Source: shodhganga.inflibnet.ac.in/bitstream/10603/10160/12/12_part 3.pdf


PART – III MATERIALS & METHODS

3. MATERIALS & METHODS

3.1 COMMON HACKING TECHNIQUES

3.1.1 Preface

3.1.2 Classic Attacks

3.1.2.1 Password Guessing

3.1.2.2 Brute-Force Attack

3.1.2.3 Eavesdropping

3.1.2.4 Shoulder Surfing

3.1.3 New Attacks

3.1.3.1 Off-Line Credential-Stealing Attack

3.1.3.1.1 Phishing Or Carding Or Brand Spoofing

3.1.3.1.2 Spear Phishing

3.1.3.1.3 Vishing

3.1.3.1.4 Malware

3.1.3.1.5 Pharming

3.1.3.1.6 Skimming

3.1.3.1.7 Spoofing

3.1.3.1.8 Credit Card Frauds

Common Hacking Techniques 51

3.1.3.2 On-Line Credential-Stealing Attack

3.1.3.2.1 Spyware / Keyloggers / Keystroke Logging Worms

3.1.3.2.2 Trojans / Back-Door Trojans

3.1.3.2.3 In Session Phishing Attacks

3.1.3.2.4 Hacking Tricks toward Security on Network Environments through Instant Messaging

3.1.3.2.5 Distributed Denial of Service Attack by Botnet

3.1.3.2.6 Payment Recipient Scams

3.1.1 PREFACE

The role of banking has been redefined, and customers are becoming more discerning and demanding. To meet their expectations, banks have to move from being mere financial intermediaries to providers of a broad range of deposit, investment and credit services under one roof, acting like a financial supermarket, and they have to do so with maximum security. Customer demand for internet banking is therefore growing continuously, because e-banking offers its users transactional facilities 24x7; at the same time, both banks and customers are expected to be aware of the various hacking techniques in use. E-banking also brings new opportunities for thieves, mainly because the growing problem of computer viruses and Trojans that act on our computers against our will has not been solved. In this chapter we discuss common hacking techniques, classifying them into two categories, classical attacks and new attacks. Examples of classical attacks are password guessing, brute-force attacks, eavesdropping and shoulder surfing.


New attacks we have further divided into off-line credential-stealing attacks and on-line credential-stealing attacks. Examples of off-line credential-stealing attacks are phishing or brand spoofing, spear phishing, vishing, malware, pharming, skimming and credit card fraud; examples in the on-line category are spyware, keyloggers and keystroke logging worms, Trojans and back-door Trojans, in-session phishing attacks, hacking tricks against network security through instant messaging, distributed denial of service attacks by botnets, and payment recipient scams. All banks that have implemented core banking systems offer e-banking and mobile banking facilities, but with these facilities there is always the question of security, i.e. protection of personal information from thieves. Computer damage has been classified as [13]:

1. Computer frauds; and 2. Computer crimes

COMPUTER FRAUDS

Computer fraud in banks is the latest form of fraud and is considered the safest method of crime for the perpetrator, since it involves no physical injury. Computer frauds are misappropriations or defalcations achieved by corrupting computer data records or programs.

COMPUTER CRIMES

Computer crimes are those committed with a computer, that is, where the computer acts as the medium. The distinction is, however, only academic. A few of the methods adopted by fraudsters are phishing, skimming, spoofing and credit card fraud.


Fig 3.1.1: Computer Crimes (Source-www.antifishing.org)

The prevalence of e-commerce in today's digital world opens the door to cyber crimes that we have never seen before. Viruses can be written for, and spread on, virtually any computer platform.

VIRUS ATTACK

Attacks against computers and servers across the net are becoming more and more aggressive. Computer viruses are nothing more than computer programs, and can therefore do virtually anything their programmer wants on the computers they infect. Over the last decades we have witnessed exponential growth in the number of computer viruses. The real danger is not that a virus can make thousands of copies of itself on our computer, but the wide range of things it can do with the data stored or processed there. One field in which this must be considered with special care is e-banking: these online services are normally accessed from personal computers with low protection.


The operating systems used on these computers tend to sacrifice security for the convenience of the user. Under such circumstances it is very easy for an attacker to mount a man-in-the-middle attack, and an attacker could end up controlling the money in our bank accounts [47]. A virus can also be used to automate maintenance tasks on the computer, delete all the data on the hard disk, encrypt it so that the owner has to pay to get the data restored to its original form, and even steal private data such as documents, system passwords and cryptographic keys [31].

ATTACK TO THE PC BANK SYSTEMS

Current PC banking systems rely mostly on password authentication combined with strong cryptographic communication. The problem is that these methods are not always robust enough for Internet banking applications. Entering a login and a password on a secure web page for authentication is equivalent to keeping the door key under the doormat, because any program executing on our computer, including viruses, Trojans and other malware, can get access to them.

One might think that a system such as UNIX, where only the operating system can access all of memory and each program is limited to its own address space, is immune to such an attack. This is definitely wrong. A virus could infect the browser program, inserting code into it that steals that information from the browser's own memory. The operating system cannot distinguish "good" code from "malicious" code, so it will never notice. Sometimes it is even enough to steal the file where the critical information is stored together with the password(s) used to secure it: all that is needed is a virus that waits until the user enters the password to access the critical information and then sends it over the network along with the file where the secret keys are stored.


Sometimes, moreover, the access password is so simple that it can be broken with a dictionary attack. The following figure shows a password snatching attack on a generic internet banking application [31]:

Fig 3.1.2: Password Snatching Attack


VIRUSES AND ANTIVIRAL TECHNIQUES

Viruses can be written for any known operating system, and there are also viruses written in macro languages such as MS Word macros and in JavaScript (a web-based language that allows code to be embedded in web pages). A virus can normally only execute on the operating system for which it was created. Even though some operating systems, such as UNIX, are harder to attack, not even these are completely safe: there are fewer viruses for such systems, but they do exist, and with them the possibility that critical information is leaked without our permission [31].

3.1.2 CLASSIC ATTACKS

Here we describe common, well-known attacks that have been widely used in the past and are still in use today.

3.1.2.1 Password Guessing

Password guessing is usually a dictionary-based attack in which the attacker tries to guess our password. Usually a dictionary of many common passwords is used. When the attack remains unsuccessful after the predefined set of passwords has been tried, the attacker moves on to another user.

3.1.2.2 Brute-Force Attacks

An exhaustive search, known as a brute-force attack, is based on trying a large number (ultimately all) of the possible passwords or secret keys. The following figure shows a model of a simple brute-force attack on a Norwegian internet bank.


As the figure makes clear, the attacker selects a Social Security Number (SSN) from a list of customers' SSNs and then attempts to log in with randomly chosen Personal Identification Numbers until the correct PIN is found or the attack is detected [33]:

Fig 3.1.3: Brute-Force Attack Model
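As an added example (not from the thesis or the cited bank model), the following Python simulation contrasts the two guessing attacks just described, password guessing from a short dictionary and exhaustive PIN brute force, against a toy login service that implements the usual server-side countermeasure: per-account lockout and per-source throttling. The account store, the PIN list, the source address and the lockout thresholds are all constructed for the demo.

```python
import itertools
from collections import defaultdict

# Constructed demo account store: account identifier -> PIN. Not real data.
ACCOUNTS = {"010170-12345": "4821", "150382-67890": "0000", "221290-11111": "7391"}

# Constructed "dictionary" of PINs people actually choose.
COMMON_PINS = ["1234", "0000", "1111", "2580", "1212", "7777", "1004", "2000"]


class LoginService:
    """Toy authentication endpoint with per-account lockout and per-source
    rate limiting. The thresholds are hypothetical policy values."""

    def __init__(self, max_failures_per_account=5, max_failures_per_source=20):
        self.max_failures_per_account = max_failures_per_account
        self.max_failures_per_source = max_failures_per_source
        self.failures_by_account = defaultdict(int)
        self.failures_by_source = defaultdict(int)
        self.locked_accounts = set()
        self.blocked_sources = set()
        self.alerts = []          # what the bank's monitoring would see

    def login(self, account, pin, source_ip):
        if account in self.locked_accounts or source_ip in self.blocked_sources:
            return "blocked"
        if ACCOUNTS.get(account) == pin:
            self.failures_by_account[account] = 0
            return "ok"
        self.failures_by_account[account] += 1
        self.failures_by_source[source_ip] += 1
        if self.failures_by_account[account] >= self.max_failures_per_account:
            self.locked_accounts.add(account)
            self.alerts.append(("account_lockout", account, source_ip))
        if self.failures_by_source[source_ip] >= self.max_failures_per_source:
            self.blocked_sources.add(source_ip)
            self.alerts.append(("source_blocked", source_ip))
        return "fail"


def dictionary_attack(service, account, wordlist, source_ip):
    """Password guessing: try a short list of common PINs, then give up."""
    for pin in wordlist:
        result = service.login(account, pin, source_ip)
        if result == "ok":
            return pin
        if result == "blocked":
            return None
    return None


def brute_force_pin(service, account, source_ip):
    """Brute force: walk all 10,000 four-digit PINs until success or detection."""
    for digits in itertools.product("0123456789", repeat=4):
        pin = "".join(digits)
        result = service.login(account, pin, source_ip)
        if result == "ok":
            return pin
        if result == "blocked":
            return None
    return None


def run_demo():
    """Returns (pin found by dictionary, pin found by brute force, alerts)."""
    service = LoginService()
    # The weak PIN falls to the dictionary on the second guess, below the lockout threshold.
    weak = dictionary_attack(service, "150382-67890", COMMON_PINS, "198.51.100.7")
    # The strong PIN triggers the account lockout after five failures, far short of 10,000.
    strong = brute_force_pin(service, "010170-12345", "198.51.100.7")
    return weak, strong, service.alerts


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is the one the figure's "or the attack is detected" branch hints at: lockout bounds the attacker to a handful of guesses per account, which is why online guessing is only profitable against accounts whose PIN is in the common list, and why the attacker in the model rotates to the next SSN rather than persisting.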

3.1.2.3 Eavesdropping

Eavesdropping is listening in on a communication without the speaker's knowledge. On its own it is passive interception; it is usually the first step of, or is combined with, a Man-In-The-Middle (MITM) attack, in which the attacker also relays or alters the traffic.


3.1.2.4 Shoulder Surfing

One of the oldest and most common threats to online banking security is "shoulder surfing". This is as simple as an unauthorized person watching over the account holder's shoulder while the user conducts an online banking session. If this person can see the user's keyboard, they will be able to see the IDs and passwords used to access the system [16].

3.1.3 NEW ATTACKS

Internet banking authentication methods can be classified by their resistance to two common types of attack:

1) Off-line credential-stealing attacks, and

2) On-line credential-stealing attacks

3.1.3.1 Off-Line Credential-Stealing Attack

In this type of attack the attacker tries to steal the user's private information from client PCs that have insufficient protection [36]. As the following figure shows, attackers use malicious software such as Trojan horses, or tactfully obtain the user's identification through phishing, pharming, or a combination of phishing with pharming [35]:


Fig 3.1.4: Offline Credential Stealing Attack Scenario

3.1.3.1.1 Phishing / Carding / Brand Spoofing

The word "phishing" first appeared in 1996. It is a variant of "fishing", formed by replacing the "f" with "ph" from "phone" (as in phone phreaking). It means tricking users out of their money through e-mails [46]. It is a form of online identity theft that aims to steal sensitive information from users, such as online banking passwords and credit card details. Recent years have brought a dramatic increase in the number and sophistication of such attacks. Attackers employ a large number of technical spoofing tricks, such as URL obfuscation and hidden elements, to make a phishing web site look authentic to victims.


Phishing attacks use a combination of social engineering and technical spoofing to convince users to give away sensitive information (e.g., via a web form on a spoofed web page), which the attacker then uses for financial gain [42]. In brand spoofing, attackers appropriate the trusted brands of well-known financial institutions and tactfully ask users for personal identification through fake web site forms.

Such attacks are harmless as long as the user ignores and deletes the e-mail; if the user responds, the attackers will do their best to obtain the user's account information. We can therefore define phishing as "the act of convincing users to provide personal identification information, such as social security numbers or bank information, for explicit illegal use" [37].

Among all the cyber crimes targeting e-banking systems, phishing has become one of the most serious threats. In the main form of the attack, the criminals (called phishers) set up fake e-banking or e-payment web sites and then send phishing e-mails to potential victims, who may be lured into visiting the phishing sites and exposing their sensitive credentials. The credentials harvested normally include bank account numbers, passwords or PINs, e-banking transaction authentication numbers (TANs), credit card numbers and security codes, social security numbers, and so forth. With the collected credentials the phishers can log in to the genuine e-banking or e-payment system and steal the victim's money.


There are also many other, more advanced forms of phishing attack, such as the following [44]:

• Phishers get phishing sites indexed by search engines (via search engine optimization tricks) and then wait for victims to visit them;

• Phishers use cross-site scripting (XSS) to inject links to phishing sites into legitimate sites;

• Spy-phishing (or malware-based phishing): phishers rely on spyware or malware such as Trojan horses and keyloggers to collect sensitive credentials;

• Pharming: phishers misdirect potential victims to phishing sites through DNS poisoning.

Phishers can also tailor the content of the phishing e-mails, and even of the phishing sites, to the targeted victims; this is called spear phishing or context-aware phishing. This kind of attack has become much easier nowadays because more and more personal information is publicly available on online social networks. The following diagram shows the information flow of a typical phishing attack [44]:


Fig 3.1.5: Information flow of a typical phishing attack

The figure shows seven distinct steps; cutting any one of them stops the phishing attack [44].


TYPES OF PHISHING ATTACKS:

i) Spoofing E-Mails and Web Sites

Phishing attacks fall into several categories [42]:

a) By Spoofing Emails

Phishing of this kind exploits people's sympathy in the form of aid-seeking e-mails; the e-mail acts as the bait. These e-mails usually ask the reader to visit a link that appears to lead to a charitable organization's web site, but in truth leads to a web site that installs a Trojan program on the reader's computer. Users should therefore not forward unauthenticated charity mails or click on unfamiliar links in an e-mail. Sometimes the link looks like a very familiar one, or one to an often-visited web site, but it is still safer to type the address yourself so as to avoid being sent to a fraudulent web site. Phishers cheat people using e-mails that resemble those sent by well-known enterprises or banks; these e-mails often ask users to provide personal information, or threaten them with the loss of some right, and they usually contain a counterfeit URL that links to a web site where the user can fill in the required information. One must also be careful when using a search engine to look for donations and charitable organizations [46]. Perhaps the most common and nasty example was the Nigerian general's widow e-mail, asking for your cooperation in transferring a huge sum into your account (strictly an advance-fee fraud, but it uses the same lure). Today the attack has been modified: the user receives an e-mail purporting to come from a bank, asking customers to update their account information. A user who has an account with that bank could easily be fooled by it and click on the "bank's" URL.


Unfortunately this takes the user to a phony web site created by the sender of the e-mail, and while the user, having entered bank account details such as username and password, is busy wondering whether he entered them incorrectly, the fake site is busy harvesting his username and password.

Such attacks are harmless as long as the user ignores and deletes the e-mail; if the user responds, his account information can be stolen [16]. The earliest phishing attacks were e-mail based and date back to the mid 1990s. They used spoofed e-mails in which attackers tried to persuade victims to send back their passwords and account information. Although such attacks may still succeed today, their success rate from the attacker's point of view is lower, because many users have learned not to send sensitive information via e-mail. One reason is that security-sensitive organizations such as banks do not provide interactive services based on e-mail in which the user has to provide a password. Most organizations, naturally, use their web sites for interactive services, because there they can rely on encryption technologies such as SSL. Hence many phishing attacks now rely on a more sophisticated combination of spoofed e-mails and web sites to steal information from victims. Such attacks are the most common form of phishing today.

b) By Websites

Phishers can write a browser script that opens a new browser window with no address bar at all, and then use simple "HTML form elements, style sheets, and JavaScript to create very real, functional imitations of the browser's address bar". In an even less complicated scheme than a spoofed address bar, the phisher registers a cousin domain name for the fraudulent web site. A cousin domain name closely resembles the domain name of the legitimate institution but carries a slight modification; for example, a phisher could register www.eastern-bank.com to impersonate www.easternbank.com.


Malware attacks cover the installation and execution of malicious software on a victim's personal computer [41]. In a typical spoofed-web-site attack, the attackers send a large number of spoofed e-mails, which appear to come from a genuine organization such as a bank, to random users and urge them to update their personal information. The victims are then directed to a web site under the attacker's control. This site looks and feels like the familiar online banking web site, and users are asked to enter their personal information. Because the victims interact directly with a web site they believe they know, the success rate of such attacks is much higher than that of e-mail-only phishing attempts.

c) By Instant Messaging Systems

Attackers have also started using instant messaging systems such as ICQ and infrastructures such as Internet Relay Chat (IRC) to persuade and direct users to spoofed web sites. Once the victim follows a spoofed link, attackers employ various techniques to avoid raising suspicion and to present the phishing web site as authentically as possible. For example:

i) URLs and host names that are obfuscated and shaped so that they look valid to inexperienced users;

ii) real logos and corporate identity elements taken from the genuine web site. Some attacks also use hidden frames and images, as well as JavaScript code, to control the way the page is rendered in the victim's browser.


ii) Exploit-Based Phishing Attacks

Some phishing attacks are technically more sophisticated and exploit well-known vulnerabilities in popular web browsers such as Internet Explorer to install malicious software, i.e., malware that collects sensitive information about the victim. For example, a keylogger might be installed that logs all keystrokes whenever the user visits a certain online banking web site. Another possibility is for the attacker to change the proxy settings of the user's browser so that all web traffic the user initiates passes through the attacker's server, a typical man-in-the-middle attack. Against exploit-based phishing, as well as other threats directly related to browser security such as worms, Trojans and spyware, browser manufacturers need to make sure that their software is free of such bugs and that users are up to date on the latest security fixes.

A real-world example of a spoofed-web-site phishing attack: on February 18th 2005, a mass e-mail was sent to thousands of Internet users asking them to verify their Huntington online banking account details. The e-mail claimed that the bank had a new security system and that account verification was necessary. The attackers had apparently inserted what looked like the legitimate URL https://onlinebanking.huntington.com/login.asp of the bank's online banking web site. However, the link actually pointed to a spoofed page on a server with the IP address 210.95.56.101. The aim of the attack was to steal the victim's account credentials, credit card information, and personal information such as the social security number. Once the victim entered the requested information, the phishing site redirected to the legitimate bank's web site [42].
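Added example, not part of the original text: a small Python analyser that applies the checks a mail gateway or a cautious user would apply to the links in a message like the Huntington one above, and to the cousin-domain trick described under "By Websites". It extracts each anchor's href and visible text, then flags a raw IP address as host, a userinfo@ prefix that hides the real host, visible text naming a domain different from the href's, and cousin domains of a constructed list of legitimate brand domains. The sample message body, the brand list and the evil.example host are constructed; the public-suffix handling is a deliberate two-label approximation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand domains treated as legitimate (constructed list for this demo).
LEGIT_DOMAINS = ("easternbank.com", "huntington.com")

# Constructed sample message. The IP address and the Huntington URL are the ones
# quoted in the text; evil.example and eastern-bank.com are placeholders.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:
<a href="http://210.95.56.101/login.asp">https://onlinebanking.huntington.com/login.asp</a></p>
<p><a href="https://www.eastern-bank.com/">Eastern Bank online</a></p>
<p><a href="https://huntington.com@evil.example/">huntington.com</a></p>
<p><a href="https://www.easternbank.com/">Eastern Bank</a></p>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels; an approximation that ignores the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character cousin domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def text_mismatch(host, text):
    """Visible text that names a domain different from where the href really goes."""
    m = HOST_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        return ["link text domain differs from href domain"]
    return []


def analyse_link(href, text):
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if IPV4.fullmatch(host):
        findings.append("raw IP address as host")
        return findings + text_mismatch(host, text)   # no cousin check for bare IPs
    if parts.username is not None:
        findings.append("userinfo@ prefix hides the real host")
    findings += text_mismatch(host, text)
    dom = registrable_domain(host)
    for legit in LEGIT_DOMAINS:
        if dom == legit:
            continue
        if dom.replace("-", "") == legit or edit_distance(dom, legit) <= 2:
            findings.append("cousin domain of " + legit)
    return findings


def analyse_html(html):
    """Map each href in the message to its list of findings (empty = nothing odd)."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: analyse_link(href, text) for href, text in extractor.links}
```

The first sample link reproduces the Huntington case exactly: legitimate-looking text, raw IP in the href. The edit-distance threshold of two is deliberately loose and would need a public-suffix list and an allow-list of the bank's own subdomains before use on real mail.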

3.1.3.1.2 Spear Phishing

Spear phishing attacks are focused on a selected organization. The goal may be financial gain, the compromise of confidential information, or loss of confidence.


The substantial difference from ordinary phishing is the apparent source of the fake message. In spear phishing the sender appears to be authentic, and the victims usually trust him or her. The fraudster collects information on the victim from social networking web sites and other resources and uses it to generate a highly credible e-mail [45]. The attacker takes advantage of publicly available data and misuses it in a socio-technical attack. The structure of these attacks is as follows:

The attacker chooses an organization that holds valuable information. By analysing its web pages he learns about its personnel structure, employees and procedures. Personal pages and discussion forums can be used to acquire detailed information about employees.

In the next step a fake message is created whose form, content and appearance imitate genuine internal communication in the organization. In the fake message employees are asked to enter sensitive information usable for access to the internal computer network; the pretext might be, for example, the testing of a new information system. There is of course a URL leading to this "new information system" for the user's convenience. Information about the personnel structure is used to increase credibility; usually a member of the IT department figures as the sender. Trusting employees enter their information into the fake web page created by the attacker and thus give him access to the real system. Detecting a targeted attack is problematic particularly because it exploits the existing relationship between the sender of the fake message and its receiver: attackers draw on the authority of the sender's position together with the apparent legitimacy and competence of the request. Well-organized groups, rather than individual hackers, are usually behind spear phishing attacks, which form part of industrial, military and governmental espionage.


3.1.3.1.3 Vishing

Vishing (voice phishing) is a newer kind of attack that, like phishing, tricks the victim into giving away sensitive information. It is a social engineering attack against banking services carried out over the telephone system. Vishers use a war dialer configured to dial all numbers in a given area. The person answering is told that his or her credit card has been used fraudulently and is urged to dial a given number. Victims who dial it are instructed to enter their credit card number, the three-digit CVV security code and other identification credentials. After the call the visher has all the information needed to use the victim's credit card [29]. Vishing sometimes uses fake caller-ID data to make the calls appear to come from a trusted organization [39].

3.1.3.1.4 Malicious Code / Malware

A malware attack is more harmful than other forms of information security (IS) vulnerability in that its impact is generally not limited to one or a few entities; rather, it is normal for a large number of organizations to be affected at once, to a substantial degree. As mentioned, malware is short for malicious software and is typically used as a catch-all term for the class of software designed to cause damage to any device, be it an end-user computer, a server or a computer network. The term is a compound of the words malicious and software and is generally used by computer professionals to describe a variety of hostile, intrusive or annoying software. Software is considered malware on the basis of the perceived intent of its creator rather than any particular feature. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs [37].


Malware is software that fulfils the harmful intent of an attacker. Current systems for detecting malicious code (most prominently virus scanners) are largely based on syntactic signatures: a program is declared malware when one of the signatures is found in its code. Recent work has demonstrated that techniques such as polymorphism and metamorphism successfully evade commercial virus scanners, because syntactic signatures are ignorant of the semantics of the instructions [39]. The amount of malware has increased since its breakthrough in 1986, driven by new technologies, especially the Internet. The time taken by viruses to become prevalent over the years is shown in the following table [43]:

Table 3.1.1: Time taken by Virus to become prevalent over years

(Source: Orshesky, 2002)
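Added illustration (not from the thesis or the work it cites): a Python toy showing why a syntactic signature fails against a polymorphic variant and why matching after unpacking does not. The "payload" is an inert byte string; the signature, the single-byte XOR encoding and the DECODER: stub format are constructed stand-ins for real machine code and a real decoder loop, chosen so that the whole thing is harmless and runs anywhere.

```python
import os

# Constructed stand-in for a malicious body. In a real sample this would be the
# machine code the scanner signature was written for. Nothing here executes.
PAYLOAD = b"STEAL-KEYS-AND-EXFILTRATE"

# Hypothetical syntactic signature: a byte pattern taken from the known sample.
SIGNATURES = {"demo.stealer": b"STEAL-KEYS"}


def scan_syntactic(blob, signatures=SIGNATURES):
    """Classic signature scanner: a blob is malware iff some signature occurs in it."""
    return [name for name, sig in signatures.items() if sig in blob]


def polymorph(payload, key=None):
    """Emit a new 'variant': the payload XOR-encoded under a fresh non-zero byte,
    prefixed by a tiny decoder stub. Each variant has different bytes, so the
    static signature never matches, although the behaviour after decoding is identical."""
    if key is None:
        key = os.urandom(1)[0] % 255 + 1        # 1..255, never the identity key 0
    encoded = bytes(b ^ key for b in payload)
    return b"DECODER:" + bytes([key]) + encoded  # constructed stub format


def decode_variant(blob):
    """What an emulation or unpacking layer does: run the decoder, recover the body."""
    if not blob.startswith(b"DECODER:"):
        return blob                               # not packed by our stub, scan as-is
    key = blob[8]
    return bytes(b ^ key for b in blob[9:])


def scan_semantic(blob, signatures=SIGNATURES):
    """Signature matching applied to the unpacked body: immune to this polymorphism."""
    return scan_syntactic(decode_variant(blob), signatures)


def demo():
    """Fixed keys so the comparison is reproducible."""
    variants = [polymorph(PAYLOAD, key=k) for k in (0x01, 0x5A, 0xFF)]
    return {
        "original_syntactic": scan_syntactic(PAYLOAD),
        "variant_syntactic": [scan_syntactic(v) for v in variants],
        "variant_semantic": [scan_semantic(v) for v in variants],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Real engines generalise the second scanner into emulation, heuristic unpacking and behavioural monitoring precisely because, as the paragraph says, the bytes of a metamorphic sample carry no stable pattern to sign.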


Malware And Phishing

This is a combination of malware and phishing. Information gained by the malware can be used to increase the credibility of the phishing pages, and the malware can also affect the targeted computer itself.

3.1.3.1.5 Pharming

Pharming can be defined as a method in which weaknesses in DNS server software are misused to redirect a web site's traffic to a fake site. This form of attack gives the user no prior warning: the user simply enters the URL of his bank's web site, but instead of being taken to the bank's site he is automatically redirected to the fake one. In DNS-based pharming, therefore, scammers never need to access the user's machine at all [16]; the hosts-file variant described later in this section is the exception, since it requires a foothold on the machine. Users can protect their information and transactions by keeping antivirus and anti-hacking software installed and up to date.

Difference between Phishing and Pharming

Phishing lures the target to a particular web site through an e-mail, while pharming is even more dangerous because it does not even let the target know that an attack is in progress [16].

Redirecting a user automatically to another site through DNS poisoning: If the attacker can gain access to the user's DNS server and replace the IP address recorded for the bank's web site with the IP address of his own web site, the user is automatically redirected to the fake web site instead of the original one. So the humble DNS server, which nobody suspects of doing anything, becomes the target of the attack in pharming. The technique is called DNS poisoning.


Many broadband service providers use simple Ethernet cables, hubs and switches to extend Internet access to their subscribers. In such a setup it is very easy for one subscriber to see the others' traffic. Someone with malicious intent can use DNS spoofing software to redirect requests for specific web sites elsewhere. This can even happen on corporate networks [16].

Redirecting a user automatically to another site through the hosts file: There is another, easier way of taking the user automatically to a fake bank web site: tampering with a tiny file that sits on most desktop machines, known as hosts. It is nothing but a file that maps host names to IP addresses. Whenever we try to access a web site, the machine first checks the hosts file to see whether it already contains the IP address for that host name, so if someone maps a fake IP address to the bank's host name in the hosts file, the user is redirected to a fake web site. For example, one Trojan prevents us from updating our antivirus software simply by mapping the host names of all the antivirus vendors' sites to 127.0.0.1, which is our own local machine. This kind of Trojan can arrive as an attachment to a nicely written e-mail [16].
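Added example (not from the original): a Python audit of the hosts file for exactly the two tricks just described, names sinkholed to the loopback address and a bank host name pinned to a foreign address. The sample hosts content, the watch-list suffixes and the .example vendor names are constructed; audit_system_hosts() reads the real file at the standard Linux or Windows path.

```python
import ipaddress
import os

# Constructed sample hosts file modelled on the Trojan described in the text:
# antivirus update sites pinned to loopback and a bank name pinned to a
# foreign address. The .example names and 203.0.113.45 are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.example   # added by the Trojan
127.0.0.1       liveupdate.av-vendor.example
203.0.113.45    www.easternbank.com
192.168.1.10    printer.lan
"""

# Names that have no business being resolved by a local hosts entry on an
# ordinary workstation: antivirus vendors' domains and the bank's domain.
WATCHLIST_SUFFIXES = ("antivirus-vendor.example", "av-vendor.example", "easternbank.com")
LOOPBACK_OK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (line number, ip, name) for every name on every well-formed entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments, as the resolver does
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed line, ignored by the resolver too
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return (line, name, ip, reason) for every suspicious entry."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)
        if ip.is_loopback and name not in LOOPBACK_OK:
            findings.append((lineno, name, str(ip), "sinkholed to loopback"))
        elif watched:
            findings.append((lineno, name, str(ip), "watch-listed name pinned to " + str(ip)))
    return findings


def audit_system_hosts(path=None):
    """Audit the real hosts file at its standard location."""
    if path is None:
        path = r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

The loopback rule is the general one: on a workstation, the only names that should ever resolve to 127.0.0.1 or ::1 are the localhost aliases, so anything else pointing there is either developer tooling or an update-blocking Trojan. The watch-list rule catches the bank case, where the address is foreign rather than loopback and only knowledge of which names belong to the bank tells you the entry is wrong.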

Fake Bank Sites Are Easy To Create

After redirecting users to another IP address, the scammers only have to ensure that they have a web site that looks and functions exactly like the original bank's. All web sites are built from web technologies such as HTML, ASP, JSP, XML, etc. Another factor that helps scammers create the fake site is that they can view the source code of all the bank's web pages. In Internet Explorer, for example, the source can be seen by choosing Source from the View menu. This shows the source code of the entire web page regardless of whether it was served over plain HTTP or over HTTPS (the "s" stands for secure): HTTPS protects the page in transit, not its contents from the recipient.


Web pages can also easily be saved and hosted on another web server using a simple tool such as FrontPage or even Notepad. In a few minutes, all the scammer has to do is ensure that the script behind the login button extracts the username and password and sends them to another destination. Thus the entire process of redirecting a request for a URL to another location is not difficult, and the saddest part is that it can all be done with freely available tools [16].

3.1.3.1.6 Skimming

A skimmer is a card-swipe device that reads the information on a consumer's ATM card. Scammers fit a skimmer to an ATM, ready to copy data from unsuspecting customers, and capture the PIN through a small camera mounted on the ATM. Fraudsters then make imitation ATM cards from the skimmed data: they take a blank card and encode onto it all the information read from the ATM card when it was swiped [13].

3.1.3.1.7 Spoofing

The attacker creates a false context to trick users into making an inappropriate security-relevant decision. For example, false ATM machines have been set up; once the attackers have the card data and the PIN they have enough information to steal from the account [13].

3.1.3.1.8 Credit Card Frauds

Credit card fraud is widespread as a means of stealing from banks, merchants and clients. A credit card is made of three plastic sheets of polyvinyl chloride; the central sheet is known as the core stock. The cards are of a standard size and much data is embossed on them. Credit card fraud manifests itself in a number of ways, as discussed below [13]:


• Genuine cards are manipulated

• Genuine cards are altered

• Counterfeit cards are created

• Fraudulent telemarketing is done with credit cards.

• Genuine cards are obtained on fraudulent applications in the names / addresses of

other persons and used.

3.1.3.2 On-Line Credential-Stealing Attack

In this type of attack the attacker intercepts in-session credentials as they move between the client PC and the banking server. The online channel-breaking attack scenario is shown in the following figure [36]:


Fig 3.1.6: Online Channel-Breaking Attack Scenario

3.1.3.2.1 Spyware / Key loggers / Keystroke Logging Worms

This is the best-known kind of attack. The attacker attempts to place an unauthorized program on the user's computer that records all the user's keystrokes as they are typed. The captured information is then sent to an unauthorized person, who scans it for the user's online banking details [16].


Thus key loggers are malicious software designed to record user input events and activities. Executing as a device driver, a key logger monitors keyboard and mouse input [41].

3.1.3.2.2 Trojans / Back-Door Trojans

This is another kind of attack; the purpose of these threats is to place an unauthorized program onto the user's computer that enables a remote hacker to gain unauthorized access to it. The unauthorized scammer then has the ability to monitor everything the user does via the computer while it remains infected [16].

3.1.3.2.3 In Session Phishing Attacks

This technique is a sophisticated and highly effective next-generation phishing attack that is carried out while a user is in an active session with a secure banking, brokerage, or other sensitive web application. Various utilities allow fraudsters to copy the login page of any bank and set up a fraudulent website within minutes. Once the website is up and running the criminals can start inviting people to "login", usually using emails pretending to be sent by the targeted bank. The biggest challenge phishers now face is convincing users to open these malicious email messages and click on the links that lead to the fraudulent websites. Users are growing more sensitive to security threats and are more suspicious of emails from the "bank". An in-session phishing attack occurs while the victim is logged onto an online banking application and is therefore much more likely to succeed. A typical attack scenario would occur as follows. A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites.


A short time later a popup appears, allegedly from the banking website, which asks the user to retype their username and password because the session has expired, or to complete a customer satisfaction survey, or to participate in a promotion, etc. Since the user has recently logged onto the banking website, he/she will likely not suspect that this popup is fraudulent and will thus provide the requested details. For in-session phishing attacks to succeed the following conditions are required [45]:

1. A base website must be compromised from which the attack can be launched.

2. The malware injected on the compromised website must be able to identify which website the victim user is currently logged on to.

The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. Each one of them can be used as a base for this attack. Once the website is compromised, the attacker injects code into the website. This code does not change the appearance of the website and does not download malware to the user's PC; therefore it is very hard to detect. The code is designed to search for online banking websites that visitors are currently logged onto, and to present them with a popup that claims to be from the banking website they are logged on to. These popups ask for login and personal information.

Identifying websites to which the user is currently logged on is harder to achieve, but not impossible. For example, in 2006 the blog post http://ha.ckers.org/blog/20061108/detecting-states-ofauthentication-with-protected-images/ discussed one method that attempts to load images that are only accessible to logged-in users. If the offensive website code is capable of loading the image, this confirms the user is logged on; if it fails, the user is not logged on. However, most websites do not protect images with a login. Instead they are stored on a different server that does not require authentication.


Recently Trusteer CTO Amit Klein and his research group discovered a vulnerability in the JavaScript engine of all leading browsers (Internet Explorer, Firefox, Safari, and Chrome) which allows a website to check whether a user is currently logged onto another website. The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer, and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites, use this function and can be traced.

To protect themselves from in-session phishing attacks, Trusteer recommends that users [45]:

1. Deploy web browser security tools.

2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites.

3. Be extremely suspicious of popups that appear in a web session if you have not clicked a hyperlink.

One example of a phishing mail is shown in the following figure [45]:


Fig 3.1.7- Recent Phishing Email

3.1.3.2.4 Hacking Tricks Towards Security On Network Environments

Hacking tricks, when successfully carried out, can cause considerable loss and damage to users. Hacking tricks fall into three categories [46]:

(1) Trojan programs that share files via instant messenger, together with eavesdropping and Denial of Service (DoS)

(2) Phishing or fraud via e-mails.

(3) Fake websites.


3.1.3.2.5 Distributed Deny Of Service Attack Of Botnet

Online criminals can use a virus to take control of large numbers of computers at a time, and turn them into "zombies" that can work together as a powerful "botnet" to perform malicious tasks. Botnets, which can control huge numbers of zombie computers, can distribute spam e-mail, spread viruses, attack other computers and servers, and commit other kinds of crime and fraud. According to a report from Russia-based Kaspersky Labs, botnets currently pose the biggest threat to the Internet. The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a web site, which can be closed down by having to handle too much traffic: a Distributed Denial-of-Service (DDoS) attack [29].

3.1.3.2.6 Payment Recipient Scams

The criminals who carry out online fraud require payment recipients and bank accounts through which they can direct funds and launder their money. Innocent parties have been deceived into assisting the fraudsters to carry out these crimes in several ways, such as:

• Advertisements are placed with employment agencies for financial or account staff. After applicants have been notified of their appointment to the role, they are asked to receive and distribute funds on behalf of the company via their personal accounts.

• People have been approached via email or chat rooms where they have been asked to facilitate international funds transfers, due to costs or restrictions on doing these transactions overseas, and in return receive a percentage of these funds.


Thus money laundering is a serious crime, and people involved in these scams can be held personally liable for lost funds as well as being prosecuted [45]. To fight against the various types of attacks several methods are being used, but none can be considered 100% effective. In the following diagram the status of all kinds of attacks compared to security is shown [35]:

Fig 3.1.8: Status of Various Attacks Compared to Security


3. MATERIALS & METHODS

3.2 SECURITY MEASUREMENT STRATEGIES

3.2.1 Preface

3.2.1.1 Key Components for E-Banking

3.2.1.2 Security Mechanism Towards E-Banking Authentication Methods

3.2.2 Antivirus Techniques

3.2.2.1 Virus Scanning

3.2.2.2 Behavior Checkers

3.2.2.3 Integrity Checkers

3.2.2.4 Firewalls

3.2.2.5 Intrusion Detection System (IDS)

3.2.2.6 Intrusion Prevention System (IPS)

3.2.2.7 Honey Pots

3.2.3 Anti-Phishing Approach

3.2.3.1 Browsers Alerting Users to Fraudulent Websites

3.2.3.1.1 PwdHash

3.2.3.1.2 Spoof Guard

3.2.3.1.3 VeriSign

Security Measurement Strategies 82

3.2.4 Common Strategies Used For Secured Authentication

3.2.4.1 Authentication Using Passwords

3.2.4.2 One Time Password (OTP) Generators

3.2.4.3 Challenge / Response (C / R) Calculators

3.2.4.4 Two Factor Authentications

3.2.4.5 Smartcard System

3.2.4.6 Chip Card Readers

3.2.4.7 Conventional Encryption Schemes

3.2.4.8 Public Key Encryption

3.2.4.9 Digital Signature

3.2.4.10 Secure Socket Layer (SSL)

3.2.4.11 Secure Electronic Transaction (SET)

3.2.4.12 Pretty Good Privacy (PGP)

3.2.4.13 Kerberos

3.2.4.14 Cryptographic Authentication

3.2.4.15 Public Key Infrastructure (PKI)


3.2.4.16 Public-Key Cryptosystems (PKC)

3.2.4.16.1 Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Crypto Systems

3.2.4.16.2 Elliptic Curve Cryptography (ECC)

3.2.4.17 Biometric

3.2.4.18 MeCHIP

3.2.5 Comparison Between Hardware-Based System Solution And Software Based System Solution

3.2.1 PREFACE

The statistics do not lie: more and more people are doing only e-banking. When it comes to the future of banking, there is a variety of predictions. The majority of individuals predict consumers with embedded chip implants. Using such a chip implant, a customer simply walks into the store, swipes and views his balance instantaneously. To provide safe and secure e-banking, many banks have adopted various technologies for encryption so that users' personal information can be protected from unauthorized access. In the introductory part of this chapter we introduce the key components for e-banking and the security mechanisms towards e-banking authentication. In the second part of the chapter we discuss antivirus techniques like virus scanning, behavior checkers, integrity checkers, firewalls, IDS, IPS and honey pots.


In the third part we discuss anti-phishing approaches, namely browsers that alert users to fraudulent websites, covering PwdHash, Spoof Guard and VeriSign. In the fourth part of this chapter we throw some light on common strategies used for secured authentication, for example authentication using passwords, OTP generators, C / R calculators, two factor authentication, smartcard systems, chip card readers, conventional encryption schemes, PKE, digital signatures, SSL, SET, PGP, Kerberos, cryptographic authentication, PKI, PKC, Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Crypto Systems, ECC, biometrics and MeCHIP. Finally we end the chapter with a comparison between hardware-based system solutions and software-based system solutions.

3.2.1.1 KEY COMPONENTS FOR E-BANKING

Each authentication method has its strengths and weaknesses, which need to be weighed by the bank, including the impact on customers. Key components that will help to maintain a high level of public confidence in an open network environment include [8]:

1. Security

2. Authentication

3. Trust

4. Non-repudiation

5. Privacy

6. Availability

1. Security: Security is an issue in Internet banking systems. Hardware or software "sniffers" can obtain passwords, account numbers, credit card numbers, etc., regardless of the means of access. National banks therefore must have a sound system of internal controls to protect against security breaches for all forms of electronic access.


A sound system of preventive, detective, and corrective controls will help assure the integrity of the network and the information it handles. Firewalls are frequently used on Internet banking systems as a security measure to protect internal systems and should be considered for any system connected to an outside network. Firewalls are a combination of hardware and software placed between two networks through which all traffic must pass, regardless of the direction of flow. They provide a gateway to guard against unauthorized individuals gaining access to the bank's network. The simple presence of a firewall does not assure logical security, and firewalls are not impenetrable: firewalls must be configured to meet a specific operating environment, and they must be evaluated and maintained on a regular basis to assure their effectiveness and efficiency.

2. Authentication: It is another issue in an Internet banking system. Transactions on the Internet or any other telecommunication network must be secure to achieve a high level of public confidence. Banks typically use symmetric (private key) encryption technology to secure messages and asymmetric (public/private key) cryptography to authenticate parties. Asymmetric cryptography employs two keys: a public key and a private key. These two keys are mathematically tied, but one key cannot be deduced from the other. For example, to authenticate that a message came from the sender, the sender encrypts the message using their private key. Only the sender knows the private key. But, once sent, the message can be read only using the sender's public key. Since the message can only be read using the sender's public key, the receiver knows the message came from the expected sender.

Internet banking systems should employ a level of encryption that is appropriate to the level of risk present in the systems. Thus, a national bank should conduct a risk assessment in deciding upon its appropriate level of encryption. A common asymmetric cryptography system is RSA, which uses key lengths up to 1,024 bits.


By using the two forms of cryptography together, symmetric to protect the message and asymmetric to authenticate the parties involved, banks can secure the message and have a high level of confidence in the identity of the parties involved. Biometric devices are an advanced form of authentication. These devices may take the form of a retina scan, finger or thumb print scan, facial scan, or voice print scan. Use of biometrics is not yet considered mainstream, but may be used by some banks for authentication. Examiners should evaluate biometric activities based on management's understanding of risks, internal or external reviews, and the overall performance of these devices.

3. Trust: It is another issue in Internet banking systems. A trusted third party is a necessary part of the process. That third party is the certificate authority. A proper mix of preventive, detective, and corrective controls can help protect national banks from these pitfalls. Digital certificates may play an important role in authenticating parties and thus establishing trust in Internet banking systems.

4. Nonrepudiation: It is the undeniable proof of participation by both the sender and receiver in a transaction. It is the reason public key encryption was developed, i.e., to authenticate electronic messages and prevent denial or repudiation by the sender or receiver.

5. Privacy: Privacy is a consumer issue of increasing importance.

6. Availability: Availability is another component in maintaining a high level of public confidence in a network environment. All of the previous components are of little value if the network is not available and convenient to customers. Users of a network expect access to systems 24 hours per day, seven days a week.
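The authentication step described under component 2 above (the sender transforms a message with the private key, the receiver checks it with the public key) can be made concrete with textbook RSA. The following is an added example, not code from the thesis or any of the works it cites. It uses two tiny constructed primes so the arithmetic is visible; the message and all names are assumptions. Real deployments use key lengths of 1,024 bits and above, a padding scheme such as RSA-PSS, and a vetted library, never this code.

```python
"""Added example (not part of the thesis): textbook RSA signing and verification
with deliberately tiny primes, to show why the receiver can trust that a message
checked with the sender's public key came from the holder of the private key.
Primes, message and key sizes are constructed for the demonstration only."""
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). p and q must be distinct primes with gcd(e, phi) = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the RSA group (toy: no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender side: only the holder of d can produce this value for the digest."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: undo the private-key transform with the public exponent and
    compare against a fresh digest. Any change to message or signature fails."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


# constructed toy parameters: two 20-bit primes, far too small for real use
PUBLIC_KEY, PRIVATE_KEY = make_keypair(1000003, 999983)

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"   # constructed message
    sig = sign(msg, PRIVATE_KEY)
    print("valid:", verify(msg, sig, PUBLIC_KEY))
    print("tampered:", verify(b"transfer 1000 to account 42", sig, PUBLIC_KEY))
```

The failing second check is the non-repudiation property the text relies on: without d, nobody can produce a value that the public exponent maps back to the digest of a different message.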


3.2.1.2 SECURITY MECHANISM TOWARDS E-BANKING AUTHENTICATION METHODS

A system for remote authentication should consider at least a few of the following security mechanisms [63]:

I) User Secure Authentication (Identity Proof): The system should provide secure identification and user authentication using a password or another mechanism. Users' unique account access and transaction capabilities are provided by user authentication.

II) Safe Confidentiality of Transferred Data: Eavesdropping on the communication between the client and his bank is avoided by the confidentiality mechanism.

III) Integrity of Transferred Data: Providing an integrity mechanism ensures that information transferred between the bank and its client can't be forged or modified by an attacker.

IV) Undeniable Responsibility For Transactions Made: This mechanism ensures that the message sender is responsible for the message he has sent and cannot deny that he has sent it. The typical use of this mechanism is in active transactions, where the client sends a transaction message to his bank. The receiver of the transaction message (the bank) can easily prove that this message was created and sent by the specific client, and this client can't deny responsibility for it. The most common way to provide this mechanism is an electronic signature.


Modern ways of authentication, such as smart cards, authentication calculators, biometric authentication and cryptographic authentication, should remove the weaknesses of authentication by password. Some of them are called one-time password systems. For example, a smart card or authentication calculator generates the challenge, which is used instead of a password. The authentication calculator, or smart card, cooperates with the workstation, and the generated challenge is unique for each authentication. That is why this challenge is useless to an attacker [63].

The second problem related to identity is one that can only be solved after authentication is solved. This problem is called expression of will. In some applications it is necessary to maintain and clearly express the will of the user, by which the user expresses his will to carry out some transaction. This expression of will must be [63]:

• Clear in identity and attributes

• Capable of representing the will of the user

• Auditable and unimpugnable

One of the main problems noticed here is the huge difference between human non-digital communication and computer communication. Human non-digital communication uses different mechanisms for identification and for expression of will, like a name, a password, a handwritten contract, etc., than electronic or digital communication does. Electronic or digital communication uses other means for identification and expression of will, such as the digital signature or the other authentication methods mentioned in this article.

Other Security Measures

Most Internet banks offer other protective measures to ensure your information is kept safe and secure. Some examples of other security measures in place include:


Secure Logins: You create your own online access account number and code, which you need each time you log in.

Limited Logins: Many banks limit the number of times you can attempt to log in per day and lock you out if you exceed this, so that someone can't easily attempt to break your login code.

Limited Sessions: Most banks offer limited sessions that require you to log in again after you have been inactive for a period of time, preventing anyone from viewing your information if you leave your computer for too long.
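The "Limited Logins" and "Limited Sessions" measures above are simple to state but have a few details worth getting right (failures that count only within a window, a lockout that does not itself leak the password check, sessions that expire and cannot be revived). The following is an added example, not code from the thesis or any bank's implementation. The class name, the thresholds (five failures per day, ten minutes of inactivity) and the sample account are assumptions.

```python
"""Added example (not part of the thesis): a minimal implementation of the
"Limited Logins" and "Limited Sessions" measures: a per-day failed-attempt
limit with lockout, and an inactivity timeout on sessions. Names, thresholds
and sample credentials are assumptions made for the demonstration."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES_PER_DAY = 5         # assumed lockout threshold
DAY_SECONDS = 24 * 60 * 60
SESSION_IDLE_SECONDS = 10 * 60   # assumed inactivity timeout


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginPolicy:
    def __init__(self, credentials: dict):
        """credentials: username -> password (constructed input); only the
        salt and hash are retained."""
        self._creds = {}
        for user, pw in credentials.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, hash_password(pw, salt))
        self._failures = {u: [] for u in credentials}      # recent failure times
        self._locked_until = {u: 0.0 for u in credentials}
        self._sessions = {}                                # token -> (user, last_activity)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def login(self, user: str, password: str, now: float):
        """Return a session token on success, None on failure or lockout."""
        if user not in self._creds or self.is_locked(user, now):
            return None
        # only failures from the last day count toward the limit
        recent = [t for t in self._failures[user] if now - t < DAY_SECONDS]
        salt, expected = self._creds[user]
        if not hmac.compare_digest(hash_password(password, salt), expected):
            recent.append(now)
            self._failures[user] = recent
            if len(recent) >= MAX_FAILURES_PER_DAY:
                self._locked_until[user] = now + DAY_SECONDS   # lock for a day
            return None
        self._failures[user] = []
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now)
        return token

    def touch(self, token: str, now: float):
        """Return the session's user and refresh its activity time, or None if the
        session is unknown or idle too long. Expired sessions are deleted so a
        stale token cannot be revived by a later request."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last = entry
        if now - last > SESSION_IDLE_SECONDS:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, now)
        return user
```

Two design points: failures are stored as timestamps rather than a counter so the daily window is exact, and a locked account is rejected before the password is checked, so an attacker cannot keep testing candidates while the lockout is in force.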

When exploring solutions, users can minimize risk by improving password complexity; implementing security measures such as personal firewalls, anti-spyware, anti-phishing features and an up-to-date antivirus application; and installing the most current client software, browsers and operating system patches and updates.

As technology evolves, end users will be able to minimize risk through trusted federated directory structures and stronger authentication and cryptographic applications. The solutions to the security issues require the use of software-based systems, hardware-based systems or a hybrid of the two. Due to the need to fight money laundering, nowadays most financial institutions maintain AML (anti-money laundering) software as part of the e-banking system to monitor transactions and detect suspicious money laundering activities [44]. In the coming sections we discuss some antivirus techniques for locating and eliminating viruses, but none of these has proven to be 100% effective, and therefore there is actually no way to know if our system is free of viruses [31].


3.2.2 ANTIVIRUS TECHNIQUES

Antivirus software has been the chief defense mechanism since viruses first appeared. Most antivirus solutions are comprehensive security solutions that can be centrally monitored. They can also be configured to remove administrative rights from client machines. Antivirus programs normally manage the life cycle of viruses in four steps [43]:

1. Prevention or avoidance of a virus outbreak;

2. Suppression or control of a virus outbreak;

3. Reinstallation of the affected nodes; and

4. Reporting and alerting all the complementing perimeter security systems.

3.2.2.1 VIRUS SCANNING

Scanning for viruses is the oldest and most popular method for locating viruses. In this method scanners search for specific code which is believed to indicate the presence of a virus. Scanners have an important advantage over other types of virus protection in that they allow one to catch a virus before it ever executes on our computer. Depending on the virus type, the anti-viral software will search only in .COM files, or .EXE files, or in the boot sector. Long ago, in the late 1980s, when there were only a few viruses floating around, it was easy to write a scanner. At present, with thousands of viruses, and many being written every year, keeping a scanner up to date is a major task. Another major problem is that, from the moment the virus is created to when the antiviral software is able to detect it, it can spread and cause a lot of damage [31].
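The mechanics of such a scanner, and the update problem the paragraph ends on, are easy to see in a few lines. The following is an added example, not code from the thesis or from any antivirus product. The "signatures" are byte patterns constructed for the demonstration, not real malware signatures, and the scanned files are constructed too.

```python
"""Added example (not part of the thesis): a minimal signature scanner of the
kind described above. SIGNATURES is a constructed database of byte patterns
invented for the demonstration; the files scanned are constructed as well."""
import os
import tempfile

# constructed signature database: name -> byte sequence believed to indicate a virus
SIGNATURES = {
    "Demo.Sample.A": b"\xde\xad\xbe\xef-DEMO-SIG-A",
    "Demo.Sample.B": b"DEMO-SIG-B\x00\x01\x02",
}
# as in the text, the scanner looks only at executable file types
SCANNED_SUFFIXES = (".com", ".exe")


def scan_bytes(data: bytes) -> list:
    """Names of all signatures that occur anywhere in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_file(path: str) -> list:
    """Scan one file, skipping types the database does not cover."""
    if not path.lower().endswith(SCANNED_SUFFIXES):
        return []
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def scan_tree(root: str) -> dict:
    """Map each matching file (path relative to root) to the signatures found."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


def demo() -> dict:
    """Scan a constructed directory; shows one hit and two blind spots."""
    files = {
        "clean.exe": b"MZ constructed ordinary program bytes",
        "infected.exe": b"MZ " + SIGNATURES["Demo.Sample.A"] + b" trailing bytes",
        # one byte of the pattern differs: a scanner whose database has not been
        # updated for this variant misses it, the update problem the text raises
        "variant.exe": b"MZ " + b"\xde\xad\xbe\xef-DEMO-SIG-X" + b" trailing bytes",
        # contains a known pattern but is not an executable, so it is never opened
        "notes.txt": SIGNATURES["Demo.Sample.B"],
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Only infected.exe is reported. The two misses are not bugs in the scanner; they are the two limits the text names: detection is only as current as the signature database, and a scanner only looks where it has been told to look.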


3.2.2.2 BEHAVIOUR CHECKERS

A behavior checker is a memory-resident program that a user loads from the autoexec.bat file; it then sits in the background looking for unusual, virus-like activity and alerts the user when it takes place. But even this is not enough to detect all possible viruses [31].

3.2.2.3 INTEGRITY CHECKERS

Integrity checkers simply monitor for changes in files. Typically, an integrity checker builds a log that contains the names of all the files on a computer and some type of characterization of those files. That characterization may consist of basic data like the file size and date/time stamp, as well as a checksum, CRC, or cryptographic checksum of some type. Each time it runs, the checker examines each file on the system and compares it with the characterization it made earlier. An integrity checker will catch most changes to files made on your computer, including changes made by computer viruses. But there could be thousands of viruses on our computer and the integrity checker would never tell us, as long as those viruses did not execute and change some other file. Moreover, the problem is that this method does not assure that the software has not been infected on its way from the programmer's computer to the final user's computer. Therefore, it is a good system for controlling the reproduction of viruses, but it cannot do a thing against programs that are installed infected from the first moment. Moreover, a virus installed as a Trojan horse can modify the code of the antiviral so that it will not detect any virus and we will think that the system is free of viruses [31].
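The characterization-and-compare cycle the paragraph describes is shown below as an added example; it is not code from the thesis or from any product it cites. SHA-256 is my choice for the cryptographic checksum; the directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not part of the thesis): a small file-integrity checker of the
kind described above. It records size, modification time and a SHA-256 digest
for every file under a directory, keeps that baseline, and on a later run reports
what was added, removed or modified. All paths and contents are constructed."""
import hashlib
import json
import os
import tempfile


def characterize(path: str) -> dict:
    """Size, timestamp and cryptographic checksum for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Characterize every regular file below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = characterize(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots. The digest alone decides
    "modified": a changed timestamp with an identical digest is reported
    separately, because timestamps can be reset but the digest cannot be."""
    both = set(baseline) & set(current)
    modified = [p for p in both if current[p]["sha256"] != baseline[p]["sha256"]]
    touched = [p for p in both if p not in modified
               and current[p]["mtime"] != baseline[p]["mtime"]]
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(modified),
        "timestamp_only": sorted(touched),
    }


def demo() -> dict:
    """Baseline a constructed tree, alter it the way an infection would, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"constructed: original program bytes")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"constructed: documentation")
        # the stored baseline; in practice kept on read-only media so that the
        # Trojan-horse case the text mentions cannot rewrite it
        stored = json.dumps(build_baseline(root))

        # simulated changes: the executable gains appended code, a new file
        # appears, and the readme is deleted
        with open(os.path.join(root, "bin", "app.exe"), "ab") as f:
            f.write(b" + appended code")
        with open(os.path.join(root, "dropped.dll"), "wb") as f:
            f.write(b"constructed: new file")
        os.remove(os.path.join(root, "readme.txt"))

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists app.exe as modified, dropped.dll as added and readme.txt as removed. As the text says, a file that was already infected when the baseline was taken is never reported, which is why the first baseline should come from a known-clean installation.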


Thus antivirus is a good way to protect against viruses, but since signatures are used with the antivirus database, the antivirus is unable to discover new attacks until and unless we update the database of the existing antivirus periodically. Besides this, antivirus stays helpless against different kinds of attacks like hijacking, Denial of Service, etc. Therefore we need other software along with antivirus, and there is a variety of tools that can be used for this purpose, like a firewall, an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), honey pots, etc. [32].

3.2.2.4 FIREWALLS

Firewalls stop any suspicious data before it enters our system; there are three kinds of firewall and two architectures based on them, named DMZ (Demilitarized Zone). A firewall offers great advantages in the field of security but still has its limits: the main reason is that it can never close its ports totally. Certainly it must have at least one open port to communicate with the Internet, and this single port can be considered a door for attacks. This means that our computer may be under attack at any time [32].

3.2.2.5 INTRUSION DETECTION SYSTEM (IDS)

An Intrusion Detection System is used to detect the presence of an attack on our system. The alarm of the IDS is raised when an intrusion / interference has broken into the system. There are two types of IDS: HIDS and NIDS. HIDS is more reliable than NIDS because it can detect illegal access easily, but at the same time HIDS delivers all the collected information to a central computer.


This means that in an internal network, if we have a big number of machines with HIDS, it may be risky because the big flow of information could diminish the performance of the system; that's why NIDS is preferred in that kind of network, even though it could miss some illegal access that HIDS can see.

3.2.2.6 INTRUSION PREVENTION SYSTEM (IPS)

We need something that prevents attacks before they happen. An IPS identifies and stops malicious code before it penetrates our system; this type of software provides the 4th layer of the protection shield for the system.

It is advisable that the user should not eliminate the firewall from the system even if it has limited capacities compared to an IPS or IDS, because a firewall reduces the amount of bad traffic that can reach the IPS and IDS, which reduces the alarms and the suspicious data [32].

3.2.2.7 HONEY POTS

One major objective of a honey pot is to gather as much information as possible. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks. All the methods of detecting and preventing are based on known facts and known attack patterns. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Another purpose of the honey pot is to divert hackers from productive systems or to catch a hacker while conducting an attack.


Compared to an IDS, honey pots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious because no productive components are running on the system. Compared to an IPS, a honey pot doesn't prevent any attack; on the contrary, it sometimes pushes hackers to attack a system by deceiving them into believing that the system is easy to penetrate [32].

3.2.3 ANTIPHISH APPROACH

AntiPhish is an application that is integrated into the web browser. It is a novel browser extension, free for public use, with the intention of protecting inexperienced users against spoofed-website-based phishing attacks. AntiPhish tracks the sensitive information of a user and generates warnings whenever the user attempts to transmit this information to an untrusted web site.

Main Functionality of AntiPhish: The development of AntiPhish was inspired by automated form-filler applications. Most browsers, such as Mozilla or Internet Explorer, have integrated functionality that allows form contents to be stored and automatically inserted if the user desires. This content is protected by a master password. Once this password is entered by the user, a login form that has previously been saved, for example, will automatically be filled in by the browser whenever it is accessed. AntiPhish takes this common functionality one step further and tracks where this information is sent [55].


3.2.3.1 BROWSERS ALERTING USERS TO FRAUDULENT WEBSITES

Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0, Safari 3.2, and Opera all contain this type of anti-phishing measure. Firefox 2 used Google anti-phishing software. Opera 9.1 uses live blacklists from PhishTank and GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach send the visited URLs to a central service to be checked, which has raised concerns about privacy. According to a report by Mozilla in late 2006, Firefox 2 was found to be more effective than Internet Explorer 7 at detecting fraudulent sites in a study by an independent software testing company [56]. Similar browser-based plug-in solutions were provided by Stanford University to mitigate phishing attacks [55]:

3.2.3.1.1 PwdHash

It is an Internet Explorer plug-in that transparently converts a user's password into a domain-specific password so that the user can safely use the same password on multiple web sites. A side-effect of the tool is some protection from phishing attacks: because the generated password is domain-specific, the password that is phished is not useful. The problem, however, is that the solution only works for protecting passwords and does not work for sensitive information that is needed in unaltered form by a web site, such as credit card information and social security numbers.


3.2.3.1.2 Spoof Guard

It is a plug-in solution specifically developed to mitigate phishing attacks. The main difference between Spoof Guard and AntiPhish is that Spoof Guard is symptom-based. That is, the plug-in looks for "phishing symptoms" such as similar-sounding domain names and masked links in the web sites that are visited. Alerts are generated based on the number of symptoms that are detected. AntiPhish, in comparison, is user-input-based and guarantees that sensitive information will not be transferred to a web site that is untrusted.

3.2.3.1.3 VeriSign

It has recently started to provide an anti-phishing service. The company is crawling millions of web pages to identify "clones" in order to detect phishing web sites. As another solution, several companies, like AOL, have recently announced plans to integrate blacklist-based anti-phishing support into the Netscape browser; for this, blacklists of phishing web sites are maintained, and the browser will not allow the user to connect to web sites that are blacklisted [55].

3.2.4 COMMON STRATEGIES USED FOR SECURED AUTHENTICATION

Financial institutions engaging in any form of internet banking should have effective and reliable methods to authenticate their customers. These methods include authentication using passwords, cryptographic authentication, digital certificates using public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTP), USB plug-ins, transaction profile scripts, and biometric identification. Moreover, most internet banks offer other protective measures to ensure information is safe and secure, such as secure logins, limited logins and limited sessions.


3.2.4.1 Authentication Using Passwords

Passwords are still the most common security mechanism, although it is well known that this method alone is not good enough to provide adequate protection. These passwords can be easily discovered by a dictionary attack. Online dictionary attacks are easy to detect by counting the number of failed access attempts, but offline dictionary attacks are more complex and difficult to treat. However, there are other ways to compromise these passwords. Capturing keystrokes has been used in some situations to compromise the passwords entered by users; this method works even when using a secure connection over SSL. The only password-based system that can compete with cryptographic authentication methods is the one-time-pad (OTP), where each key is disposed of after use, thus making it a dynamic password scheme. However, even these authentication methods can be compromised [47].
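The detection the paragraph above describes, counting failed access attempts, is shown below as an added example (not code from the thesis or from [47]). It goes slightly beyond the text by counting failures both per account and per source address, so that guesses spread across many accounts from one address are also caught. The log format, the account names, the addresses and the thresholds are constructed assumptions for the illustration; an offline dictionary attack, as the paragraph notes, leaves no such trail in the server log.

```python
"""Detect online password guessing from authentication log lines.

Added example, not from the thesis.  Log format and thresholds are
constructed assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real bank logs).  Assumed format:
# "<ISO timestamp> <account> <source IP> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.10 SUCCESS
2024-03-01T09:00:05 bob 198.51.100.7 FAIL
2024-03-01T09:00:06 bob 198.51.100.7 FAIL
2024-03-01T09:00:07 bob 198.51.100.7 FAIL
2024-03-01T09:00:08 bob 198.51.100.7 FAIL
2024-03-01T09:00:09 bob 198.51.100.7 FAIL
2024-03-01T09:00:10 bob 198.51.100.7 FAIL
2024-03-01T09:05:00 carol 203.0.113.22 FAIL
2024-03-01T09:09:00 carol 203.0.113.22 FAIL
2024-03-01T09:20:00 carol 203.0.113.22 SUCCESS
2024-03-01T09:30:00 dave 198.51.100.9 FAIL
2024-03-01T09:30:01 erin 198.51.100.9 FAIL
2024-03-01T09:30:02 frank 198.51.100.9 FAIL
2024-03-01T09:30:03 grace 198.51.100.9 FAIL
2024-03-01T09:30:04 heidi 198.51.100.9 FAIL
"""


def parse(log_text):
    """Turn the text log into (timestamp, account, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return ('account', name) when one account accumulates `threshold`
    failures inside `window`, and ('source', ip) when one address does so
    across any accounts (the spread-out variant a per-account counter misses)."""
    by_account = defaultdict(list)
    by_source = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "FAIL":
            by_account[account].append(ts)
            by_source[ip].append(ts)

    alerts = []
    for kind, table in (("account", by_account), ("source", by_source)):
        for key, times in table.items():
            times.sort()
            start = 0
            # Sliding window: for each failure, count the failures that fall
            # within `window` before it; alert once the count reaches threshold.
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.append((kind, key))
                    break
    return alerts


if __name__ == "__main__":
    for kind, key in failed_login_alerts(parse(SAMPLE_LOG)):
        print(f"ALERT {kind}: {key}")
```

Two failures by one customer in ten minutes (carol) stay below the threshold, six rapid failures against one account (bob) raise an account alert, and five failures from one address against five different accounts raise a source alert even though no single account exceeds the threshold. An account lockout or back-off would be applied on the account alert, and rate limiting on the source alert.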

3.2.4.2 One Time Password (OTP) Generators

This method generates codes synchronized with an application running on the server, in a way that makes it practically impossible to know the next code from the previously generated codes. In order to do so, the OTP generator and the server application share a seed that is used in the generation process. They are normally implemented as a small hardware device, but sometimes it is possible to find them in software. They are a good way to verify the identity of anyone that connects to a server. However, this is not enough for many critical operations such as bank account transfer orders, as an attacker executing code on the client’s computer can use this authentication information to place different orders with the server on behalf of the client. Hardware OTP generators are more secure than those implemented in software because they do not have to store data on the computer [47].


Similarly, in the one-time-pad scheme, other banks provide their customers with a login and one or two passwords that follow a one-time-pad scheme. This way, a different code is required for each transfer operation. For example, the customer could have a login, a table with 80 one-time-pad passwords and another table with 18 codes. The customers must keep track of the one-time-pad codes (by scratching them off, for example) so that they are able to authenticate a transaction. Sometimes this one-time-pad code must be entered to confirm a transaction after the first validation, but all of these schemes are based on the same basic idea and require the customer to buy a hardware device (a custom piece of hardware with a smart card) for accessing the service. This device allows the user to navigate on the Internet and therefore connect to the bank web server [31].

Fig 3.2.1: SMS-Short Message Service, OTP-One-Time Password
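The seed-based generator of section 3.2.4.2 and the scratch-off code table just described share one mechanism: each code is derived from a secret shared with the bank and is consumed once. The added example below (not code from the thesis or from [47] or [31]) implements the event-based HOTP algorithm of RFC 4226 for the generator side, and a server that accepts each counter value once and tolerates a few codes the customer generated but never sent. The seed is the RFC 4226 test-vector secret, chosen so the codes can be checked against the RFC; the user name and look-ahead size are assumptions.

```python
"""HOTP (RFC 4226) one-time password generation and server-side verification.

Added example, not from the thesis.  The seed is the RFC 4226 test secret so
the generated values can be checked against the RFC's appendix."""
import hashlib
import hmac
import struct

SEED = b"12345678901234567890"   # RFC 4226 test secret, shared by token and server


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    31 bits, reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpToken:
    """Client side: the hardware or software generator.  It holds the seed and
    a counter that advances every time a code is produced."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """Server side: remembers the next expected counter per user and accepts a
    code only if it matches one of the next `look_ahead` counters.  An accepted
    counter is never accepted again, so a captured code cannot be replayed."""

    def __init__(self, seeds: dict, look_ahead: int = 5):
        self.seeds = seeds
        self.counters = {user: 0 for user in seeds}
        self.look_ahead = look_ahead

    def verify(self, user: str, code: str) -> bool:
        seed = self.seeds[user]
        start = self.counters[user]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(seed, c), code):
                self.counters[user] = c + 1   # resynchronise and burn this code
                return True
        return False


if __name__ == "__main__":
    server = HotpServer({"alice": SEED})       # "alice" is an assumed user name
    token = HotpToken(SEED)
    code = token.next_code()
    print(code, server.verify("alice", code), server.verify("alice", code))
```

The second `verify` with the same code fails, which is the property the text relies on: knowing previous codes does not let an attacker submit them again, and without the seed the next code cannot be computed. What the scheme does not do, as the section notes, is bind the code to a particular transfer; malware on the customer's PC that obtains a fresh code before the customer's own request reaches the bank can spend it on a different order.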

3.2.4.3 Challenge / Response (C / R) Calculators

They take a challenge value and calculate the corresponding response, which is different for each user. A secret-key cryptographic algorithm is normally used to generate the response value. Knowledge of the correct response for a random challenge authenticates the user. This challenge can be passed to the C/R calculator either manually through a keyboard or using any other kind of communication link, such as a cable connection.


This method is equally vulnerable because the user has to rely on the computer to handle the generated C/R values, making it possible for an attacker to send data to the server using the identity of the real user [47].
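The weakness just described, and the usual remedy, are shown in the added example below (not code from the thesis or from [47]). The weak form answers a random challenge with a keyed MAC, which proves possession of the calculator's key and nothing more, so software on the PC can forward that answer with a different beneficiary. The hardened form, commonly called transaction signing, has the customer key the beneficiary and amount into the calculator together with the challenge, and the bank recomputes the response over the transfer it is actually about to execute. The key, the message layout, the account identifiers and the eight-character response length are constructed assumptions.

```python
"""Challenge/response with and without binding to the transaction details.

Added example, not from the thesis.  Key, field layout and identifiers are
constructed for the demonstration."""
import hashlib
import hmac
import os


def respond(key: bytes, data: bytes) -> str:
    """What the C/R calculator computes from what is keyed into it.  The
    truncated hex digest stands in for a short code a customer can type."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:8]


def signing_input(nonce: bytes, beneficiary: str, amount_cents: int) -> bytes:
    """Transaction-signing input: the bank's nonce plus the transfer details
    exactly as the customer intends them."""
    return nonce + b"|" + beneficiary.encode() + b"|" + str(amount_cents).encode()


class Bank:
    def __init__(self, keys: dict):
        self.keys = keys        # per-customer calculator keys (assumed pre-shared)
        self.pending = {}       # one outstanding challenge per customer

    def issue_nonce(self, user: str) -> bytes:
        nonce = os.urandom(8).hex().encode()   # displayed to the customer as the challenge
        self.pending[user] = nonce
        return nonce

    def confirm_identity_only(self, user, beneficiary, amount_cents, response) -> bool:
        """Weak: the response proves the key was used, but says nothing about
        which transfer it was meant for."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return hmac.compare_digest(respond(self.keys[user], nonce), response)

    def confirm_transaction_signed(self, user, beneficiary, amount_cents, response) -> bool:
        """Hardened: recompute over the transfer the bank is about to execute,
        so a response made for other details does not verify."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        expected = respond(self.keys[user], signing_input(nonce, beneficiary, amount_cents))
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (weak_swapped, strong_honest, strong_swapped)."""
    key = b"constructed-calculator-secret"
    bank = Bank({"alice": key})
    intended = ("NL00BANK1234", 5000)     # what the customer wants to do (constructed)

    # Identity-only C/R: the PC submits the valid response with a swapped beneficiary.
    nonce = bank.issue_nonce("alice")
    response = respond(key, nonce)
    weak_swapped = bank.confirm_identity_only("alice", "MULE-999", 5000, response)

    # Transaction signing, honest flow: calculator signs nonce + intended details.
    nonce = bank.issue_nonce("alice")
    response = respond(key, signing_input(nonce, *intended))
    strong_honest = bank.confirm_transaction_signed("alice", *intended, response)

    # Transaction signing, swapped beneficiary: the bank recomputes over the
    # swapped details and the customer's response no longer matches.
    nonce = bank.issue_nonce("alice")
    response = respond(key, signing_input(nonce, *intended))
    strong_swapped = bank.confirm_transaction_signed("alice", "MULE-999", 5000, response)
    return weak_swapped, strong_honest, strong_swapped


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The hardened form only helps if the customer sees the details on the calculator rather than on the PC screen, which is why transaction-signing readers carry their own display. Each nonce is consumed on first use, so a captured response cannot be submitted twice.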

3.2.4.4 Two-Factor Authentication

Another strategy is the use of two passwords, only random parts of which are entered at the start of every online banking session, with passwords also confirmed through tokens or SMS messages. Two-factor authentication requires a smart card and a password, and it is usable with any smart card reader. It provides strong authentication and non-repudiation for sensitive applications such as e-banking, electronic commerce, and other financial transactions. One of the popular techniques is the eToken PRO smartcard technique, which stores the user’s private keys, passwords and certificates, using 1024- or 2048-bit RSA authentication and digital signature. Examples of products providing two-factor authentication using AES (Advanced Encryption Standard) or RSA (Rivest, Shamir, and Adleman) techniques are key fobs, cards, PIN pads and USB (Universal Serial Bus) hardware. Software tokens are available for Windows, Pocket PC, Palm OS, BlackBerry, and Ericsson, Nokia, and NTT DoCoMo cell phones [35].

Fig 3.2.2: RSA (Rivest, Shamir, and Adleman) Technique


3.2.4.5 Smartcard System

The Smartcard System is a hardware device which has information encoded on a small chip on the card; identification is accomplished by algorithms based on asymmetric sequences. Each chip on the Smartcard is unique and is registered to one particular user, which makes it impossible for a virus to penetrate the chip and access the confidential data. Thus smart cards are small, portable, tamper-resistant devices providing users with convenient storage and processing capability. Because of their unique capability, smart cards are proposed for use in a wide variety of applications such as electronic commerce, identification, and health care. For many of these proposed applications, the cryptographic services offered by digital signatures would be required. To be practical for widespread use, however, smart cards also need to be inexpensive. Practical limitations in the Smartcard system prevent it from broad acceptance for major applications such as home banking or on-line distribution. One drawback of the Smartcard is that it cannot handle large amounts of information which need to be decoded. Furthermore, the Smartcard only protects the user’s private identification; it does not secure the transfer of information. For example, when the information is keyed into the banking software, a virus could attack the information, altering its destination or content.

The Smartcard would then receive this altered information and send it, which would create a disaster for the user. Nevertheless, the Smartcard is one hardware-based system that offers confidential identification [16]. The only way to break the security of this system is to steal the smart card together with the PIN code, which reduces the risk to that of an ATM [31].


Fig 3.2.3: Cryptographic Smart Card

3.2.4.6 Chip Card Readers: A third option is providing customers with chip card readers capable of generating single-use passwords unique to the customer's chip card. Many problems arise because of unprotected data transfer between clients and servers. For example, in systems such as NFS, AFS, and Windows NT, there is no authentication of file contents when information is sent between the client and server [35].

Fig 3.2.4: Chip Card Reader


3.2.4.7 Conventional Encryption Schemes

In this scheme one key is used by both parties to encrypt and decrypt the information. Once the secret key is applied, the information looks like a meaningless jumble of random characters. The file can only be viewed once it has been decrypted using the exact same key.

3.2.4.8 Public Key Encryption

In this method, there are two different keys held by the user: a public key and a private key. These two keys are not interchangeable but they are complementary to each other, meaning that they exist in pairs. Therefore, the public key can be made public knowledge and posted in a database somewhere. Anyone who wants to send a message to a person can encrypt the message with the recipient's public key, and this message can only be decrypted with the complementary private key. The private key remains on one’s personal computer and cannot be transferred via the Internet. This key is itself encrypted to protect it from hackers breaking into the personal computer.

3.2.4.9 Digital Signature

The digital signature was first proposed in 1976 by Whitfield Diffie at Stanford University. A digital signature transforms the message that is signed so that anyone who reads it can know who sent it. The use of digital signatures employs a secret key (private key) to sign messages and a public key to verify them. A message signed by the sender with the private key can only be verified with the public key; on receiving the message, the receiver decrypts the signature with the sender’s public key. This ensures that the message was actually from the appropriate person.


Besides uniquely identifying the sender, the digital signature also ensures that the original message was not tampered with in transit. The receiver can use the original hashing algorithm to create a new message digest after decrypting the message and compare the new message digest to the original digest. If they match, the receiver can be sure that the message has not been altered in transit. Because the signature contains information produced by a “one-way hashing algorithm”, it is impossible to duplicate a signature by copying the signature block to another message. Therefore, it is guaranteed that the signature is original. For example, First Digital Bank is using digital signatures in the e-banking industry to provide more secure and authentic transactions [16].

A digital signature is produced by first running the message through a hashing algorithm to come up with the message digest. Next, the message digest is encrypted with the sender’s private key, which uniquely identifies the sender of the message. Digital signature technology requires a public key infrastructure (PKI), under which each individual has a pair of private and public keys [58].
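The hash-then-sign flow of the two paragraphs above, carried through end to end, as an added example (not code from the thesis or from [16] or [58]). It uses textbook RSA with two fixed, publicly known Mersenne primes so that it runs without any third-party library; those primes, the exponent and the sample order are assumptions for the demonstration only, since a real key pair is generated at random and real signatures use a padding scheme such as PKCS#1 v1.5 or PSS rather than a bare digest.

```python
"""Hash-then-sign with textbook RSA, to illustrate the signing and
verification flow.  Added example, not from the thesis.  Fixed Mersenne
primes stand in for a generated key pair; for illustration only."""
import hashlib

# Assumed key material: 2**127-1 and 2**521-1 are known primes, so the
# modulus is ~648 bits, comfortably larger than a SHA-256 digest.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Step 1: one-way hash of the message, interpreted as an integer below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: the sender 'encrypts' the digest with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """The receiver recovers the digest with the public key and compares it
    with a fresh hash of the message as received."""
    return pow(signature, e, n) == digest(message)


def demo():
    """Returns (authentic, tampered, transplanted) verification results."""
    order = b"Transfer 500.00 to account 12345"           # constructed sample order
    sig = sign(order)
    authentic = verify(order, sig)                                     # True
    tampered = verify(b"Transfer 900.00 to account 12345", sig)        # False: digest differs
    transplanted = verify(b"Close account 12345", sig)                 # False: signature block not reusable
    return authentic, tampered, transplanted


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The last two results are the two guarantees the text describes: an altered message hashes to a different digest, so the recovered digest no longer matches, and copying the signature block onto another message fails for the same reason. Computing a valid signature for a new message requires D, which only the sender holds.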

3.2.4.10 Secure Socket Layer (SSL) Technology

This technology has been adopted by many banks. It encrypts the information that the user sends over the Internet. That means the data the user sends from one computer to another is encrypted to prevent it from being hacked. This technology is now accepted by or compatible with most browsers, including Internet Explorer and Netscape Navigator. Usually we can see a little yellow padlock (lock/security device) in the lower right-hand corner of our screen, indicating that a page is being secured using this technology.


3.2.4.11 Secure Electronic Transaction (SET)

The Secure Electronic Transaction (SET) software system is the global standard for secure card payments on the Internet, defined by various international companies such as Visa, MasterCard, IBM, Microsoft, Netscape Communications Corp., GTE, SAIC, Terisa Systems and VeriSign. SET promises to secure bank-card transactions online. Lockhart, CEO of MasterCard, said, “We are glad to work with Visa and all of the technology partners to craft SET. This action means that consumers will be able to use their bank cards to conduct transactions in cyberspace as securely and easily as they use cards in retail stores today.” SET adopts RSA public key encryption to ensure message confidentiality. Moreover, this system uses a unique public/private key pair to create the digital signature. Although public key encryption and the digital signature ensure the confidentiality and authenticity of the message, there is still a potential danger in that the information the sender provides may not be real. For example, the sender may encrypt a bank card number which belongs to someone else by using his/her own private key. To ensure true authentication, there is a need for a process of certification: a third party who is trusted by both the sender and the receiver issues the key pair to the user who provides sufficient proof that he is who he claims to be. Thus SET can become a better solution by using encryption, authentication and certification.

3.2.4.12 Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP), created by Philip Zimmermann, is a “hybrid cryptosystem that combines a public key (asymmetric) algorithm with a conventional private key (symmetric) algorithm to give encryption combining the speed of conventional cryptography with the considerable advantages of public key cryptography”.


PGP is a well-established privacy/authentication technique created by Philip Zimmermann in 1991, which enables both encryption and signing of e-mails. Each user of PGP has both a private and a public key; with the private key the user can sign and encrypt the e-mails they send out. The receiver of a signed e-mail needs the public key of that sender to check the signature. If companies would use a similar technique to sign their e-mails, this would make it impossible for malicious people to spoof their e-mails as long as only the company has access to the private key. This would make it possible for users to securely authenticate any sender of an e-mail by clicking a button [65]. The advantage of PGP is that it does not require a trusted channel for transmitting the encryption key to the intended recipient of our message. Furthermore, it has the ability to sign messages by encrypting them with the sender’s private key, which cannot be replaced by any other key. Once the receiver has received the message, he/she can then decrypt the signature with the sender’s public key, which cannot be forged and represents the true identity of the sender.

The biggest part of today’s anti-phishing applications is to more clearly inform users of the security of the site they are visiting. Anti-phishing applications most often use a “black-list” containing the URLs of known phishing sites against which the requested URL is compared. But new anti-phishing applications, e.g. Microsoft Internet Explorer, use both “black-lists” and “white-lists” (containing known authentic URLs) and check the remaining sites for known phishing characteristics. This can be considered an efficient way to discover even unknown phishing sites, and because all features are dynamic the protection can follow the development of phishing [65].


3.2.4.13 Kerberos

Kerberos is named after the three-headed guard dog of Greek mythology and it is one of the best known private-key encryption technologies. Kerberos creates an encrypted data packet, called a ticket, which securely identifies the user. To make a transaction, one generates the ticket during a series of coded message exchanges with a Kerberos server, which sits between the two computer systems. The two systems share a private key with the Kerberos server to protect information from hackers and to assure that the data has not been altered during the transmission. One example of this encryption is NetCheque, which is developed by the Information Sciences Institute of the University of Southern California. NetCheque uses Kerberos to authenticate signatures on electronic checks that Internet users have registered with an accounting server.
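The ticket exchange sketched above, as an added example (not code from the thesis, from NetCheque or from any Kerberos implementation). The Kerberos server holds a long-term key for every user and service; the ticket it issues for a service is sealed under that service's key and carries the user's name, a fresh session key and an expiry, while the user receives the same session key sealed under their own key. The user then proves possession of the session key to the service with a timestamped authenticator. The assumptions are: a toy authenticated cipher built from HMAC-SHA256 (a keystream XOR plus a tag) in place of Kerberos's real encryption types, pre-shared long-term keys, and only the initial exchange and service authenticator (no ticket-granting service, no realms); the principal names are constructed.

```python
"""Simplified Kerberos-style ticket exchange: KDC, client and service.

Added example, not from the thesis.  The cipher is a toy stand-in for the
real Kerberos encryption types; names and keys are constructed."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; assumed toy construction for the demo."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC under `key` with a fresh nonce."""
    plain = json.dumps(data).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything whose tag does not verify: tampering or the wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The Kerberos server: shares a long-term key with every principal."""

    def __init__(self, keys: dict):
        self.keys = keys

    def issue_ticket(self, client: str, service: str, now: int, lifetime: int = 300):
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": client, "key": session_key, "expires": now + lifetime})
        for_client = seal(self.keys[client], {"key": session_key, "service": service})
        return ticket, for_client


class Service:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()     # replay cache of (client, authenticator time)

    def authenticate(self, ticket: bytes, authenticator: bytes, now: int):
        """Return the client name if ticket and authenticator check out, else None."""
        t = unseal(self.key, ticket)                       # only the service can open it
        if now > t["expires"]:
            return None
        a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves the session key is known
        if a["client"] != t["client"] or abs(now - a["time"]) > 60:
            return None
        if (a["client"], a["time"]) in self.seen:
            return None                                     # authenticator replayed
        self.seen.add((a["client"], a["time"]))
        return t["client"]


def demo(now: int = 1_700_000_000):
    """Returns (first_result, replay_result, tampered_ticket_result)."""
    keys = {"alice": os.urandom(32), "accounting": os.urandom(32)}   # constructed long-term keys
    kdc, svc = KDC(keys), Service(keys["accounting"])
    ticket, for_client = kdc.issue_ticket("alice", "accounting", now)
    session_key = bytes.fromhex(unseal(keys["alice"], for_client)["key"])
    authenticator = seal(session_key, {"client": "alice", "time": now})
    first = svc.authenticate(ticket, authenticator, now)          # "alice"
    replay = svc.authenticate(ticket, authenticator, now + 1)     # None
    damaged = bytearray(ticket)
    damaged[20] ^= 1                                              # flip one ciphertext bit
    try:
        svc.authenticate(bytes(damaged), authenticator, now)
        tampered = "accepted"
    except ValueError:
        tampered = "rejected"
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())   # ('alice', None, 'rejected')
```

The client never learns the service's key and the service never learns the client's; both trust only the Kerberos server, which is the "sits between the two computer systems" relationship the text describes. The tag check is what assures "that the data has not been altered during the transmission", and the replay cache plus the short authenticator window are what stop a captured exchange from being reused.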

Four popular anti-virus applications are McAfee Anti-Virus, Kaspersky Anti-Virus Personal, AntiVir Personal Edition, and Ikarus Virus Utilities [64].

3.2.4.14 Cryptographic Authentication

These methods provide higher security than static passwords. They are based on the idea that it is possible to prove the identity of a person by performing some cryptographic operation over some given information which is different for each operation. This way the access code generated is different each time, making it worthless to steal the codes, as the code will be different the next time. Even if the attacker can collect hundreds or even thousands of codes from the same user, it is still impossible to obtain the value of the cryptographic key used to generate them. Therefore, as in all cryptographic systems, the main problem is the protection of the keys from the attacker.


Public key cryptography is normally used, but in cases where the communication is established between entities that have a previous relationship (like the clients of a bank), private key cryptography can also be used. Both public and private key cryptography can provide authentication, data encryption and digital signatures [47].

3.2.4.15 Public Key Infrastructure (PKI)

PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over the increasingly insecure internet. PKI consists of methods, technologies and techniques that together provide a secure infrastructure. PKI refers to the use of a public and private key pair for authentication and proof of content. Public key cryptography uses a pair of mathematically related cryptographic keys: if one key is used to encrypt the message, then only the related key can decrypt that message. Public keys are stored in digital certificates along with other relevant information. Since the certificate is publicly available, preventing access is not an issue; however, it should be protected from corruption, deletion or replacement.

No one should be able to access someone else’s private key, so access to private keys is generally protected with a password of the owner’s choice. Hence, PKI’s main problem is the management of private keys. They need to be stored somewhere, such as a PC, a server or a smart card, and be protected with a password. In this manner, accessing a private key requires knowledge of the password rather than being the right person, so it is vulnerable to attacks by hackers.

This problem can be solved by using biometrics in PKI. One way of doing so is generating the private keys directly from the biometric templates. Since private keys can be generated dynamically from one’s biometric template, there is no need to store private keys anymore, which solves PKI’s private key storage problem [58].


3.2.4.16 Public-Key Cryptosystems (PKC)

The use of public-key cryptosystems (PKC) has received considerable attention. They are beneficial in encryption as well as signing, which plays an essential role in e-banking and financial transactions. Elliptic Curve Cryptography (ECC) is one of the best public key techniques because of its small key size and high security [34]. Public key cryptography, with the enormous growth of the computer and communication industry, became the type of cryptography that controls electronic mail, e-commerce and the Internet. It is beneficial in encryption as well as digital signing, which plays an essential role in electronic money transactions and identity verification. Public key systems solve the key management problems associated with symmetric-key encryption; however, and even more importantly, public key cryptography offers the ability to efficiently implement digital signatures. The digital signature of a person uniquely identifies that person in a transaction. Today, three types of systems, classified according to the mathematical problem on which they are based, are generally considered both secure and efficient. The systems are: integer factorization systems (of which RSA is the best known example), discrete logarithm systems (such as the U.S. Government’s DSA), and the elliptic curve discrete logarithm systems described next.

3.2.4.16.1 Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Cryptosystems

Today ECC offers those looking for a smaller, faster public-key system a practical and secure technology for even the most constrained environments. This is why ECC is well suited for low-bandwidth and low-memory applications such as mobile communication and smart cards. ECC delivers the highest strength per bit of any known public-key system because of the difficulty of the hard problem upon which it is based. This greater difficulty of the hard problem, the Elliptic Curve Discrete Logarithm Problem (ECDLP), means that smaller key sizes yield equivalent levels of security [34].

3.2.4.16.2 Elliptic Curve Cryptography (ECC)

ECC is a public key cryptography algorithm. In public key cryptography, each party has a key pair (a public key and a private key) and a set of operations associated with the keys for cryptographic operations [58]. Secure applications in smart cards present implementation challenges particular to the platform’s memory, bandwidth, and computation constraints. The unique properties of ECC make it especially well suited to smart card applications. ECC systems provide the highest strength per bit of any cryptosystem known today. Here the author presents a new method for smart card implementation of elliptic curves, explaining how ECC can not only significantly reduce the cost but also accelerate the deployment of smart cards in new applications. ECC permits reductions in key and certificate size that translate to smaller memory requirements, especially for EEPROM, which represent significant cost savings. This added functionality can play an effective role in electronic payment and online banking technologies. The protocol described here depends on the security of the elliptic curve primitives, e.g., key generation, signature generation, and signature verification. These operations utilize the arithmetic of points which are elements of the set of solutions of an elliptic curve equation defined over a finite field. The security of the protocol depends on the intractability of the elliptic curve analogue of the discrete logarithm problem, which is a well-known and extensively studied computationally hard problem [34].

In summary, the key size advantages of ECC afford many benefits for smart cards, and the superior performance offered by ECC implementations makes applications feasible in low-end devices without dedicated crypto hardware.
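The "arithmetic of points" and the ECDLP that sections 3.2.4.16.1 and 3.2.4.16.2 rest on, shown concretely as an added example (not code from the thesis or from [34]). It implements point addition, doubling and double-and-add scalar multiplication (the key-generation operation) over a prime field, runs a Diffie-Hellman agreement on top, and includes a brute-force discrete-log solver to make plain what the security assumption is. The curve y² = x³ + 2x + 2 over GF(17) with generator (5, 1) of order 19 is a textbook toy curve, chosen as an assumption so that every value can be checked by hand; the solver only terminates quickly because the group has 19 points, which is exactly why real curves use fields of around 256 bits.

```python
"""Elliptic-curve point arithmetic, scalar multiplication and ECDH over a
tiny prime field.  Added example, not from the thesis.  Toy curve chosen
for hand-checkable values; never use parameters this small in practice."""

P, A, B = 17, 2, 2          # curve y^2 = x^3 + A*x + B over GF(P)  (assumed toy curve)
G = (5, 1)                  # generator point
ORDER = 19                  # number of points, i.e. ORDER * G = INF
INF = None                  # the point at infinity (group identity)


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Group law: chord-and-tangent addition with all field ops mod P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P      # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P            # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt):
    """Double-and-add scalar multiplication: private key k -> public key k*G."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(priv_a: int, priv_b: int):
    """Each side multiplies the other's public point by its own private
    scalar; both arrive at the same shared point."""
    pub_a, pub_b = mul(priv_a, G), mul(priv_b, G)
    return mul(priv_a, pub_b), mul(priv_b, pub_a)


def brute_force_dlog(pub):
    """Solve k*G == pub by stepping through the group.  Feasible only because
    ORDER is 19; the ECDLP is the assumption that this is infeasible at
    real sizes."""
    pt = INF
    for k in range(ORDER):
        if pt == pub:
            return k
        pt = add(pt, G)
    return None


if __name__ == "__main__":
    for k in range(1, ORDER + 1):
        print(k, mul(k, G))
    print("shared:", ecdh(3, 5))
```

Printing the multiples of G shows the group wrapping around to the identity at 19, and that 18G is the negative of G (same x, negated y). The shared point from `ecdh(3, 5)` is 15G, which either party can compute from its own private scalar and the other's public point, but an observer holding only 3G and 5G must solve a discrete logarithm to recover either scalar.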


3.2.4.17 Biometric

A biometric is a “measurable physiological and/or behavioral trait that can be captured and subsequently compared with another instance at the time of verification”. Biometric-based systems are being used in the authentication and identification of an individual by processing his/her biometric data. A biometric identifier comes from “something the user is” and is created through fingerprint, retina or iris scan, hand geometry, voice patterns, vein patterns or any other such technology. An individual’s biometric data can then be stored in a database. For identification by biometric-based systems, individuals must first enroll in the biometric system, a process in which their biometric data is collected by an input device specific to each type of biometric, and a master template is built from that data and stored. From this point on, in each identification instance, the biometric data is collected from the individual and a new template is created. This template is then compared with the master template, and based on a threshold of matching rate the system decides to accept or reject the claimed identity [58].
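The enrol-then-verify decision described above, with its matching threshold, as an added example (not code from the thesis or from [58]). A template is modelled as a 512-byte bit string (the iris template size the section quotes), a fresh capture of the same person is simulated by flipping a fraction of the enrolled bits, and a match is decided on the normalised Hamming distance between the two. The noise level, the 0.32 threshold and the use of random bits for templates are assumptions standing in for a real sensor and feature extractor; the point the code makes is the trade-off the threshold controls between false accepts and false rejects.

```python
"""Biometric enrolment and threshold-based verification on bit-string
templates.  Added example, not from the thesis.  Templates and sensor
noise are simulated; threshold and noise level are assumptions."""
import random

BITS = 512 * 8       # 512-byte template, the size quoted for an iris template


def enrol(rng: random.Random) -> int:
    """Master template built at enrolment (simulated as random bits)."""
    return rng.getrandbits(BITS)


def capture(template: int, rng: random.Random, noise: float = 0.10) -> int:
    """Fresh sample from the same person: each bit flips with probability
    `noise`, standing in for sensor and alignment variation."""
    flips = 0
    for i in range(BITS):
        if rng.random() < noise:
            flips |= 1 << i
    return template ^ flips


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which the two templates differ."""
    return bin(a ^ b).count("1") / BITS


def verify(master: int, sample: int, threshold: float = 0.32) -> bool:
    """Accept the claimed identity when the distance is below the threshold.
    Lowering the threshold cuts false accepts and raises false rejects."""
    return hamming_fraction(master, sample) < threshold


def error_rates(threshold: float, trials: int = 100, seed: int = 2):
    """Estimate (false accept rate, false reject rate) at a threshold by
    re-enrolling `trials` simulated users and testing one genuine capture
    and one impostor template each."""
    rng = random.Random(seed)
    far = frr = 0
    for _ in range(trials):
        master = enrol(rng)
        if not verify(master, capture(master, rng), threshold):
            frr += 1
        if verify(master, enrol(rng), threshold):
            far += 1
    return far / trials, frr / trials


def demo(seed: int = 1):
    """Returns (genuine accepted, impostor accepted, genuine distance, impostor distance)."""
    rng = random.Random(seed)
    master = enrol(rng)
    genuine = capture(master, rng)
    impostor = enrol(rng)
    return (verify(master, genuine), verify(master, impostor),
            hamming_fraction(master, genuine), hamming_fraction(master, impostor))


if __name__ == "__main__":
    print(demo())
    for t in (0.05, 0.20, 0.32, 0.45):
        print(t, error_rates(t))
```

With this much template length, a genuine capture sits near 10% distance and an unrelated template near 50%, so a threshold anywhere between them separates the two populations cleanly; pushing the threshold below the genuine distance produces rejections of legitimate users, and pushing it toward 0.5 begins to admit impostors. The equal error rate mentioned later in the section is the threshold at which the two error rates coincide.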

Biometric Signatures: A biometric signature is formed by generating a private key from a biometric sample and using that private key to create a digital signature. Biometric signatures have all of the advantages of both PKI and biometrics, as well as some additional advantages such as no storage requirement for the biometric template or the private key. This biometric template must be swiftly recognizable and very accurate in order to create the same private key every time. The iris scan has such a low Equal Error Rate (EER) (one in 1.2 million) that it seems to be a good choice for this mechanism. An iris scan generates a 512-byte iris template for user authentication [58].

Biometric Methods: Other authentication methods are biometric; examples of this method are retina scans, fingerprints/handprints, voice prints, DNA (deoxyribonucleic acid), face recognition, lip movement, signature, etc. These technologies are good but neither perfect nor foolproof. Similarly, online authentication models are: one-time password scratch cards; one-time password tokens; smart cards (requiring readers, drivers, operating system support, etc.); and OOB (out-of-band) authentication, in which a telephone call is made to complete a financial transaction. Another online authentication model is the IP address and geo-location method, in which the IP address is compared with the customer's known location and, if the location is questionable, additional authentication information is required. Another method is mutual authentication; this method is based upon public-key infrastructure and uses SSL (Secure Sockets Layer) so that client and server can exchange certificates [35].

Fig 3.2.5: Biometric Sensors Example (Out-Of-Band authentication)

3.2.4.18 MeCHIP: The MeCHIP, developed by ESD, is connected directly to the PC’s keyboard using a patented connection. All information which needs to be secured is sent directly to the MeCHIP, circumventing the client’s vulnerable PC microprocessor. The information is then signed and transmitted to the bank in secure coded form. A closed, secure channel from the client to the bank is assumed in this case. All information which is transmitted and received is logged and verified to ensure that it has not been tampered with. If there are any deviations, the session is immediately terminated. This hardware-based solution offers the necessary security at the personal computer to transfer confidential information [16].


3.2.5 COMPARISON BETWEEN HARDWARE-BASED SYSTEM SOLUTIONS AND SOFTWARE-BASED SYSTEM SOLUTIONS

Following are two possibilities to provide a secure PC banking system [31]:

A) Using a custom hardware platform for accessing the bank from home: This would act as an ATM connected to the Internet: as long as the communications are encrypted, neither an on-line attack nor an inside attack is possible, as the browsing software is stored in ROM memory and therefore cannot be infected. This option looks better, although it still has a high cost and most users will not make intensive use of it for PC banking operations. For example, Argentaria bank in Spain and Wells Fargo bank in the US provide a hardware Internet navigation platform for this purpose.

B) Using a PC booted from a ROM disk: Booting up the computer from a CD-ROM disk can ensure that no viruses or hostile software have been introduced after it is delivered by the bank. Under these conditions, it is perfectly safe to use a password-based authentication system even for making funds transfers. But it requires shutting down the computer each time the user wants to order a funds transfer, hence it is generally not preferred.

HARDWARE BASED SYSTEM

Hardware-based systems offer a more secure way to protect information, but they are less portable and more expensive than software-based systems. For example, the Smartcard and the MeCHIP provide better protection for the confidentiality of personal information. Thus the hardware-based security system creates a secure, closed channel where the confidential identification data is absolutely safe from unauthorized users.


SOFTWARE BASED SYSTEM

Many systems today use some form of software-based protection. Software-based protections are easily obtained at lower cost than hardware-based protection. Consequently, software-based protection is more widely used. But software-based protection has many potential hazards. For software-based systems, there are four ways to break into the system:

i) First of all, attacking the encryption algorithms is one possible approach. This form of attack would require much time and effort to be invested to break in.

ii) A more direct approach would be using brute force by actually trying out all possible combinations to find the password.

iii) A third possible form of attack is on the bank’s server, which is highly unlikely because these systems are very sophisticated. This leaves the fourth possible method, which also happens to be the most likely attack.

iv) The fourth method is to attack the client’s personal computers. This can be done in a number of ways, such as planting viruses (e.g. Trojan horses) as mentioned above. But, unlike traditional viruses, the new viruses aim to have no visible effects on the system, thus making them more difficult to detect and easy to spread unintentionally [16].


In software-based security systems, the coding and decoding of information is done using specialized security software. Encryption is the main method used in these software-based security systems. Encryption is a process that modifies information in a way that makes it unreadable until the exact same process is reversed. In general, there are two types of encryption. Due to their easy portability and ease of distribution through networks, software-based systems are more prevalent in the market. These software-based solutions involve the use of encryption algorithms, private and public keys, and digital signatures to form software packages known as Secure Electronic Transaction (SET), used by MasterCard, and Pretty Good Privacy (PGP).
