnline.com
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
13_2
13_213_2
13_2Prince Gupta
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataInsider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataLindsey Landolfi
 
this is test for today
this is test for todaythis is test for today
this is test for todayDreamMalar
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Alan McSweeney
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and ThreatsBPalmer13
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online bankingJakub Kałużny
 
Zsun
ZsunZsun
ZsunHai Nguyen
 

More Related Content

What's hot

The financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogThe financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogITrust - Cybersecurity as a Service
 
New Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsNew Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsDR.P.S.JAGADEESH KUMAR
 
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security SolutionMobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solutionguestd1c15
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention CMR WORLD TECH
 
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARINGSFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARINGijcsit
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
E-Banking Web Security
E-Banking Web SecurityE-Banking Web Security
E-Banking Web SecurityDragos Lungu
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersAndrey Apuhtin
 
E Authentication System with QR Code and OTP
E Authentication System with QR Code and OTPE Authentication System with QR Code and OTP
E Authentication System with QR Code and OTPijtsrd
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
Attacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineAttacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineRapidSSLOnline.com
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataInsider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataLindsey Landolfi
 
this is test for today
this is test for todaythis is test for today
this is test for todayDreamMalar
 

What's hot (17)

The financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlogThe financial sector under siege from vicious banking malware @ReveeliumBlog
The financial sector under siege from vicious banking malware @ReveeliumBlog
 
New Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsNew Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking Applications
 
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security SolutionMobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention
 
Ijetr042177
Ijetr042177Ijetr042177
Ijetr042177
 
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARINGSFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
SFAMSS:A S ECURE F RAMEWORK F OR ATM M ACHINES V IA S ECRET S HARING
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
E-Banking Web Security
E-Banking Web SecurityE-Banking Web Security
E-Banking Web Security
 
Compromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggersCompromised e commerce_sites_lead_to_web-based_keyloggers
Compromised e commerce_sites_lead_to_web-based_keyloggers
 
E Authentication System with QR Code and OTP
E Authentication System with QR Code and OTPE Authentication System with QR Code and OTP
E Authentication System with QR Code and OTP
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
 
Attacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonlineAttacks on Point-of-Sales Systems | RapidSSLonline
Attacks on Point-of-Sales Systems | RapidSSLonline
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
13_2
13_213_2
13_2
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataInsider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary Data
 
this is test for today
this is test for todaythis is test for today
this is test for today
 

Similar to 9 3

CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Alan McSweeney
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and ThreatsBPalmer13
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online bankingJakub Kałużny
 
When thieves strike: Executive briefing on SWIFT attacks
When thieves strike: Executive briefing on SWIFT attacksWhen thieves strike: Executive briefing on SWIFT attacks
When thieves strike: Executive briefing on SWIFT attacksSangram Gayal
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackCSCJournals
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESHOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESAM Publications,India
 
White paper Real Time Transaction Analysis and fraudulent transaction detecti...
White paper Real Time Transaction Analysis and fraudulent transaction detecti...White paper Real Time Transaction Analysis and fraudulent transaction detecti...
White paper Real Time Transaction Analysis and fraudulent transaction detecti...Ajay Alex
 
Anti-Fraud Datasheet
Anti-Fraud DatasheetAnti-Fraud Datasheet
Anti-Fraud DatasheetMani Rai
 
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!Caroline Johnson
 
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...IJNSA Journal
 
Cyber crime - Understanding the Organised Criminal Group model
Cyber crime - Understanding the Organised Criminal Group modelCyber crime - Understanding the Organised Criminal Group model
Cyber crime - Understanding the Organised Criminal Group modelInnesGerrard
 
Cybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & ImportanceCybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & Importancemanoharparakh
 
First Union Bank Report
First Union Bank ReportFirst Union Bank Report
First Union Bank ReportYogesh Kumar
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxITIO Innovex
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Editor IJCATR
 

Similar to 9 3 (20)

CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and Threats
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
 
Zsun
ZsunZsun
Zsun
 
When thieves strike: Executive briefing on SWIFT attacks
When thieves strike: Executive briefing on SWIFT attacksWhen thieves strike: Executive briefing on SWIFT attacks
When thieves strike: Executive briefing on SWIFT attacks
 
A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits Attack
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESHOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
 
White paper Real Time Transaction Analysis and fraudulent transaction detecti...
White paper Real Time Transaction Analysis and fraudulent transaction detecti...White paper Real Time Transaction Analysis and fraudulent transaction detecti...
White paper Real Time Transaction Analysis and fraudulent transaction detecti...
 
