
Enemy identification and deterrence
Criminals like to go where the money is. Increasingly, that means
online. Here's how to beat them.
In any assessment of online security solutions we need to ask who
or what we are protecting against.
The range of people who threaten us includes:
• Hackers, who break through security, steal customer lists,
private information, and vandalise databases;
• Fraudsters, who impersonate the bank website, steal passwords
and account numbers, execute transactions and transfer money; open
accounts, and spend credit lines before vanishing;
• Employees, who steal intellectual capital and customer data
for resale or abuse.
There are three main types of fraud attack:
• Identity theft, where I pretend to be you and apply for
credit;
• Credential theft, where I use a phishing attack to trick
you into revealing your password (or I steal your diary) and then
withdraw funds from your account; and
• Session hijack, where I use a man in the middle or Trojan
attack to take over a valid user session and withdraw funds or otherwise
misrepresent myself to my advantage.
There are three defences:
1. Customer education — don't put credit card bills into the
recycling bin at work; don't respond to unsolicited emails; and
don't reveal your password in return for a Mars Bar (which seems
to be the going price).
2. Activity monitoring — monitor network activity, email and
payment transaction traffic, look for anything that is out of
character, and when you find it, investigate with guns blazing.
If nothing else, knowing you are vigilant might put off the bad
guys.
3. Strong authentication — strengthen the way in which customers
authenticate to the bank, and authenticate the transaction too,
not just the user.
In adopting strong authentication against credential theft, use
two-factor authentication: a device that generates a one-time
password (OTP), with the one-time code delivered or confirmed
through a second channel. The bank must reject a code that has
already been used, including one that was phished and replayed;
that is what makes it one-time.
These common sense solutions are already well-established for secure
remote access by employees and used widely in B2B banking. As a
result more and more companies are considering them for consumer
banking.
Helping the trend are several innovations such as the standardisation
of OTP algorithms and the growing use of EMV chip-and-PIN smartcard
authentication.
The standardisation of OTP algorithms is being driven by the OATH
initiative. OATH is an industry-wide collaboration to develop an
open reference architecture, by leveraging existing open standards,
for the universal adoption of strong authentication.
RSA, the encryption firm, has reacted with its proprietary OTPS
initiative. But OATH removes the tie-in to a single supplier, which
should help commoditise the device and allow the proliferation of
different form factors such as mobile phones and personal organisers.
It also means that the authentication server and devices can be
sourced separately.
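The following is an added example, not code from the article or from OATH. It implements the OATH HOTP algorithm as published in RFC 4226, which is the open OTP algorithm the OATH initiative standardised, together with the server-side check that makes a code genuinely one-time. The secret is the RFC 4226 test key; the HotpVerifier class and its look-ahead window of ten are assumptions of this example, not part of the standard.

```python
import hashlib
import hmac
import struct

# Added example (not from the article or OATH): RFC 4226 HOTP plus a
# server-side verifier. RFC4226_SECRET is the test key from RFC 4226
# Appendix D; the verifier design is this example's own assumption.

RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    msg = struct.pack(">Q", counter)  # counter as an 8-byte big-endian integer
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the shared key and the last
    counter value that was accepted (assumed design, not RFC text)."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1  # nothing accepted yet
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Only counters strictly above the last accepted one are tried, so a
        # code that was already used (for example phished and replayed) fails.
        # The window tolerates presses on the token the server never saw.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resynchronise to the token's counter
                return True
        return False
```

The first ten codes for the RFC 4226 test key (755224, 287082, 359152, ...) can be checked against Appendix D of the RFC. The verifier never accepts a counter at or below the one it last accepted, which is the property that turns a password that can be phished into one that is useless after a single use; a real deployment also throttles attempts, as RFC 4226 recommends, since a six-digit code is guessable given enough tries. Delivering or confirming the code over a second channel, as the text recommends, is a property of the transport rather than of the algorithm.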
Chip authentication programme
MasterCard's Chip Authentication Program (CAP) is a published standard
for using an EMV-enabled payment card for user authentication. The
card reader and EMV card generate an OTP or transaction signature
that is used to verify the customer over the internet or to a call
centre, or to authorise "card not present" payments.
It can also authenticate the customer for internet or phone banking
services.
Nor is the technology restricted to chip-and-PIN cards: just 20%
of the 1.5 billion SIM chips in 2005 were earmarked for the financial
services sector, primarily to meet the EMV security standard, says
the Meta Group.
What about Visa? Visa has completed but not yet published a CAP
equivalent. A "harmonised with MasterCard CAP" Visa CAP
standard, ratified by APACS, was expected by the summer of 2005.
It is not clear whether Verified by Visa will adopt the Visa CAP
standard, but it appears likely.
Some of the more sophisticated attacks are those that in effect
hijack the communications session. There are several types.
In the man in the middle (MIM) attack, a customer logs into the MIM
website, believing it to be the bona fide internet banking site. The
MIM website forwards the log-in request to the real internet banking
website. Once the customer is logged in, the MIM site is free to
execute fraudulent transactions in the customer's name.
Trojan attacks work slightly differently. First the fraudster
has to persuade the customer to install the Trojan software, and
there are several techniques that tempt one to do this. When the
customer logs in to his or her online bank, the Trojan that infects
the customer's computer initiates fraudulent transaction requests
from inside the legitimate session.
There are defences against session hijacks. But because the fraudulent
transaction is executed from within a valid user session, stronger
user authentication on its own does not protect against these forms
of attack.
To prevent the MIM you need to establish a secure tunnel between
client and server. Then you need to authenticate the transaction
itself, and verify it using a different channel.
To authenticate a transaction using EMV, the customer selects the
signature application on the ActivReader, enters the account number,
chooses the currency and the transaction amount, and then enters the
card PIN. On entry of the correct PIN the device generates a transaction
signature code, computed over those transaction details, which the
customer enters to prove their authority to execute that transaction.
Because the code is bound to the account, currency and amount, a
transaction that an MIM has altered in transit no longer matches the
signature.
To verify the transaction via a different channel, the customer
logs into their online bank and asks to execute the transaction.
The bank then confirms the transaction details in an SMS that carries
a confirmation code linked to those details. The customer checks that
the details in the SMS match what they intended, since an MIM or Trojan
may have changed them, and then enters the confirmation code to trigger
the transaction.
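As an added example, not from the article and not the EMV/CAP cryptogram itself, the following Python shows the transaction signing and verification described above in simplified form. An HMAC over the keyed-in fields stands in for the cryptogram the card would compute, the counter stands in for the card's transaction counter, and the card key, PIN, account numbers and amounts are all constructed for the demonstration. It shows why a transaction signature defeats an MIM where stronger user authentication alone does not: the bank recomputes the code over the transaction as it actually received it, so a beneficiary account altered in transit fails verification, and a code that was already used is rejected.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not the article's or MasterCard's code: a simplified
# stand-in for EMV/CAP "sign" mode. The key, PIN, accounts and amounts
# below are constructed for this demonstration.


def canonical(account: str, currency: str, amount: str, counter: int) -> bytes:
    # Fixed field order and a separator that cannot occur in the fields, so
    # that digits cannot be shifted between fields to turn one signed
    # message into a different valid one.
    for field in (account, currency, amount):
        if "|" in field:
            raise ValueError("separator not allowed in a field")
    return "|".join([account, currency, amount, str(counter)]).encode()


def signature_code(key: bytes, msg: bytes, digits: int = 8) -> str:
    """Reader-displayable decimal code derived from HMAC-SHA-256 (stand-in for the cryptogram)."""
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class SigningDevice:
    """Card plus reader: a secret key, a PIN and a transaction counter."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self.counter = 0

    def sign(self, pin: str, account: str, currency: str, amount: str) -> Optional[str]:
        if not hmac.compare_digest(pin, self._pin):
            return None  # wrong PIN: the device produces no code
        self.counter += 1  # each signature is unique, like an incrementing ATC
        return signature_code(self._key, canonical(account, currency, amount, self.counter))


class Bank:
    """Holds the same key and the last counter it accepted, and recomputes
    the signature over the transaction exactly as the bank received it."""

    def __init__(self, key: bytes, window: int = 5):
        self._key = key
        self.last_counter = 0
        self.window = window

    def execute(self, account: str, currency: str, amount: str, code: Optional[str]) -> bool:
        if code is None:
            return False
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = signature_code(self._key, canonical(account, currency, amount, c))
            if hmac.compare_digest(expected, code):
                self.last_counter = c  # consume the counter so the code cannot be replayed
                return True
        return False


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo card key").digest()  # constructed, not a real key
    device = SigningDevice(key, pin="4321")
    bank = Bank(key)

    # 1. Honest transfer: the code the customer keys in matches what the bank sees.
    code1 = device.sign("4321", "12345678", "GBP", "250.00")
    honest = bank.execute("12345678", "GBP", "250.00", code1)

    # 2. Replay of the code already used for transaction 1.
    replay = bank.execute("12345678", "GBP", "250.00", code1)

    # 3. MIM inside a valid session: the customer signed a transfer to
    #    12345678, but the request reaching the bank names the fraudster's account.
    code2 = device.sign("4321", "12345678", "GBP", "250.00")
    altered = bank.execute("99999999", "GBP", "250.00", code2)

    # 4. Wrong PIN: the reader gives the fraudster nothing to submit.
    code3 = device.sign("0000", "12345678", "GBP", "250.00")

    return {"honest": honest, "replay": replay, "altered": altered, "wrong_pin": code3 is None}
```

Case 3 is the whole point of signing the transaction rather than the login: a login OTP says nothing about which account the money goes to, so the MIM's altered request would pass, whereas here the bank's recomputation over the account it was actually given does not match. The SMS confirmation described above works on the same principle from the other direction, by showing the customer the transaction as the bank sees it.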
To summarise, there are different types of attack, mainly identity
theft, credential theft and session hijack. Technology solutions combined
with customer education can reduce the risk these pose to acceptable
levels, provided they are implemented as part of a security strategy
rather than as a point solution to the latest threat.