Internet Banking: Security risks and solutions. Piata Financiara Conference, Bucharest, October 2004. Tamas Gaidosch, KPMG Advisory Services


Internet Banking: Security risks and solutions

Piata Financiara Conference, Bucharest

October 2004

Tamas Gaidosch, KPMG Advisory Services

Purpose of the presentation

If you know the enemy and know yourself, you need not fear the results of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.

Sun Tzu – The Art of War

Effective countermeasures can only be developed if risks are identified.

Agenda

Security trends

Common security issues

Less common and more dangerous issues

Real-life examples

Effective countermeasures

Background

Information Risk Management practice of KPMG

IT Security services – Budapest centre of competence

System audits

Penetration tests

Security design

Incident response

Significant experience in CEE and beyond

23 Internet Banking security engagements

39 penetration tests for banks

[Chart: Unauthorised use of computer systems within the last 12 months]

The Internet connection is a frequent point of attack.

[Chart: Dollar amount of losses per type]

[Chart: Incident statistics, 2003 and 2004. Source: US Department of Homeland Security, Computer Emergency Readiness Team]

[Chart: Sophistication and knowledge, 1990 to today. Axes: attack sophistication vs. required knowledge. Milestones: packet spoofing, automatic probing, DDoS, BackOrifice, automatic toolkits. Based on a Carnegie Mellon University study]


Implications of scam: phishing

[Chart: Magnitude. New, unique phishing attacks reported per month. Source: Anti-Phishing Working Group]

Motivation

William Sutton on the reasons why one would rob banks:

“Because that’s where the money is.”

“I was more alive when I was inside a bank, robbing it, than at any other time in my life.”

Attacking the online bank

Through the infrastructure

Through the web application

Combined with phishing / social engineering

Attacking the infrastructure

Exploiting vulnerabilities in:

Networking devices and firewalls

Operating systems

Database management systems

“Classic” hacking

Threats and countermeasures are relatively well understood

Banks are usually well protected at this level

BUT …

Wireless networks

Wardriving

GPS + antenna + laptop + car = wardriving

Budapest, Budapest, you are so wonderful!

Wardriving results (1st test)

Date: 6th November, 2003, 01:43 (CET)

Place: a route in the inner city (Bank HQs!)

Time: 1 hour

Access points detected: 175

Easy to break in (no encryption): 124 (70.8%)

Harder to break in (using WEP): 51 (29.2%)

Secure (using 802.11x): 0 (0.0%)

Imagine… today

Rogue Access Point connected to a flat TCP/IP network …

Hacker in the parking lot …

ATM (Bankomat) on the same flat TCP/IP network: runs Windows, not security hardened, uses a clear-text protocol, weak PIN encryption (single DES)

HackMe Bank

Imagine … tomorrow

"Cars with the Microsoft software will speak up when it's time for an oil change.

The software running the brakes will upgrade itself wirelessly."

AP, 12/2003

Checkpoints

Last wireless network test? Anything leaking?

Internal firewalls?

Sensitive network traffic encrypted?

ATM / Internet Bank / etc. security hardened?

3DES used for PIN? (Mandatory from 2005)

Intrusion Detection System on the internal network?

Security logs reviewed daily? Alerts?

Attacking the web application

Application-level security is still bleeding edge.

Whilst we see more techniques and knowledge being applied when designing and implementing network security, we still often see applications with security vulnerabilities.

Flawed applications often present high risks to the business because:

Attack patterns may not be recognised, so the attack could remain unnoticed

A successful attack may have a higher impact on the business

Session hijacking – identity theft

First example: 26665 26666 26667 26668 26669 26670 26671 26672 26673 26674

Session hijacking – identity theft

Second example:

coy701sqm1
ji5j1vsqm2
wh98wgsqn1
pqpy33sqn2
3syq34sqo1
w738k0sqo2
xg9wwbsqp1
8nte9gsqp2
mnerqrsqq1
ux5faksqq2
597z61sqr1
iyo8q5sqr2
pagsiwsqs1

Tomcat 3.2.4 (open source)

package org.apache.tomcat.util, SessionIdGenerator.java

* format of id is <6 chars random> <3 chars time> <1+ char count>

Session hijacking – identity theft

Third example:

ZH1SUEYAAAACD
ZH1XEZYAAAACF
ZH11W4IAAAACH
ZH2AGGYAAAACJ
ZH2E02AAAAACL
ZH2ZH3YAAAACN
ZH23YUAAAAACP
ZH2SJKIAAAACR
ZH2W0BIAAAACT
ZH21KWYAAAACV
ZH251TIAAAACX
ZH3EMCQAAAACZ
ZH3Y23AAAAAC1
ZH33NTQAAAAC3
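The three session-ID samples above, analysed position by position. This is an added example, not material from the presentation: it treats each captured sample as listed in issue order and assumes a single alphabet (decimal or base-36) per sample; positions that never change, or that step by a constant amount, cost an attacker no guesses, so only the remaining positions carry real entropy.

```python
"""Per-position analysis of captured session IDs (added example, not from the slides).
Assumes IDs are listed in issue order and use one alphabet (decimal or base-36)."""
from string import ascii_lowercase, ascii_uppercase, digits

# Sample IDs transcribed from the three examples on the slides.
FIRST_IDS = [str(n) for n in range(26665, 26675)]
TOMCAT_IDS = ["coy701sqm1", "ji5j1vsqm2", "wh98wgsqn1", "pqpy33sqn2", "3syq34sqo1",
              "w738k0sqo2", "xg9wwbsqp1", "8nte9gsqp2", "mnerqrsqq1", "ux5faksqq2",
              "597z61sqr1", "iyo8q5sqr2", "pagsiwsqs1"]
THIRD_IDS = ["ZH1SUEYAAAACD", "ZH1XEZYAAAACF", "ZH11W4IAAAACH", "ZH2AGGYAAAACJ",
             "ZH2E02AAAAACL", "ZH2ZH3YAAAACN", "ZH23YUAAAAACP", "ZH2SJKIAAAACR",
             "ZH2W0BIAAAACT", "ZH21KWYAAAACV", "ZH251TIAAAACX", "ZH3EMCQAAAACZ",
             "ZH3Y23AAAAAC1", "ZH33NTQAAAAC3"]

def alphabet_for(ids):
    """Digits only, or base-36 in whichever letter case the sample uses."""
    chars = set("".join(ids))
    if chars <= set(digits):
        return digits
    return digits + (ascii_lowercase if chars & set(ascii_lowercase) else ascii_uppercase)

def classify_position(column, alphabet):
    """fixed: never changes; counter: constant non-zero step mod alphabet size; else varies(n)."""
    if len(set(column)) == 1:
        return "fixed"
    steps = {(alphabet.index(b) - alphabet.index(a)) % len(alphabet)
             for a, b in zip(column, column[1:])}
    if len(steps) == 1 and 0 not in steps:
        return "counter"
    return f"varies({len(set(column))})"

def analyse(ids):
    """One classification per character position; all IDs must share a width."""
    width = len(ids[0])
    assert all(len(i) == width for i in ids), "mixed-width IDs: align them first"
    alphabet = alphabet_for(ids)
    return [classify_position([i[p] for i in ids], alphabet) for p in range(width)]

def guessable_fraction(ids):
    """Share of positions an attacker need not guess (fixed or counter)."""
    classes = analyse(ids)
    return sum(c in ("fixed", "counter") for c in classes) / len(classes)

def is_consecutive(ids):
    """True when each decimal ID is exactly the previous one plus one."""
    values = [int(i) for i in ids if i.isdigit()]
    return len(values) == len(ids) and all(b - a == 1 for a, b in zip(values, values[1:]))
```

For the Tomcat sample only the six leading characters vary freely; in the third sample eight of thirteen positions are fixed padding or a counter, which is what makes such IDs guessable.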

Combined attacks

Client: financial services

Only point of entry: SMTP

Breaking in by specially crafted e-mail

Top virus protection software on desktops and servers, IDS and firewall.

Mixture of social engineering and technical attack.

Developing the attack: 3 days. Executing it: 5 minutes.

Employees leave traces everywhere on the Internet.

So how bad is this anyway?

Internet Banking security engagements of KPMG Hungary in the last three years: 23

Answers the question: how deep could skilled attackers penetrate the system in a given, limited timeframe?

Compromise: 6 (26%)

High risk: 10 (44%)

Embarrassment: 3 (13%)

Minor issues: 4 (17%)

Effective countermeasures

General IT controls (process)

Security awareness (people)

IT infrastructure (technology)

Adequate measures should always be taken to ensure that no unauthorized information interchange takes place.

Effective countermeasures

IT infrastructure: Firewalls, Intrusion detection, Wireless security, VPN, Cryptography, Physical security

IT controls: Policy and strategy, Change management, Configuration management, Problem management, Incident response, Security management, Availability management, Audits

Security awareness: Business risks, Privacy issues, Password usage, Teleworking issues, Reporting incidents, Contact persons

Q&A

Tamas Gaidosch, CISA, CISSP

Partner, KPMG Advisory Services

+36 1 270 [email protected]

Align countermeasures with risks

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2004 KPMG Hungária Kft., the Hungarian member firm of KPMG International, a Swiss cooperative. All rights reserved.