Anti-Fraud Datasheet
Anti-Fraud DatasheetAnti-Fraud Datasheet
Anti-Fraud Datasheet
 
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
 
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH...
 
Cyber crime - Understanding the Organised Criminal Group model
Cyber crime - Understanding the Organised Criminal Group modelCyber crime - Understanding the Organised Criminal Group model
Cyber crime - Understanding the Organised Criminal Group model
 
Cybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & ImportanceCybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & Importance
 
First Union Bank Report
First Union Bank ReportFirst Union Bank Report
First Union Bank Report
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptx
 
Major Prc.pptx
Major Prc.pptxMajor Prc.pptx
Major Prc.pptx
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
 
Secure client
Secure clientSecure client
Secure client
 
Emerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business ReadyEmerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business Ready
 

More from Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowresHai Nguyen
 

More from Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowres
 

Recently uploaded

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

9 3

  • 1. How to Attack Two-Factor Authentication Internet Banking Manal Adham1, Amir Azodi1,3, Yvo Desmedt2,1, and Ioannis Karaolis1 1 University College London, UK 2 The University of Texas at Dallas, USA 3 Hasso Plattner Institute, Germany Abstract. Cyber-criminals have benefited from on-line banking (OB), regardless of the extensive research on financial cyber-security. To bet- ter be prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that they could be auto- mated dramatically. To demonstrate the feasibility of our predictions and prove that many two-factor authentication schemes can be bypassed, we developed three browser rootkits which perform the automated attack on the client’s computer. Also, in some banks attempt to be regarded as user-friendly, security has been downgraded, making them vulnerable to exploitation. To wrap up, we discuss the measures needed to avoid the next generation of attacks. 1 Introduction A lot of research has been done on the cyber-security of financial trans- actions, both from a cryptographic as well as from a computer security viewpoint. Due to work like [7], wholesale transactions are now relatively secure. The challenge today is to secure the PC-based transactions. We see that identity theft has been for more than a decade the most frequent white collar crime. We know that attacks against US and UK Internet banking systems have been quite successful [16]. Tools like the Zeus mal- ware kit [15] and the SilentBanker Trojan [19], have been helping criminals perform fraudulent on-line bank transactions. Since research should be ahead of hackers, the main goal of this pa- per is to predict the next generation of OB attacks and how they may worsen the already questionable security. We survey the tools hackers use and see that, they are not fully automated, requiring an involvement of humans to perform the fraudulent transactions. To demonstrate the fea- sibility of a fully automated attack, three advanced browser rootkits (for Firefox Browsers) were developed, targeting the Internet banking systems of NatWest, HSBC and Bank of Cyprus. An attack against Barclays’ sys- tem is also proposed. Security of these major banks is largely dependent
  • 2. on the commonly used two-factor authentication schemes. By successfully circumventing and exploiting the weaknesses of such systems, we hope to raise awareness on how dangerous the current situation is. Aside from security in the absolute sense, we consider auxiliary factors like usability. This is a critical factor that can drive a bank to lower its security threshold in order to satisfy its customers’ desires (e.g., Barclays). 2 Background 2.1 Attack Strategies and Techniques We distinguish between three main Internet banking attack vectors that can be used alone or in combination. Firstly, a Credential Stealing attack, is where fraudsters try to gather users’ credentials, either with the use of a malicious software or through phishing [8]. Secondly, a Channel Breaking attack, involves intercepting the communication between the client side and the banking server, by masquerading as the server to the client and vice versa [18]. Finally, a Content Manipulation (also called man-in-the- browser (MiTB) [14]) attack, takes place in the application layer between the user and the browser. The adversary is granted with privileges to read, write, change and delete browser’s data “on the fly”, whilst the legitimate user is seamlessly unaware. A Browser Rootkit, is a content manipulation technique, which is ca- pable of completely changing the browser’s display and behavior [4]. It is basically a malicious browser extension, which are used to extend and/or customize the browser’s functionality [1]. To control unauthorized instal- lation of browser extensions, modern browsers like Firefox, have employed numerous but weak security measures, which can be easily bypassed [4]. 2.2 Related Work and Attacks A Firefox malicious extension called BROWSERSPY was developed, which once installed on the victim’s machine, begins collecting personal data that is later sent to the remote attacker [20]. Zeus [15], SilentBanker [19] and URLZone1 [2], are infamous Trojans, which have been successfully used against on-line banking systems (OBS) to steal millions of dollars [12, 16]. They are primarily used to steal lo- gin credentials and card numbers with their security codes, but can also change transaction details on the fly. This is commonly achieved by adding form fields at the browser level. The stolen data is sent to a command
