SecTor: Towards a more secure online banking
DESCRIPTION
My presentation on securing online banking at SecTor. Covers two-factor authentication for sessions, mutual https authentication: http://www.wikidsystems.com/learn-more/technology/mutual_authentication and transaction authentication: http://www.wikidsystems.com/learn-more/technology/transaction_authentication
TRANSCRIPT
Page 1
Towards a more Secure Online Banking Experience
Nick Owen
October 2009
@wikidsystems
Page 2
Where are we going? And why are we in this hand-basket?
Page 3
Authentication
Evil Princess Duck Bot Sweet Chicky Chirpalot
Page 4
Session Authentication
• Static Passwords
• Machine authentication
  – Spoof-able
• Two-factor authentication
  – Tokens
  – SMS
Page 5
Mutual/Host Authentication
• Image-based
  – Subject to MITM attacks
  – Highly annoying
  – Fall back to 20 questions
• Programmatic SSL cert validation
  – Similar to SSH
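The "similar to SSH" idea on this slide is that the bank's client software, not the user, checks the server's certificate against a pin it learned earlier, and fails closed on any change. The following is an added example (written for this page, not WiKID's or the deck's code) of an SSH known_hosts style pin store in Python: trust on first use, then hard failure on a fingerprint mismatch, layered on top of normal CA validation. The host name, the JSON store path and the DER byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import json
import os
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class KnownHosts:
    """SSH known_hosts-style pin store: host -> certificate fingerprint.

    Trust on first use, then hard-fail on any change. `path` is a
    hypothetical JSON file; pass None to keep the store in memory only.
    """

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f)

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'new' (pinned now), 'match', or 'mismatch'."""
        fp = cert_fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self._save()
            return "new"
        if hmac.compare_digest(pinned, fp):
            return "match"
        return "mismatch"


def connect_pinned(host: str, known: KnownHosts, port: int = 443, timeout=10):
    """Open a TLS connection and refuse it unless the presented leaf
    certificate matches the pin. Chain validation still runs first
    (create_default_context), so this is pinning on top of the CA check,
    not instead of it. Network call; not exercised by the offline demo."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    result = known.check(host, der)
    if result == "mismatch":
        tls.close()
        raise ssl.SSLError(
            f"certificate for {host} changed: expected {known.pins[host]}, "
            f"got {cert_fingerprint(der)}")
    return tls, result


# Constructed stand-ins for DER certificate bytes (not real certificates);
# the pin store only needs the raw bytes.
FAKE_BANK_CERT = b"\x30\x82\x01\x00bank-cert-v1"
FAKE_MITM_CERT = b"\x30\x82\x01\x00mitm-cert"


def demo():
    """First contact pins the bank cert; a repeat matches; a different
    cert for the same host (a MITM proxy, or an unplanned rotation) is
    refused rather than left to the user's judgement."""
    known = KnownHosts()  # in-memory store
    first = known.check("bank.example", FAKE_BANK_CERT)   # 'new'
    again = known.check("bank.example", FAKE_BANK_CERT)   # 'match'
    mitm = known.check("bank.example", FAKE_MITM_CERT)    # 'mismatch'
    return first, again, mitm


if __name__ == "__main__":
    print(demo())
```

The check is done by code, so unlike the image-based schemes above there is no "fall back to 20 questions" path for a phisher to exploit. The operational cost is certificate rotation: a client that pins the leaf must ship a new pin (or pin the issuing key instead) before the bank rotates, or legitimate users get the mismatch error.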
Page 6
Transaction Authentication
• One-time passwords
• Call-back system
• SMS
• Digital Signing
Page 7
What's the current situation?
Page 8
Zeus!
Page 9
Defeating Zeus
• Anti-fraud measures
• Transaction authentication via call-back, SMS or other cryptographically distinct method
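What the "Transaction Authentication" slide and the "Defeating Zeus" slide have in common is that the code the user supplies must be bound to the transaction details (amount, destination) and to a single bank-issued request, and must be produced on a channel the browser malware does not control. As an added example (written for this page, not WiKID's or the deck's code), here is that binding in Python: the second-channel client computes a code over the details the user confirms, the bank recomputes it over the transaction it actually received, and any field rewritten by a man-in-the-browser makes the two disagree. The deck's "Digital Signing" variant would use an asymmetric key pair; this example uses HMAC-SHA256 so it runs on the standard library alone. The secret, account numbers and amounts are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-user secret shared between the bank and the user's
# second-channel client (phone app or token). A real deployment would use a
# per-user asymmetric key (the deck's "Digital Signing"); HMAC is used here
# so the example needs nothing beyond the standard library.
USER_SECRET = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def canonical(txn: dict) -> bytes:
    """Fixed-order, unambiguous encoding of the fields the user confirms.
    Amount is in minor units (cents) to avoid float/locale ambiguity; the
    challenge id binds the code to one bank-issued request."""
    return "|".join([
        "v1",
        txn["challenge"],
        str(int(txn["amount_cents"])),
        txn["currency"],
        txn["dest_account"],
    ]).encode()


def transaction_code(secret: bytes, txn: dict, digits: int = 8) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA256 over the canonical
    transaction, giving a short code a user can type from a phone."""
    mac = hmac.new(secret, canonical(txn), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def bank_issue_challenge() -> str:
    """Bank side: a fresh challenge id sent to the second channel along with
    the transaction details, so a code cannot be replayed for a later
    payment."""
    return secrets.token_hex(8)


def client_confirm(secret: bytes, shown: dict) -> str:
    """Second-channel side: the user reads `shown` (amount, destination) on
    the phone and approves; the client computes the code over exactly those
    details. Nothing coming from the browser session is trusted here."""
    return transaction_code(secret, shown)


def bank_verify(secret: bytes, received: dict, code: str) -> bool:
    """Bank side: recompute over the transaction the bank actually received
    from the browser. If malware altered any confirmed field in transit, the
    code the user produced for the real details will not match."""
    expected = transaction_code(secret, received)
    return hmac.compare_digest(expected, code)


def demo():
    """Returns (honest_ok, attack_ok, replay_ok)."""
    challenge = bank_issue_challenge()
    intended = {"challenge": challenge, "amount_cents": 125000,
                "currency": "CAD", "dest_account": "001234567"}
    # Zeus-style man-in-the-browser: silently rewrites the destination.
    tampered = dict(intended, dest_account="009876543")

    # Honest flow: the bank received what the user typed; the phone shows
    # the same details and the code verifies.
    code = client_confirm(USER_SECRET, intended)
    honest_ok = bank_verify(USER_SECRET, intended, code)

    # Attack flow: the bank received `tampered`, but the code was computed
    # over the details the user actually confirmed, so verification fails.
    attack_ok = bank_verify(USER_SECRET, tampered, code)

    # Replay: the same code presented against a fresh challenge is rejected.
    replay = dict(intended, challenge=bank_issue_challenge())
    replay_ok = bank_verify(USER_SECRET, replay, code)
    return honest_ok, attack_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the slide makes: a one-time password that is merely a second login factor does nothing against Zeus, because the trojan lets the user authenticate and then changes the transaction. The code has to be a function of the transaction, and the channel that shows the user what they are approving has to be a different device. Where the second channel is SMS rather than an app, the bank sends the details plus the code and the user's job is to read them; that is where the later slides on A5/1 and SMS attacks come in.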
Page 10
Are we done yet?
• Call-back
  – Scalability, calls per second?
  – Costs
  – Metasploit VoIP war-dialer
• Attacks on SMS
  – Paris Hilton's secret question
  – Nokia 1100 phones
Page 11
Open Source A5/1 Rainbow Tables!
Page 12
Throw this in the mix
Mobile Banking!
Page 13
How can this be a good thing?
• Chance to deploy a client
• Defeat of A5/1 means public key encryption
• Most mobile users will also be PC users
• Confirm transactions made in one on the other
• Extremely difficult to break real two-channel banking
Page 14
If the problem is...
• Stolen passwords
  – The answer is strong session authentication
Page 15
If the problem is...
• MITM attacks
  – The answer is strong mutual https authentication
Page 16
If the problem is...
• Malware
  – The answer is transaction authentication via a second channel
Page 17
But those are not the problems
• The problem is a determined, persistent, motivated attacker
• So, what's needed is a forward-thinking, security-focused, responsive, banking software industry
Page 18
Why aren't we here already?
• Banks don't want to develop software
• Marketing over security
• Banks fear support costs of online banking
• Duopoly in Personal Financial Software
• Monopoly in Aggregation
Page 19
How about: Bankforge.net?
• Open source site for OFX applications
• Supported by the banks. Bounties? Prizes?
• Plenty of FI organizations that could promote/manage such a site
• Minimal support costs
• Increase competition for Aggregation & Personal Finance software
Page 20
Financial Aggregation
[Diagram, labels only: Personal Finance Software; OFX over SSL; Aggregator; Public Key Encryption; Two-factor Authentication; Transaction Authentication]
Page 21
Principles
• Rely on well-tested security principles
• Don't rely on the security of 3rd parties
• Maximize the user's understanding of what's going on
• Use public key encryption!
Page 22
Browser Improvements
• Site-specific browser
• Content Security Policies
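A Content Security Policy only helps a banking site if the policy actually forbids the things an injected script needs. As an added example (written for this page, not the deck's material), here is a small Python checker that parses a Content-Security-Policy header value and flags the settings that defeat it, run over a constructed weak policy and a constructed hardened one. The policies and the nonce value are made up for illustration.

```python
# Fetch directives whose source lists the checker inspects for wildcards.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "object-src", "frame-src",
}


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy header value into
    {directive-name: [source expressions]}. A directive that appears
    twice is honoured only the first time, as browsers do."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def effective(directives: dict, name: str) -> list:
    """Source list in force for `name`, falling back to default-src."""
    return directives.get(name, directives.get("default-src", []))


def csp_findings(policy: str) -> list:
    """Return human-readable weaknesses; an empty list means none found."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append(
            "no default-src: unlisted resource types are unrestricted")
    script = effective(d, "script-src")
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "data:"):
        if bad in script:
            findings.append(f"script-src allows {bad}")
    if "'none'" not in effective(d, "object-src"):
        findings.append("object-src is not 'none': plugin content can run")
    if "frame-ancestors" not in d:
        findings.append(
            "no frame-ancestors: page can be framed (clickjacking)")
    for name, sources in d.items():
        if name in FETCH_DIRECTIVES and name != "script-src" \
                and "*" in sources:
            findings.append(f"{name} allows any origin (*)")
    return findings


# Constructed policies for illustration: a permissive one of the kind that
# is easy to ship "to make the site work", and a hardened one.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *"
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; "
    "object-src 'none'; frame-ancestors 'none'; form-action 'self'"
)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_findings(policy) or "no findings")
```

One caveat a practitioner would want stated: CSP constrains content the browser fetches or is asked to execute, which covers XSS and scripts injected on the wire. It does not constrain a trojan such as Zeus that already runs inside the browser process and rewrites pages after the policy has been applied, which is why the deck pairs browser improvements with second-channel transaction authentication rather than offering them as a substitute.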
Page 23
UI Tweaks
• Transaction Mode!
• You could do this with client side asymmetric encryption
Page 24
OFX
Page 25
OFX?
Page 26
OFX on Sourceforge
“Hello Li.
I'm sorry nobody has responded; that probably means nobody is able to help you. As you might have figured out already, the community for the OFX protocol is kind of narrow. It probably has to do with the lack of interest from the banks in fostering such a community.”
Page 27
Can we have ATM-esque Security?
Page 28
Summary
• Banks need to implement transaction authentication via a 2nd channel ASAP
• Be careful relying on 3rd parties
• Use cryptography! Wisely...
• Involve the user
• Banks need to support the OFX community