Thursday, December 11, 2014

Man in the Browser – The Online Banking Nightmare

Since 2004 the popularity of online banking has been rising rapidly, Hackers, fraudsters, cybercriminals and other individuals with malicious intentions present heavy threats to online banking. These people have led banks to adopt internal and external security countermeasures; some of the internal measures include deploying multiple defense layers, DMZ, filters, firewalls, intrusion prevention systems, honey pots, packet analyzers and so on. While on the external level banks were able to impose some security features on their clients including strong password, double factor authentications, tokens, virtual keyboards, secure socket layer (SSL) encryption, and awareness guides to their clients.
When these cybercriminals realized that targeting banks is now hectic and will require lots of time and effort, they switched to the weaker link, the USER, the person that is using the online banking service.
And therefore a new attack emerged, the Man In the Browser Attack or: MITB attack is an attack that threatens the current online banking systems not by addressing the top notch security implemented by banks but by targeting the less aware and vulnerable end users.

Two-Factor Authentication

Two-factor authentication also known as two-step verification is a process involving two stages to verify the identity of a person trying to access services on a computer or in a network. One of which is typically something memorized, such as a security code, password or PIN, and the other of which being an OTP (One Time Password) generated by a physical token, such as a card, or even mobile verification (SMS).
Since this method elevates the level of security and decreases the incidents of identity thefts, it has not only been adopted by financial institutions (online banking), but also by several online services providers (Social Media, Cloud Storages and Email Services)
The adoption of TFA or Two-Factor Authentication significantly decreased the fraud figures in the last two years. For example if hacker succeeded in unveiling a customer’s login password by either cracking it, regardless of its strength and complexity using commonly used technical tools, or by stealing this password by the use of spear phishing, the hacker will not be able to proceed without supplying the online banking website with the another verification OTP that is sent to the customer via his personal mobile phone (SMS). In this case the hacker along with having the first password is required to have access to the customer’s mobile phone to utilize the received code in order to proceed with any transaction.
Moreover, TFA provide an elevated sense of security to the customer and to the issuing financial institution. But then the MITB attack was introduced.


MITB: Man-In-The-Browser-Attack

Man in the Browser or a modified version of the notorious Man in the Middle Attack is a form of internet threat introduced to the victim’s system using a malware, mainly a Trojan that infects the web browser by taking advantage of vulnerabilities in the browser security and it aims to modify web pages, transaction content or even insert additional transactions. All of these modifications are done in a completely covert fashion invisible to both the user and host web application. An MITB is created to intercept data as it is transmitted over the secure communication channel between the victim and the online application. The Trojan responsible for the infection hides itself deep into the browser code and can be programmed to launch itself when the user accesses a specific online banking website.
The malware responsible for infecting a user’s PC is usually introduced to the victims system when the user is tricked into clicking on an applet placed in a fraudulent website; usually this applet claim that an update or so called advantage is needed to view the un-displayed content. Upon clicking on this applet a script is executed allowing the malware to run and accordingly infect the browser.
When MITB Attack is running it has the ability to intercept, manipulate and modify the contents of online banking WebPages by adding extra fields in order to trick and outsmart second authentication mechanisms.
Two famous examples are widely spread and can explain the situation clearly,
Example1:  when a user with an infected browser initiates a transaction, the attacker has the ability to change several parameters of this transaction including but not limited to the amount or the beneficiary but the victim’s browser will still display to the user the original and correct information, tricking him into believing that he had entered the valid data. Thus the user inputs his authentication credentials along with the OTP generated for this transaction and submits the transaction for processing. The attacker can even modify statement of accounts in order to trick the user into seeing the legitimate transaction being processed.
Example 2: Some online banking services require the user to enter another OTP while processing his application: one at the login page in order to verify the user identity, another is when the transaction is submitted or even when the online banking page has been idle for a longer time. The attacker uses advantage of these options and uses them to tricking the user to generate an OTP and input it to field totally controlled by the attacker, and thus trick the user into providing him with an un-used ready to be used OTP. The attacker then makes use of this newly generated OTP to conduct a fraudulent transaction while using the correct credentials of the victim. 
In both examples, Banks involved in these transactions can’t detect that the transactions are fraudulent, since they appear to be originating from the authentic customer himself, and therefore these transactions will be normally processed and flagged legitimate.
So, to sum up the basic flow of a Man in the Browser Attack:
  1. A customer gets infected by a Trojan designed to launch an MITB attack
  2. When the customer is initiating an online transaction, the Trojan is activated
  3. The victim will affect all his credentials and authentications required
  4. The Trojan will modify the transaction details.
  5. The Trojan tricks the user by displaying fake pages, showing transaction details originally entered by the user.

MITB attacks are not targeted to one region or geography; they are a global threat affecting all regions.  Since they are hard and expensive to conduct, they are usually performed by well funded and well organized cyber criminals. These criminals mostly target clients or accounts with high volume of transactions and multiuser authorizations: accounts that are managed by multiple users within an organization.

MITB Mitigation

Ensuring user confidentiality and integrity of their online banking services, as well as reducing financial impact caused by online frauds are of high importance to financial institutions. Although hackers will keep on finding several technical and non technical ways to conduct fraudulent malicious activities, there are some concepts and methods, in the case of MITB, that could lead to the reduction of financial impacts.
The first would be implementing an Out-Of-Band Authentication and Transaction Verification. An OOB requires that authentication and transaction verification are performed outside the customer’s web browser and essentially outside the customers PC. A common form of OOB authentication is delivering an SMS OTP along with the details of the transaction and therefore allowing the user to review and confirm the details of the transaction before entering the OTP into his PC browser.  
The second method would be implementing an enforced secure browsing environment. For example, some financial institutions provide their users with portable web browsers stored on the USB authentication tokens, this USB flash device is set as “Read Only” which prevents any user, malicious attacker or any software from modifying the data stored on it, this setup which will prevent any infection from reaching the stored portable browser application. Moreover, this trusted browser can be pre configured by the bank to open specific internet pages and block any attempt to navigate into other un-assigned sites.
Another effective method to mitigate risks arising from MITB is to use Fraud Detection Based on behavior. User profiling will create a baseline normal behavior so that abnormal behavior can be detected and the user can be alerted before an actual transaction takes place. For example if a bank detects that an online banking customer is conducting an abnormal and unusual transaction (maybe using a new beneficiary, a newly used currency, a new location to establish the online banking session, etc…) it will stop the transaction and require direct intervention from the user in order to verify the validity of this transaction either by using SMS, Email or even phone calls. The bank systems will learn the patterns and behavior of this user in order to improve their screening process.
There are several ways to fight MITB attacks, but the most effective one is user awareness. Total dependency on the technical aspects is insufficient. When indulging in an online Bank agreement with its customers, Banks should provide adequate training, materials and even awareness quizzes and instructions that aim to educate the user into spotting any inappropriate and malicious activity being conducted on his PC, and in his browser specifically. Yet banks should acknowledge that protecting their security should be extended outside their parameter to reach the client side.

Finally a combination of customer awareness and education, the correct and appropriate use of alerting systems, along with the keen screening behavior and monitoring systems can provide the online banking industry with an effective protection against MITB attacks. Although these protective measures will not guarantee a safe and fraud free environment, but it will significantly lower the risks of getting bitten by a malicious attacker.

This article is cross posted in the Lebanese "Certified Accountant" Magazine issue 52 - Year 2014 

No comments:

Post a Comment