  • 3. and control server (C&C server) controlled by the remote attacker, who is then able to manually connect to the victims on-line banking accounts. An attack against Helios 2.0 e-voting system is described in [4]. The attack exploits Adobe Acrobat/Reader vulnerabilities to install a browser rootkit on the voters’ machines. This rootkit changes the selected legiti- mate candidate vote to the one chosen by the extension’s author, and also misleads the voters to believe they have voted for their desired candidate. In [9], an hPIN/hTAN device is proposed, which concentrates on the trade-off between security and usability. The central concept of the design is to make it simple. 3 Authentication Systems Used in Internet Banking Currently, several banks implement an additional layer of secondary au- thentication, required for monetary transactions. Four common classes of authentication schemes are usually employed. One-Time-Password (OTP) schemes, generate passwords using pseudo- random generators or mathematical algorithms in order to authenticate the users. However, they offer no security against man-in-the-middle (MiTM) or MiTB attacks [9]. Bank of Cyprus uses the DigiPass GO3 token for authenticating its customers’ monetary transactions [21]. In Full Transaction Authentication schemes, the OTP generated to authenticate the transaction is cryptographically bound to the transaction data. For example, Barclays’ PINsentry device, which adopts the CAP protocol, implements this scheme when in ‘Sign mode” [17]. However, since August 2011, the implementation of PINsentry has been relaxed and favors usability rather than security. Specifically, account holders no longer need to use PINsentry for authenticating transactions when the payee is in their beneficiary list. It is evident that pressures from unhappy customers, who are unaware of security issues, have influenced Barclays to downgrade its security [5,13]. Partial Transaction Authentication is a “relaxed” form of full transac- tion authentication, where only part of the transaction data are required during authentication. Example implementations of these systems include NatWest card reader (challenge/response mode) and HSBC security key. Here the cryptograms generated to authenticate transactions are based only on the last four digits of the payees’ account numbers [17]. Finally, some OBSs do not require authentication of monetary trans- actions (i.e., No Secondary Authentication is required). This situation is true for NatWest and HSBC customers, who can perform payment
  • 4. transactions to payees who have previously been authenticated and to governmental/financial institutions deemed trustworthy by the banks. 4 Automation of the Attack Current black-hat hackers’ software requires manual intervention to per- form fraudulent transactions, limiting the damage that can be caused. In the future, hackers may adapt their tools to take advantage of the weaknesses in modern OBSs and fully automate their attack. In order to demonstrate the current shortcomings of OBSs, we have implemented three browser rootkits that undermine the OB security of HSBC, NatWest and Bank of Cyprus. An attack against Barclay’s OBS is also proposed. 4.1 Automatic Fraudulent Transaction Once the browser rootkit is installed on the victims’ machines, it passively monitors their browsing activities, and activates once they successfully log onto the targeted OB. In order to achieve successful fraudulent transactions, some conditions must first be met. In the case of HSBC and NatWest, the last 4 digits of the beneficiary’s account number must match the respective last 4 digits of an account controlled by the attacker (as this paper is a proof of con- cept, the attacker’s account numbers are stored in the browser rootkits. To counter traceability, different account numbers, which can be mule accounts, can be fetched from different locations). In the case of Bank of Cyprus, a freshly generated OTP must be typed. When the necessary condition is met, the respective browser rootkit can successfully execute a fraudulent transaction by changing the transaction data ”on the fly” (i.e., the beneficiary’s account number and amount), whilst displaying what the user expects to see (i.e., the intended by the user transaction data). In order to keep the attacks undetectable for a longer period, a small percentage of the holdings in an account is taken each time.It is more likely that the victim will disregard a few missing dollars compared to a few hundred missing dollars. At the time this study began, Barclays’ OBS required a fresh full authenticating signature from PINsentry for every monetary transaction, thus no browser rootkit was feasible on its own to successfully attack the given system (full transaction authentication for every transaction beats browser rootkit attacks). However, the fact that account numbers in the user’s beneficiary list need no signature, creates a vulnerability. Specif- ically, if the attacker is successful in tricking the victim to purchase or
