Internet Banking
Security risks and solutions
Tamas Gaidosch
KPMG Advisory Services
Piata Financiara Conference
Bucharest
October 2004
Purpose of the presentation
If you know the enemy and know yourself, you need not fear the
results of a hundred battles.
If you know yourself but not the enemy, for every victory gained
you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in
every battle.
Sun Tzu – The Art of War
Effective countermeasures can only be developed if risks are identified.
Agenda
Security trends
Common security issues
Less common and more dangerous issues
Real-life examples
Effective countermeasures
Background
Information Risk Management practice of KPMG
IT Security services – Budapest centre of competence
System audits
Penetration tests
Security design
Incident response
Significant experience in CEE and beyond
23 Internet Banking security engagements
39 penetration tests for banks
Incident statistics
Chart: unauthorised use of computer systems within the last 12 months, and dollar amount of losses per type (2003 and 2004).
The Internet connection is a frequent point of attack.
Source: US Department of Homeland Security, Computer Emergency Readiness Team
Sophistication and knowledge
Chart: attack sophistication versus required attacker knowledge, 1990 to today (automatic probing, packet spoofing, automatic toolkits, BackOrifice, DDoS).
Based on a Carnegie Mellon University study
Implications of scam
Phishing
Magnitude
Chart: new, unique phishing attacks reported per month
Source: Anti-Phishing Working Group
Motivation
William Sutton on the reasons why one would rob banks:
"Because that's where the money is."
"I was more alive when I was inside a bank, robbing it, than at any other time in my life."
Attacking the online bank
Through the infrastructure
Through the web application
Combined with phishing / social engineering
Attacking the infrastructure
Exploiting vulnerabilities in
Networking devices and firewalls
Operating systems
Database management systems
“Classic” hacking
Threats and countermeasures are relatively well
understood
Banks are usually well protected at this level
BUT …
Wireless networks
Wardriving
GPS + antenna + laptop + car = wardriving
Budapest, Budapest, you are so wonderful!
Wardriving results (1st test)
Date: 6th November, 2003, 01:43 (CET)
Place: a route in the inner city (Bank HQs!)
Time: 1 hour
Access points detected: 175
Easy to break in (no encryption): 124 (70.8%)
Harder to break in (using WEP): 51 (29.2%)
Secure (using 802.11x): 0 (0.0%)
Imagine… today
Rogue Access Point connected to a flat TCP/IP network …
Hacker in the parking lot …
HackMe Bank
ATM (Bankomat):
- on the same flat TCP/IP network...
- runs Windows...
- not security hardened...
- uses clear text protocol...
- weak PIN encryption (simple DES)...
Imagine … tomorrow
"Cars with the Microsoft software
will speak up when it's time for an
oil change.
The software running the brakes
will upgrade itself wirelessly."
AP, 12/2003
Checkpoints
Last Wireless Network test? Anything leaking?
Internal firewalls?
Sensitive network traffic encrypted?
ATM/InternetBank/etc. security hardened?
3DES used for PIN? (Mandatory from 2005)
Intrusion Detection System on the internal network?
Security logs reviewed daily? Alerts?
Attacking the web application
Application level security is still a bleeding edge.
Whilst we see more techniques and knowledge being used when designing and implementing network security, we often see applications with security vulnerabilities.
Flawed applications often present high risks to the business because:
- Attack patterns may not be recognised, therefore the attack could remain unnoticed
- A successful attack may have higher impact on business
Session hijacking – identity theft
First example
26665
26666
26667
26668
26669
26670
26671
26672
26673
26674
Session hijacking – identity theft
Second example
coy701sqm1
ji5j1vsqm2
wh98wgsqn1
pqpy33sqn2
3syq34sqo1
w738k0sqo2
xg9wwbsqp1
8nte9gsqp2
mnerqrsqq1
ux5faksqq2
597z61sqr1
iyo8q5sqr2
pagsiwsqs1
Tomcat 3.2.4 (open source), package org.apache.tomcat.util, SessionIdGenerator.java:
* format of id is <6 chars random><3 chars time><1+ char count>
Session hijacking – identity theft
Third example
ZH1SUEYAAAACD
ZH1XEZYAAAACF
ZH11W4IAAAACH
ZH2AGGYAAAACJ
ZH2E02AAAAACL
ZH2ZH3YAAAACN
ZH23YUAAAAACP
ZH2SJKIAAAACR
ZH2W0BIAAAACT
ZH21KWYAAAACV
ZH251TIAAAACX
ZH3EMCQAAAACZ
ZH3Y23AAAAAC1
ZH33NTQAAAAC3
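The three slides above show the same weakness from the defender's side: a handful of issued ids reveals counters, fixed filler and a ticking time field. As an added example (not part of the presentation), a small Python check that an operator can run over ids their own application issues; the sample ids are the first six of each series shown on the slides, and the detection rules (fixed and monotonically stepping positions) are my own choice.

```python
import secrets

# Constructed sample input: the first six ids of each series shown on the
# slides (a plain counter, Tomcat 3.2.4, and the third application).
SAMPLES = {
    "first": ["26665", "26666", "26667", "26668", "26669", "26670"],
    "tomcat": ["coy701sqm1", "ji5j1vsqm2", "wh98wgsqn1",
               "pqpy33sqn2", "3syq34sqo1", "w738k0sqo2"],
    "third": ["ZH1SUEYAAAACD", "ZH1XEZYAAAACF", "ZH11W4IAAAACH",
              "ZH2AGGYAAAACJ", "ZH2E02AAAAACL", "ZH2ZH3YAAAACN"],
}

def is_counter(ids):
    """True when the ids are consecutive integers (the first example)."""
    try:
        nums = [int(s) for s in ids]
    except ValueError:
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))

def fixed_positions(ids):
    """Positions whose character never changes: structural filler such as
    Tomcat's 'sq' or the 'ZH' and 'AAAAC' parts of the third example."""
    width = min(len(s) for s in ids)
    return [i for i in range(width) if len({s[i] for s in ids}) == 1]

def stepping_positions(ids):
    """Positions that only move upwards in issue order (a timestamp or
    counter leaking through, as in Tomcat's time field). Fixed ones excluded."""
    width = min(len(s) for s in ids)
    cols = [[s[i] for s in ids] for i in range(width)]
    return [i for i, c in enumerate(cols)
            if len(set(c)) > 1 and all(a <= b for a, b in zip(c, c[1:]))]

def assess(ids):
    """Summarise what an observer learns from a handful of issued ids."""
    fixed, stepping = fixed_positions(ids), stepping_positions(ids)
    width = min(len(s) for s in ids)
    return {"counter": is_counter(ids), "fixed": fixed, "stepping": stepping,
            "structured_fraction": round((len(fixed) + len(stepping)) / width, 2)}

def fresh_session_id():
    """What the generators above should do: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(name, assess(ids))
    print("random", assess([fresh_session_id() for _ in range(12)]))
```

For the Tomcat series the check reports positions 6 and 7 as fixed and position 8 as stepping, i.e. a third of the id carries no randomness at all; for ids from `fresh_session_id()` it reports nothing.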
Combined attacks
Client: financial services. Only point of entry: SMTP. Breaking in by specially crafted e-mail.
Top virus protection software on desktops and servers, IDS and firewall.
Mixture of social engineering and technical attack.
Developing the attack: 3 days. Executing it: 5 minutes.
Employees leave traces everywhere on the Internet.
So how bad is this anyway?
Internet Banking security engagements of KPMG Hungary in the last three years: 23
Answers the question: how deep could skilled attackers penetrate the system in a given limited timeframe?
Results:
Minor issues: 4 (17%)
Embarrassment: 3 (13%)
High risk: 10 (44%)
Compromise: 6 (26%)
Effective countermeasures
Adequate measures should always be taken to ensure that no unauthorized information interchange takes place:
IT infrastructure (technology)
General IT controls (process)
Security awareness (people)
Effective countermeasures
IT infrastructure:
- Firewalls
- Intrusion detection
- Wireless security
- VPN
- Cryptography
- Physical security
IT controls:
- Policy and strategy
- Change management
- Configuration management
- Problem management
- Incident response
- Security management
- Availability management
- Audits
Security awareness:
- Business risks
- Privacy issues
- Password usage
- Teleworking issues
- Reporting incidents
- Contact persons
Q&A
Align countermeasures with risks
Tamas Gaidosch, CISA, CISSP
Partner
KPMG Advisory Services
+36 1 270 7139
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2004 KPMG Hungária Kft., the Hungarian member firm of KPMG International, a Swiss cooperative. All rights reserved.