Crimeware is bad news. We need to figure out how to stop it. Michael Kassner sees some resolution on the horizon, but will it be enough?
You may have heard of Man in the Middle attacks, meet Man in the Browser attacks (MitB). The term has been around since 2005, but not used much. That's changing, thanks to current crimeware, considered a form of MitB attack. According to Wikipedia, MitB is:
"A trojan that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application.
A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place."
I covered an instance where crimeware played a part in stealing almost a half million dollars in this post. In my next article, I discussed Zeus and URLZone, possibly the crimeware used in the half million dollar hoist. In this article, I would like to dig deeper into possible solutions.Protect ourselves
Since it's our money, we need to take the initiative. Doing everything we can to protect our hard-earned savings. Once we have our personal situations in the best shape possible, we can bug the banks to get their act together.
The obviously solution is to not bank on-line. That's a great idea, but what about our service personnel or anyone who cannot physically get to their bank? Besides, we should not have to succumb to cybercriminals. With that in mind, let's look at some of the solutions, you the members have come up with.
I would be negligent if I did not mention one thing first. No solution is fool-proof, especially since crimeware is ever-evolving. That has to temper everyone's decision about which solution to use or if it is worthwhile to bank on-line. Let me know in the comments which if any solution makes sense for you. Here they are:
- Use a dedicated computer running only the operating system (if possible not Windows) and Web browser application, no other applications (especially e-mail) should be installed. Make sure the operating system and Web browser are up-to-date. Finally, this computer should only be used to access the required financial Web portals, no other Web browsing.
- Install Linux on a bootable read-only media (LiveCD or lockable flash drive) along with a Web browsing application. Use this setup for any banking, financial, or credit-card transaction.
- Use a computer with a pristine, up-to-date host operating system. Have one virtual machine (VM) for normal computer functions and another VM setup exactly like the dedicated computer I described earlier. Use that VM exclusively for financial transactions.
I recently read a blog post by Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit of the New South Wales Police Department. He mentions that the iPhone may be immune to existing variants of crimeware. Ironically, it's because of a feature that most users do not like. The iPhone is only capable of running one task at a time. Therefore crimeware cannot run in the background.What banks need to do
Now that we are protecting ourselves as best we can, let's take a look at what the financial institutions need to do. Two key processes, authentication and verification need to be improved. All involved parties need to be who they say they are. All involved parties also need to know that the transaction taking place is accurate and initiated by one of the authenticated parties.Authentication
Web sites that deal with finances, money transfer, or credit card transactions need to offer true multi-factor authentication. In the United States, I am not seeing this. If I am wrong, let me know. Is your bank or credit card provider using more than one of the following factors:
- Something you know: Such as a password, image, or answers to questions.
- Something you have: Such as a one-time password token (SecureID), computer hardware, or a smart-card key.
- Something you are: Such as a finger print, retina, DNA, or a verifiable image.
The three factors are listed in order from weakest to the strongest. My bank uses one-factor authentication. First they ask a security question:
Next, they show me an image I picked during signup and I have to enter my password:
All three are something the bank and I know, one factor, and a very weak approach. In my case, Zeus or URLZone would not have any problem creating transactions.Verification of transactions
Financial institutions around the world seem to be more concerned about verification than those in the United States. For example, several European members mentioned their banks require entering a one-time password to verify each transaction.
Good idea for combating most crimeware, but not Zeus and URLZone. They both have a work-around. Zeus and URLZone are able to decipher the verification code and use it to verify their transactions.So what's needed
What's needed is official Transaction Verification. Wikipedia offers the following definition:
"Transaction Verification must utilize either Out-of-band technology (the use of a two separate channels) or an independent signing device, e.g. a programmable card-reader, capable of having transactional information re-keyed into it in order to create a code cryptographically linked to the underlying transaction detail."
I do not know of any financial institution that is using this approach. If you do, please let me know. That would be one progressive establishment.