  • 5. buy a fake service (e.g., through scareware [11]), then the account num- ber used by the attacker will be listed in the victim’s beneficiary list. The browser rootkit will then be capable to perform fraudulent transactions to the attacker’s account number, since money transfers to that account will require no signature! Similarly with NatWest and HSBC, money transfers to a host of businesses (deemed trustworthy) do not require a transac- tion verification step. In this case, the browser rootkit can be instructed to perform funds transfers to these hosts, hidden from the user’s view. Although there is no direct financial gain for the attacker, this remains a vulnerability of this specific OBS and other similar. 4.2 Hiding the Attacks The developed browser rootkits cover up all traces of their activities. Specifically, they store the information pertaining to the fraudulent trans- actions in browser cookies and on the victim’s hard drive (under Firefox’s ”Profiles” directory). All fraudulent activity is successfully hidden from the victim by first, having the browser displaying the expected by the victim account balance rather than the actual one (which obviously has less money since the browser rootkit fraudulently transfered money from it), and secondly, by removing all fraudulent activity from the victims’ statements. This is achieved by exploiting DOM elements of the HTML page. The fraudulent activity is kept hidden from the user no matter when and how many times the user logs out and back in again. As long the malicious extension is installed, the attack remains hidden. 4.3 What is New The biggest advantage of the developed browser rootkits is that they are fully automated. Once they are successfully installed, they are capable of performing fraudulent transactions and covering their traces at the same time, without any further human intervention or instructions from a remote C&C server, as in the case of Zeus and the like Trojans [2,15, 19]. This is feasible since the attacks are against fixed banks, with the browser rookits explicitly designed to attack the given OB systems of the respective targeting banks. In addition, the adversarial bank account numbers are stored in the browser rootkits code. Additionally, no theft of banking information is necessary. Our browser rootkits are clever enough to remain hidden and submit when successful fraudulent transactions are possible.
  • 6. Finally, in contrast with Trojans of black-hat hackers that create files and modify the registry keys in the victims’ machines, our developed browser rootkits are simple browser extensions written in a few hundred lines of code. Browser rootkits are really hard detected by any antivirus program, since once installed they become a part of the browser. In con- trast, OS rootkits and Trojans are much easier to detect with an updated antivirus or an Intrusion Detection System. 5 Defenses It is possible to implement security measures that protect client machines from browser rootkits. The simplest defense, is the adoption of security devices that enforce all monetary transactions to be fully authenticated, including payments to governmental institutes or other public services (browser rootkits can be instructed to just empty the victim’s balance (e.g., HSBC attack)).This means that at least the whole account num- ber and the amount must be signed for each transaction. No trustee list should exist as this is exploitable as demonstrated in this paper. Fur- thermore, it is crucial that these devices are user-friendly, since customer dissatisfaction can lead banks to relax their security and in effect make their systems vulnerable. The approach we propose is to adopt the Glass [6] approach and ad- vance it. As suggested by Glass, the need for a display and a keyboard is of vital importance. Our device has a USB connection that powers the de- vice and establishes a secure communication channel with the bank. This can be realized in a number of ways (e.g., VPN, SSL/TLS). We also in- clude two buttons to accept or reject any process. The process of Logging into the OBS requires the use of the device. The user powers the device via USB, which in turn asks for the user’s PIN. If correct, the device will activate and attempt to establish a secure communication channel with the OBS (e.g., a VPN Connection). In order to make any transactions, the user will then have to enter the details of his desired transaction into the browser and submit them to the bank’s server. The bank will sign the transaction based on the details it has received, and encrypt both the transaction details and its signature. The ciphertext with its MAC are then sent to the security device through the VPN connection. The device checks the integrity of the message and decrypts the ciphertext. The de- vice will then display the recipient’s account number and the amount. If confirmed by the user, the device will relay this confirmation through the VPN connection to the OBS and commit the transaction.
