KASPERSKY FRAUD PREVENTION: SOLUTION OVERVIEW
Petr Zahálka
Avnet s.r.o.
CURRENT SITUATION
http://www.csas.cz/banka/content/inet/internet/cs/news_ie_2271.xml?archivePage=phishing&navid=nav00156_phishing_aktuality
http://www.csas.cz/banka/content/inet/internet/cs/news_ie_2246.xml?archivePage=phishing&navid=nav00156_phishing_aktuality
FRAUD PREVENTION IN ACTION
[Diagram labels: BANK; MALWARE/CYBER-CRIMINALS; Social Engineering; Logging; Phishing + Stolen Certificates; Driver “killer”; DNS Change; PHISHING PAGE; Account #1; Account #2; Malicious Accounts; login; $$$; 3 days; Screenshotting; Code Injection; OBS; login]
KASPERSKY FRAUD PREVENTION PLATFORM
BANK (server-side protection and management)
• Kaspersky Fraud Prevention Console
• Kaspersky Fraud Prevention Clientless Engine
USER (user protection)
• Kaspersky Fraud Prevention for endpoints
• Kaspersky Fraud Prevention SDK (Mobile SDK)
Services
• Kaspersky Fraud Prevention Education Services
• Kaspersky Fraud Prevention Management Services
• Kaspersky Fraud Prevention Professional Services
• Kaspersky Fraud Prevention Intelligence Services
Kaspersky Security Network — Global Security Intelligence
KASPERSKY FRAUD PREVENTION:
USER PROTECTION
RISKS OF UNTRUSTED BANKING
• Website: Phishing sites
• Connection: Substitution of DNS, proxy or hosts file; Traffic interception
• Environment: Vulnerability exploitation; Code injection; Social engineering; Screenshotting and keylogging
TRUSTED BANKING
• Website: Anti-phishing; List of trusted sites
• Connection: Kaspersky Security Network; SSL certificate database in the cloud
• Environment: Secure Browser; Secure Keyboard; Screenshot Capture protection; Vulnerability scan; Self-protection
Safe Money
BROWSER THREATS
• Code injection
• External browser control
• OS vulnerabilities
• Attacks on the product itself (termination, damage, modification, etc.)
• Keyloggers
• MiTM attacks
• Phishing
• Screenshotting
Fraud Prevention for Endpoints
PROTECTION AGAINST OS VULNERABILITIES
Dedicated updatable vulnerabilities database:
• Operating system only
• Kernel-mode privilege escalation only
Protection: the database is checked when the application launches, and the user is informed if the system is vulnerable
SECURE KEYBOARD: MAXIMUM SAFETY
[Diagram labels: Scan code; Symbols; Keyboard drivers; OS Drivers kbdclass.sys; BROWSER; KASPERSKY FRAUD PREVENTION FOR ENDPOINTS; Main driver kliff.sys; Keyboard Classic Service Callback; Virtual Keyboard plugin; Protected channel; Kaspersky keyboard driver; Scan code; Trojan-Banker.Win32.Fibbit]
PROTECTION AGAINST TAKING SNAPSHOTS
• Protects against all screenshotting techniques in use
• It is impossible to take a screenshot if the current window belongs to the Safe (protected) browser
Screenshots are not allowed
SELF-DEFENSE
Protects KFP for Endpoints against modification of its:
• Windows registry keys
• Files
• Processes
• Threads
One of the best self-protection techniques according to independent tests:
http://www.matousec.com/projects/proactive-security-challenge-64/results.php
MITM ATTACKS: SSL CERTIFICATE VALIDATION
[Diagram labels: Internet; Kaspersky Security Network; Request for certificate; Fake certificate; Certificate from KSN; KFP for endpoint checks the certificate; Phishing web site]
ANTI-PHISHING: HOW IT WORKS
[Diagram labels: Kaspersky Security Network; Client; Online base of phishing sites; Digital certificate verification service; Request; Response; Offline Data Base; Heuristics results from clients; Crawlers and robots; Content Analysts; The most popular KSN queries; Tens of feeds; Huge spam traps; A lot of clients’ samples]
WHY USE FRAUD PREVENTION IF AN ANTIVIRUS SOLUTION IS ALREADY INSTALLED?