TechRepublic member Jkameleon and I had an interesting conversation concerning how this could be solved. Jkameleon described a device that would defeat Zeus and URLZone. Surprisingly, I was able to locate such a device.IBM's ZTIC
IBM is working on a hardware device they call Zone Trusted Information Channel (ZTIC). Here is IBM describing how ZTIC works:
"After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank's Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC."
That is important, but not fool-proof against Zeus and URLZone. What does help is how ZTIC verifies each transaction:
"In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the "OK" button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment."
The following slide (courtesy of IBM) depicts how the ZTIC will look:
It appears that ZTIC is offering official transaction verification. The following steps show how:
- Transaction information and account numbers are detected in the traffic exchange between the Web browser and ZTIC.
- The ZTIC then displays the pertinent information asking for user confirmation.
- The user has to press the OK button for the transaction to continue.
This approach prevents URLZone from creating hidden transactions. It also foils Zeus. All information is displayed on a separate device, which defeats screen capture and logging malware. IBM has a video on YouTube that demonstrates how the device works. As good as this concept is, I see two problems:
- The device is not using an out-of band (second) communications method to verify the transaction.
- This approach would require a ZTIC for each banking or financial institution, due to the device being specific to each institution.
Still, using a ZTIC would go a long way to improve on-line banking security. I have more good news. There is another concept that has promise.MSK Security
I discovered another company that is working on this problem. Wanting to know more, I had several conversations with Shahram Karimian, CEO of MSK Security. Initially, I thought MSK Security was developing a software version of ZTIC. After talking to Mr. Karimian, I found differences, and I want to share those differences with you.
MSK Security uses what they call non-linear authentication. It is a new concept that should enhance user log-on credential security and help verify on-line financial transactions. Mr. Karimian explained the difference between linear and non-linear authentication as being:
- Linear authentication: Is where the user directly authenticates with the Web portal.
- Non-linear authentication: Is where a third party authenticates and verifies both the user and the Web portal as shown in the following slide:
I liken MKS Security's approach as combining the best features of OpenID technology and ZTIC.MSK Digital ID
The digital ID is software, individualized by a serial number and an IP address. The IP address allows a direct connection with MSK's authentication server. The digital ID is used to authenticate users as well as verify transactions. Here is how Mr. Karimian describes the process:
- When the user goes to the Web site to login, there is a redirect to the authentication server.
- The authentication server drops a cookie with a one-time serial number (valid for 2min) and the name of the website the user is logging into.
- The name of the Web site shows up on the "signature" portion of the Digital ID or if it's a transaction the amount of the transaction and who the transaction is going to will show up on the signature portion of the token.
- The Digital ID reads the onetime serial number off the cookie, takes the computer fingerprint (CPU serial number, hard drive serial number, MAC address, and computer name) hashes them together, twice salted using SHA 256 (SHA 512 for financial transactions).
- This is sent over SSL from the token directly to the authentication server, never to the Web site.
If everything is correct, the authentication server will tell the Web site to allow access. If it's a transaction, the authentication server will forward all information pertaining to the transaction to the Web site.MSK's advantages and disadvantages
Unlike ZTIC, MSK's digital ID can be used to authenticate any Web site that is MSK-security enabled, just like OpenID. This foils several attack vectors including phishing. I particularly like how phishing is defeated. MSK's authentication server will not allow any information to be transmitted to anything other than the official Web site.
I have some concerns with the digital ID from MSK Security and they are:
- Like ZTIC, MSK's digital ID is not using an out-of band (second) communications method to verify the transaction.
- MSK's approach is totally reliant on one point of contact, the authentication server. I would want some kind of up-time guarantee.
We can alter our on-line habits to better protect ourselves. Yet each change we make is only temporary. The bad guys will figure out another way. Our collective goal should be to get financial institutions and on-line merchants to start implementing true solutions like I outlined above.
"There are risks and costs to a program of action. But, they are far less than the long-range risks and costs of comfortable inaction."
—John F. Kennedy (1917-1963)—