website, it waits for the user to be logged on and then initiates or alters financial
transactions without the user knowing.
HOW CAN BANKS AND CUSTOMERS PROTECT THEMSELVES?
The customer should learn to behave securely when banking over the Internet, just as he should with other applications such as buying goods online. It is therefore very important that the customer becomes familiar with Internet street smarts and is able to assess the risks involved in visiting strange websites and downloading illegal software. He should also be decently equipped before setting foot on the Internet, with anti-virus, anti-spam and anti-spyware software installed on his computer. Banks should take precautions as well, and strengthen access control to their online banking applications by means of authentication technology.
Strong authentication mechanisms come in two important flavors:
1. One-time passwords and
2. Electronic signatures.
One-time passwords are used to authenticate the end-user when he logs onto the application. They are generated from a variable parameter, such as the time or a random number, are valid for only a limited amount of time (typically in the range of minutes), and can be used only once. The strength of one-time passwords lies in the fact that they narrow the window of opportunity for a fraudster to perform an attack. Hence, it becomes more difficult to perform fraudulent activities than it is with static passwords. One-time passwords, however, do not protect against the injection or alteration of financial transactions. In order to resolve this problem electronic signatures
2. WATERING HOLE
Watering hole attacks are considered an evolution of spear phishing attacks. They consist of injecting malicious code into the public web pages of a website that a small group of people usually visit.
In a watering hole attack scenario, the attackers wait for victims to visit the compromised site instead of inviting them with phishing messages. The efficiency of the method can be increased by exploiting zero-day vulnerabilities in widely used software such as Internet Explorer or Adobe Flash Player.
Cyber criminals could easily compromise an improperly configured or
updated website using one of the numerous exploit kits available on the black
market. Usually attackers hack the target site months before they actually use it for
an attack.
The method is very efficient, and it is very difficult to locate a compromised website. Watering hole is a considerably surgical attack that allows hackers to hit only a specific community; compared with classic phishing, it is less noisy. Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability: the attacker has to research and probe for a weakness on the chosen website. Indeed, in watering hole attacks, the attackers may compromise the website months in advance. Once compromised, the attackers periodically connect to the website to ensure that they still have access (Symantec).
One of the most interesting cases of watering hole attacks against a financial institution was discovered in late 2012 by RSA's FirstWatch research team.
The campaign was called the VOHO attack, and it compromised a regional bank in Massachusetts using the tactic of crafting a watering hole. The majority of the
Despite that, it's unknown if this method was also used to compromise the watering hole sites. Files found on one of the compromised websites indicate that the server was likely compromised with a remote buffer overflow (CVE-2008-3869/CVE-2008-3870) against the server's sadmind daemon, giving the attacker the ability to establish a remote shell.
Another famous watering hole attack against the banking sector was observed in March 2013, when several South Korean banks were hit by a widespread attack that wiped data and shut down systems. Internet banking servers went down, causing an interruption of their services, including online banking.
3. AUTOMATED ATTACKS
Financial malware comes in all shapes and sizes, and will often be tailored to target a single organization. The way the malware operates is normally determined by the bank's defences. This means there's no requirement for the cyber criminals to spend time creating unnecessarily complex malware. There are several methods which malware authors can use to get around banking security and harvest user information. For instance, if a bank uses single-factor authentication with a static username and password, it's a simple matter of capturing keystrokes. Alternatively, some banks have created dynamic keypads so that the user needs to click a 'random' pattern in order to enter his password. Malware authors use two different methods to circumvent this type of security: they can either create screen dumps when the user visits a specific site, or simply gather the information being sent to the site by grabbing the form. In both cases, the stolen data is processed later.
The use of Transaction Authorisation Numbers (TANs) for signing transactions makes gaining access to accounts somewhat more complex. The TAN may come from a physical list issued to the account holder by the financial organisation, or it may be sent via SMS. In either case, the cyber criminal does not have access to the TAN. In most cases, the malware used will capture the information entered by the user in a way similar to that described above. Once the user enters the TAN, the malware will intercept this information and either display a fake error message or send an incorrect TAN to the financial site. This may result in the user entering another TAN. An organization may require two TANs to complete a transaction; this depends on the organization and the security systems it has decided to implement. If only one TAN is required to make a transaction, the attack described above could allow a cyber criminal to make two transactions.
The success of such an attack is highly dependent on the exact implementation of the TAN system. Some systems do not set an expiry date for TANs; the next TAN on the list simply has to be the next TAN used. If the next TAN on the list doesn't reach the bank's site, then the criminal will be able either to use it immediately or to save it for later use. However, stolen TANs have a shorter lifespan than a static username and password, because a user who is experiencing persistent problems during an online banking session is likely to call the bank to request assistance.
Where TANs are sent to the account holder via SMS, a unique TAN can be issued for each unique transaction, in a method somewhat similar to two-factor authentication. From this point onward, cyber criminals have to process data in real time, by using a Man-in-the-Middle attack.
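As an added example that is not part of the original document, the following Python model puts the point of the one-time password section and of the TAN section side by side: a clock-only OTP approves whatever transaction arrives at the bank, whereas a code bound to payee and amount (an electronic signature or per-transaction SMS TAN) with a validity window and single use rejects an altered transaction, a replayed code and a code saved for later. The secret, timestamp and account names are constructed for the demonstration.

```python
import hashlib, hmac

SECRET = b"constructed-demo-secret"  # constructed: shared secret between bank and customer token
STEP = 60  # code validity window in seconds ("typically in the range of minutes")

def _code(now: float, binding: bytes = b"") -> str:
    """Six-digit code over the current time window plus optional transaction binding."""
    window = int(now // STEP).to_bytes(8, "big")
    mac = hmac.new(SECRET, window + binding, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def login_otp(now: float) -> str:
    """One-time password: depends on the clock only, not on what is being approved."""
    return _code(now)

def transaction_code(payee: str, amount: int, now: float) -> str:
    """Transaction-bound code (electronic signature / per-transaction SMS TAN)."""
    return _code(now, f"{payee}|{amount}".encode())

class Bank:
    """Bank-side verifier: accepts the current window only and never the same code twice."""
    def __init__(self) -> None:
        self.used = set()

    def _accept(self, code: str, now: float, binding: bytes = b"") -> bool:
        key = (int(now // STEP), code)
        if key in self.used or not hmac.compare_digest(code, _code(now, binding)):
            return False
        self.used.add(key)
        return True

    def transfer_with_otp(self, payee: str, amount: int, code: str, now: float) -> bool:
        """Weak design: the login OTP approves any transaction, so payee and amount go unchecked."""
        return self._accept(code, now)

    def transfer_signed(self, payee: str, amount: int, code: str, now: float) -> bool:
        """Strong design: the code must match the payee and amount the bank actually received."""
        return self._accept(code, now, f"{payee}|{amount}".encode())

def demo(t: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: the user approves 900 to 'landlord'; malware swaps the payee."""
    bank = Bank()
    otp, sig = login_otp(t), transaction_code("landlord", 900, t)
    return {
        "altered_with_otp": bank.transfer_with_otp("fraudster", 900, otp, t),  # accepted: not bound
        "altered_signed": bank.transfer_signed("fraudster", 900, sig, t),      # rejected: payee differs
        "genuine_signed": bank.transfer_signed("landlord", 900, sig, t),       # accepted once
        "replayed": bank.transfer_signed("landlord", 900, sig, t),             # rejected: already used
        "expired": Bank().transfer_signed("landlord", 900, sig, t + 10 * STEP),  # rejected: stale window
    }
```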
4. MOBILE MALWARE
Mobile phones today are no different from standard computers, so mobile malware is able to monitor data transmitted through the device to the bank's server. An additional function of mobile malware is the capability to read the user's SMS messages and send them to the attacker's C&C server. Since many banks use OTPs sent via SMS to the mobile device to authenticate logins and transactions, with this feature the attacker can use the victim's mobile banking account at any time, since he has access to it. Attackers use the same social engineering techniques to infect online users, like convincing
Submitted by: v.padmapriya (14301037)
MBA-Banking Technology, first year