One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.
Even worse, the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email looks so fake that the bank's own security staff think it's a phish.
And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.
Email is a valuable sales channel for banks, and marketing teams evidently have not been willing to sacrifice it, despite the (justified) concerns of the security departments. This, coupled with the weak authentication schemes currently deployed, makes life easy for fraudsters. Paypal have tried one alternative approach – a two-factor token – but, as explained below, session-level tokens are still vulnerable to attack. Strong security solutions, accepted both by customers and by marketing, are needed to mitigate the large fraud losses we see today.
The fundamental problem with two-factor (2FA) session authentication is that it is vulnerable to Man in the Middle and Man in the Browser attacks. 2FA requires that customers present not only a password (something they know) when they log into online banking, but also demonstrate that they possess an authentication device (something they have). The device normally takes the form of a key fob which displays a number that changes every 30 to 60 seconds, but another approach is to require the customer to insert their bank card into a stand-alone reader. Unfortunately, nothing stops an attacker who obtains a 2FA code while it is still valid from using it to commit fraud: the code proves who logged in, not what they agreed to.
In the classic Man in the Middle attack, the customer is lured to the attacker's website, normally by a phishing email. The website looks identical to the legitimate bank site, but when the customer enters their account details and one-time password, the attacker's software immediately connects to the real bank site and uses those details to impersonate the customer and make a fraudulent transaction. Even mutual (site-to-user) authentication does not defend against this attack, since the attacker simply relays whatever the bank would normally show, so the customer believes they are communicating directly with the bank.
The Man in the Browser attack is an enhancement of the Man in the Middle, and has already been seen in the wild. It is designed to work even against customers careful enough not to enter their bank details on sites reached from links in emails. In this attack, the fraudster installs malware on the customer's PC, either via email or a drive-by download (even with up-to-date anti-virus software, 80% of new malware goes undetected). Then, when the customer makes a transfer through their normal online banking, the malware inside the web browser silently changes the amount and destination before the request reaches the bank, while continuing to show the customer the details they intended.

Both of these attacks circumvent one-time passwords, since 2FA only authenticates the session, not the transaction. The Man in the Browser attack is particularly hard for the bank to detect, since from the bank's perspective the customer is connecting from their usual Internet connection and web browser. The customer is equally powerless to spot the attack, since the URL is correct and the certificate is valid; only the content of the web page is being modified.
The solution to these attacks is transaction authentication. Here, the person accessing the bank website proves not only that they know a one-time password, but also that the real customer has seen the details of the transaction: the authentication code is computed over the amount and destination, not just over a counter or clock. In a Man in the Middle or Man in the Browser scenario, if any transaction detail is modified, the authentication code will no longer match and the bank will refuse the transfer. For this to be reliable, however, it must be easy to use, because the protection depends on the customer actually checking the details on the trusted device.
There are three main options for transaction authentication: CAP (the Chip Authentication Programme card readers), two-channel schemes such as SMS, and Cronto's visual cryptograms. Cronto's visual signing products are designed to give strong security assurances while remaining acceptable to customers. Because the transaction details are encoded in a visual cryptogram, the user does not have to re-enter them into the trusted device, as they would with CAP; this is faster, reduces errors, and removes the opportunity for the user to be tricked into entering the wrong details. Costs to the service provider are also lower and reliability higher, since unlike SMS-based two-channel authentication, no mobile phone network access is required.
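The following is an added example, not code from Cronto or from this post, that models the difference described above in a toy form: a session one-time password that depends only on a device secret and a counter, beside a transaction authentication code that also binds the amount and destination the customer entered on the device. It replays the Man in the Browser substitution against both, and also shows the limit of the approach: the code only protects what the customer actually entered, so a customer tricked into typing the attacker's payee into the device would still authorise the fraud. The shared key, the counter, the HMAC-SHA256 construction with HOTP-style truncation, and the account numbers are all constructed assumptions; a real device uses its own algorithm, and only the structure matters here.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (not from the page): one customer's device key and
# the counter the device and the bank are currently synchronised on.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
START_COUNTER = 41


@dataclass(frozen=True)
class Transfer:
    amount_pence: int
    destination: str  # payee account number as the customer sees it


def _truncate(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3): take 4 bytes at an
    offset given by the low nibble of the last byte, clear the sign bit, reduce
    modulo 10^digits and zero-pad so the device can show it as digits."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def session_otp(key: bytes, counter: int) -> str:
    """Session 2FA code: depends only on the shared secret and a counter.
    Nothing about the transaction is bound in, which is the weakness."""
    msg = counter.to_bytes(8, "big")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def transaction_code(key: bytes, counter: int, t: Transfer) -> str:
    """Transaction authentication code: binds the amount and destination the
    customer entered on the trusted device. Fields are length-prefixed so two
    different (amount, destination) pairs cannot serialise to the same bytes."""
    msg = bytearray(counter.to_bytes(8, "big"))
    for field in (str(t.amount_pence), t.destination):
        raw = field.encode()
        msg += len(raw).to_bytes(2, "big") + raw
    return _truncate(hmac.new(key, bytes(msg), hashlib.sha256).digest())


class Bank:
    """Bank-side verifier. It accepts a code for any of the next WINDOW counter
    values (the device may have been pressed without a login) and then moves
    past the counter that matched, so the same code cannot be replayed."""
    WINDOW = 5

    def __init__(self, key: bytes, counter: int) -> None:
        self.key = key
        self.counter = counter

    def _verify(self, code: str, expected_for) -> bool:
        for c in range(self.counter, self.counter + self.WINDOW):
            if hmac.compare_digest(code, expected_for(c)):
                self.counter = c + 1
                return True
        return False

    def accept_with_session_otp(self, otp: str, t: Transfer) -> bool:
        # The transfer details play no part in the check.
        return self._verify(otp, lambda c: session_otp(self.key, c))

    def accept_with_transaction_code(self, code: str, t: Transfer) -> bool:
        # The code is recomputed over the details the bank actually received.
        return self._verify(code, lambda c: transaction_code(self.key, c, t))


# Constructed scenario: what the customer intends, and what the malware submits.
INTENDED = Transfer(amount_pence=100_000, destination="12345678")
FRAUDULENT = Transfer(amount_pence=100_000, destination="87654321")


def mitb_against_session_otp() -> bool:
    """True if the fraudulent transfer is accepted, i.e. the attack succeeds."""
    bank = Bank(DEVICE_KEY, START_COUNTER)
    otp = session_otp(DEVICE_KEY, START_COUNTER)  # customer reads this off the fob
    return bank.accept_with_session_otp(otp, FRAUDULENT)  # malware swapped the payee


def mitb_against_transaction_code() -> bool:
    """Same substitution, but the customer signed the intended details."""
    bank = Bank(DEVICE_KEY, START_COUNTER)
    code = transaction_code(DEVICE_KEY, START_COUNTER, INTENDED)
    return bank.accept_with_transaction_code(code, FRAUDULENT)


def honest_transaction_code() -> bool:
    """Control case: an unmodified transfer with its own code is accepted."""
    bank = Bank(DEVICE_KEY, START_COUNTER)
    code = transaction_code(DEVICE_KEY, START_COUNTER, INTENDED)
    return bank.accept_with_transaction_code(code, INTENDED)


def tricked_customer_with_transaction_code() -> bool:
    """The weak link: if the attacker's page persuades the customer to type the
    attacker's payee into the device, the code validates the attacker's transfer."""
    bank = Bank(DEVICE_KEY, START_COUNTER)
    code = transaction_code(DEVICE_KEY, START_COUNTER, FRAUDULENT)
    return bank.accept_with_transaction_code(code, FRAUDULENT)


if __name__ == "__main__":
    print("MitB vs session OTP, fraud accepted:", mitb_against_session_otp())
    print("MitB vs transaction code, fraud accepted:", mitb_against_transaction_code())
    print("Honest transfer accepted:", honest_transaction_code())
    print("Tricked customer, fraud accepted:", tricked_customer_with_transaction_code())
```

The last scenario is the reason the trusted display matters: the bank can only verify what was signed, so the scheme is only as strong as the channel through which the customer learns which details to enter. A device that receives the details directly (rather than having the customer copy them from a possibly manipulated web page) closes that gap.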
Cronto have published a whitepaper, “Beyond phishing – de-mystifying the growing threat of Internet banking fraud”, discussing the threat of Man in the Middle and Man in the Browser attacks in more detail.
Trusted path is a common term in security research. It is the basis of many security protocol and application designs, and breaking it is one of the most common attack vectors.
This week, the Security Group published their findings on the vulnerability of PIN entry devices (PEDs) currently deployed in the UK (details are available in their technical report). The vulnerability arises partly from insufficient protection of the PEDs against tampering and partly from the communication between the card and the device not being encrypted. This effectively breaks the trusted path between the customer's card and the retailer's terminal and card processing network. You can watch the BBC Newsnight programme covering this.
This week we (Cronto) have also made an announcement about potential vulnerabilities of Chip and PIN based authentication for online banking. Whilst the CAP readers deployed by the UK banks can provide transaction authentication, there is still a weak link: if the user is tricked into entering incorrect details into the CAP reader, they could inadvertently be authorising a fraudulent transaction, since the reader can only sign what was typed into it. Whilst the possibility of this happening might seem remote, our analysis of existing systems shows otherwise. Again, the threat arises because there is no trusted path from the bank to the user's card and reader, as the attacker can manipulate the presentation of the bank's website to the user.
The trusted path issue is common to all consumer payments industry applications: from ATMs with added PIN pads and tampered retail terminals to man-in-the-browser'ed banking websites. The problem is also increasing with the growth of the payments industry, and any potentially successful solution requires a new approach based on innovation rather than attempts to patch the holes in the old protocols.
These issues are already the subject of both academic research and commercial product development. Some see a solution in USB tokens with strong security protocols; some suggest that mobile-phone-based PKI certificates are the answer. At Cronto, we believe the visual channel is the best way to go.
<!-- If you are offended by a commercial company being passionate about its product and advocating innovation in a traditionally very conservative industry, you can stop reading now -->
We believe that our visual cryptogram can provide a trusted path from a bank to the customer in the way which is both secure and simple for consumers.

We chose the visual channel for the following reasons:
On Friday 10th August, the House of Lords Science and Technology Committee published results of their inquiry into "Personal Internet Security". Richard Clayton, who served as the "Specialist Adviser" to the committee, has written a great introduction to the report highlighting recommendations such as increasing ISPs' responsibility, obliging banks to bear e-fraud losses, introducing data breach notification laws and software liability.
As part of their investigation, the Committee engaged a multitude of experts, ranging from PayPal CISO Michael Barrett and Prof. Ross Anderson to Bruce Schneier and Robert Littas, Head of Fraud Management at Visa Europe. Both the report and the evidence (submitted in writing and during interview sessions) are available from the Parliament's web site and are a must-read for every security professional.
Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club, a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit their views on the subject. They did so with the following introduction:
Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.
Like every other witness the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of 6 suggestions made by the Club. The following excerpts from the report illustrate this.
Club: "There must be positive Government guidance pushed to users;"
Committee:
8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)
Club: "Government advice must be from a single point of contact;"
Committee:
8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects.
(6.46)
Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"
Committee:
8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)
Club: "Software producers must take more care when writing software to avoid bugs in the first place;"
Committee:
8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)
8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)
Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"
Committee:
8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)
Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps, "users don't know what they want" is not as true as many vendors tend to believe and users can not only help to identify problems but also to develop solutions?
I certainly can’t claim to suffer from the early adopter syndrome; however, for the online banking experiment I was probably among the earliest adopters. Everything felt right: no more “may I please leave earlier today, I need to pop into the bank”, no queues, no closed doors and late payments – everything at a “touch of a button”, quick, effective, whenever you need it, and in the comfort of your own home. Besides, what did I have to lose – as a customer, I’m covered, no matter what happens?
I’m still covered and had almost forgotten the last time I actually visited my local branch when I suddenly found myself “having to pop into the bank” again and again. Services I was so used to were no longer available: I had to urgently transfer some money to a friend – turned out it was no longer possible for the new payees; my end of the month regular transfer of 1010 pounds didn’t go through due to a newly imposed limit of 1000, and one day I simply couldn’t login and was asked to call and answer some “security” questions … such as “what was the exact amount of your last transfer in April and how many direct debits do you have on your account?” How am I expected to remember?
Of course, with increasing online banking adoption, security is becoming a serious concern, and rightly so; and it certainly IS as important to make the user feel secure as it is to actually secure their funds. And it's not just the funds that are in danger: it's also the important private data that could be misused and exploited if exposed. However, is prevention through restriction rather than through technology really the answer? Does it make the user "feel secure and protected", or just annoyed and inconvenienced? Does it convey the feeling of “being taken care of”, or just the inability to offer adequate protection of the users' money as well as their valuable personal information?
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.
