Is e-banking on both PC and mobile platforms possible without inviting e-Criminals to a feast?
Classification: Restricted to e-Crime Delegates
Place & Date: London, 12-13 March 2013
EISST Ltd, Fairfax House, 15 Fulwood Place, London WC1V 6AY, UK
T: +44 (0)20 79 695 688 F: +44 (0)20 77 483 273 E: info@eisst.com W: www.eisst.com
co-sponsored with:
SETTING THE STAGE
- Can one restrict e-banking only to Smartphone users?
- Can one restrict e-banking only to PC users?
- Are mobile platforms inherently more/less vulnerable than PCs to attacks by financial malware?
- Can fraud detection methods alone support the e-banking business model and stimulate user adoption/retention?
- Can employing security measures known to be vulnerable to existing financial malware be considered as exercising Reasonable Care in providing e-banking services?
© 2013 EISST Ltd - http://www.eisst.com CONFIDENTIAL - 3
The ANDROID Manifesto
"An open society, the unrestricted access to knowledge, the unplanned and uninhibited association of men for its furtherance — these are what may make a vast, complex, ever growing, ever changing, ever more specialized and expert technological world, nevertheless a world of human community."
J. Robert Oppenheimer, Science and the Common Understanding (1953)
The iOS Manifesto
"A functioning Police State needs no Police Force."
William Burroughs (1914 – 1997), American novelist, painter, and spoken word performer.
An ANDROID Advantage?
- Open App Store Model (Google Marketplace)
- Supports Enterprise Private-App Stores
- Security as a value-differentiator
- Researcher-friendly
Mass Adoption Leads to OS Legacy: Slower Updates Impact Security
- GINGERBREAK (6/2011): affects Android versions up to 2.3.4; almost 2 years old, it can still infect at least 10% of devices (Source: www.GSMArena.com)
- Android Apps can dynamically pull down code at runtime and execute it!
THE GOOD NEWS
Smartphone Design:
- Lessons from PC turned useful
- Built-in exploit mitigations (e.g. sandboxing)
- Cannot just download and run apps from the Internet
Limits on Exploitation:
- Smaller Attack Surface (no 3rd party plug-ins)
- Address Space Layout Randomization
- Data Execution Prevention
- Breaking sandboxing requires multiple exploits
- Apps must declare which permissions they require
AN APPLICATION ATTACK SURFACE
- The sum of all paths for data/commands into and out of the application, and
- The code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and
- All confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and
- The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
(Source: OWASP)
A SYSTEM ATTACK SURFACE
- The sum of all components able to take data into and out of the system, and
- The measures that protect these components (including resource connection and authentication, authorization, activity logging, data validation and encoding); and
- All confidential and sensitive data used in the system, including secrets and keys, critical business data and PII, and
- The measures that protect these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
E-BANKING CLIENT ATTACK SURFACE (diagram: PC vs. SP)
E-BANKING CLIENTS ATTACK SURFACE (diagram: PC vs. SP)
USERNAME - PASSWORD
BIOMETRIC AUTHENTICATION: FINGERPRINT, IRIS SCAN
ONE-TIME PASSWORDS
CHIP & PIN
MOBILE OOB/mTAN AUTHENTICATION & VERIFICATION
http://www.h-apps.com/video/
ZITMO: CROSS-PLATFORM ATTACK SURFACE
PC USERS CANNOT CONTROL MAIN-STREAM VULNERABILITIES
THE BOTTOM LINE
No authentication measure on its own, especially when communicating through a browser, is sufficient to counter today's threats. Additional fraud prevention layers must be utilized.
Gartner Report: The Five Layers of Fraud Prevention – April 2011
“STRONG” Authentication: Ineffective against Down-Stream Exploits
(diagram: HACKER, USER, AUTHENTICATION SERVER, APPLICATION, TRANSACTION ENGINE, DEVICE)
“Strong” Authentication:
1. What the User knows (PIN)
2. What the User has (Hardware Token)
3. What the User is (Biometric)
4. What the User uses (Application)
Application Hardening: The Prevention Front Line
“Strong” Authentication typical setting:
– Server is secure and trusts the Application
– Device is secure and trusts the Application
– User has no choice but to trust the Application
Practical consequence:
– Hackers target the weakest link: the Application.
– Man-In-The-Application attack!
Application Hardening Disables Malware
The number of active Attack Vectors is reduced after application hardening.
WORKING ASSUMPTION #1
The End User’s computer is controlled by Malware.
REALISTIC / RELEVANT
WHAT ARE WE LOOKING FOR?
The main result of deploying best-of-breed e-Banking security solutions should be to:
A. maximize detection of malware and fraud attempts
B. raise the percentage of legitimate transactions
C. minimize financial losses due to online fraud
Answer: B (what use would it be to have perfect security but no transactions? Of course, the answer of choice when asking Banks is C...)
WORKING ASSUMPTION #2
A Security Solution should be evaluated based on how it performs under known attack scenarios, i.e. on how well it supports the Internet banking business model within the current Internet ecosystem (encourage customers to transact online!).
WHAT IS TRANSACTION EFFICIENCY?
The ability to reduce the level of exposure to online fraud while enabling a growing number of legitimate transactions.
By design, fraud detection methods can only lower transaction efficiency: at best, the response to an attack is to abort the transaction.
Fraud prevention methods actively protect against malware attacks, achieving higher security without degrading transaction efficiency, because they allow the user to transact even over an infected PC.
BEYOND AUTHENTICATION
In order to be linked in a meaningful way to the practical security of online transactions, the acts of identification and authentication must be integrated and stretched across a single coherent process inclusive of all the information and components necessary for a specific transaction to take place.
The INDIVIDUATION act extends beyond the identification and authentication factors to include information on what you use and do to transact, most noticeably the details of the client application(s) and device(s), the network location, the operating system’s context and your online behavioral patterns.
TRANSACTION INDIVIDUATION
Factor description: Example
- a secret known only to the user: PASSWORD
- a hardened (secure by design) application: SECURE BROWSER
- a unique digital secret: PRIVATE KEY
- an external crypto processor: SMART CARD
- an external tamper-proof storage: USB DEVICE
- an external display: POS DEVICE
- an external keypad: POS DEVICE
- behaviour analytics: SERVER APP
- application analytics: SERVER APP
TRANSACTION INDIVIDUATION
Factor description, grouped by where the factor lives; transaction efficiency runs from high (client side) to low (server side):
CLIENT (efficiency: high)
- a secret known only to the user
- a hardened client application
- a unique digital secret
THIRD PARTY
- an external crypto processor
- an external tamper-proof storage
- an external display
- an external keyboard
SERVER (efficiency: low)
- behaviour analytics
- application analytics
SUMMARY OF FINDINGS
- End Users and Banks consider malware their biggest immediate threat to growing volume of Internet transactions.
- No single layer of fraud prevention or authentication is enough, especially when communicating through a browser. Multiple layers must be employed to defend against today's attacks. Fraud detection alone cannot grant high efficiency.
- Deploy both secure browsing and out-of-band dedicated hardware transaction verification for high-risk transactions as additional fall back detection when prevention fails.
- By 2014, Gartner estimates that 15% of enterprises will adopt layered fraud prevention techniques to compensate for weaknesses inherent in using authentication methods only.
BEST OF BREED INDIVIDUATION
Factor description: CLX.SentinelDisplay
- a secret known only to the user: PIN
- a hardened (secure by design) application: SECURE BROWSER
- a unique digital secret: PRIVATE KEY
- an external crypto processor: SMART CARD
- an external tamper-proof storage: KEY STORE FLASH MEMORY
- an external display: DEDICATED HARDWARE
- an external keypad: DEDICATED HARDWARE
- behaviour analytics: OPTIONAL
- application analytics: APPLICATION AUTHENTICATION
H-TOKEN™ MARCOPOLO
- STRONGEST Security (HW+SW+FW)
- High Usability
- AES256 HW Encryption
- Smart Card (EAL4+)
- Firmware updates in the field
- On-board H-Applications™
- Display and Keypad integrated
- External slot for ID1-size smart cards
- GUI Enabled
- Up to 32GB Flash storage
- Multi Platform (Win, Mac, Linux)
- High-quality custom-color housing
SECURE CHANNEL FOR TRANSACTION SIGNING
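As an added example (not EISST's or the CLX.Sentinel/H-Token product code), this Python sketch shows the server-side check behind a secure channel for transaction signing, and why it defeats the man-in-the-application attack described earlier: the dedicated hardware signs only what its own display showed, and the bank accepts only a submission that matches. The device identifier, secret, nonce handling and the HMAC-with-per-device-secret simplification (standing in for the smart card's private-key signature) are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device secret provisioned at enrolment. HMAC with a shared secret is an
# assumed simplification standing in for the private-key signature made inside the smart card.
DEVICE_SECRETS = {"htoken-0001": b"constructed-secret-for-htoken-0001"}
USED_NONCES: set = set()  # server-side replay protection

def canonical(payload: dict) -> bytes:
    """Deterministic encoding so token and server sign/verify exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def hardware_sign(device_id: str, tx: dict, nonce: str) -> tuple:
    """Runs on the token: it shows amount and beneficiary on its own display and signs only
    what the user confirmed there, bound to the device identity and a server-issued nonce."""
    payload = dict(tx, device_id=device_id, nonce=nonce)
    mac = hmac.new(DEVICE_SECRETS[device_id], canonical(payload), hashlib.sha256).hexdigest()
    return payload, mac

def server_verify(submitted_tx: dict, signed_payload: dict, mac: str) -> tuple:
    """Bank server: accept the transaction the browser submitted only if it matches what the
    token signed. A man-in-the-browser that swaps the beneficiary after the user confirmed
    it on the token cannot produce a matching signature, so the swap is rejected."""
    secret = DEVICE_SECRETS.get(signed_payload.get("device_id"))
    if secret is None:
        return False, "unknown device"
    expected = hmac.new(secret, canonical(signed_payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "signature mismatch"
    if signed_payload["nonce"] in USED_NONCES:
        return False, "replay"
    for field in ("amount", "currency", "beneficiary"):
        if submitted_tx.get(field) != signed_payload.get(field):
            return False, f"{field} differs from signed value"
    USED_NONCES.add(signed_payload["nonce"])
    return True, "ok"

def demo() -> list:
    """Constructed walk-through: tampered submission, genuine submission, then a replay."""
    tx = {"amount": "1250.00", "currency": "GBP", "beneficiary": "GB00BANK00000000000001"}
    nonce = secrets.token_hex(8)  # issued by the server per transaction
    payload, mac = hardware_sign("htoken-0001", tx, nonce)
    tampered = dict(tx, beneficiary="GB00MULE00000000000099")  # MITB edits the form post-signing
    return [server_verify(tampered, payload, mac),
            server_verify(tx, payload, mac),
            server_verify(tx, payload, mac)]
```

If malware instead alters the transaction before it reaches the token, the wrong beneficiary appears on the external display, which is the point of the dedicated display and keypad listed above.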
PRACTICAL SECURITY IS A SKILL... LAYERED SECURITY IS A ROADMAP.
- Software-Hardware bundle: best-of-class solution for transaction signing; requires changing the e-Banking server.
- Software-Hardware bundle: entry-point solution for transaction security without changing the e-Banking server.
- Software-only: hardened desktop and browser, with malware detection and prevention techniques.
CONCLUSIONS (Repetita Iuvant)
- The PC and Smartphone technical and functional convergence has expanded the Attack Surface exploitable by malware, notwithstanding the relatively higher security of mobile OS platforms with respect to the PC (both Windows and OSX).
- Don’t rely on the “strength” of authentication; think endpoint identification and transaction individuation.
- Hacking the endpoint client application (man-in-the-app) provides a devastating advantage to e-criminals and allows them to control the user experience (via the social engineering attack vector).
- Mobile out-of-band has been hacked and will become increasingly insecure as combined PC-mobile malware attacks grow in volume and sophistication.
- Multiple layers must be employed to defend against today's attacks. Fraud detection alone cannot grant high efficiency.
- Secure browsing, hardware-enabled transaction verification & signing on both PC and Smartphone is today a viable, usable and mature technology.
THANK YOU!
FOR FURTHER INFORMATION: cronchi@eisst.com
EISST Ltd, Fairfax House, 15 Fulwood Place, London WC1V 6AY, UK
T: +44 (0)20 79 695 688 F: +44 (0)20 77 483 273 E: info@eisst.com W: www.eisst.com