Sunday, June 28, 2009

 

Who's hacking your PC?

New York, Moscow, Sao Paulo, Timbuktu – if a hacker is determined to empty your bank account, they can do it from the comfort of their own home.

Few crimes are so ethereal and work so effortlessly across international borders. Ask any law enforcer in the know: pinning down the epicentre of cybercrime is a notoriously difficult task.

Watch a Hollywood film and it'll depict hackers as fast-talking American kids: pale-faced, Coke-swilling, super-smart and capable of doing the impossible. This is, of course, a fiction.

If you were a career computer criminal, would you choose to base yourself in a country with mature computer crime laws and strong-arm enforcers? No. You'd want to be somewhere comparatively lawless. If you're looking for hackers, look east – towards China and Russia – and you'll be barking up the right tree.

That's what the analysts say. But even here myths and rumours get in the way. The Berlin Wall may have fallen but the KGB is still alive and clicking. Beijing has an army of hackers eyeing the West's data. Stories of dark doings and espionage at the keyboard abound. The truth, however, is hard to come by.

Take Russia. While there's no doubt that the ex-Soviet state is genuinely computer-savvy, is there any hard evidence that it poses a greater threat to your PC than, say, South America? In case you're wondering, Brazil is regarded as a leader in banking trojan technology.

Are the Russians phishing like there's no tomorrow? Or are security firms reviving Cold War paranoia in the hope of making 'the enemy' look bigger and uglier, all in order to sell us antivirus software? In this exclusive report, PC Plus magazine goes undercover in the hunt for cybercrime's epicentre.

The code war

Boris Miroshnikov seems almost proud of the criminals that he chases through cyberspace. He's a Lieutenant General with the Russian police's Department K, which fights domestic cybercrime. Speaking at the 2005 E-crime Congress in London, Miroshnikov told delegates: "Our software writers are the best in the world; that's why our hackers are the best in the world."

"You're right in thinking that Russia and Eastern Europe are playing a big role in organised webcrime," says Con Mallon, Symantec's Product Marketing Director for Europe, the Middle East and Asia. "Information made public by various arrests of underground economy groups suggests that groups in Russia and Eastern Europe are more organised and professional operations, and that they also possess greater abilities and manufacturing facilities to mass-produce physical credit and debit cards."

Many Russians have been convicted for cybercrime in the past decade. Vasiliy Gorshkov and Alexey Ivanov are from Chelyabinsk, 75 miles from the Kazakhstan border. In 2001, the FBI tricked them into visiting the USA, where they were arrested and charged with 20 counts of conspiracy, fraud and other offences.

In 2004, Department K broke up a criminal gang that had extorted money from nine British bookies, causing a total of over £45 million in lost business. In 2006, Ivan Maksakov, Alexander Petrov and Denis Stepanov were convicted of extorting more than £2 million from British companies using distributed denial of service (DDoS) attacks, after an international effort by Interpol, the FBI and the UK's now-defunct National High-Tech Crimes Unit.

During their six-month spree, the gang launched over 50 blackmail attempts in 30 countries. When UK based bookmaker CanBet Sports refused to pay the $10,000 demanded, the subsequent DDoS attack saw the company lose around £100,000 per day.

In May 2007, Estonia came under a concerted botnet DDoS attack that knocked out the tiny Baltic state's government, media and business websites, halting its largely web-based banking systems. Similarly, during the Russian invasion of Georgia last year, hackers poured DDoS traffic into the troubled country in order to knock out its infrastructure. But were these hackers Russian?

Reasonable doubts

Ken Munro is Director of the Penetration Testing Division of the National Computer Centre (NCC). "The people who do use botnets are extortionists, and we know there are huge volumes of compromised machines out there, synchronised, ready to run, and you can point them wherever you like," he says. "Who's to say that [the Georgian attack] wasn't another foreign power trying to undermine the Georgian government, and it just happened to coincide with the Russian attack?"

The problem with botnets is that the infected computers could be anywhere. As a result, it's difficult to quantify the amount of cybercrime originating from Russia. "I'm not going to give you a figure," says Munro. "The problem with all these things is that no one genuinely knows. And even with vendors who give you numbers, all they're relying on is what they perceive to be the source IP addresses. That means absolutely nothing, because anyone could use an open proxy on a compromised machine and relay their traffic to any other system in the world."

Even if you trace malicious traffic back to a single machine, it might not be the real source. "It could be some poor home user who's got an XP system sat there on the internet and doesn't know they're being used as a back door," confirms Munro. "So, there's almost no confidence in the statistics."

There's no denying that press reports of Russian hacker convictions are true and that they're on the rise, but there have also been plenty of non-Russian convictions over the last decade. Some of the crimes perpetrated by US and non-Russian European hackers have been very sophisticated.

Take Gabriel Bogdan Ionescu, for example. He's a 22-year-old Romanian currently serving three years in an Italian prison for setting up a cloned copy of the Italian Post Office's website and siphoning off money in a sophisticated phishing scam.

Meanwhile, in the US, Robert Moore was convicted of what, to most people, looked like an ingenious scheme to steal VoIP services and sell them through a second company. In an interview before he was due to start a two-year prison sentence, he described what he had done as being "so easy a caveman could do it". In all, Moore broke into 15 telecommunications providers and "hundreds" of private companies.

And Kiwi hacker Owen Walker, who was convicted in April 2008, managed to create a botnet of 1.3 million compromised computers as his part of a large online crime ring. The botnet was used to siphon off millions of dollars from unsuspecting users' bank accounts.

The now-infamous Estonian DDoS attack of 2007 was initially linked to the Russian government by the press. However, a subsequent investigation revealed that it had been perpetrated by an impromptu 'flashmob' who were angry at the removal of a Russian war statue in the Estonian capital Tallinn. Though the first person to be convicted of the attack, Dmitri Galushkevic, was Russian by birth, he lived in Estonia and attacked from within.

A hacker speaks

Not all hackers are convinced that Russia is the world's centre for cybercrime, either. Abdulrahman Alibrahim (also known as 'Earthquaker') is a hacker who calls himself a 'grey hat': he claims that he never acts with malicious intent.

Alibrahim talked exclusively to PC Plus through an intermediary. "To be honest about what's written ... I think that this is not true because computer crimes happen on a daily basis from all around the globe," he says. "[The existence of] computer crime depends on the reason it has been committed: for money, private information, threat or even for fun.

"In the end, a crime is a crime, no matter who committed it and where he is from," says Alibrahim. "But in my personal point of view, [people refer] to Russians in computer crime maybe because they are so talented."

This is a view echoed by David Emm of Kaspersky Lab. "Right now," he says, "though more stuff is coming out of China, the stuff coming out of Russia is probably more sophisticated because they tend to focus on the botnet as opposed to single attacks. One of the things we've looked at is whose resources are used to host malicious programs. That doesn't necessarily mean that they develop the programs, but again China comes out top in that list. The Russian Federation is actually number five. Though a lot of the stuff gets written in Latin America and Russia, the attacks aren't necessarily hosted on machines in those countries."

So, are crooked programmers writing malicious code for profit, selling it to criminals who then perpetrate electronic crime? Or do the criminals write their own programs? "It's both, actually," says Emm. "A lot of the attacks now are drive-by downloads. They're web-based. So they look for a compromised server somewhere and secrete their code in it, so that when you go to view the page you get infected automatically. And quite often it's done through an exploit bundle where they put together a composite script that will exploit a whole series of different applications, depending on what vulnerabilities the user might have. MPack is the name of one of the most common ones."

MPack is a PHP-based malware bundle that was created by Russian hackers in 2006. It's marketed to criminals as a commercial package that costs between $500 and $1,000. Frequent updates keep it one step ahead of antivirus software. MPack even comes with a management console that allows the botnet owner to keep track of how many computers have been infected, which browsers their owners were using at the time and which countries they're in.

Following the money

Last year, Mikko Hypponen – F-Secure's Chief Research Officer – called for an international organisation to fight cybercrime. The amount emanating from Russian soil is, he claims, less than you'd think: "As a rough estimate: a third," he told us. "Note that that's not just Russia by itself but pretty much all of the old Soviet Union: Russia, Ukraine, Belarus, Kazakhstan, Latvia, and so on."

"The two other main cybercrime hotspots are China and South America," says Hypponen. "Especially Brazil, which is the number one country in the world creating trojans affecting online banks."

David Emm of Kaspersky agrees. "It's difficult to put a categorical figure on it," he told us. "In terms of stuff we get in, it's probably China at the top, and that's more than 50 per cent. Next would be between Russia and Latin America. A lot of the banking trojans originate out of Latin America."

Roger Thompson, Chief Research Officer at AVG Technologies, believes that cybercrime is evolving into a threat that can come from anywhere: "While there are a lot of malware and web threats coming from Russia and China, there is also lots of activity in Turkey, Romania, Brazil and the US," he says.

"We expect that these threats will continue to spread and it will become increasingly difficult to establish who is behind them. This is not about infancy, but rather a maturity of cybercriminal gangs – the groups may be international and using infrastructure and websites from many different parts of the world. The only real way to find the perpetrators, like traditional bank robberies, is to follow the money."

But just like following a chain of IP addresses, following the money is difficult. "It often involves multiple countries, and there are many different layers and players in the malware industry, from the [software development kit] writers to the botnet masters and malware data resellers," says Thompson.

Other consultants we spoke to also aren't convinced about the size of the threat posed by Russian organised cybercriminals. The press makes claims for a Russian cybermafia-type organisation running cybercrime from behind the scenes. Is this the case?

"The plain and simple answer to this question is no. Personally, I believe this to be media hype," says Alex Constantinides, director and Security Consultant at MetaSec Security. "I believe that these claims are unfounded and unjust. I would love to see evidence that backs this statement up. Even if the statistics proved that the vast majority of cybercrime came from Russia, this is not evidence that the crimes committed are directly linked to the mafia."

So where does Constantinides believe that most online crime originates? "It is our belief at MetaSec that there is more high-tech crime coming from Asia than there is from Russia. On top of that, we hold no belief that this crime is run by the organised crime outfits like the Triad. No doubt the Triad probably have their part in it, but we do not believe they run it."

But could Russian cybercrime be linked to its more traditional mafia? Constantinides still isn't so sure. "The Russians in general are not small players in cybercrime by any means, but there's no way of knowing how many of the attacks that come from Russia are actually linked to the Russian mafia."

China caught red-handed

Shortly before PC Plus went to press, news broke that researchers at the University of Toronto's Munk Centre for International Studies had discovered a massive cyber-espionage network with strong links to China, with infected computers in 103 countries, including systems belonging to foreign governments.

Helped by Cambridge University, the group discovered a total of 1,295 compromised computers belonging to foreign ministries of countries as diverse as Bangladesh, Latvia and Iran. The discovery of the GhostNet cyber espionage network is just the latest in a trail of evidence pointing to the world's largest communist state.

"China is presently the world's largest internet population," says a recent report from the Information Warfare Monitor, a think-tank based at the University of Toronto. "The sheer number of young digital natives online can more than account for the increase in Chinese malware," it goes on. "With more people using computers, it's expected that China will account for a larger percentage of cybercrime."

China's economy has been especially hard hit by the current recession. At the CanSecWest security conference held in Vancouver in March, CEO of Beijing based Knownsec, Wei Zhao, said that the country's cybercrime industry is booming. He claimed that IT security researchers are beginning to sell network vulnerabilities rather than report them. "China is not only the world's factory, but also the world's malware factory," he said.

Perhaps the reason the West hears little about Chinese cybercrime is that the domestic pickings are huge; China has over 250 million computer users. But the annual McAfee Virtual Criminology Report shows that Chinese cybercriminals are branching out. "Thought to be a target because it houses the HQ of both the EU and NATO in Brussels, Belgium has had emails containing spyware sent to State departments. Similarly, India claims its government and private sector networks are under constant cyberattack," the report states. "The cyber-kingpins remain at large while minor mules are caught and brought to rights. Some governments are guilty of protecting offenders."

Regardless of which country houses the most cybercriminals, Munro warns that cybercrime could become even more organised in future. "I can almost guarantee that every power in the world of any significance has got [botnet] technology at their disposal," he told us.

 

Tuesday, June 23, 2009

 

Cyber Criminals Pouncing on Gaming Credentials

Webroot, an online security company, is alerting online gamers to be wary of cyber crooks who are increasingly seeking to steal users' gaming credentials.

Andrew Brandt, a security researcher at Webroot, indicated in a posting on the company's blog that Webroot's Threat Research Group had traced growth in such activity since the start of 2009, as reported by security watchdog on June 14, 2009.

Brandt indicated that there was a surprisingly large number of Trojans that phish for gamers' licence keys (the keys needed to run lawfully purchased games) as well as for the usernames and passwords used to log into online game accounts such as those for World of Warcraft.

Brandt further wrote on Webroot's threat blog on June 12, 2009 that Trojans with such a single purpose are extremely good at their task: they quickly and quietly transmit the harvested information to remote servers, which were typically, and somewhat astonishingly, located in China.

The researcher added that his organization knew all servers that were connected to these Trojans as well as what all information they were transmitting.

Meanwhile, security researchers say there are two categories of such phishing Trojans: Browser Helper Objects (BHOs) and Windows services. The Windows-service Trojans steal a wider range of information: they capture details as users type them into a given form, and they can also rummage through the system registry for stored credentials without the user noticing that anything is scrutinising it. The BHO Trojans, by contrast, only run inside Internet Explorer and essentially steal login details.

According to the researchers, the first malicious executable reaches a user's computer in several ways. Commonly the exploit is delivered through a malicious iframe injected into a web page; once the machine is infected, a large amount of further malware is pulled down onto it.

The attacks can get uglier still, because the downloaded payload is not always the phishing Trojan itself. Sometimes it is a downloader, which fetches further malware and sets off a fresh wave of infections.
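The injected-iframe delivery described above, and the compromised-server drive-by that David Emm describes in the MPack discussion earlier on this page, leave two tell-tales in the HTML that a defender can look for. The following scanner is an added example, not Webroot's code or anything from the original post: it flags iframes hidden by zero size or off-screen CSS, and script blocks that unpack a payload with document.write(unescape(...)), eval(unescape(...)) or String.fromCharCode. The page it scans is constructed for the example and example.invalid is a placeholder, not a real host.

```python
"""Hidden-iframe / obfuscated-script scanner for drive-by injection.

Added example, not code from Webroot, MPack's authors or this page. The page it
scans is constructed below; example.invalid is a placeholder, not a real host.
"""
import re
from html.parser import HTMLParser

# CSS tricks used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Unpacking idioms typical of obfuscated loader scripts.
OBFUSCATION = re.compile(
    r"document\.write\s*\(\s*unescape|eval\s*\(\s*unescape|String\.fromCharCode", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    @staticmethod
    def _tiny(value):
        # width/height of 0 or 1 pixel (with or without 'px') counts as hidden
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "iframe":
            if (self._tiny(a.get("width")) and self._tiny(a.get("height"))) \
                    or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw <script> body as data
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:40]))


def scan_html(html: str):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with two injected iframes and a loader script.
SAMPLE_PAGE = """<html><body>
<h1>Neighbourhood gaming forum</h1>
<iframe src="http://example.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.invalid/cgi/ld" style="position:absolute; left:-5000px; top:0"></iframe>
<script type="text/javascript">document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/x%22%3E%3C/iframe%3E'));</script>
<iframe src="https://video.example.invalid/embed/1" width="640" height="360"></iframe>
</body></html>"""

CLEAN_PAGE = "<html><body><p>Hello</p><script>var x = 1 + 1;</script></body></html>"

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:18} {detail}")
```

The visible 640x360 video embed is deliberately left alone: the point is that a hidden frame or a self-unpacking script has no business on a legitimate page, whereas ordinary embeds do. Real kits vary their tricks (encoded attribute values, frames built by DOM calls at runtime), so treat the patterns as a starting point and add hosts you know to be legitimate to an allowlist rather than loosening the rules.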

Brandt wrote that he could imagine how with little effort the attacks could potentially retrieve numerous account data.

 

Tuesday, June 16, 2009

Police say hacker stole phone time from AT&T, others

Philip Willan

June 12, 2009 (IDG News Service) An Italian magistrate has issued an international arrest warrant for a Filipino hacker suspected of causing millions of dollars of losses to telecommunications multinationals, and Italian police have arrested five Pakistani nationals accused of exploiting the hacker's work to defraud the telecom companies, officials in the northern city of Brescia said Friday.

The Filipino hacker allegedly penetrated the IT systems belonging to customers of major telephone companies, including AT&T, to steal access codes for international phone calls that he then sold to the group of Italy-based Pakistanis who ran a network of public phone centers. Police declined to identify the hacker by name, saying only that he was a 27-year-old male living in the Philippines.

The Pakistanis offered cut-price calls to their clients by piggy-backing on the PBXs (private branch exchanges) of commercial companies in the United States, Australia and Europe, Italian officials said. The Filipino hacker allegedly sold the access codes that enabled users to take control of the exchanges at US$100 per code, and the codes were then sold on to other users, they said. Some of the illegal profits were allegedly sent to finance the activities of Islamist extremists in Pakistan and Afghanistan, the officials said.

Police identified Zamir Mohammad, 40, the manager of a phone center in Brescia, as the principal buyer of the Filipino's allegedly illegally acquired access codes. Mohammad was responsible for exploiting the codes and selling them on to other telephone service operators in Italy and Spain, police said. On Friday the U.S. Department of Justice unsealed an indictment charging Mahmoud Nusier, 40, Paul Michael Kwan, 27, and Nancy Gomez, 24, all currently residing in the Philippines, with unauthorized computer access and wire fraud.

As well as making the arrests, police seized 10 phone centers Friday in northern and central Italy and raided 16 properties belonging to Pakistani and Moroccan nationals suspected of links to the telephone pirates.

The investigation began in May 2007 following a tip-off from the FBI that a group of hackers based in the Philippines had violated the IT security of major international phone companies. The group was allegedly headed by a Jordanian, Nusier Mahmoud, who was arrested at that time, Italian police said.

"Italy's antiterrorism police and the FBI are still investigating the group's activities in Spain and Switzerland," Brescia police spokeswoman Sara Del Rosario said in a telephone interview. During the five years the scam was operating, Mohammad allegedly sent some €400,000 (US$560,000) to an Islamic charity run by Jamal Khalifa, a brother-in-law of al Qaida leader Osama bin Laden, Del Rosario said. Khalifa, who was killed in Madagascar in 2007, was suspected, among other things, of funding the Abu Sayyaf group, an organization of Muslim extremists operating in the Philippines.

Many of the calls from the phone centers were made to conflict hotspots in the Middle East and Asia, Del Rosario said. "The stolen access codes offered the added advantage of anonymity to the callers, in violation of Italy's 2005 antiterrorism law," she said.

The biggest victim of the hackers was AT&T Corp., which estimated its losses to the organization since 2003 amounted to US$56 million, Brescia police said in a prepared statement. Other companies targeted by the group were not identified by name.

(Robert McMillan in San Francisco contributed to this report.)

 

Tuesday, June 9, 2009

Man made $112,000 in bank account hacking scheme

Robert McMillan

 June 5, 2009 (IDG News Service) A Hampton, New Hampshire, man has pleaded guilty to fraud charges for his role in a scheme to empty brokerage accounts by installing malicious Trojan horse software on victims' computers.

According to court documents, Alexey Mineev set up several "drop accounts" into which funds stolen from banking and brokerage accounts were wired between July and December 2007. He pleaded guilty to one count of money laundering on Wednesday, according to Mike Ruocco, deputy to Judge Paul Gardephe of the U.S. District Court for the Southern District of New York, who is presiding in the case.

The criminals would infect PCs with malicious Trojan software that would steal account numbers and passwords whenever victims logged into their accounts online. Authorities say that another conspirator, Alexander Bobnev, would e-mail Mineev screenshots of the hacked accounts showing how much money was being transferred into Mineev's drop account, along with instructions such as "Withdraw the money ... tomorrow."

Mineev would then move the cash, sometimes as much as US$10,000, to Russia, using services such as Western Union.

Trojans are malicious programs that users install on their computers, believing them to be benign. Hackers disguise them as things such as video codecs, screensavers, and even security patches.

Account theft is a growing problem for banks and brokerage firms. They want to keep offering customers low-cost online banking services but are also sustaining losses from international criminals. Once the money has been moved offshore, it is virtually impossible to recover, security experts say.

Fraudsters often try to recruit so-called money mules to move funds from hacked accounts overseas. Often these mules are unwitting participants in the scheme, believing that they are simply doing freelance payroll work for international companies.

When charges were filed against Mineev and Bobnev last November, the U.S. Department of Justice charged a third man, Aleksey Volynskiy of New York, with also setting up drop accounts and laundering stolen money. Bobnev, of Volgograd, Russia, reportedly is out of the reach of U.S. law enforcement in his home country.

Mineev faces as much as two years in prison and a fine as high as $40,000 on the charge. In his plea agreement, he said he would return the $112,000 he made from the scheme.

 

Wednesday, June 3, 2009

 


New Attack Blends SSL, 'Man-in-the-Browser' Vulnerabilities

Written by Jart Armin

Lately, Secure Sockets Layer (SSL, the "S" in HTTPS) has come under fire for undermining Web security. It has been said that it is no longer a secure system because certificate authorities were still signing certificates with MD5, a hash function for which practical collision attacks now exist. Therefore, the argument continues, it must be upgraded to combat new threats in the current Internet security climate.

In a recent interview, Taher Elgamal, the man credited with being an inventor of the SSL system, argues there is in principle nothing wrong with the SSL system. The fault, he claims, lies in the way browsers interact with SSL, thus ultimately making the issues attributed to the SSL failure a browser problem. He goes on to say, "Security professionals always struggle with the general public because usability always wins. When you get an expired certificate, the site owner or organization would always prefer to allow the user to do things rather than disallow. This is just an unfortunate fact."

What Taher is talking about is the human element, which occurs when we interact with our browsers and the options we are given for the sake of usability. Most users are inclined to click "Yes" if it promises to get us what we want, thus saving valuable seconds in viewing or interacting with a Website, even if it reduces security.

But a new form of blended attack has emerged in which the victim is socially engineered into becoming an unwitting agent in banking and commercial fraud. The technique combines SSL-forged Web pages with a man-in-the-browser (MIB) attack and can steal login credentials, account numbers and various other kinds of financial information. It pairs what is known as the Brazilian Banking Trojan with phishing to produce a window that overlays the real banking page in the browser. The trojan's presence is transparent to the user and does not interfere with normal use of the browser or PC.

More importantly, these new MIB crime engines now come with advanced Ajax scripting and JSON-based sniffers, which greatly improve the speed and efficiency of the attack. They can alter any content the Web browser receives before it is rendered to the customer, and they can also recalculate balances and erase or hide the fraudulent transactions from what the customer sees. The whole attack can even make the account balance appear normal, concealing any withdrawals made by the criminal.

The victims here aren't just individuals, but institutions as well. As much as $500,000 got lifted recently from the bank account of the Novato Sanitary District at the Bank of Marin in Northern California. As the manager of the utility company said, "We won't be doing pure electronic banking anymore." For several days they saw no loss of funds, until the online banking did not match the paper account.
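To make the engine described above concrete, here is an added example (not the article's code and not any real trojan) that models its two halves on a bank's JSON (Ajax) traffic: a sniffer that lifts credentials from the outgoing login request, and a rewriter that strips the transfer to the mule from the incoming statement and adjusts the displayed balance so nothing looks wrong. It ends with the reconciliation the Novato staff did by hand, comparing the bank's own record with what the online session showed. The bank API shape, field names, account identifiers and the statement are all constructed for the example.

```python
"""Model of a man-in-the-browser engine on a bank's JSON (Ajax) traffic, and the
out-of-band reconciliation that exposes it.

Added example; not the article's code and not any real trojan. The API shape, field
names, account identifiers and statement are constructed. Amounts are integer cents;
debits are negative.
"""
import json

MULE_ACCOUNT = "ACCT-MULE-9999"   # assumed drop account the fraudster wants hidden


def sniff_login(request_body: str) -> dict:
    """Sniffer half: lift credentials from an outgoing login POST.
    The hook runs inside the browser, before TLS, so HTTPS does not help here."""
    try:
        body = json.loads(request_body)
    except json.JSONDecodeError:
        return {}
    return {k: body[k] for k in ("username", "password", "otp") if k in body}


def rewrite_statement(response_body: str, mule_account: str = MULE_ACCOUNT) -> str:
    """Rewriting half: remove transfers to the mule from the statement the browser is
    about to render, and add their value back to the displayed balance."""
    stmt = json.loads(response_body)
    hidden = [t for t in stmt["transactions"] if t["to"] == mule_account]
    stmt["transactions"] = [t for t in stmt["transactions"] if t["to"] != mule_account]
    stmt["balance_cents"] -= sum(t["amount_cents"] for t in hidden)  # debits are negative
    return json.dumps(stmt)


def reconcile(bank_record: str, displayed: str) -> dict:
    """Compare the bank's own record (paper statement, phone confirmation) with what
    the online session showed. This is the check that cannot be done from inside the
    compromised browser."""
    real, shown = json.loads(bank_record), json.loads(displayed)
    shown_ids = {t["id"] for t in shown["transactions"]}
    missing = [t["id"] for t in real["transactions"] if t["id"] not in shown_ids]
    return {"missing_transactions": missing,
            "balance_delta_cents": shown["balance_cents"] - real["balance_cents"]}


# Constructed statement as the bank's server would send it (balance after all three).
BANK_STATEMENT = json.dumps({
    "account": "ACCT-DISTRICT-0001",
    "balance_cents": 7_500_000,
    "transactions": [
        {"id": "t1", "to": "PAYROLL-01", "amount_cents": -1_200_000, "memo": "payroll"},
        {"id": "t2", "to": MULE_ACCOUNT, "amount_cents": -4_999_900, "memo": "vendor"},
        {"id": "t3", "to": "ACCT-DISTRICT-0001", "amount_cents": 300_000, "memo": "deposit"},
    ],
})

# Constructed login request as the victim's browser would send it.
LOGIN_POST = json.dumps({"username": "treasurer", "password": "hunter2", "otp": "482913"})


def displayed_view(statement: str = BANK_STATEMENT) -> dict:
    """The statement as the victim's browser shows it after the engine has run."""
    return json.loads(rewrite_statement(statement))


if __name__ == "__main__":
    print("stolen:", sniff_login(LOGIN_POST))
    print("victim sees:", displayed_view())
    print("reconciliation:", reconcile(BANK_STATEMENT, rewrite_statement(BANK_STATEMENT)))
```

Two things follow from the model. First, no check performed by the same browser can catch this, because the engine sits between the network and the page and sees everything the page would see, including any integrity value the bank might send; that is why the Novato discrepancy only surfaced against the paper statement. Second, the token-based login discussed further down this page does not help either: the session was genuine, and the sniffer simply takes the one-time code along with the password.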

Interestingly, this form of new attack has great difficulty penetrating the browser designs like Google Chrome, which uses a sandbox approach; just make sure to avoid third-party OS-based plug-ins! This returns us to Taher’s argument about SSL, and the browser companies' responsibility to create systems that can marry security protocol with usability, with warning systems as to what users are saying "yes" to.

Through this blended attack we can see one of the weak points in our systems, and the pressure to activate products that bypass security in order to give us the freedom to do what we want. The question we have to ask ourselves ultimately is this: Who, exactly, is responsible for our problems in our desire for enhanced speed and ease of use? Is it us as individuals? Or is it the browser and software companies, which provide us with secure gadgets that make our lives easier on a daily basis?

— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com

 

 

Identity Theft

If the Fortune 500 Can't Stop It, How Can We?

 

In the wake of so many high-profile security breaches in recent months, businesses face a critical question: if major organizations with huge network security budgets can't protect themselves, how can we? A look at the cases, though, shows that there are clear lessons to be learned about securing assets – no matter how large the institution.

 

   1. Information is compromised at its most compromising position. Far from being daring raids on a secure vault in broad daylight, recent breaches have one thing in common: they've exploited weaknesses in systems, processes, or technology in order to steal identities.

 

          * The Bank of America and Wachovia scam, in which over 670,000 bank accounts were compromised, exploited weak access controls and employees who were vulnerable to manipulation by social engineering. Exposing a systemic problem, a man posing as a credit agency persuaded not one, but seven, New Jersey bank employees to access customer databases and sell him account information.

 

          * While insiders in the Bank of America scandal violated business processes by selling data, it was ChoicePoint's business processes themselves that represented their most compromising position. Because the company sold data to businesses without thorough audits to verify legitimacy, it was easy for thieves to pose as legitimate businesses and steal the personal records of over 145,000 people.

 

          * When CitiFinancial lost computer tapes containing personal account information of over 3.9 million customers in June, the data was in its most compromising position: in transit (via UPS) from one secure site to another, in an unencrypted state.

 

          * The hack of credit card processor CardSystems Solutions' network resulted in the exposure of over 40 million accounts to fraud and the theft of at least 200,000 more. Where was CSS's biggest weakness? In their processes, and in their network itself. Not only was CSS maintaining records they were supposed to have deleted; they didn't have adequate technical controls in place to prevent their own network from being used to capture and forward the data. Exploiting this weakness, hackers installed rogue applications on the company's internal systems that in turn sent the data offsite.

 

      What can you do about it? Take the perspective of a hacker and follow the path of your data during the course of a business day. Who has access to the information? How do you back it up? Where are the most compromising positions? This must be an iterative process, as you repeat the steps until you have identified your most compromising positions and secured them. Doing so can be expensive, but the cost of being compromised is exponentially higher than the cost of preventing the compromise.

 

   2. Use detective controls to identify breaches early in the process. In most of these cases, breaches were identified only through the evidence of an abnormally high rate of fraudulent transactions. By this point, it's too late for the organization to do anything to protect the information – or to find out where it is, in many cases. Having compromised the system, stolen the data, and erased his tracks, the hacker – and not the business – is now the data owner.

 

      It doesn't have to be that way. Many scams could have been detected by simply monitoring system logs. Employees involved in selling customer data were frequently accessing up to 500 customer accounts each day, well over the average of forty. Network monitoring would have detected the CardSystems Solutions hack as well. An effective intrusion prevention system would have stopped the hack altogether.

 

   3. Take a security-based approach to compliance, not the reverse. Each of these organizations was regulated and compliant to varying degrees. Even CSS, which was found to be out of compliance by Visa & MasterCard in an after-the-fact review, had been judged to meet standards just a year earlier. But compliance measures proved ineffective because regulations address the least amount of security controls an organization needs. Thus, when banks focus solely on making a 1 or a 2 on their regulatory exam, the result is not only a minimum return on their security investment, but inadequate security.
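The log-monitoring control in point 2 (a clerk touching 500 customer accounts a day against an average of about forty) is simple enough to show in full. The script below is an added example, not code from the original piece: it counts distinct accounts each employee views per day and alerts on anyone exceeding both an absolute floor and a multiple of that day's median. The access log is constructed (one day, five employees) and its format is assumed: CSV with timestamp, employee, account_id, action.

```python
"""Detective control for the insider pattern above: a clerk who looks up hundreds of
customer accounts a day against a baseline of about forty.

Added example, not code from the original piece. The access log is constructed
(one day, five employees) and the log format is assumed: CSV with
timestamp, employee, account_id, action.
"""
import csv
import io
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log(seed: int = 1) -> str:
    """Constructed log: four clerks doing roughly forty lookups each, one (e105) doing 500."""
    rng = random.Random(seed)
    profiles = {"e101": 38, "e102": 44, "e103": 40, "e104": 36, "e105": 500}
    day = datetime(2009, 6, 1)
    lines = ["timestamp,employee,account_id,action"]
    for emp, n in profiles.items():
        for acct in rng.sample(range(1, 2_000_000), n):   # distinct accounts per employee
            ts = day + timedelta(seconds=rng.randrange(8 * 3600, 18 * 3600))
            lines.append(f"{ts.isoformat()},{emp},ACCT{acct:07d},VIEW")
    return "\n".join(lines)


def daily_distinct_accounts(log_text: str) -> dict:
    """(employee, day) -> number of distinct accounts that employee touched that day."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        seen[(row["employee"], row["timestamp"][:10])].add(row["account_id"])
    return {key: len(accts) for key, accts in seen.items()}


def flag_outliers(counts: dict, factor: float = 3.0, floor: int = 100) -> list:
    """Alert on anyone exceeding both an absolute floor and `factor` times the day's
    median. The median is used rather than the mean so one insider cannot drag the
    baseline up with their own activity."""
    by_day = defaultdict(dict)
    for (emp, day), n in counts.items():
        by_day[day][emp] = n
    alerts = []
    for day in sorted(by_day):
        baseline = median(by_day[day].values())
        for emp, n in sorted(by_day[day].items()):
            if n > max(floor, factor * baseline):
                alerts.append({"day": day, "employee": emp,
                               "accounts": n, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in flag_outliers(daily_distinct_accounts(build_sample_log())):
        print(alert)
```

Counting distinct accounts rather than raw log lines matters: a clerk who re-opens the same record twenty times is a different case from one who walks through 500 different customers. In production the baseline should come from each employee's own history and from peers in the same role over several weeks, not from a single day's median, and the floor should be tuned per job function so that, for instance, a fraud investigator is not paged every morning.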

Magic tokens


While online financial fraud hasn't rendered passwords useless, they're certainly not strong enough for today's computing environment. The market wants security tokens but analysts paint a grim picture.


People can be surprisingly foolish, especially when it comes to safeguarding their sensitive information online. If you work for Vasco, RSA Security or another multi-factor authentication outfit, that happens to be great news right now because security tokens and two-factor authentication are hot stuff.

Token-based authentication is hardly new. Traditionally, tokens were expensive, niche and considered extremely cool by those working in the information security business.

Back in 1995, displaying a key-chain with an RSA SecurID token attached earned you more status than whipping out a set of Porsche keys.

Alas, the token is no longer a mysterious gadget looking like a prop from a James Bond movie. In just a few years a significant number of people will carry one. While online financial fraud hasn't rendered passwords useless, they're certainly not strong enough for today's computing environment. The market has spoken. The market wants tokens.


The threat

Criminal syndicates have been using Trojan horse malicious software — or malware — to steal the login credentials of ordinary users for years. Phishing scams, which fool internet banking customers into divulging their login details to fake banking websites, have also proven alarmingly effective.

At first glance, two-factor authentication seems to be the silver bullet. Login details are rendered useless to attackers if they don't also have access to the two-factor device, like a token. But a silver bullet they are not. Token-based authentication significantly raises the bar. However, fraudsters have already bypassed the authentication measure — cyber-scammers got around the tokens and defrauded Citibank customers in the United States last year.

They'd successfully staged a man-in-the-middle phishing attack that siphoned funds out of Citibank customers' accounts in real time. In this instance, the tokens were rendered useless.

"The end user's computers were compromised. It doesn't matter what token they use, the two-factor token only proved the user was actually holding the device," Ted Egan, chief executive of TrustDefender says. "What happens is the Trojan sitting on the computer was able to transact in real time while the user put in the details."

Egan's no fan of tokens, though it's hardly surprising — his company makes software designed to prevent man-in-the-middle attacks.

Then there's the elephant in the room — just how many security devices, be they smart cards, tokens or something else — will the average consumer have to carry?

Currently, federated identity solutions, which would allow consumers to use one token to authenticate themselves to many organisations, are not up to it, says Geoff Noble, a banking and finance specialist with RSA Security. They would require cooperation between competing commercial interests and perhaps even the government. "Is bank A going to trust bank B? Is the government going to trust enterprise? It's bigger than bank versus bank, it's government versus private enterprise," he says. "There's no line of least resistance through all of this."

Still, Noble says he doubts ordinary consumers will have to lug around multiple tokens. "The only people I know who have more than one password generating device work for the bank," he says. "I don't know that we're going to see people with many tokens."

RSA sells token-based solutions, but Noble isn't particularly evangelical about the technology's potential as a cure-all. Criminals will adapt to the new devices. "We forecast that universal man-in-the-middle kits will become more prevalent," he says. "The most robust form (of authentication) is getting something out of band." (See sidebar: Popular security measures)


Hey honey, it's me

Two-factor authentication isn't limited to tokens. Last year Australian Health Management (AHM) deployed a voice biometric system in its call centres to authenticate its customers. In all, 8500 of the not-for-profit health fund's 130,000 members are registered with the VeCommerce voiceprint system. AHM's operations manager, Melinda Charlesworth, says the added security is a bonus, though improving the customer experience and shortening call times was the primary objective.

"We started looking at it about 12 months ago. We were looking for a way to simplify the calls we were getting from our members so we could shorten them and improve the customer experience," she says. "When we started looking at how to improve the call experience for members we stumbled across biometrics. We recognised pretty quickly that it was going to solve a number of issues, as well as improving the customer experience."

Once a client is registered, call centre agents no longer have to ask customers for their date of birth, mother's maiden name or any other identifying information. It makes life easier for call centre staff, who no longer waste time authenticating customers who are using the system. They can get straight down to the work that matters.

While AHM's 400,000 calls a year is hardly an earth-shattering figure, the average call-time saving of 40-80 seconds equates to approximately 6500 hours of call time saved. "When they ring us there's an IVR system at the beginning of the call that simply asks them to say their membership number," Charlesworth says. "The system then goes and checks to see if we have a biometric record for them. If we do, it transfers them straight through to an agent (who knows) if they're authenticated."

The system will pay for itself within 12 months.

Some boffins say voice biometrics is unreliable, but Charlesworth insists the system works well. AHM has a call centre operator step through the registration process with users to make sure there's no background noise and the phone line is good. This ensures a high-quality biometric capture.

Protecting health insurance information comes with its own unique challenges, Charlesworth says. AHM's customer data is more likely to be targeted by unhappy ex-wives in Bondi than fraudsters in Tajikistan. "That's where health insurance differs from the bank," Charlesworth says. "The people who are most likely to try to get this sort of sensitive information are the people who know you. It's not the stranger on the street, it's your ex-wife, it's your neighbour, it's your disgruntled brother and they're the people who know the answers to your secret questions."

Charlesworth says AHM sought a legal opinion on whether voice biometrics is strong enough to ensure compliance with privacy and data protection regulations. Apparently, the technology's kosher.


Two-factor differentiation

Both Suncorp-Metway and Commonwealth Bank have rolled out two-factor authentication solutions, though their approaches differ. Both offer tokens, but by default, Commonwealth Bank customers sign up to Netbank SMS. One-time passwords are sent as SMS text messages to the customer's mobile phone every time they want to perform specific actions, like transferring money to a previously unknown third party.

"There are two drivers for us. One is the cost of the fraud. In the last year, over the past couple of years, we've seen fraudulent attacks on our customers rising," says Marcus Judge, Commonwealth's general manager, e-Commerce. "The second thing was not so much about the hard dollars, but one of the important things to our customers, always, is that they're confident about the bank."

Increasing discussion and nervousness among customers around internet banking was eroding confidence in the online service. Something had to be done to make customers feel good about using it again.

While the Commonwealth Bank is using token and SMS-based authentication at this stage, its chief information security officer, Sarv Girn, says that may not always be the case. He'd even consider voice biometrics as the technology improves. "There's still some question marks on how useful it can be and how reliable. But having said that, it's constantly changing," he says. "There's no reason (the bank's) out of band (authentication) channel couldn't be voice."

The split between SMS and token-based authentication is useful on a couple of fronts. Aside from giving customers a choice, the Commonwealth team says there's little point giving a hardware token to someone who'll only use it once a year.

For Queensland-based Suncorp, the decision was a tad tougher. Its own study showed SMS authentication wasn't an option for the group's customers. Suncorp has a large regional customer base so ruled out using SMS. "In terms of SMS, we talked to our customers back when we were looking at our two-factor implementation. At that stage we found the reach of SMS through our customer base and mobile phone usage wasn't at a rate we felt that SMS was viable," says Suncorp's Jamie Glenn, the company's manager of e-commerce.

High-risk customers, who conduct multiple payments to third parties through their bank accounts, were issued with tokens, but any Suncorp customer who wants one can purchase a Suncorp branded token for A$20.


We haven't got it nutted yet

The picture painted by analysts is fairly grim. According to Gartner, "stronger authentication alone is not sufficient: Emerging attacks can succeed no matter how strong user authentication is".

The company's analysts say banks must rely heavily on fraud detection and transaction verification to defend themselves against fraud, not just strong authentication technologies. Is a customer logging in through an IP address registered in Botswana? Best give them a call — if they're down at the shops when they answer, you know something's amiss. Are 20 customers all trying to log in from the one IP and transfer money into a single account? Again, it should give fraud departments cause for concern.
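The two transaction-verification checks sketched in the paragraph above, as an added example that is not code from the article, from Gartner or from any bank it names. The IP-to-country table stands in for a real geolocation database, the thresholds are assumptions, and every customer, address and account number is constructed.

```python
"""Added example: two complementary fraud-detection rules run over
constructed transfer records. The geolocation table, the customers, the
addresses and the accounts are all made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed geolocation table keyed by address prefix (documentation ranges
# only); a real deployment would query a maintained geolocation database.
GEO_BY_PREFIX = {"203.0.113.": "AU", "192.0.2.": "AU", "198.51.100.": "BW"}


def country_for_ip(ip: str) -> str:
    """Look up the country for an address. Unknown prefixes return '??' so
    they surface as a mismatch rather than silently passing."""
    for prefix, country in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "??"


@dataclass(frozen=True)
class Transfer:
    customer: str       # customer id
    home_country: str   # country on file for the customer
    src_ip: str         # address the session logged in from
    dest_account: str   # third-party account receiving the money
    amount: float


# Constructed sample: five ordinary domestic transfers, one login from a
# Botswana address, and six customers who all log in from a single address
# and pay the same third-party account.
SAMPLE_TRANSFERS = [
    Transfer(f"cust-{i:02d}", "AU", f"203.0.113.{i}", f"ACC-{1000 + i}", 120.0 * i)
    for i in range(1, 6)
] + [
    Transfer("cust-07", "AU", "198.51.100.7", "ACC-2200", 800.0),
] + [
    Transfer(f"cust-{i:02d}", "AU", "192.0.2.10", "ACC-9001", 950.0)
    for i in range(10, 16)
]


def geo_mismatches(transfers) -> list:
    """Rule 1: the session's country differs from the customer's home country."""
    return [t for t in transfers if country_for_ip(t.src_ip) != t.home_country]


def shared_ip_funnels(transfers, min_customers: int = 5) -> dict:
    """Rule 2: many distinct customers log in from one address and all pay the
    same destination. Returns {(src_ip, dest_account): [customers]}."""
    groups = defaultdict(set)
    for t in transfers:
        groups[(t.src_ip, t.dest_account)].add(t.customer)
    return {key: sorted(names) for key, names in groups.items()
            if len(names) >= min_customers}


def review_queue(transfers, min_customers: int = 5) -> list:
    """Combine the rules into (reason, customer, detail) items for the fraud
    desk. The action the text suggests for each is a phone call, not a block,
    because a customer really can be logging in from abroad."""
    queue = [("geo-mismatch", t.customer, f"{t.src_ip} -> {country_for_ip(t.src_ip)}")
             for t in geo_mismatches(transfers)]
    for (ip, dest), names in shared_ip_funnels(transfers, min_customers).items():
        queue += [("shared-ip-funnel", name, f"{ip} -> {dest}") for name in names]
    return queue


if __name__ == "__main__":
    for reason, customer, detail in review_queue(SAMPLE_TRANSFERS):
        print(f"{reason:18} {customer:8} {detail}")
```

The two rules catch different things: the six funnelled transfers come from a domestic address and pass the geolocation check entirely, while the Botswana login is a single customer and never reaches the funnel threshold. That is the point Gartner is making about layering controls rather than trusting any one of them, authentication included.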

Still, the analyst firm says password authentication for rudimentary internet banking functions, like checking your balance or moving money between users' own accounts, should be sufficient. "Especially with complementary controls in place, authentication by a simple password alone may still be appropriate for some, less-critical online banking functions," Gartner says.


POPULAR SECURITY MEASURES

TOKENS

Security tokens are small devices that fit on a key ring and display a numerical code on an LCD. The code changes every minute or so, and only the bank and the token holder know what the code is at any given time.

PROS: Cheap, simple.

CONS: Tokens raise the bar significantly, but they're not fraud-proof.


SMS AUTHENTICATION

Users receive one-time passwords via SMS (text) when they wish to perform high-risk actions.

PROS: SMS allows the authenticating party to communicate a message with the password. For example, "To transfer $500 to account number 3432 4343, use one-time password: 76987." Out-of-band authentication means the one-time code is sent to the user via their handset, not the internet.

CONS: SMS is an insecure protocol. Not everyone has a mobile phone.
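An added example, not code from the article or from any token vendor or bank it names, showing why the SMS message above protects a transaction in a way the plain key-ring token code in the TOKENS entry does not, which is the gap the Citibank case in "The threat" illustrates. The token is modelled as an HMAC over a one-minute time counter (the RFC 4226/6238 construction); the article does not say which algorithm real bank tokens use, so that is an assumption. The transaction-bound code is a constructed illustration of the sidebar's "To transfer $500 to account number 3432 4343" message; the secret and the clock are made up.

```python
"""Added example: a plain time-based token code versus a one-time code bound
to the transaction details the customer is asked to confirm. The token
algorithm (TOTP-style HMAC) is an assumption; secret and clock are constructed."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed-not-a-real-token-seed"
STEP = 60  # the sidebar: "the code changes every minute or so"


def _truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation from RFC 4226: take 31 bits at an offset given by
    the last nibble of the MAC, then keep the low `digits` decimal digits."""
    off = mac[-1] & 0x0F
    n = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
         | mac[off + 2] << 8 | mac[off + 3])
    return f"{n % 10 ** digits:0{digits}d}"


def token_code(secret: bytes, now: float) -> str:
    """What the key-ring fob displays: HMAC over the current time step only."""
    counter = struct.pack(">Q", int(now) // STEP)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def transaction_code(secret: bytes, now: float, dest_account: str, amount_cents: int) -> str:
    """What the bank puts in the SMS: HMAC over the time step *and* the
    destination and amount the customer is asked to confirm."""
    payload = struct.pack(">Q", int(now) // STEP) + f"{dest_account}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, payload, hashlib.sha256).digest())


def sms_text(dest_account: str, amount_cents: int, code: str) -> str:
    """The sidebar's message format, so the customer sees what the code authorises."""
    return (f"To transfer ${amount_cents // 100}.{amount_cents % 100:02d} to account "
            f"number {dest_account}, use one-time password: {code}")


def _matches(expected_for_step, code: str, now: float, window: int) -> bool:
    # Accept neighbouring steps so clock drift does not lock out the customer;
    # compare_digest keeps the comparison constant-time.
    return any(hmac.compare_digest(code, expected_for_step(now + k * STEP))
               for k in range(-window, window + 1))


def verify_token_code(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Plain token check: proves the device was present, says nothing about
    which transaction the customer meant to approve."""
    return _matches(lambda t: token_code(secret, t), code, now, window)


def verify_transaction_code(secret: bytes, code: str, now: float,
                            dest_account: str, amount_cents: int, window: int = 1) -> bool:
    """Bound check: the code only verifies for the destination and amount the
    customer saw in the SMS. A session that submits the same code with a
    different destination or amount is rejected."""
    return _matches(lambda t: transaction_code(secret, t, dest_account, amount_cents),
                    code, now, window)
```

The contrast is the whole argument of this section. A plain token code proves, as Egan puts it, only that the user was holding the device; the bank cannot tell from the code which transfer the customer intended, so a code captured from a live session is good for any transaction in the same minute. Once the code is computed over the destination and amount, and those details are shown to the customer over a channel the browser does not control, a submission with different details fails verification, which is the out-of-band property Noble and Gartner are pointing at.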


SMART CARD

Smart cards are a chip embedded in a credit-card-sized piece of plastic. They contain a cryptographic processor and an embedded cryptographic key that cannot (in theory) be extracted from the card.

PROS: Strong form of two-factor authentication. Ties in with established PKI technology.

CONS: Requires too much infrastructure on the client side. (Smart card reader.)


VOICE

Voice biometrics allow for fairly confident verification of a user through a voiceprint over the phone.

PROS: Cheap, saves a bunch of money in call centres. Out-of-band authentication, i.e. auto-dialler can ring an internet banking customer to get voiceprint.

CONS: Questions around reliability.