Man in the Browser attacks on online banking transactions
© iViZ Security Inc, Apr 2013
Nilanjan De, CTO, iViZ Security Inc.
Man in the Browser on Online
Transactions & Prevention Strategies
Overview
• What is Man in the Browser (MITB)?
• How can MITB steal your money?
• How can you be safe from MITB?
• Mitigation strategies for banks, financial institutions and other application owners
Man in the Browser
History
• Initially demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends, "The future of backdoors - worst of all worlds".
• The name man-in-the-browser was coined by Philipp Gühring in 2007.
• A study by Sharek et al. in 2008 found that most Internet users (73%) cannot distinguish between real and fake pop-up warning messages, showing that users are soft targets.
• 2008 – Trojans like Clampi, Torpig and Zeus surface with built-in MITB capabilities.
Man in the Browser
• Classic “Man in the Middle” attack
– Typically, in a “Man in the Middle” attack, the attacker or their agent sits between the victim client and the server.
– Can be defeated by encrypting traffic, e.g., using SSL.
• Compromised host with trojan/rootkit
– The attacker typically exploits the victim’s system and installs a trojan to maintain full access to the OS and monitor the user’s activities, including logging keystrokes.
– Cannot be defeated using encryption; however, it can be defeated using multi-factor authentication, e.g., OTP or biometrics.
• Man in the browser
– A deadly combination of the above two attacks.
– The agent/trojan installs itself as part of the victim’s client itself (i.e., the browser).
– Typically MITB is a Trojan or malware in the form of a BHO (Browser Helper Object)/ActiveX control/browser extension/add-on/plugin.
– Neither encryption nor OTP can defeat MITB attacks.
MITB (diagram, normal case): Alice sends "Transfer $1000 to Dad"; the bank transfers $1000 to Dad and replies "Transferred $1000 to Dad".
MITB (diagram, attack case): the MITB attacker sends a Trojan to infect Alice’s browser. Alice enters "Transfer $1000 to Dad", but the infected browser sends "Transfer $1000000 to Hacker"; the bank transfers $1000000 to Hacker and replies "Transferred $1000000 to Hacker", which the browser rewrites to "Transferred $1000 to Dad" before Alice sees it.
Why is MITB dangerous?
• It can read your identity, bank balance, banking passwords, debit/credit card numbers and session keys.
• It can modify the details of the transactions that you initiate.
• It can change your password or lock you out of your account.
• It bypasses all forms of multi-factor authentication, captcha and other forms of challenge-response authentication.
As an end-user, how can I protect
against MITB?
Protection Strategies
• Use strong password
– Effectiveness against MITB: Not effective
– Why: Malware can intercept the password or simply wait till the user has authenticated.
• Basic security awareness; keep OS and browser updated
– Effectiveness against MITB: Maybe
– Why: Chances of getting infected by malware are lower, though still high if using a vulnerable OS/browser.
• Use a separate system for, and only for, online banking
– Effectiveness against MITB: Maybe
– Why: Chances of getting infected by malware are lower, but it is inconvenient and requires strict discipline, which is rare (even among many security experts).
• Use updated anti-virus/anti-malware
– Effectiveness against MITB: Sometimes
– Why: Depends on the detection capability of the anti-virus. Less likely to protect if the malware is new or targeted.
Protection Strategies
• Hardened browser on a USB drive
– Effectiveness against MITB: Moderate
– Why: Malware has less chance of infecting the browser, though it is not impossible; recently there was news of a 0-day used against a hardened Firefox. This may also be inconvenient for corporates, as USB drives are usually disabled for security reasons.
• Only do online banking with banks that are aware of this threat and have implemented countermeasures; in the worst case, do not use online banking at all
– Effectiveness against MITB: High
Mitigation Strategies for Banks
Safeguards
• Enforce strong passwords
– Effectiveness against MITB: Not effective
– Why: Malware can intercept the password or simply wait till the user has authenticated.
• Use encryption, e.g., SSL or client-side encryption of password/transaction details
– Effectiveness against MITB: Not effective
– Why: Malware can intercept and modify the request/response.
• Multi-factor authentication, e.g., biometric/OTP/smart card
– Effectiveness against MITB: Not effective
– Why: Malware can simply wait till the user has authenticated.
• CSRF tokens, frame-buster, challenge response/captcha, etc.
– Effectiveness against MITB: Not effective
Safeguards
• Provide your customers with hardened browsers on USB, also containing cryptographic smart tokens for authentication
– Effectiveness against MITB: Moderate
– Why: Smart tokens do not add security against MITB, but hardened browsers are a more difficult target to infect.
• OTP token with signature
– Effectiveness against MITB: Yes
– Why: The user has to key in the transaction details again on the OTP device, which generates a signature based on those details, so the signature would not match if the MITB modifies the transfer request. However, it is inconvenient.
• OOB transaction details confirmation with OTP
– Effectiveness against MITB: Yes
– Why: Out-of-band confirmation of the details by phone call or SMS, with full details of the transaction, ensures that the user can see the details of the transaction before proceeding.
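The two safeguards the slides rate differently, client-side signing (not effective) and an OTP token with signature (effective), side by side in an added example that is not part of the original deck. The HMAC construction, the 8-digit truncation, the per-token counter and every key and account name are constructed assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-device secret for the example. A real OTP token holds a key
# provisioned at enrolment that never leaves the device.
TOKEN_SECRET = b"constructed-per-device-secret"
# Constructed key that a browser-side (JavaScript) signer would have to hold.
# Anything the browser can read, a browser-resident trojan can read too.
BROWSER_KEY = b"constructed-key-embedded-in-page"


@dataclass(frozen=True)
class Transfer:
    account: str        # destination account the user intends to pay
    amount_cents: int   # amount in cents to avoid float rounding
    counter: int        # per-token counter; stops an old code being replayed


def canonical(t: Transfer) -> bytes:
    # Token and server must MAC exactly the same bytes, so fix the encoding.
    return f"{t.account}|{t.amount_cents}|{t.counter}".encode()


def sign(t: Transfer, key: bytes) -> str:
    """HMAC-SHA256 over the transaction details, truncated to 8 decimal
    digits so the result can be read off a small display and typed in."""
    mac = hmac.new(key, canonical(t), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def token_sign(t: Transfer) -> str:
    """What the offline OTP device computes after the user keys in the
    destination account and amount. The MITB never sees TOKEN_SECRET."""
    return sign(t, TOKEN_SECRET)


def browser_sign(t: Transfer) -> str:
    """The 'client-side encryption/signing' variant the slides rate as not
    effective: the key lives in the browser, where the trojan runs."""
    return sign(t, BROWSER_KEY)


def server_verify(received: Transfer, code: str, key: bytes) -> bool:
    """Bank recomputes the code over the details it actually received."""
    return hmac.compare_digest(sign(received, key), code)


def mitb_rewrite(request: Transfer) -> Transfer:
    # Simulates the slide's scenario: the browser-resident malware swaps the
    # destination and amount inside the outgoing request. The counter is
    # left alone so the request still looks fresh to the server.
    return Transfer("HACKER-ACCOUNT", 1_000_000_00, request.counter)


def demo_token() -> tuple:
    """Offline token: the code binds the details the user saw, so the
    rewritten request fails verification."""
    intended = Transfer("DAD-ACCOUNT", 1000_00, counter=42)
    code = token_sign(intended)          # user reads this off the device
    tampered = mitb_rewrite(intended)    # MITB modifies the HTTP request
    return (server_verify(intended, code, TOKEN_SECRET),
            server_verify(tampered, code, TOKEN_SECRET))


def demo_browser() -> bool:
    """Browser-side signer: the trojan rewrites the form and then lets the
    page's own code sign the tampered details, so the bank accepts them."""
    intended = Transfer("DAD-ACCOUNT", 1000_00, counter=42)
    tampered = mitb_rewrite(intended)
    code = browser_sign(tampered)        # signing happens after the rewrite
    return server_verify(tampered, code, BROWSER_KEY)


if __name__ == "__main__":
    print("offline token (intended ok, tampered ok):", demo_token())  # (True, False)
    print("browser-side signing accepts tampered:", demo_browser())   # True
```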
Passive Safeguards
• IP location tracking
– Effectiveness against MITB: Not effective
– Why: This is effective only when credentials are stolen and used from elsewhere. In the case of a MITB attack, the request comes from the genuine user’s browser, so the server cannot distinguish it based on IP location or device profile.
• Device profiling
– Effectiveness against MITB: Not effective
– Why: As above, the request originates from the genuine user’s device.
• Fraud detection based on transaction type and amount
– Effectiveness against MITB: Sometimes
– Why: Some banks have fraud detection based on transaction details. However, such detection is typically done as a batch process and not in real time, so any detection normally comes well after the attack.
• Fraud detection based on user behavior
– Effectiveness against MITB: Good
– Why: User profiling creates a baseline of normal behavior so that abnormal behavior can be detected and the user alerted before an actual transaction takes place.
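An added example, not from the original deck, of the behavior-based fraud detection described above: a baseline profile is learned from constructed history for "alice" and each new transfer is scored inline, before it executes, so the rewritten $1000000 transfer to an unknown payee is held for out-of-band confirmation. The signal weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    user: str
    payee: str
    amount: float
    ts: datetime


# Constructed history for the example (not real data): Alice pays a few
# known payees modest amounts during the day.
HISTORY = [
    Txn("alice", "DAD-ACCOUNT", 1000.0, datetime(2013, 3, 1, 10, 5)),
    Txn("alice", "DAD-ACCOUNT", 1200.0, datetime(2013, 3, 8, 9, 40)),
    Txn("alice", "UTILITY-CO", 85.5, datetime(2013, 3, 10, 18, 15)),
    Txn("alice", "DAD-ACCOUNT", 950.0, datetime(2013, 3, 15, 11, 0)),
    Txn("alice", "RENT-LLC", 1400.0, datetime(2013, 3, 30, 8, 30)),
]


@dataclass
class Profile:
    payees: frozenset     # payees this user has paid before
    amt_mean: float
    amt_std: float
    hours: frozenset      # hours of day at which the user usually transacts


def build_profile(history, user: str) -> Profile:
    """Baseline of normal behaviour, learned from the user's past transactions."""
    txns = [t for t in history if t.user == user]
    amounts = [t.amount for t in txns]
    return Profile(
        payees=frozenset(t.payee for t in txns),
        amt_mean=mean(amounts),
        amt_std=pstdev(amounts) or 1.0,   # avoid division by zero
        hours=frozenset(t.ts.hour for t in txns),
    )


def risk_signals(profile: Profile, txn: Txn) -> dict:
    """Each deviation from the baseline carries an illustrative weight."""
    signals = {}
    if txn.payee not in profile.payees:
        signals["new payee"] = 2
    z = (txn.amount - profile.amt_mean) / profile.amt_std
    if z > 3.0:
        signals[f"amount {z:.0f} std devs above baseline"] = 3
    if not any(abs(txn.ts.hour - h) <= 2 for h in profile.hours):
        signals["unusual hour"] = 1
    return signals


def decide(profile: Profile, txn: Txn) -> tuple:
    """Inline decision taken before the transfer is executed, not in a
    nightly batch. 'hold' means: confirm the full details out of band first."""
    signals = risk_signals(profile, txn)
    total = sum(signals.values())
    if total >= 3:
        return "hold", sorted(signals)
    if total > 0:
        return "alert", sorted(signals)
    return "allow", []


def demo() -> dict:
    profile = build_profile(HISTORY, "alice")
    when = datetime(2013, 4, 2, 10, 0)
    cases = {
        "normal": Txn("alice", "DAD-ACCOUNT", 1000.0, when),
        # What the bank receives when the MITB rewrites Alice's request.
        "rewritten": Txn("alice", "HACKER-ACCOUNT", 1_000_000.0, when),
        "odd_hour": Txn("alice", "DAD-ACCOUNT", 1000.0, datetime(2013, 4, 2, 3, 0)),
    }
    return {name: decide(profile, t) for name, t in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)   # normal -> allow, rewritten -> hold, odd_hour -> alert
```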
Conclusion
• Man-in-the-browser attacks can be very dangerous.
• Security awareness and best practices are required to protect oneself against getting infected with malware.
• Safeguards
– Out-of-band transaction verification containing transaction details along with OTP. Users need to be alert while doing transactions.
– Fraud detection based on user behavior profiling.
Questions?
Thank You
nilanjan@ivizsecurity.com
http://www.ivizsecurity.com/