
Evolution of Remote Banking fraud Richard Martin Security Unit UK Payments Royal Holloway, 10 September 2011.


1 Evolution of Remote Banking fraud Richard Martin Security Unit UK Payments Royal Holloway, 10 September 2011

2 UK Payments  Voice of the payments industry  Payment scheme management – we run the Payments Council, BACS, CHAPS, Faster Payments, cheques, cash…  Our schemes processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion)  Protecting the integrity of UK payments systems  We are increasingly central to the UK anti-fraud effort

3 Payments Council members

4 The world we live in Internet is a major channel for banks and payments Challenges  Internet is not secure  Customer PCs are not secure  But customers love it, and banks love it  So we need to address the challenges Source: UK Payments, 2011

5 What is being attacked?  Not the bank directly (so much)  The customer  Static authentication credentials & card details  “data that never changes”  And can therefore be stolen or given away  The customer’s equipment  Malware!

6 Part 1: Phishing Phishing attacks are becoming more sophisticated:

7 Phishing incidents – UK banks Source: UK Payments 2011 Total for 2010: 61,873 incidents

8 Phishing – looking closer Source: UK Payments 2011

9 Standard Phishing life cycle SpamBot Phishing hosts (bots) Various DNS Tools – fast-flux etc. Credential recovery/ storage Attacker

10 Developments in Phishing – ADAPTIVE PHISHING
 Sites designed to evade / confuse analysis
 The phishing host serves up different sites depending on localisation and other factors
 One site can:
  Firefox with German language – redirect to a German PayPal phishing site
  IE with English language – redirect to an English bank phish
  SeaMonkey – try to install malware
  Text browsers (often used by analysts) – Error 404
  Browser run within a VM (ditto) – Error 404
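The cloaking behaviour described on this slide is exactly why analysts probe a suspected host with several client profiles rather than one. The script below is an added example, not part of the presentation: it fetches a URL once per User-Agent / Accept-Language profile and reports whether the responses diverge. The fetch function is injected so it runs offline; `fake_phishing_host` is a constructed stand-in that reproduces the decision logic the slide describes, and the URL, header strings and profile names are illustrative assumptions.

```python
"""Probe a suspected phishing host with several client profiles and flag
cloaking (different content served to different clients).

Added example, not from the presentation. `fetch` is injected so the
logic runs offline; `fake_phishing_host` is a constructed stand-in."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Analyst profiles to rotate through (header values are illustrative).
PROFILES: Dict[str, Dict[str, str]] = {
    "firefox_de": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
                   "Accept-Language": "de-DE,de;q=0.8"},
    "ie_en": {"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
              "Accept-Language": "en-GB,en;q=0.8"},
    "seamonkey": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20110615 "
                                "Firefox/5.0 SeaMonkey/2.2",
                  "Accept-Language": "en-US"},
    "lynx": {"User-Agent": "Lynx/2.8.7rel.1 libwww-FM/2.14", "Accept-Language": "en"},
}

Response = Tuple[int, str]                       # (HTTP status, body)
Fetcher = Callable[[str, Dict[str, str]], Response]

def probe(url: str, fetch: Fetcher, profiles=PROFILES) -> Dict[str, Tuple[int, str]]:
    """Fetch `url` once per profile; return {profile: (status, short body hash)}."""
    results = {}
    for name, headers in profiles.items():
        status, body = fetch(url, headers)
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        results[name] = (status, digest)
    return results

def is_cloaking(results: Dict[str, Tuple[int, str]]) -> bool:
    """Cloaking is suspected when any two profiles get a different status or body."""
    return len(set(results.values())) > 1

def profiles_denied(results: Dict[str, Tuple[int, str]]) -> List[str]:
    """Profiles that were shown an error page (typically analyst tooling)."""
    return sorted(name for name, (status, _) in results.items() if status >= 400)

def fake_phishing_host(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in reproducing the slide's server-side decision logic."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    if "Lynx" in ua or "Links" in ua:          # text browser -> pretend nothing is here
        return 404, "Not Found"
    if "SeaMonkey" in ua:                      # push a "security update" executable
        return 200, "<html>Install security-update.exe</html>"
    if lang.startswith("de"):                  # German locale -> PayPal lure
        return 200, "<html>PayPal Anmeldung</html>"
    return 200, "<html>Bank login</html>"      # default: English bank phish

if __name__ == "__main__":
    r = probe("http://example.invalid/login", fake_phishing_host)
    print(r)
    print("cloaking:", is_cloaking(r), "denied:", profiles_denied(r))
```

A VM check (the second 404 case on the slide) cannot be driven from headers alone; in practice it is done with client-side script fingerprinting, so a header-only probe should be paired with a full browser run.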

11 Developments in Phishing LIVE PHISHING  Customer enticed to visit fake bank site as usual  All communications relayed by phishing site to bank site in real time  Payment / authentication requests injected / amended by attacker  Target: two-factor authentication

12 Phishing still here because… It still works! Source: UK Payments (successive customer surveys; survey years not given)
 Would ignore / delete a phishing email: 65% | 50% | 57% | 59%
 Would ask the bank for advice: 28% | 39% | 31%
 "Would act on it": 4% | 3.8% | 4% | 6%
 Under-24-year-olds who "would act on it": 12% | 13%


14 Some further reading  Dhamija (Harvard), Tygar and Hearst (UC Berkeley): "Why Phishing Works" (CHI 2006)  Wu, Miller and Garfinkel (MIT Computer Science and Artificial Intelligence Lab): "Do Security Toolbars Actually Prevent Phishing Attacks?" (CHI 2006)  Jagatic, Johnson, Jakobsson and Menczer (School of Informatics, Indiana University, Bloomington): "Social Phishing" (Communications of the ACM, 2007)  Other good sources of research on people's perception and acceptance of risk: Prof. A. John Maule (Leeds), Dr Angela Sasse (UCL), Hazel Lacohee (BT)

15 Part 2: Malware
 Some names to remember: Torpig (aka Sinowal), Zeus (aka Zbot), SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon…
 Two-factor authentication is now a target
 Man in the Browser is the new Man in the Middle
 Scripting: automated payment injection
 Controlled distribution: targeted, low infection numbers, quiet operation
 They work, but:
  Difficult to industrialise
  Their effect can be detected (odd GET and POST data, old/non-existent field names, unusual browser headers etc.)
  They can be "broken"
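The detection point in the last bullets (odd POST data, retired field names, unusual headers) is easy to turn into server-side triage. The script below is an added example, not the presentation's code: it runs a handful of constructed request records against an assumed form schema and reports the man-in-the-browser symptoms each one shows. The origin `https://bank.example`, the field names, the retired-field list and the sample requests are all assumptions made for illustration.

```python
"""Triage bank web-server request records for man-in-the-browser symptoms:
fields the current form never had (HTML injection asking for extra data),
retired field names, form data on a GET, a POST without an on-site Referer,
and a User-Agent that changes mid-session (requests issued by the malware's
own HTTP code rather than by the browser).

Added example, not from the presentation. Schema, origin and records are
constructed for illustration."""
from typing import Dict, List, Set

BANK_ORIGIN = "https://bank.example"                       # assumed
FORM_SCHEMA: Dict[str, Set[str]] = {                       # current forms (assumed)
    "/login": {"username", "passcode_digits", "csrf"},
    "/payments/new": {"beneficiary_sortcode", "beneficiary_account",
                      "amount", "reference", "csrf"},
}
RETIRED_FIELDS = {"memorable_word", "password", "pin"}     # names from old forms (assumed)

def check_request(req: dict, session_ua: Dict[str, str]) -> List[str]:
    """Return the reasons one request looks tampered with (empty list = clean).
    `session_ua` maps session id -> first User-Agent seen; updated in place."""
    reasons: List[str] = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    fields = set(req.get("form", {}))
    schema = FORM_SCHEMA.get(req["path"])

    if req["method"] == "POST" and schema is not None:
        unknown = fields - schema
        retired = unknown & RETIRED_FIELDS
        if retired:
            reasons.append("retired field(s): " + ",".join(sorted(retired)))
        if unknown - retired:
            reasons.append("field(s) not on form: " + ",".join(sorted(unknown - retired)))
        if not headers.get("referer", "").startswith(BANK_ORIGIN):
            reasons.append("POST without on-site Referer")
    if req["method"] == "GET" and fields:
        reasons.append("form data on GET")

    ua = headers.get("user-agent", "")
    first_ua = session_ua.setdefault(req["session"], ua)
    if ua != first_ua:
        reasons.append("User-Agent changed within session")
    return reasons

def triage(requests: List[dict]) -> List[List[str]]:
    """Check a batch of requests in order, tracking User-Agent per session."""
    session_ua: Dict[str, str] = {}
    return [check_request(r, session_ua) for r in requests]

FF = "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
SAMPLE_REQUESTS = [  # constructed records
    {"session": "s1", "method": "GET", "path": "/login",
     "headers": {"User-Agent": FF}},
    {"session": "s1", "method": "POST", "path": "/login",
     "headers": {"User-Agent": FF, "Referer": BANK_ORIGIN + "/login"},
     "form": {"username": "jo", "passcode_digits": "***", "csrf": "t1"}},
    # injected HTML asked the victim for extra "verification" data
    {"session": "s2", "method": "POST", "path": "/login",
     "headers": {"User-Agent": FF, "Referer": BANK_ORIGIN + "/login"},
     "form": {"username": "al", "passcode_digits": "***", "csrf": "t2",
              "memorable_word": "x", "card_pin": "1234"}},
    # payment submitted by malware code, not by the victim's browser
    {"session": "s1", "method": "POST", "path": "/payments/new",
     "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
     "form": {"beneficiary_sortcode": "609876", "beneficiary_account": "98765432",
              "amount": "2500.00", "reference": "INV", "csrf": "t1"}},
]

if __name__ == "__main__":
    for req, reasons in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(req["method"], req["path"], reasons or "clean")
```

None of these signals is proof on its own (a privacy extension strips Referer too); they are meant to feed the back-end detection layer shown later in the deck, where they are scored alongside beneficiary and amount anomalies.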

16 Part 3: Money Mules
 Bad guys use phishing and malware to gain access to accounts
 But they need one more thing to get hold of the money: mules
 Mule = a friendly account, to which funds from a victim's account can be transferred
 Adverts on job websites, banner ads, printed newspapers…
 We typically see new fake companies set up each month
 Fire and forget: they usually last for one transaction before the bank shuts down their account
Example recruitment message: "Job offer. We have found your resume at Monster.com and would like to suggest you a "Transfer manager" vacancy. We have thoroughly studied your resume and are happy to inform you that your skills completely meet our requirements for this position. Our company buy, sell, and exchange digital currencies, like E-gold and E-bullion."

17 Put it all together – Online Banking Fraud Workflow
Stages: Collect → Test → Market → Defraud → Launder (underpinned by research & development)
 Test: credentials valid? available funds? ID theft opportunities? check validity ("no cops please!")
 Market: trade credentials; build attack profile
 Defraud: professionals in place; recruit "mules"; transfer funds
 Launder: money transfer via intermediate destinations; funds out of the system; proceeds distributed

18 Loss trends (chart): net loss to banks from online banking fraud, by year

19 Tactics and countermeasures
 Strength in depth – the multi-layered approach
 Identifying & protecting the point of risk
 Banks can also put a stronger lock on the front door (two-factor authentication)
Layers (diagram, from back end to customer-facing): back-end detection → service controls → transaction authentication → log-on authentication, with customer visibility increasing towards the log-on end

20 A stronger front door – multifactor authentication, what banks need to consider:  Millions of customers  Millions with several accounts  Cheap  Easy to use  Secure  Simples!

21 Functions: OTP, challenge/response, data signing

22 The 2FA effect (chart) Source: UK Payments 2009. Annotations, in order: Barclays 2FA announced; back-end controls introduced; Barclays 2FA mandatory; RBS/NatWest 2FA mandatory; Nationwide 2FA mandatory

23 Lots of options for multifactor

24 Attacking two-factor  Two factor remains technically very secure  Attackers circumvent by exploiting user uncertainty, because…  Customers remain vulnerable to social engineering – assumption of authority: “We have changed the process – you must do it this way now…”  Attacks seen elsewhere in the world for years (TANs, iTANs, OTP)

25 Socially Engineering EMV CAP
Genuine payment flow: 1. "In order to make payment …" 2. Beneficiary Acct = ___, Amount = £___ … 5. Reader: "Enter Ref" 6. Reader: "Enter Amount" → Passcode = ___
Becomes, on the attacker's injected page: 1. "A further security check …" 2. Security Code 1 = ___, Security Code 2 = ___ … 5. Reader: "Enter Ref" 6. Reader: "Enter Amount" → Passcode = ___
The reader prompts are identical in both flows, so the customer keys the attacker's beneficiary account and amount into the reader believing they are "security codes", and the passcode they type back signs the attacker's payment.
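To make the point of slides 21, 24 and 25 concrete: transaction data signing defeats a relay that silently alters the payment, but not a customer who has been talked into signing the attacker's values. The model below is an added example, not the presentation's code. Real EMV CAP derives its codes from the card's cryptogram; here HMAC-SHA256 over the two keyed-in values stands in for that (an assumption), the card key is a constructed secret, and the account numbers and amounts are made up.

```python
"""Model of CAP-style transaction data signing and the social-engineering gap.

Added example, not from the presentation. HMAC-SHA256 stands in for the
card's EMV cryptogram (assumption); card key and payments are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Payment:
    beneficiary: str     # sort code + account number, digits only
    amount_pence: int

def reader_code(card_key: bytes, ref: str, amount: str) -> str:
    """What the handheld reader computes from the two values the user keys in.
    It has no idea whether `ref` is really a beneficiary or a 'security code'."""
    mac = hmac.new(card_key, f"{ref}|{amount}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)

def bank_verify(card_key: bytes, p: Payment, code: str) -> bool:
    """Bank recomputes the code over the payment it is being asked to execute."""
    expected = reader_code(card_key, p.beneficiary, str(p.amount_pence))
    return hmac.compare_digest(expected, code)

def scenarios(card_key: bytes) -> Tuple[bool, bool, bool]:
    """Return (honest, relayed, social_engineered) verification outcomes."""
    victim_payment = Payment("40123412345678", 5000)       # what the customer meant
    attacker_payment = Payment("60987698765432", 250000)   # what the attacker wants

    # 1. Honest use: the customer keys the beneficiary and amount they intended.
    code = reader_code(card_key, victim_payment.beneficiary, "5000")
    honest = bank_verify(card_key, victim_payment, code)

    # 2. Live-phishing relay swaps the payment after signing: the code no longer
    #    matches the beneficiary/amount the bank is asked to execute.
    relayed = bank_verify(card_key, attacker_payment, code)

    # 3. Social engineering (slide 25): the injected page labels the attacker's
    #    account and amount "Security Code 1/2", the customer keys them in, and
    #    the resulting code is a valid signature over the attacker's payment.
    se_code = reader_code(card_key, attacker_payment.beneficiary, "250000")
    social_engineered = bank_verify(card_key, attacker_payment, se_code)

    return honest, relayed, social_engineered

if __name__ == "__main__":
    key = b"constructed-card-secret"           # stands in for the card's key
    print("honest, relayed, social-engineered:", scenarios(key))
```

The third outcome is the one the cryptography cannot fix: the signature is correct, it is the customer's understanding of what they signed that was wrong. The countermeasure is on the display side (a reader or bank page that shows "Pay £2500.00 to 60-98-76 98765432?" before the code is produced), which is why the later slides treat customer visibility as a layer in its own right.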

26 What does the customer see?

27 Malware features - Carberp  Persistent storage in browser  Get account balance  Replace login button with a malicious version  Hide fraudulent transactions on statement display from user  Hide fraudulent logins from user  Amend transaction requests on the fly and hide from user  Installs a rogue Anti Virus app

28 Zeus  Probably the most significant identity theft malware in existence (but may be about to go into decline)  Nicely written, regularly updated, full technical support for customers  Targets two-factor authentication  Man in the browser, HTML injection, etc.  Some banks are using out-of-band authentication with mobile phones as a means of combating MITB: customers are sent a one-time passcode or a challenge via SMS or voice  (Diagram: SMS intercept)

29 Mobile phones for two-factor
 Out-of-band authentication
 Good in principle
 Increases the challenge of interception
 Practical challenges:
  Ensuring all customers have a phone
  That it is switched on & in range
  SMS delivery is not guaranteed and not covered by an SLA
 Bringing other parties into the authentication loop – don't ignore the risks
 Attacks seen in Turkey, South Africa, Australia, Spain and the UK
  Account takeover, redirection of replacement SIMs
  Phone call redirection
  Malware on phones is now a reality

30 Zeus SMS "Zitmo"
 Zeus-infected victim is asked to provide their mobile model and number
 An SMS containing a link to "a new security certificate" is sent to the phone
 Victim clicks the link and the malware installs
 For Symbian devices, the bad guys obtained a genuine developer certificate, since revoked (but no OCSP!!)
 Malware includes a cracked version of SMS Monitor: SMS traffic from known bank SMS numbers is intercepted and redirected to the C&C
 Incoming SMS from the C&C number is used to issue commands
 Malware can create/delete entries in the phonebook
 C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom)
(Diagram: "Calling MyBank Support")

31 Zeus arrests  11 arrests in the UK in September 2010 (mainly mules)  38 in the USA (ditto)  5 in Ukraine (aha!)  Consequences: Zeus the subject of a "takeover" by the SpyEye coder, with functionality to be migrated to SpyEye

32 Malware – what next?  Zeus/SpyEye merger probably a sign that the “Tier 1” bad guys have recognised that Zeus’ usefulness is nearing its end.  Dump and move on  Malware as a service emerging  Point and click malware kits

33 Further malware reading  Zeus tracker: https://zeustracker.abuse.ch/  SpyEye tracker: https://spyeyetracker.abuse.ch/  InfoWar Monitor  Malware Intelligence Blog: malwareint.blogspot.com  Contagio malware dump: contagiodump.blogspot.com  TrustDefender Labs blog  F-Secure blog  Brian Krebs  Gary Warner blog: garwarner.blogspot.com

34 Where are the real vulnerabilities? OS  95% of customers use Windows – it’s the way it is  90% of Windows installs ARE up to date Ubiquitous 3rd Party Software  80% of Adobe Flash installs are NOT up to date  84% of Adobe Acrobat installs are NOT up to date  “Trusted” software does not always act in the users’ best interests: some of the most popular iPhone games contain spyware

35 Banks are not the only fruit  As banks harden their defences, the attackers are turning to weaker targets  ALL online businesses are at risk  Facebook, Twitter, Myspace, LinkedIn etc. being raided for ID theft and card data  Retailer customer accounts raided for payment details, backend databases  Businesses being attacked via their web front ends or by “spear phishing” to gain access to corporate networks. Industrial & state espionage, intellectual property theft, sabotage, financial fraud, etc.

36 Things to come Living in a digital world, expect the unexpected

37 Richard Martin Head of Innovation UK Payments

