SecureWorks - On the Radar Newsletter - November 2007

Wall Street Journal Exclusive:
Web Scammer Targets Senior U.S. Executives

Recently, Wall Street Journal journalist Christopher Rhoads chronicled the efforts of SecureWorks researcher Joe Stewart as he traced the hacker responsible for the Better Business Bureau phishing scam, which has duped more than 1,400 top executives in the U.S.

View the full Wall Street Journal Article


Featured Gartner Research:
PCI Questions Are Often Clearer Than Their Answers

According to Gartner, "PCI compliance progress has been made, but many questions remain as companies wrestle with changing interpretations, uneven enforcement and evolving standards." Gartner provides guidance for the most-common questions companies have raised.

View this complimentary Gartner research report made available to you by SecureWorks.


Ask the Expert:
Joe Stewart on Two-Factor Authentication

by: Joe Stewart, GCIH
Senior Security Researcher, SecureWorks

Many financial institutions are pondering two-factor authentication schemes in an attempt to keep fraudsters from stealing credentials from their customers online. After all, we've been told that strong authentication should incorporate a minimum of two of the following three things:

  • Something you know (e.g. a PIN)
  • Something you have (e.g. a token)
  • Something you are (e.g. a thumbprint)

Unfortunately, this advice falls flat on its face when modern fraud by malicious software comes into play. The reason is that this "malware", once installed on a victim's computer, can do anything your customer can do, and more.

No one knows this better than banks in Brazil. For years, Brazil has been plagued by gangs of thieves who use malware to steal money. At first, these "trojan horse" programs simply purloined a victim's keystrokes in order to send them back to the thief, who would log into the bank account later to transfer money out. The banks figured that they could defeat these keystroke-logging trojans by creating a new method for logging in - you type your account number, but then use an on-screen keyboard in order to enter your PIN using your mouse to point to the numbers. It was brilliant - for about half a day. Then the malware authors simply began to take tiny pictures from the infected computer's screen in a 30-pixel square any time the mouse was clicked on the bank's website. The money the banks put into the development of on-screen keyboards was all for naught.

Stronger authentication methods have been suggested - tokens, biometrics, SSL client certificates and more - all in an attempt to lock the bad guys out of an account, even if they manage to steal the user's credentials. It sounds like an ideal plan (if you get past the cost and user-education issues) until you consider the example of Win32.Grams.

This piece of malware targeted customers of the online payment service e-gold.com. No matter what authentication method the e-gold service used to allow access to the site, Win32.Grams would still be able to siphon money out of user accounts. This is because the trojan simply waited for the user to log in, then automated the transfer of money by simulating inputs and clicks in the right forms, all while hiding this activity from the user.

Ultimately, if your customers can gain access to their accounts via their computer, so can a third party who installs malware on that computer, no matter what kind of gateway authentication is involved. It is possible that this kind of automated theft could be tripped up by using transaction-level authentication, but again, the malware authors will eventually figure out a way to bypass it. You can't solve a human problem with technology for very long.

So, what can banks and other financial institutions do to combat the rampant fraud that is occurring online every day? Probably the best investment you can make is in fraud detection - there are many characteristics of a fraudulent transaction that can be spotted if you have a system tightly integrated with your online banking site. By themselves, they may not always indicate fraud, but collectively, a score can be assigned to each transaction to allow your fraud team to deal with the possible loss in an intelligent way.

When dealing with non-automated theft, at some point the fraudster has to log in to the victim's account to transfer money. Usually they will do this using proxies to hide their real IP address and make it seem as though they are located in the same country as the victim (some even go so far as to proxy through the victim's computer, making it even harder to differentiate between the fraudulent login and the normal one). But there are still ways to detect this kind of activity. For example, you can use a little bit of JavaScript to detect a user's time zone as reported by their web browser. If a login occurs at 2AM from a cable modem in Iowa, but the user's time zone is set to Moscow time, it might raise some red flags. There are even methods of "decloaking" proxy users to reveal their true IP address, using Java or Flash applets.

There are even ways to detect when Internet Explorer has been automated by malware - the browser's User-Agent header suddenly changes right after authentication - something that shouldn't happen in most cases.
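The scoring approach from the fraud-detection paragraph above, combined with the two signals just described (browser time zone disagreeing with the IP's location, and a User-Agent change right after authentication), as an added example that is not part of the original column. The IP-to-offset table, the weights and the sample sessions are constructed for illustration; the browser offset is assumed to already be normalized to a UTC+ offset in minutes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed lookup: IP prefix -> UTC offset (minutes) of where that IP geolocates.
# Stands in for a real geolocation database; values are assumptions for the example.
GEO_UTC_OFFSET_MIN = {"203.0.113.": -360, "198.51.100.": 180}

@dataclass
class SessionEvent:
    ts: datetime               # event time in UTC
    ip: str
    user_agent: str
    browser_tz_offset_min: int  # UTC offset the browser reported via JavaScript
    stage: str                 # "login" or "post_auth"

def geo_offset(ip: str) -> Optional[int]:
    for prefix, off in GEO_UTC_OFFSET_MIN.items():
        if ip.startswith(prefix):
            return off
    return None

def score_session(events: List[SessionEvent]) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each signal alone is weak; the sum is what the fraud team triages."""
    score, reasons = 0, []
    login = events[0]
    expected = geo_offset(login.ip)
    # Signal 1: browser time zone disagrees with where the IP geolocates (proxy indicator)
    if expected is not None and login.browser_tz_offset_min != expected:
        score += 40
        reasons.append("tz_mismatch")
    # Signal 2: the local hour at the geolocated location is unusual (e.g. 2AM)
    local_hour = (login.ts.hour + (expected or 0) // 60) % 24
    if local_hour < 5:
        score += 20
        reasons.append("odd_hour")
    # Signal 3: User-Agent changes right after authentication (browser automated by malware)
    for e in events[1:]:
        if e.stage == "post_auth" and e.user_agent != login.user_agent:
            score += 50
            reasons.append("ua_change_after_auth")
            break
    return score, reasons

UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
T = lambda h: datetime(2007, 11, 5, h, 0, tzinfo=timezone.utc)
# Constructed sessions: one from a user's cable modem, one with a mismatched browser
# time zone at 2AM local and a User-Agent that changes after login.
BENIGN = [SessionEvent(T(14), "203.0.113.5", UA, -360, "login"),
          SessionEvent(T(14), "203.0.113.5", UA, -360, "post_auth")]
SUSPICIOUS = [SessionEvent(T(8), "203.0.113.5", UA, 180, "login"),
              SessionEvent(T(8), "203.0.113.5", "AutoBot/1.0", 180, "post_auth")]
```

Run `score_session(SUSPICIOUS)` against `score_session(BENIGN)` to see how the weak signals add up only on the suspicious session.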

Although not a lot of malware is using this technique yet, we are seeing it increase in popularity as strong "gateway" authentication schemes are rolled out.

And all websites that face the risk of stolen logins should consider using dummy accounts to feed to phishing sites and malware. These can help a fraud team identify patterns and characteristics of fraud from specific groups, as well as allowing them to flag destination accounts that are being used by money mules who will in turn wire the stolen money to the masterminds of the operation.

Finally, financial institutions should seek out the members of the security research community who are constantly tracking malware and phishers. In the course of investigating fraud trojans, security researchers frequently come across repositories of stolen credentials.

One of the biggest challenges researchers have is getting in contact with the right person at the bank to give them the information on which accounts have been compromised. Although ultimately it will take years and much international cooperation to tackle the problem of online fraud, if we begin working together, we can make it a lot harder in the short term for the fraudsters to be successful in their illicit ventures.


All third-party brands and trademarks referenced in the text above belong to their respective owners. SecureWorks’ On the Radar Newsletter is not authorized by, associated with or sponsored by the respective trademark owners.