• Not all users install good security software or regularly update it
• Traditional signature-based AV is vulnerable to zero-day and targeted attacks (but modern AV products are more than just blacklisting)
• FRAUD PREVENTION is compatible with the anti-malware solutions of other vendors
MOBILE CLIENT PROTECTION IN DETAIL
SDK FUNCTIONALITY
[Diagram labels: KFP SDK; Self Defense; Web & Network Protection; Secure Connection; URL Web Filter; Web Anti Virus; URL Reputation; DNS Checker; Certificate Validation; Data Protection; Secure SMS Banking; Secure Storage; Safe Input; Anti Virus (ODS); Anti Virus (OAS); Device Protection]
SECURE MESSAGES IN SECURE STORAGE
[Diagram labels: Secured SMS Storage; Incoming SMS from Bank; Kaspersky Safe Money SDK; User; SMS Secure Interception; Malware #1; Malware #1; Standard Storage; SMS Malware Interception]
SDK FUNCTIONALITY
[Diagram labels: KFP SDK; Self Defense; Web & Network Protection; Secure Connection; URL Web Filter; Web Anti Virus; URL Reputation; DNS Checker; Certificate Validation; Data Protection; Secure SMS Banking; Secure Storage; Safe Input; Risk Detection; Suspicious Applications; Device Fingerprint; Wi-Fi Safety Analysis; Device Configuration; Firmware Verification; Root / Jailbreak Detection; Anti Virus (ODS); Anti Virus (OAS); Device Protection]
KASPERSKY FRAUD PREVENTION
CLIENTLESS ENGINE
CLIENTLESS ENGINE: WHERE THE DATA COMES FROM
DATA SOURCES
• Kaspersky Fraud Prevention for Endpoints
• Kaspersky Security Network
• Online banking customers
• Fraud Analyst from Bank
CLIENTLESS ENGINE
Multi-layered security approach with Management Console.
[Diagram labels: Online banking customer with Kaspersky Fraud Prevention for Endpoints; Malware Detection Service; Rule Engine; Behavior Analysis]
VALUABLE DATA FOR ANTI-FRAUD ENGINES
Kaspersky Fraud Prevention can provide additional data for anti-fraud systems:
• Presence of applications for remote access (RDP, VNC, etc.)
• Usage of physical mouse or keyboard while sending the transaction
• Attempts to modify banking application
• Presence of vulnerable software
[Diagram labels: Kaspersky Fraud Prevention for endpoints; Kaspersky Fraud Prevention SDK (Mobile SDK); Anti-Fraud System]
PROTECTION AGAINST ONLINE-BANKING ATTACKS
[Diagram labels: Phase #1 Credentials Stealing (optional); With Malware; Without Malware; Web page modification (web-injects); Keylogging / Screenshotting / Modifying DNS; Social Engineering + Phishing Site; Phase #2 Making Fraud Transaction; Attacker’s PC; Using stolen credentials (incl. OTPs); User’s infected PC; Remotely (Sending POST request); Manually (via RDP session); Social Eng. + Web-Injects (Spyeye Chiptan case); Kaspersky Fraud Prevention for Endpoints; Kaspersky Clientless Engine]
KASPERSKY FRAUD PREVENTION: MATURE TECHNOLOGY WITH MILLIONS OF USERS WORLDWIDE
• Leading bank in Ecuador, 750,000 online users covered
• KFP technology was introduced by Kaspersky Lab in 2011
• Now used by 30M endpoint users of Kaspersky Lab products
MAJOR BENEFITS FOR BANKS
• Minimizes the number of security incidents due to targeted attacks against online banking users
• Minimizes financial risks
• Increases customer loyalty and awareness of threats
• Provides competitive advantage
• Motivates customers to use remote banking on different platforms: Windows, Mac OS X, Android, iOS
• Improves compliance with legal regulations
• Additional communication with clients
TECHNICAL BENEFITS FOR BANKS
• Provides multi-layered security for any kind of online transaction on PC, Mac, iOS and Android
• Dynamic and real-time: cloud updates keep you ahead of the threats
• One of the lowest levels of false positives in the industry, proven by independent tests
• Global vision and deep insight into security incidents through intelligent reporting
• Kaspersky Intelligence skills and knowledge are transferred to your security experts through training and consulting
• Compatibility with antivirus software
Cloud
DEMAND MORE
Demand a higher level of security from your bank
THANK YOU FOR YOUR ATTENTION
Petr Zahálka
Avnet s.r.o.
602 354 836