Since 2004 the popularity of online banking has been rising rapidly. Hackers, fraudsters, cybercriminals and other individuals with malicious intentions present heavy threats to online banking. These people have led banks to adopt internal and external security countermeasures; some of the internal measures include deploying multiple defense layers, DMZs, filters, firewalls, intrusion prevention systems, honey pots, packet analyzers and so on. On the external level, banks were able to impose some security features on their clients, including strong passwords, two-factor authentication, tokens, virtual keyboards, secure socket layer (SSL) encryption, and awareness guides.
When these cybercriminals realized that targeting banks had become laborious and would require lots of time and effort, they switched to the weaker link, the USER, the person using the online banking service.
Therefore a new attack emerged, the Man In the Browser (MITB) attack, an attack that threatens current online banking systems not by confronting the top-notch security implemented by banks but by targeting the less aware and vulnerable end users.
Two-Factor Authentication
Two-factor authentication, also known as two-step verification, is a process involving two stages to verify the identity of a person trying to access services on a computer or in a network. One of these is typically something memorized, such as a security code, password or PIN, and the other is a one-time password (OTP) generated by a physical token, such as a card, or delivered by mobile verification (SMS).
Since this method elevates the level of security and decreases the incidence of identity theft, it has been adopted not only by financial institutions (online banking) but also by several online service providers (social media, cloud storage and email services).
The adoption of TFA (Two-Factor Authentication) significantly decreased fraud figures in the last two years. For example, if a hacker succeeded in uncovering a customer's login password, either by cracking it with commonly used technical tools regardless of its strength and complexity, or by stealing it through spear phishing, the hacker would not be able to proceed without supplying the online banking website with the verification OTP that is sent to the customer's personal mobile phone (SMS). In this case the hacker, in addition to holding the first password, needs access to the customer's mobile phone to use the received code in order to proceed with any transaction.
Moreover, TFA provides an elevated sense of security to the customer and to the issuing financial institution. But then the MITB attack was introduced.
MITB: Man-In-The-Browser-Attack
Man in the Browser, a modified version of the notorious Man in the Middle attack, is a form of internet threat introduced to the victim's system using malware, mainly a Trojan, that infects the web browser by taking advantage of vulnerabilities in browser security. It aims to modify web pages and transaction content, or even insert additional transactions. All of these modifications are done in a completely covert fashion, invisible to both the user and the host web application. An MITB is created to intercept data as it is transmitted over the secure communication channel between the victim and the online application; because the Trojan operates inside the browser, it sees and alters the data after SSL decryption, which is why transport encryption alone does not stop it. The Trojan responsible for the infection hides itself deep in the browser code and can be programmed to launch itself when the user accesses a specific online banking website.
The malware responsible for infecting a user's PC is usually introduced to the victim's system when the user is tricked into clicking on an applet placed in a fraudulent website; usually this applet claims that an update or some so-called add-on is needed to view undisplayed content. Upon clicking on this applet, a script is executed allowing the malware to run and accordingly infect the browser.
When an MITB attack is running, it has the ability to intercept, manipulate and modify the contents of online banking web pages, for example by adding extra fields, in order to trick and outsmart second-factor authentication mechanisms.
Two well-known examples explain the situation clearly:
Example 1: When a user with an infected browser initiates a transaction, the attacker has the ability to change several parameters of this transaction, including but not limited to the amount or the beneficiary, while the victim's browser still displays the original and correct information, tricking him into believing that he has entered valid data. Thus the user inputs his authentication credentials along with the OTP generated for this transaction and submits the transaction for processing. The attacker can even modify the statement of accounts in order to make the user believe the legitimate transaction is being processed.
Example 2: Some online banking services require the user to enter more than one OTP while processing his request: one at the login page to verify the user's identity, another when the transaction is submitted, or even when the online banking page has been idle for a long time. The attacker takes advantage of these prompts to trick the user into generating an OTP and entering it into a field totally controlled by the attacker, thereby obtaining an unused, ready-to-use OTP. The attacker then uses this newly generated OTP to conduct a fraudulent transaction with the victim's correct credentials.
In both examples, the banks involved cannot detect that the transactions are fraudulent, since they appear to originate from the authentic customer himself, and therefore these transactions will be processed normally and flagged legitimate.
So, to sum up, the basic flow of a Man in the Browser attack:
- A customer gets infected by a Trojan designed to launch an MITB attack.
- When the customer initiates an online transaction, the Trojan is activated.
- The victim enters all the credentials and authentication codes required.
- The Trojan modifies the transaction details.
- The Trojan tricks the user by displaying fake pages showing the transaction details originally entered by the user.
MITB attacks are not targeted at one region or geography; they are a global threat affecting all regions. Since they are hard and expensive to conduct, they are usually performed by well-funded and well-organized cybercriminals. These criminals mostly target clients or accounts with a high volume of transactions and multi-user authorizations: accounts that are managed by multiple users within an organization.
MITB Mitigation
Ensuring user confidentiality and the integrity of their online banking services, as well as reducing the financial impact caused by online fraud, are of high importance to financial institutions. Although hackers will keep finding technical and non-technical ways to conduct fraudulent and malicious activities, there are some concepts and methods, in the case of MITB, that could reduce the financial impact.
The first would be implementing Out-Of-Band (OOB) Authentication and Transaction Verification. OOB requires that authentication and transaction verification are performed outside the customer's web browser and essentially outside the customer's PC. A common form of OOB authentication is delivering an SMS OTP along with the details of the transaction, allowing the user to review and confirm those details before entering the OTP into his PC browser. If the Trojan has altered the amount or the beneficiary, the SMS shows the altered values and the customer can refuse to enter the code.
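To make the OOB idea concrete, here is an added example (not from the article or any bank's product) of the bank-side logic, assuming a hypothetical OobVerifier class: the SMS carries the details as the bank received them plus a code bound to those details, so a code confirms only the transaction it was issued for.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    account: str
    beneficiary: str
    amount_cents: int
    currency: str

    def canonical(self) -> bytes:
        # Fixed field order, so identical details always give identical bytes.
        return f"{self.account}|{self.beneficiary}|{self.amount_cents}|{self.currency}".encode()

class OobVerifier:
    """Bank-side out-of-band verification (hypothetical design): the OTP is an
    HMAC over the details the customer reviews in the SMS, so a code issued for
    one transaction cannot confirm a different one."""

    def __init__(self, secret: bytes, digits: int = 6):
        self._secret = secret
        self._digits = digits
        self._pending: dict[str, Transaction] = {}  # challenge id -> details sent by SMS

    def _otp_for(self, challenge_id: str, tx: Transaction) -> str:
        msg = challenge_id.encode() + b"|" + tx.canonical()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10 ** self._digits).zfill(self._digits)

    def issue(self, tx: Transaction) -> tuple[str, str]:
        """Record the transaction as the bank received it and build the SMS text;
        a Trojan-altered amount or beneficiary is visible to the customer here."""
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = tx
        otp = self._otp_for(challenge_id, tx)
        sms = f"Transfer {tx.amount_cents / 100:.2f} {tx.currency} to {tx.beneficiary} from {tx.account}. Code: {otp}"
        return challenge_id, sms

    def confirm(self, challenge_id: str, submitted: Transaction, otp: str) -> bool:
        """Accept only an unused challenge whose OTP matches the details finally
        submitted; any change between the SMS and the submission fails."""
        if challenge_id not in self._pending:
            return False
        if not hmac.compare_digest(self._otp_for(challenge_id, submitted), otp):
            return False
        del self._pending[challenge_id]  # one-time use
        return True
```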
The second method would be implementing an enforced secure browsing environment. For example, some financial institutions provide their users with portable web browsers stored on USB authentication tokens. The USB flash device is set to "Read Only", which prevents any user, malicious attacker or software from modifying the data stored on it, so no infection can reach the stored portable browser application. Moreover, this trusted browser can be pre-configured by the bank to open specific internet pages and block any attempt to navigate to other, unassigned sites.
Another effective method to mitigate risks arising from MITB is behavior-based fraud detection. User profiling creates a baseline of normal behavior so that abnormal behavior can be detected and the user alerted before an actual transaction takes place. For example, if a bank detects that an online banking customer is conducting an abnormal and unusual transaction (perhaps using a new beneficiary, a currency not used before, a new location from which the online banking session is established, etc.), it will stop the transaction and require direct intervention from the user to verify its validity, whether by SMS, email or even a phone call. The bank's systems will learn the patterns and behavior of this user in order to improve their screening process.
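As an added illustration of such profiling (not the article's or any bank's system), the following Python assumes hypothetical Tx and UserProfile types and scores a transaction against the signals listed above; the weights, threshold and customer history are constructed sample values.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass(frozen=True)
class Tx:
    beneficiary: str
    amount: float
    currency: str
    country: str  # country the online banking session was established from

# Weight of each deviation from the baseline (assumed values for illustration).
WEIGHTS = {"new beneficiary": 2, "new currency": 1, "new session location": 2, "unusual amount": 2}
HOLD_THRESHOLD = 2  # at or above this score the transaction waits for OOB verification

@dataclass
class UserProfile:
    """Baseline of one customer's normal behaviour, built only from verified transactions."""
    beneficiaries: set = field(default_factory=set)
    currencies: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

    def learn(self, tx: Tx) -> None:
        self.beneficiaries.add(tx.beneficiary)
        self.currencies.add(tx.currency)
        self.countries.add(tx.country)
        self.amounts.append(tx.amount)

    def score(self, tx: Tx) -> tuple[int, list[str]]:
        """Risk score plus the reasons behind it; each signal the article lists adds weight."""
        reasons = [label for label, value, known in (
            ("new beneficiary", tx.beneficiary, self.beneficiaries),
            ("new currency", tx.currency, self.currencies),
            ("new session location", tx.country, self.countries)) if value not in known]
        # The amount check needs some history; 3 standard deviations above the mean is unusual.
        if len(self.amounts) >= 3 and tx.amount > mean(self.amounts) + 3 * max(pstdev(self.amounts), 1.0):
            reasons.append("unusual amount")
        return sum(WEIGHTS[r] for r in reasons), reasons

def decide(profile: UserProfile, tx: Tx) -> str:
    """'process' if the transaction fits the baseline, 'hold' if the customer must confirm it out of band."""
    score, _ = profile.score(tx)
    return "hold" if score >= HOLD_THRESHOLD else "process"

def build_demo_profile() -> UserProfile:  # constructed sample history, not real transactions
    profile = UserProfile()
    for tx in (Tx("Landlord", 1200.0, "USD", "LB"), Tx("Utility Co", 90.0, "USD", "LB"),
               Tx("Landlord", 1200.0, "USD", "LB"), Tx("Grocer", 150.0, "USD", "LB")):
        profile.learn(tx)
    return profile
```

A held transaction that the customer confirms should then be fed back through learn(), which is how the baseline improves over time.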
There are several ways to fight MITB attacks, but the most effective one is user awareness. Total dependence on technical measures is insufficient. When entering into an online banking agreement with their customers, banks should provide adequate training, materials and even awareness quizzes and instructions that aim to educate the user to spot any inappropriate or malicious activity being conducted on his PC, and in his browser specifically. Banks should acknowledge that protecting their security must extend beyond their perimeter to reach the client side.
Finally, a combination of customer awareness and education, the correct and appropriate use of alerting systems, and keen behavior screening and monitoring systems can provide the online banking industry with effective protection against MITB attacks. Although these protective measures will not guarantee a safe and fraud-free environment, they will significantly lower the risk of being bitten by a malicious attacker.
This article is cross posted in the Lebanese "Certified Accountant" Magazine issue 52 - Year 2014