Man in the Browser attacks on online banking transactions
© iViZ Security Inc, Apr 2013
Nilanjan De, CTO, iViZ Security Inc.
Man in the Browser on Online Transactions & Prevention Strategies
Overview
• What is Man in the Browser (MITB)?
• How can MITB steal your money?
• How can you be safe from MITB?
• Mitigation strategies for banks, financial institutions and other application owners
History
• First demonstrated by Augusto Paes de Barros in his 2005 presentation on backdoor trends, "The future of backdoors - worst of all worlds".
• The name man-in-the-browser was coined by Philipp Gühring in 2007.
• A 2008 study by Sharek et al. found that most Internet users (73%) cannot distinguish real from fake pop-up warning messages, which shows that users are soft targets.
• By 2008, trojans such as Clampi, Torpig and Zeus, with built-in MITB capabilities, are in circulation.
Man in the Browser
• Classic "Man in the Middle" attack
– Typically in a "Man in the Middle" attack, the attacker or its agent sits on the network between the victim client and the server.
– Can be defeated by encrypting the traffic, e.g. using SSL/TLS, provided the client validates the server certificate.
• Compromised host with trojan/rootkit
– The attacker typically exploits the victim's system and installs a trojan to keep full access to the OS and monitor the user's activities, including logging keystrokes.
– Cannot be defeated using encryption. The credential theft it enables can, however, be defeated using multi-factor authentication, e.g. OTP or biometrics, because a captured one-time code cannot be replayed later.
• Man in the browser
– A deadly combination of the two attacks above.
– The agent/trojan installs itself as part of the victim's client itself (i.e. the browser).
– Typically MITB is a trojan or malware in the form of a BHO (Browser Helper Object), ActiveX control, browser extension, add-on or plugin.
– Neither transport encryption nor a login OTP can defeat MITB attacks: the malware sees the plaintext inside the browser and acts after the user has authenticated.
MITB: normal flow (diagram)
Alice's browser sends to the Bank: "Transfer $1000 to Dad"
Bank transfers $1000 to Dad
Bank replies to Alice's browser: "Transferred $1000 to Dad"

MITB: attack flow (diagram)
The attacker sends a trojan to infect Alice's browser
Alice keys in: "Transfer $1000 to Dad"; the MITB rewrites the request sent to the Bank to: "Transfer $1000000 to Hacker"
Bank transfers $1000000 to Hacker
Bank replies: "Transferred $1000000 to Hacker"; the MITB rewrites what Alice sees to: "Transferred $1000 to Dad"
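The two flows in the diagrams above, as an added simulation that is not part of the original deck and not the code of any real trojan: the benign exchange, and the same exchange with a man-in-the-browser hook rewriting the form body after the user has filled it in (before TLS would encrypt it) and rewriting the confirmation before it is rendered. The form field names, the request encoding and the attacker's values are assumptions.

```javascript
// Added simulation of the MITB diagrams; illustrative only, not the deck's code.
// Assumed: the bank accepts an application/x-www-form-urlencoded POST with the
// fields "beneficiary" and "amount" and answers with a one-line confirmation.

// Alice's intent, as keyed into the banking form (constructed sample input).
const ALICE_INTENT = { beneficiary: 'Dad', amount: 1000 };

// Where the money really goes (constructed sample values chosen by the MITB).
const ATTACKER = { beneficiary: 'Hacker', amount: 1000000 };

// What the browser would POST for a given intent.
function buildTransferRequest(tx) {
  return new URLSearchParams({ beneficiary: tx.beneficiary, amount: String(tx.amount) }).toString();
}

// The bank: it can only act on the request it actually received, and its
// confirmation restates exactly the details it acted on.
function bankProcess(body) {
  const p = new URLSearchParams(body);
  const executed = { beneficiary: p.get('beneficiary'), amount: Number(p.get('amount')) };
  return { executed, confirmation: `Transferred $${executed.amount} to ${executed.beneficiary}` };
}

// MITB hook on the outgoing request. It runs inside the browser, after login and
// after the user submitted the form, on the plaintext body, so TLS and a login
// OTP have already done their work and cannot help.
function mitbRewriteRequest(body) {
  const p = new URLSearchParams(body);
  p.set('beneficiary', ATTACKER.beneficiary);
  p.set('amount', String(ATTACKER.amount));
  return p.toString();
}

// MITB hook on the incoming response: after TLS decryption, before rendering,
// it swaps the bank's true confirmation for what Alice expects to see.
function mitbRewriteResponse(confirmation, intended) {
  return confirmation
    .replace(`$${ATTACKER.amount}`, `$${intended.amount}`)
    .replace(ATTACKER.beneficiary, intended.beneficiary);
}

// Normal flow: no trojan in the browser.
function benignFlow(intent) {
  const result = bankProcess(buildTransferRequest(intent));
  return { bankExecuted: result.executed, aliceSees: result.confirmation };
}

// Attack flow: the same browser, now carrying the trojan.
function infectedFlow(intent) {
  const tampered = mitbRewriteRequest(buildTransferRequest(intent));
  const result = bankProcess(tampered);
  return { bankExecuted: result.executed, aliceSees: mitbRewriteResponse(result.confirmation, intent) };
}

console.log('benign  :', benignFlow(ALICE_INTENT));
console.log('infected:', infectedFlow(ALICE_INTENT));
```

In the infected flow the bank executes a $1000000 transfer to Hacker while Alice's screen reads "Transferred $1000 to Dad", which is why neither encryption nor a login-time OTP changes the outcome: both sit outside the window in which the rewrite happens.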
Why is MITB dangerous?
• It can read your identity, bank balance, banking passwords, debit/credit card numbers and session keys.
• It can modify the details of the transactions you initiate.
• It can change your password or lock you out of your account.
• It bypasses login-time multi-factor authentication, captchas and other challenge-response authentication, because it acts inside the browser after you have authenticated.
As an end-user, how can I protect against MITB?
Protection Strategies (how, effectiveness against MITB, and why)
• Use a strong password: Not effective. Malware can intercept the password or simply wait until the user has authenticated.
• Basic security awareness; keep the OS and browser updated: Maybe. The chance of a malware infection is lower, though still high if a vulnerable OS/browser is in use.
• Use a separate system only for online banking: Maybe. The chance of infection is lower, but it is inconvenient and requires strict discipline, which is rare (even among many security experts).
• Use updated anti-virus/anti-malware: Sometimes. Depends on the detection capability of the anti-virus; less likely to protect if the malware is new or targeted.
Protection Strategies (continued)
• Hardened browser on a USB drive: Moderate. Malware has less chance to infect the browser, though it is not impossible; recently there was news of a 0-day used against a hardened Firefox. This may also be inconvenient for corporates, where USB drives are usually disabled for security reasons.
• Only do online banking with banks that are aware of this threat and have implemented countermeasures; in the worst case, do not use online banking at all: High.
Safeguards (for banks and application owners: how, effectiveness against MITB, and why)
• Enforce strong passwords: Not effective. Malware can intercept the password or simply wait until the user has authenticated.
• Encryption, e.g. SSL/TLS or client-side encryption of the password/transaction details: Not effective. The malware sits inside the browser, so it sees the plaintext before it is encrypted and after it is decrypted, and can intercept and modify the request/response.
• Multi-factor authentication, e.g. biometric/OTP/smart card: Not effective. Malware can simply wait until the user has authenticated and then act inside the authenticated session.
• CSRF tokens, frame-busters, challenge-response/captcha, etc.: Not effective. These defend against requests forged from another site or by an automated client; a MITB request comes from the user's own session, carries the valid token, and the user solves the captcha.
Safeguards (continued)
• Provide customers with hardened browsers on USB that also carry cryptographic smart tokens for authentication: Moderate. Smart tokens do not add security against MITB, but hardened browsers are a more difficult target to infect.
• OTP token with signature: Yes. The user keys the transaction details into the OTP device again, and the device generates a signature over those details, so the signature will not match if the MITB modifies the transfer request. However, it is inconvenient.
• Out-of-band transaction confirmation with OTP: Yes. Out-of-band confirmation by phone call or SMS, carrying the full details of the transaction as the bank received them, ensures the user sees any MITB modification before the transfer proceeds.
Passive Safeguards (how, effectiveness against MITB, and why)
• IP location tracking: Not effective. This is effective only when stolen credentials are used from elsewhere. In a MITB attack the request comes from the genuine user's browser, so the server cannot distinguish it by IP location or device profile.
• Device profiling: Not effective. Same reason: the request originates from the victim's own device.
• Fraud detection based on transaction type and amount: Sometimes. Some banks have fraud detection based on transaction details, but it is typically a batch process rather than real time, so any detection normally comes well after the attack.
• Fraud detection based on user behaviour: Good. Profile the user to build a baseline of normal behaviour so that abnormal behaviour can be detected and the user alerted before the transaction actually takes place.
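The last two rows above, as an added example that is not part of the original deck and not any bank's fraud engine: a behavioural baseline built from the user's own transfer history and a check run on each pending transfer before it executes, rather than in an overnight batch. The sample history, the features (beneficiary, amount, hour of day) and the thresholds are assumptions.

```javascript
// Added example of real-time, behaviour-based fraud screening; illustrative only.

// Constructed history for one user, as recorded server-side: who was paid,
// how much, and at what hour of the day the transfer was made.
const HISTORY = [
  { beneficiary: 'Dad', amount: 1000, hour: 20 },
  { beneficiary: 'Dad', amount: 1200, hour: 21 },
  { beneficiary: 'Landlord', amount: 900, hour: 19 },
  { beneficiary: 'Landlord', amount: 900, hour: 20 },
  { beneficiary: 'Dad', amount: 800, hour: 22 },
];

// Build the baseline: known beneficiaries, amount statistics and the hours the
// user normally transacts in.
function buildBaseline(history) {
  const amounts = history.map(t => t.amount);
  const mean = amounts.reduce((a, b) => a + b, 0) / amounts.length;
  const variance = amounts.reduce((a, b) => a + (b - mean) ** 2, 0) / amounts.length;
  return {
    knownBeneficiaries: new Set(history.map(t => t.beneficiary)),
    maxAmount: Math.max(...amounts),
    meanAmount: mean,
    stdAmount: Math.sqrt(variance),
    usualHours: new Set(history.map(t => t.hour)),
  };
}

// Assess one pending transfer against the baseline. Each deviation is a reason;
// 'challenge' means hold the transfer and confirm the full details out of band
// before executing, 'review' means execute but flag, 'allow' means it looks
// like this user's normal behaviour.
function assessTransfer(tx, base) {
  const reasons = [];
  if (!base.knownBeneficiaries.has(tx.beneficiary)) reasons.push('new beneficiary');
  if (tx.amount > 2 * base.maxAmount) reasons.push('amount more than 2x historical maximum');
  const z = base.stdAmount > 0 ? (tx.amount - base.meanAmount) / base.stdAmount : 0;
  if (z > 3) reasons.push(`amount is ${z.toFixed(1)} standard deviations above the mean`);
  if (!base.usualHours.has(tx.hour)) reasons.push('outside usual transaction hours');
  let decision = 'allow';
  if (reasons.length >= 2) decision = 'challenge';
  else if (reasons.length === 1) decision = 'review';
  return { decision, reasons };
}

// Three pending transfers: Alice's real one, the MITB-rewritten one from the
// diagrams, and a small payment to a new payee (constructed inputs).
function fraudScenario() {
  const base = buildBaseline(HISTORY);
  return {
    honest: assessTransfer({ beneficiary: 'Dad', amount: 1000, hour: 20 }, base),        // allow
    mitb: assessTransfer({ beneficiary: 'Hacker', amount: 1000000, hour: 20 }, base),    // challenge
    newPayee: assessTransfer({ beneficiary: 'Plumber', amount: 500, hour: 20 }, base),   // review
  };
}

console.log(fraudScenario());
```

The point of the check is its timing: it runs on the request the bank is about to execute, so the MITB-rewritten transfer is held and the user is asked to confirm "Hacker, $1000000" out of band, which is exactly the detail the trojan has hidden from the browser display.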
Conclusion
• Man-in-the-browser attacks can be very dangerous.
• Security awareness and best practices are required to protect oneself against getting infected with malware.
• Safeguards
– Out-of-band transaction verification that carries the transaction details along with the OTP; users need to stay alert while doing transactions.
– Fraud detection based on user behaviour profiling.
Thank You
nilanjan@ivizsecurity.com
http://www.ivizsecurity.com/