Tuesday, October 28, 2008
Financial malware gets smarter? But we've said that many times!
This is yet another case of predictions coming true; Now it's Kaspersky time to say that malware is changing the way they attack online banking users to defeat two-factor authentication. Tjey even try to create a new security buzzword for that:"For example, two-factor authentication for online banking, which uses a hardware token in addition to a secret password, is increasingly ineffective. This is because malware writers have perfected the tools to get around it by redirecting the user to a separate server to harvest the necessary access information in real time – the so called ‘man in the middle’ attack.This defeats the two-factor process, but malware writers have taken the process a step further with a new ‘man in the endpoint’ attack. This eliminates the need for a separate server by conducting the entire attack on the user’s machine."Nice catch, but we are saying that this would be the next logical step for financial malware evolution since 2005. Now that it's here the important questions is, how we're gonna deal with that? If 2FA doesn't work, what does?There are some interesting stuff being developed to provide a "secure tunnel" inside the user's computer, avoiding keyloggers and other nasty stuff. But again, we end up on that malware x protection_software_whatever at the user computer. Every time a security company develops something to protect resources from being tampered by malware, malware evolves to get the information from a lower level layer or by disabling the security software. This problem won't go away until we can assure that security software will always run in a higher privilege level than the malware.I like Windows Vista because of the effort on trying to make the user run as a non-privileged user. Unfortunately, this hasn't been the MIcrosoft OS user culture for years, it won't start from nothing. UAC tried to make it less painful, but the huhe amount of badly designed 3rd party software turned that feature into a nightmare. Even with all SDLC efforts there are still a lot of things out of Redmond's company to be done. Unix and Linux has technology and security conscious users. Apple has complete control over hardware and software. Microsoft, in the other hand, lives in hell (no control over hardware AND software + the most dumb users).A intermediate option to secure online banking transactions is trying to explore the different devices that banks customers have. There are some products that implement 2FA on mobile phones, but most of them suffer from the same vulnerabilities as regular 2FA tokens. Challenge-response and transaction signing could be leverage mobile phones as a OoB (out of band) factor. A over-simplified example would be:- User on computer intiates transaction- Bank encrypts the transaction data received with the user public key and send it by SMS to his mobile, together with a confirmation code- The bank's app on the phone receives the message and decrypts it with the user private key- The user verifies the details of the transaction on the mobile and, if everything is the same as it was sent from the computer. The user sends the confirmation code to the bank (can be done from out of the previous session, to minimize the assyncronous nature of the conversation), who finishes the transaction.You may ask why the user answers the challenge from the computer instead of doing that from the phone too. This would be good as end user's SMS messages can have a different priority level to the mobile networks than the messages sent by the bank, who can buy differentiated SLAs from them.I know that there are lots of challenges in this single example (public key encryption on devices with limited resources, protecting the user private key, mobile network dependency, among others), but it can be seen as a way to allow users to do banking over untrusted channels. The catch here is that only half of the transactions passes through a untrusted channel. One can argue that the mobile network is also untrusted, but in order to allow fraud both channels would have to be compromised by the same attacker. Very unlikely (not impossible!).