05/06/09

Permalink 07:42:01 pm, by Igor Drokov, in User experience, Online identity  

A lot has been written about the privacy implications of sharing personal information with web services. Concerns have been raised about who owns the information users upload to "the cloud" and how long it persists.

One recent experiment demonstrated that once you have used an online service to share your photos, it can be hard to remove them even when you choose to:

My colleagues Jonathan Anderson, Andrew Lewis, Frank Stajano and I ran a small experiment on 16 social-networking, blogging, and photo-sharing web sites and found that most failed to remove image files from their photo servers after they were deleted from the main web site. It’s often feared that once data is uploaded into “the cloud,” it’s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence.

Well, maybe deleting a single photo is too small an operation to expect the site to make sure it is really gone forever. Surely, though, once you de-register your whole account, it will be gone for good?

I have recently tried to close my Facebook account. According to Facebook's privacy policy:

Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.

OK, I understand that purging backup copies is probably too much for a user to ask. However, I was surprised to receive the following email after deactivating my account:

You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.

Thanks,
The Facebook Team

Indeed, clicking on the "resurrect" link put me straight back into my profile, with all connections and personal information intact.

OK, maybe a "grace" period for users who deactivate their accounts on the spur of the moment is a good feature. So I deactivated my account again and this time left it for almost a month. Yet today I was able to log in to my surely-by-now-non-existent account and found all my connections and information intact, just as it was...

Welcome to the Hotel California 2.0:

"You can check out any time you like, but you can never leave!"

26/02/09

Permalink 08:37:09 am, by Igor Drokov, in Strong authentication, Internet banking  

The growing number of online banking attacks, from phishing to trojans, has been driven largely by a high Return on Investment (ROI): buy a toolkit, rent a botnet and gain access to a large number of compromised accounts. It is all about economies of scale: a single piece of malware can infect millions of computers and attack hundreds of banks.

Malware technology has been evolving rapidly, yet some tasks are still done better by humans than by machines. Solving CAPTCHAs is one of them, which is why they are often used to block automated mass-scale attacks (e.g. blog comment spam), hitting e-crime where it hurts: its ROI.

Unfortunately, these measures are no longer effective: e-crime crowd-sourcing has arrived! The advertisement in the screenshot reads "Easy money here!" and offers a job "re-typing text from pictures". Required skills: "knowledge of English letters" and "medium proficiency in English keyboard layout". Paid per correctly recognised picture, the site promises rates of up to 3 dollars per hour with daily payouts.

Wondering why anyone would need this? Have a look at this in-depth analysis of Koobface, the Facebook worm, which needs to solve CAPTCHAs in order to propagate:

"Every time Koobface runs into CAPTCHA protection at Facebook, it transfers that image to its command-and-control server. From there, the image is relayed to an army of CAPTCHA resolvers, who work day and night ready to pick up a new image from their profile, solve it, submit an answer, and get paid something like 0.5 cent for the answer."

ThreatExpert Blog

Now apply the same concept to the Man-in-the-Browser attack on online banking and it becomes Hu(Man)-in-the-Browser: a real-time Trojan-plus-human attack. Such attacks, already seen in the wild, mark a shift from the basic "spray and pray" approach to maximising the return from each compromised account. A human can assess the balance, the overdraft limit and the payment patterns (e.g. when the salary arrives) in a matter of seconds, and then choose the optimal amount and time for the fraudulent transfer.

With the required infrastructure already in place (compromised computer, command-and-control centre, human operator), it is only a matter of time before the virtual gold-digging sweatshops switch to this more lucrative revenue stream.

16/02/09

Permalink 10:30:03 am, by Igor Drokov, in Strong authentication, Internet banking  

Since the beginning of the 2FA "hype", many have argued that the most reliable form of authentication is Out of Band: the authentication takes place over a channel different from the one carrying the action that requires it.

In online banking this means using a channel other than the Internet connection to the customer's computer (the most insecure banking terminal there is), generally by delivering additional authentication codes via SMS messages or phone calls. Overall, this is a better idea than asking the user to manually re-enter transaction details into a separate device, or to connect another device to the computer. The issue, however, is cost and availability...

SMS has never been a quality-assured channel: it mostly works in "fire and forget" mode, with delivery speed depending on many factors outside the sender's (the bank's) control. The bank also has to keep the user's current phone number on record and have a secure procedure for changing it. Furthermore, the cost of an SMS is still relatively high. Assuming 1m online users with 10 transactions per month each, the bank will send 10m messages which, at an average SMS cost of 5 cents, translates into 0.5m euro per month or 6m euro per year (6 euro per user per year).

A phone call is a better option since it establishes a real-time, independent connection with the user and has, in principle, unlimited bandwidth (subject to cost and usability). It comes at the price of a higher overhead in managing several phone numbers per user, and the cost of the call varies with the particular implementation and the user's location (you would not want to use this method on a mobile phone during a holiday abroad, where even a missed call can cost 5 euro thanks to hidden operator charges!).

The SMS/phone-call Out of Band approach works as a relatively simple-to-roll-out complementary method of authentication suited to small deployments. It does not scale. At the volumes above, a failed/delayed delivery rate of just 0.1% on 10m messages means 10,000 failed transactions per month for a bank with 1m online customers, which will have a significant impact both on customer retention and on support call volumes (and their associated costs).

If only there were a way of establishing an independent, secure communication channel between the user and the bank with high availability and no operational cost :)

At Cronto, we believe the visual channel meets these requirements. The bank generates a special image (e.g. the Cronto Visual Cryptogram) that can be displayed in any browser just like any other image (so no cost or availability issues), and the user decodes it using an independent device, a camera phone or a standalone optical token, which ensures channel separation.

The use of the visual channel is definitely gaining momentum: Cronto has recently launched its deployment with Commerzbank AG, a number of vendors are announcing optically capable devices, and academic researchers are designing camera-phone-based solutions.

This month Finextra launched the Innovation Showcase, "a new feature on Finextra.com highlighting the most innovative financial technology developments over the past 12 months". Cronto is pleased to be named one of the leading innovators in the Authentication and Security category.

Using innovation to improve processes and focusing on retaining customers is vital in the current economic environment, and the visual channel offers the optimal Out of Band-type solution for banks looking to reduce or prevent fraud losses in a cost-effective and scalable way, while delivering a better customer experience.

14/07/08

Permalink 01:07:13 am, by Igor Drokov, in Security thoughts, Online payments, Internet banking  

Can you imagine an ATM running Windows XP Home Edition and connected to the Internet, or a Point of Sale terminal running Tetris? Unlikely! Why, then, is allowing a customer to use any computer on the Internet to connect to the banking system, and to transfer far more money than can be withdrawn from a cash machine, considered a good idea? Why did arguably the most conservative organisations in the world, the banks, agree to lower their defences so far that they practically invited the criminals in?

The answer is simple, and it is the same reason even risk-averse investors chased after every Internet company in the late 90s: the attractiveness of global scale and the reduced costs of e-channels.

Over the years, payments and savings have always been the subject of the most advanced protection available:

  • Banknotes have watermarks and other security features to resist counterfeiting
  • Cheques require the account holder's signature
  • ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
  • Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and the security protecting them. Criminals are exploiting this very effectively, and the banks are looking for a solution. Personal computers are not tamper-proof point-of-sale terminals, so it is infeasible to rely on the customer to keep them 100% secure. No one can take online banking away, but banks can deploy new security measures, and solving this problem requires a new, innovative approach that addresses security, ease of use and cost equally.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to this problem is transaction authentication, where the customer confirms each individual banking instruction, and we developed an innovative visual transaction-signing solution on that basis. Built on our unique Visual Cryptogram, the Cronto solution supports multiple end-user options, allowing the bank to choose what is right for its customers while keeping its backend systems consistent.
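Both the visual channel of the 16/02/09 post above and the transaction authentication described here come down to the same exchange: the bank binds the instruction it actually received to a fresh challenge, an independent device shows the user exactly those details, and the confirmation code the user types back is valid only for them. The following is an added example written for this page; it is not Cronto's code and does not use the Visual Cryptogram format. The image is replaced by a base64 blob that the "device" parses instead of scanning, and the device key, the transaction values and the 8-digit code derivation are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed per-device secret. In a real deployment it is provisioned to the
# camera phone or optical token and to the bank's HSM out of band, never via the browser.
DEVICE_KEY = bytes.fromhex("6ad9d1b4c42dde2f7b80a6c3f7c5e9e1")


def _canonical(obj) -> bytes:
    """Deterministic encoding so that bank and device MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def bank_create_cryptogram(key: bytes, tx: dict) -> tuple[str, str]:
    """Bank side: bind the transaction it actually received from the browser to a
    fresh nonce and authenticate it, so the device can trust what it displays.
    Returns (nonce, cryptogram); the cryptogram stands in for the image."""
    nonce = secrets.token_hex(8)
    body = {"nonce": nonce, "tx": tx}
    tag = hmac.new(key, b"challenge|" + _canonical(body), hashlib.sha256).hexdigest()
    cryptogram = base64.b64encode(_canonical({"body": body, "tag": tag})).decode()
    return nonce, cryptogram


def _response_code(key: bytes, nonce: str, tx: dict) -> str:
    """8-digit confirmation code bound to this nonce AND these transaction details."""
    msg = b"response|" + nonce.encode() + b"|" + _canonical(tx)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def device_decode(key: bytes, cryptogram: str) -> tuple[str, str]:
    """Device side: reject anything not authenticated by the bank, render the details
    for the user to read, and compute the code for exactly those details."""
    wrapped = json.loads(base64.b64decode(cryptogram))
    body = wrapped["body"]
    expected = hmac.new(key, b"challenge|" + _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("cryptogram was not produced by the bank")
    tx = body["tx"]
    display = f"Pay {tx['amount']} {tx['currency']} to {tx['payee']}"
    return display, _response_code(key, body["nonce"], tx)


def bank_verify(key: bytes, nonce: str, tx_to_execute: dict, code: str) -> bool:
    """Bank side: the code is only valid for the transaction the bank is about to execute."""
    return hmac.compare_digest(_response_code(key, nonce, tx_to_execute), code)


# Constructed transactions: what the user typed, and what a Man-in-the-Browser sent instead.
INTENDED = {"payee": "GB00 ALICE 0001", "amount": "250.00", "currency": "GBP"}
TAMPERED = dict(INTENDED, payee="GB00 MULE 9999")


def honest_flow() -> bool:
    nonce, cg = bank_create_cryptogram(DEVICE_KEY, INTENDED)
    _display, code = device_decode(DEVICE_KEY, cg)
    return bank_verify(DEVICE_KEY, nonce, INTENDED, code)  # True


def mitb_substitution_is_visible() -> str:
    """The trojan swaps the payee in the browser. The device shows what the bank
    really received, so the user sees the mule account instead of ALICE and should
    refuse to type the code; nothing on the compromised PC can alter that display."""
    _nonce, cg = bank_create_cryptogram(DEVICE_KEY, TAMPERED)
    display, _code = device_decode(DEVICE_KEY, cg)
    return display


def replayed_code_is_rejected() -> bool:
    """Smarter trojan: show the user a genuine cryptogram for the intended payment
    (e.g. captured from an earlier session) while submitting the tampered one. The
    code the user types is bound to the intended details and nonce, so the bank
    rejects it for the tampered transfer."""
    _n_intended, cg_intended = bank_create_cryptogram(DEVICE_KEY, INTENDED)
    _display, code = device_decode(DEVICE_KEY, cg_intended)
    nonce_tampered, _cg = bank_create_cryptogram(DEVICE_KEY, TAMPERED)
    return bank_verify(DEVICE_KEY, nonce_tampered, TAMPERED, code)  # False


def forged_cryptogram_is_rejected() -> bool:
    """Without the device key the trojan cannot fabricate a cryptogram that shows
    the intended payee; the device refuses it."""
    fake = {"body": {"nonce": "00" * 8, "tx": INTENDED}, "tag": "00" * 32}
    forged = base64.b64encode(_canonical(fake)).decode()
    try:
        device_decode(DEVICE_KEY, forged)
    except ValueError:
        return True
    return False
```

The security of the scheme rests on two things the example makes explicit: the device only renders details the bank has authenticated, and the code is a MAC over the nonce and the canonical transaction, so it cannot be transplanted onto a different instruction. The remaining responsibility is the user's, namely reading the payee and amount on the device before typing the code.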

07/07/08

One of the frequently proposed ideas for reducing bank fraud is to train customers to recognise and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as this quiz shows.

Even worse, the emails that banks send often resemble phishing attempts and sometimes directly violate the advice given to customers. With this "do as I say, not as I do" approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email looks so fake that the bank's own security staff think it is a phish.

And it is not just banks that are slipping up. I received an email from PayPal asking users to "click here and enter your password", despite the warning on the same page: "PayPal will never ask you to enter your password in an email". What can customers reasonably be expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams have evidently not been willing to sacrifice it, despite the (justified) concerns of the security departments. This, coupled with the weak authentication schemes currently deployed, makes life easy for fraudsters. PayPal has tried one alternative, a two-factor token, but such tokens are still vulnerable to attack: a one-time code that is not bound to the transaction it authorises can be relayed in real time by a man-in-the-middle or man-in-the-browser. Strong security solutions, accepted by both customers and marketing, are needed to mitigate the large fraud losses we see today.
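The "do as I say, not as I do" problem above is, in practice, a release-gate problem: nobody checks the marketing mail against the advice the security department publishes. As an added example (not from the original post, and not any bank's real tooling), here is a small pre-send lint a bank could run over its own outbound HTML mail. The trusted hosts, the forbidden wording and the two sample emails are all constructed for illustration; the rule set is a starting point rather than a complete policy.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed values: the hosts a genuine link may point to, and the wording the
# bank tells its customers it will never use in an email.
TRUSTED_HOSTS = {"www.examplebank.test", "online.examplebank.test"}
FORBIDDEN_PHRASES = ("click here", "enter your password", "confirm your password", "verify your account")


class _LinkCollector(HTMLParser):
    """Collects the visible text and the (href, anchor text) pairs of an HTML mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def lint_email(html: str) -> list[str]:
    """Return every rule the mail breaks; an empty list means it may be sent."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    body = " ".join(parser.text).lower()
    for phrase in FORBIDDEN_PHRASES:
        if phrase in body:
            findings.append(f"forbidden wording: '{phrase}'")
    for href, anchor in parser.links:
        url = urlparse(href)
        if url.scheme.lower() != "https" or _host(href) not in TRUSTED_HOSTS:
            findings.append(f"link to untrusted or non-https destination: {href}")
        # Anchor text that looks like a URL must name the host it really goes to.
        if anchor.lower().startswith(("http://", "https://", "www.")):
            shown = _host(anchor if "://" in anchor else "https://" + anchor)
            if shown != _host(href):
                findings.append(f"anchor text '{anchor}' hides destination {_host(href)}")
        if any(word in url.path.lower() for word in ("login", "signin")):
            findings.append(f"mail links straight into a login page: {href}")
    return findings


# Constructed samples: the kind of mail the post complains about, and a clean one.
BAD_EMAIL = (
    "<p>Dear customer, please <a href='http://examplebank-secure.test/login'>"
    "click here and enter your password</a> to verify your account.</p>"
    "<p>Note: we will never ask you to enter your password in an email.</p>"
)
GOOD_EMAIL = (
    "<p>Your statement is ready. Sign in at "
    "<a href='https://www.examplebank.test/'>www.examplebank.test</a> by typing "
    "the address yourself, or visit a branch.</p>"
)
```

Run `lint_email(BAD_EMAIL)` and every finding corresponds to a piece of advice the bank itself gives: the wording, the off-domain non-HTTPS link and the direct link into a login page. `lint_email(GOOD_EMAIL)` returns an empty list. A mail that trips the lint should not leave the marketing team's queue, however good its conversion rate.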