  • 7. 6 Future Work Real deployments of two-factor authentication schemes suffer from secu- rity issues as a result of bad design, underestimating client-side attacks and lack of usability. An ideal scheme must accommodate for the trade-off between usability and security. Clearly, new ideas that focus on security with minimal user interaction are very important. Given that a secure ele- ment (i.e., something the user has) has become essential to reach the stan- dards of modern secure authentication schemes, the question of whether we can get rid of them may no longer stand. However, whether a universal security device for all OBSs could be deployed still remains, and depends on the willingness, effort and cooperation of the financial institutions. In addition, as the use of smartphones has transformed our daily lives, it is possible to use mobile phones to generate transaction authentication signatures. Mobile phones are in fact used as a second authentication, but the question is whether they can improve the current processes. Finally, some advances that could be addressed in a future work may be the use of Out-of-Band (OOB) communication channels [3]. In such a setting, the device is able to communicate with the authenticating servers through the secure OOB channel and display the information for confirmation. 7 Conclusions and Reflections Two-factor authentication (excluding full transaction verification) is still inadequate to deal with browser rootkit attacks. Although the original user-unfriendly approach of Barclays shows that if criminals would auto- mate their attacks, certain banks are ready to roll out their modifications and annul most of the attacks, the hardware/software used by most banks though, as HSBC, NatWest and Bank of Cyprus, may not allow them to switch quickly. We finally observe that full transaction verification may not fully address all security concerns. The information displayed on the PC including; account numbers, name, balance and transaction details, do not remain private! Indeed, a browser rootkit can leak all this infor- mation to an attacker who could use it to physically target rich users, use identity theft techniques, etc. To deal with this problem banks need to carefully consider what they display on the browser. Finally, this study has multiple precautions to ensure that no malware was released in the wild. No bank servers were violated. A longer version of this paper is available in [10].
  • 8. Acknowledgments. We would like to thank the referees for their feed- back and the shepherd of the paper Ahmad-Reza Sadeghi for his effort. References 1. Mozilla Developer Centre. Extensions. https://developer.mozilla.org/en-US/docs. 2. D. Chechik. Malware Analysis Trojan Banker URLZone/Bebloh, September 2009. http://goo.gl/z7YSV. 3. D. Chou. Strong User Authentication on the Web, August 2008. http://goo.gl/6xbky. 4. S. Estehghari and Y. Desmedt. Exploiting the client vulnerabilities in internet E-voting systems: hacking Helios 2.0 as an example. In Proceedings of the 2010 international conference on Electronic voting technology/workshop on trustworthy elections, EVT/WOTE’10, pages 1–9, 2010. 5. PistonHeads Web Forum. Barclays PINsentry, what a dumb POS, 2008. http://goo.gl/wRoJV. 6. A. S. Glass. Could the Smart Card Be Dumb. In Abstract of Papers, Eurocrypt 86, pages 1.5A–1.5B, May 20–22, 1986. ISBN 91–7870–077–9, Link¨oping, Sweden. 7. F. M. B. Greenlee. Requirements for key management protocols in the whole- sale financial services industry. IEEE Communications Magazine, 23(9):22–28, September 1985. 8. M. Jakobsson. Modeling and Preventing Phishing Attacks. In Financial Cryptog- raphy. Springer Verlag, 2005. 9. S. Li, A.-R. Sadeghi, S. Heisrath, R. Schmitz, and J. Ahmad. hPIN/hTAN: A Lightweight and Low-Cost e-Banking Solution against Untrusted Computers. In Financial Cryptography and Data Security, LNCS, pages 235–249. 2012. 10. M. Adham, A. Azodi, Y. Desmedt and I. Karaolis. How To Attack Two-Factor Authentication Internet Banking. 2013. http://goo.gl/YsA6j. 11. Microsoft Safety & Security Centre. Watch out for fake virus alerts. http://goo.gl/YEZMT. 12. E. Mills. Banking Trojan steals money from under your nose, September 2009. http://goo.gl/tuDfJ. 13. moneysavingexpert Web Forum. Stupid Barclays PINsentry Thingymajic. Can I Log Into My Online Account Without It?, 2010. http://goo.gl/eqaey. 14. RSA White Paper. Making Sense of Man-in-the-browser Attacks: Threat Analysis and Mitigation for Financial Institutions, 2010. http://goo.gl/NRcez. 15. S. Ragan. Overview: Inside the Zeus Trojan’s source code, May 2011. http://goo.gl/nsvpG. 16. RiskAnalytics LLC. $70 Million Stolen From U.S. Banks With Zeus Trojan, Oc- tober 2010. http://goo.gl/XkSgq. 17. S. J. M. Saar Drimer and R. Anderson. Optimised to Fail: Card Readers for Online Banking. Financial Cryptography and Data Security, February 2009. 18. B. Schneier. Two-Factor Authentication: Too Little, Too Late. Commun. ACM, 48(4):136–, April 2005. 19. Symantec. Banking in Silence, June 2009. http://goo.gl/aj61F. 20. M. Ter Louw, J. Lim, and V. Venkatakrishnan. Extensible Web Browser Security. In Detection of Intrusions and Malware, and Vulnerability Assessment, volume 4579 of LNCS, pages 1–19. Springer, 2007. 21. VASCO. DIGIPASS GO 3, August 2012. http://goo.gl/EmLFy.