Architecture, Network security, Strategy, Vulnerability management, Threats, Cybercrime, Malware

ZeuS vs. online authentication, Part 1

January 24, 2011

It seems that public opinion around the risks of banking trojan cyberattacks is changing. With one recent banking survey reporting that one half of respondents viewed real-time banking trojan attacks as the greatest threat to online banking, ZeuS and banking trojans are now seen as serious threats to business.

Businesses, nonprofits, governments and schools simply don't have the same banking protection as consumers, and when banking trojans succeed, it often costs the business money it can ill afford. Readers of Cybercrime Corner will recall our series from July 2010 which covered the impact of banking trojans:

Banking trojans have the potential to become the largest historically destructive threat to our nation's economy short of the Civil War. Business account hijacking has the ability to completely destroy what typically takes strong business teams years of nurturing – all from thousands of miles away or from right across the street.

Online banking: Perception of safety is changing

Last February, Brian Krebs reported on a half-million dollar loss which led to a lawsuit against a bank for practices which allegedly groomed the business employees for a successful phishing attack. Brian Krebs led off 2011 with an excellent analysis of EMI v Comerica, including this commentary from legal experts David Navetta and Charisse Castagnoli:

David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee, said the court in this case punted on any discussion of whether Comerica's security procedures were commercially reasonable. Instead, Navetta said, the court focused on the contracting process between the parties. It declared as a matter of law that Comerica's security was reasonable because EMI had agreed that it was reasonable in a contract.

'The question becomes where do the bank's responsibilities end and the customer's begin, and to what degree must banks anticipate their customers' mistakes and develop security to mitigate the risk of a security breach. Reading the trial papers, it is obvious that the big fight in front of the jury is whether and to what degree EMI brought this upon itself.'

Navetta believes this case is likely to make banks look very carefully at their security policies and make sure they are in line with federal guidance from federal regulators. ‘They also may beef up their educational processes around phishing attacks,' Navetta said. ‘They will also likely offer very robust security in some cases that their clients may ultimately turn down.'

For the moment, though, relatively few banks  –  particularly smaller to mid-sized institutions  –  are offering commercial customers that robust security that goes beyond mere customer authentication, said Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School.

There are two fundamental problems here from the authentication perspective, adds cybersecurity researcher Marsh Ray of PhoneFactor. Marsh, well-known for finding a recent zero-day vulnerability in transport layer security (TLS) and scheduled to speak in Germany in March on the topic of authentication weakness, added detail in a recent email:

First, most second factors represent forwardable credentials. the hardware token doesn't "know" how to produce a one-time password (OTP) that works only from the legitimate user's browser to the legitimate website because it lacks sufficient context. Since passwords are considered ‘replayable credentials,' they're even worse.

Combine this with a user who doesn't know how to authenticate his bank's website and you have a phishing vulnerability, albeit one which requires the attacker be online to exploit it within some window.

Interestingly, the client certificate-based system the bank was reportedly using before hardware tokens would likely not have been a forwardable credential. It would perhaps be mildly easier to steal via malware though. the best of this class is the client certificate in a hardware smart card (e.g., DoD CAC).

Second, the bank was authenticating the wrong thing. They were validating the user's credentials for the purpose of authorizing the initiation of a "login session," which would then be largely unrestricted in its scope. But really, the thing they wanted to authenticate was the money transfer out of the country.

Note that the attackers didn't "break" the authentication. The legitimate user was, in fact, sitting at his PC intending to authenticate. The system just wasn't specific enough about the context and so the attackers could repurpose it for their own use. "Circumventing" is just the right word to use here.

Laura Mather, founder and VP of product marketing at Silver tail Systems, agrees about the authentication weaknesses. "Online criminals have found multiple ways to circumvent authentication technologies  –  whether that's through man in the browser or parameter injection or man in the mobile," she said a recent email.

‘Telling websites, both financial institutions as well as other websites, that authentication is the best form of protection would be remiss," she added. "Authentication is no longer sufficient to protect websites against the latest attacks. The fact that the one-time passwords are authenticating 'clicks' on the website and not actually authenticating the user is a good one. In general, I'm very concerned about the reliance on authentication."

PhoneFactor's latest poll reports some serious numbers in malware infection rates as well as the business perception of online banking in 2010.

According to the survey, real-time attacks from online banking trojans (ZeuS, Clampi, etc.) are seen as the greatest threat to online banking today for more than half (51%) of respondents.

More recently, malware like ZeuS is reported to have infected computers at 90% of the Fortune 500 companies. More than one in three respondents (37%) reported that online banking trojans are the most prevalent type of attack at their bank today, making them more prevalent than any other attack vector.

Given that the goal of ZeuS-style malware is to transfer funds to mule accounts, not surprisingly online ACH and wire transfers were seen as being most vulnerable, with nearly one in three respondents rating these types of transactions as either ‘extremely' or ‘very' vulnerable to attack.

Continued in ZeuS vs. online authentication, Part 2

prestitial ad