Internet Banking: Security risks and solutions
Piata Financiara Conference Bucharest
October 2004
Tamas Gaidosch, KPMG Advisory Services
Purpose of the presentation
If you know the enemy and know yourself, you need not fear the results of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu – The Art of War
Effective countermeasures can only be developed if risks are identified.
Agenda
Security trends
Common security issues
Less common and more dangerous issues
Real-life examples
Effective countermeasures
Background
Information Risk Management practice of KPMG
IT Security services – Budapest centre of competence
System audits
Penetration tests
Security design
Incident response
Significant experience in CEE and beyond
23 Internet Banking security engagements
39 penetration tests for banks
Incident statistics
Chart: incidents reported in 2003 and 2004 (figure not reproduced in the transcript).
Source: US Department of Homeland Security, Computer Emergency Readiness Team (US-CERT)
Sophistication and knowledge
Chart (based on a Carnegie Mellon University study): attack sophistication versus the knowledge required of the intruder, 1990 to today, with the milestones packet spoofing, automatic probing, DDoS, BackOrifice and automatic toolkits.
http://www.alliancesecurities.com ALLIANCE SECURITIES INC
http://www.allstatetrustfinancesecurity.com AllStateTrustFinanceSecurity
http://www.androsbank.com Andros Bank of Investments
http://www.apextrustbank.com APEX TRUST BANK
http://www.arabenin.int.ms Arab Bank Benin
http://www.asiapacific-group.com ASIA PACIFIC GROUP aka Asia Pacific Trust
http://www.atlanticcreditbank.com Atlantic Credit Bank aka ACB
http://www.atlantictrustbank.com Atlantic Trust Bank aka ATB
http://www.atmb.co.uk Allied Trust Merchant Bank aka ATMB
http://www.alliedcreditfinance Allied Credit Finance
http://www.awedinter.com ABC Internet Limited aka All New Lottery and Competitions
http://www.banqueparibinternatianale.com BANQUE PARIB INTERNATIONAL
http://www.bond-bank.com BOND BANK
http://www.bondplc.com Bond Financial Services PLC aka BFS
http://www.brabant-international.com Brabant International BV.
http://www.btci-tg.net Banque Togolaise pour le Commerce et l'industrie aka BTCI
http://www.caledontrustbank.com Caledon Trust Bank
http://www.carnegiedirects.com Carnegie Fiduciary
http://www.creditrims.com Credit-Rims Investment Bankers
http://www.credittrustfinance.com CREDIT TRUST FINANCE LIMITED
http://www.ctrbonline.net CITI Trust Bank aka Caledon Trust Bank Incorporated
http://www.cureserve.com Credit Union Reserve
http://www.e-ufinance.com EU FINANCE AND SECURITIES HOLLAND
Motivation
William Sutton on the reasons why one would rob banks:
“Because that’s where the money is.“
“I was more alive when I was inside a bank, robbing it, than at any other time in my life.”
Attacking the online bank
Through the infrastructure
Through the web application
Combined with phishing / social engineering
Attacking the infrastructure
Exploiting vulnerabilities in:
Networking devices and firewalls
Operating systems
Database management systems
"Classic" hacking
Threats and countermeasures are relatively well understood
Banks are usually well protected at this level
BUT …
Wardriving results (1st test)
Date: 6th November 2003, 01:43 (CET)
Place: a route in the inner city (bank HQs!)
Time: 1 hour
Access points detected: 175
Easy to break in (no encryption): 124 (70.8%)
Harder to break in (using WEP): 51 (29.2%)
Secure (using 802.1X): 0 (0.0%)
Imagine… today
Rogue Access Point connected to a flat TCP/IP network …
Hacker in the parking lot …
Bankomat (ATM) on the same flat TCP/IP network:
runs Windows
not security hardened
uses a clear-text protocol
weak PIN encryption (single DES)
HackMe Bank
Imagine … tomorrow
"Cars with the Microsoft software will speak up when it's time for an oil change.
The software running the brakes will upgrade itself wirelessly."
AP, 12/2003
Checkpoints
Last wireless network test? Anything leaking?
Internal firewalls?
Sensitive network traffic encrypted?
ATM / Internet bank / etc. security hardened?
3DES used for PIN encryption? (Mandatory from 2005)
Intrusion detection system on the internal network?
Security logs reviewed daily? Alerts?
Attacking the web application
Application-level security is still bleeding edge.
Whilst we see more techniques and knowledge being used when designing and implementing network security, we often see applications with security vulnerabilities.
Flawed applications often present high risks to the business because:
Attack patterns may not be recognised, therefore the attack could remain unnoticed
A successful attack may have higher impact on business
Session hijacking – identity theft
Second example
Thirteen consecutive session IDs as issued (split here at the 10-character boundary given by the format below):
coy701sqm1
ji5j1vsqm2
wh98wgsqn1
pqpy33sqn2
3syq34sqo1
w738k0sqo2
xg9wwbsqp1
8nte9gsqp2
mnerqrsqq1
ux5faksqq2
597z61sqr1
iyo8q5sqr2
pagsiwsqs1
Tomcat 3.2.4 (open source)
package org.apache.tomcat.util, SessionIdGenerator.java:
* format of id is <6 chars random> <3 chars time> <1+ char count>
Session hijacking – identity theft
Third example
Thirteen consecutive session IDs as issued (split here at the repeating 13-character pattern):
ZH1SUEYAAAACD
ZH1XEZYAAAACF
ZH11W4IAAAACH
ZH2AGGYAAAACJ
ZH2E02AAAAACL
ZH2ZH3YAAAACN
ZH23YUAAAAACP
ZH2SJKIAAAACR
ZH2W0BIAAAACT
ZH21KWYAAAACV
ZH3EMCQAAAACZ
ZH3Y23AAAAAC1
ZH33NTQAAAAC3
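As an added worked example (not part of the presentation or of KPMG's material): the position-by-position analysis a tester runs over a collected sample of session IDs to find the fields an attacker never has to guess. The two samples are the IDs transcribed from the second and third examples above. The Tomcat sample is split at the 10-character boundary the SessionIdGenerator format comment implies; the third sample is split at its repeating 13-character pattern, which is an assumption, since the slide names no product for it. The analysis is generic and so goes beyond the slide: it flags constant and monotonic positions in any sample and contrasts them with CSPRNG tokens from Python's secrets module. The 36-symbol alphabet used for the Tomcat search-space figure is read off the sample (lowercase letters and digits) and is likewise an assumption.

```python
"""Structure analysis of collected session IDs (added example, not the slide's code)."""
import secrets

# Transcribed from the slide's second example (Tomcat 3.2.4), split into
# 10-character IDs per the SessionIdGenerator format comment.
TOMCAT_IDS = [
    "coy701sqm1", "ji5j1vsqm2", "wh98wgsqn1", "pqpy33sqn2", "3syq34sqo1",
    "w738k0sqo2", "xg9wwbsqp1", "8nte9gsqp2", "mnerqrsqq1", "ux5faksqq2",
    "597z61sqr1", "iyo8q5sqr2", "pagsiwsqs1",
]

# Transcribed from the slide's third example; the 13-character split follows the
# repeating "...AAAAC?" tail and is an assumption (the slide names no product).
THIRD_IDS = [
    "ZH1SUEYAAAACD", "ZH1XEZYAAAACF", "ZH11W4IAAAACH", "ZH2AGGYAAAACJ",
    "ZH2E02AAAAACL", "ZH2ZH3YAAAACN", "ZH23YUAAAAACP", "ZH2SJKIAAAACR",
    "ZH2W0BIAAAACT", "ZH21KWYAAAACV", "ZH3EMCQAAAACZ", "ZH3Y23AAAAAC1",
    "ZH33NTQAAAAC3",
]


def split_tomcat_id(sid):
    """Split an ID as the Tomcat 3.2.4 SessionIdGenerator comment describes it:
    <6 chars random> <3 chars time> <1+ chars count>."""
    return sid[:6], sid[6:9], sid[9:]


def _width(ids):
    return min(len(s) for s in ids)


def distinct_per_position(ids):
    """How many distinct characters the sample shows at each position."""
    return [len({s[i] for s in ids}) for i in range(_width(ids))]


def monotonic_positions(ids):
    """Positions whose character never decreases from one ID to the next.
    The sample must be in issue order; this is the footprint of a timestamp
    or counter field, even when the field takes many values."""
    return [
        i for i in range(_width(ids))
        if all(ids[k][i] <= ids[k + 1][i] for k in range(len(ids) - 1))
    ]


def predictable_positions(ids, max_distinct=3):
    """Positions an attacker holding a few IDs can fill in without guessing:
    those that are (nearly) constant, plus those that only ever step up."""
    low_entropy = {i for i, n in enumerate(distinct_per_position(ids)) if n <= max_distinct}
    return sorted(low_entropy | set(monotonic_positions(ids)))


def remaining_search_space(ids, alphabet_size):
    """(guesses, free_positions): the brute-force bound once the predictable
    positions are fixed, assuming the rest is uniform over the alphabet."""
    free = _width(ids) - len(predictable_positions(ids))
    return alphabet_size ** free, free


def secure_sample(n=13):
    """Control sample: CSPRNG tokens show no constant or monotonic positions."""
    return [secrets.token_urlsafe(16) for _ in range(n)]


def report(name, ids, alphabet_size):
    guesses, free = remaining_search_space(ids, alphabet_size)
    print(f"{name}: width {_width(ids)}, predictable positions "
          f"{predictable_positions(ids)}, {free} free -> at most {guesses} guesses")


if __name__ == "__main__":
    for sid in TOMCAT_IDS:
        print(split_tomcat_id(sid))  # the time field advances, the count alternates 1/2
    report("Tomcat 3.2.4", TOMCAT_IDS, 36)   # [a-z0-9], read off the sample (assumed)
    report("Third example", THIRD_IDS, 36)   # alphabet assumed, product unknown
    report("secrets.token_urlsafe", secure_sample(), 64)
```

On the Tomcat sample the analysis fixes positions 6 to 9 (the time and count fields), leaving the six "random" characters, at most 36^6 guesses if they were uniformly random; on the third sample eight of the thirteen positions are fixed. It says nothing about the quality of the random characters themselves, which depends on the generator's random source, a point the slide does not discuss; that is the next thing to test once the fixed fields are known. Run the module directly to print the report for both samples.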
Combined attacks
Client: financial services
Only entry point: SMTP
Breaking in by specially crafted e-mail
Top virus protection software on desktops and servers, IDS and firewall.
Mixture of social engineering and technical attack.
Developing the attack: 3 days. Executing it: 5 minutes.
Employees leave traces everywhere on the Internet.
So how bad is this anyway?
Internet Banking security engagements of KPMG Hungary in the last three years: 23
Answers the question: how deep could skilled attackers penetrate the system in a given limited timeframe?
Compromise: 6 (26%)
High risk: 10 (44%)
Embarrassment: 3 (13%)
Minor issues: 4 (17%)
Effective countermeasures
General IT controls (process)
Security awareness (people)
IT infrastructure (technology)
Adequate measures should always be taken to ensure that no unauthorized information interchange takes place.
Effective countermeasures
IT infrastructure:
Firewalls
Intrusion detection
Wireless security
VPN
Cryptography
Physical security
IT controls:
Policy and strategy
Change management
Configuration management
Problem management
Incident response
Security management
Availability management
Audits
Security awareness:
Business risks
Privacy issues
Password usage
Teleworking issues
Reporting incidents
Contact persons
Q&A
Tamas Gaidosch, CISA, CISSP
Partner, KPMG Advisory Services
+36 1 270 7139
tamas.gaidosch@kpmg.hu
Align countermeasures with risks
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2004 KPMG Hungária Kft., the Hungarian member firm of KPMG International, a Swiss cooperative. All rights reserved.