PART III

MATERIALS & METHODS

Common Hacking Techniques

51

3. MATERIALS & METHODS

3.1 COMMON HACKING TECHNIQUES

3.1.1 Preface

3.1.2 Classic Attacks

3.1.2.1 Password Guessing

3.1.2.2 Brute-Force Attack

3.1.2.3 Eavesdropping

3.1.2.4 Shoulder Surfing

3.1.3 New Attacks

3.1.3.1 Off-Line Credential-Stealing Attack

3.1.3.1.1 Phishing Or Carding Or Brand Spoofing

3.1.3.1.2 Spear Phishing

3.1.3.1.3 Vishing

3.1.3.1.4 Malware

3.1.3.1.5 Pharming

3.1.3.1.6 Skimming

3.1.3.1.7 Spoofing

3.1.3.1.8 Credit Card Frauds


3.1.3.2 On-Line Credential-Stealing Attack

3.1.3.2.1 Spyware / Key Loggers / Keystroke Logging Worms

3.1.3.2.2 Trojans / Back-Door Trojans

3.1.3.2.3 In-Session Phishing Attacks

3.1.3.2.4 Hacking Tricks Toward Security On Network Environments Through Instant Messaging

3.1.3.2.5 Distributed Denial Of Service Attack Of Botnet

3.1.3.2.6 Payment Recipient Scams

3.1.1 PREFACE

The role of banking is being redefined, and customers are becoming more discerning and demanding. To meet customer expectations, banks have to move from being mere financial intermediaries to providers of a broad range of deposit, investment and credit services under one roof, acting like a financial supermarket with maximum security. Customer demand for internet banking therefore keeps increasing, because e-banking offers its users transactional facilities 24X7; at the same time, both banks and customers are expected to be aware of the various types of hacking techniques. E-banking also brings new possibilities for thieves, mainly because the growing problem of computer viruses and Trojans that act on our computers against our will has not been completely solved. In this chapter we discuss common hacking techniques, classifying them into two categories, classic attacks and new attacks. Examples of classic attacks are password guessing, brute-force attacks, eavesdropping and shoulder surfing.


New attacks we have further categorized into off-line credential-stealing attacks and on-line credential-stealing attacks. Examples of off-line credential-stealing attacks are phishing or brand spoofing, spear phishing, vishing, malware, pharming, skimming and credit card frauds; examples of on-line attacks are spyware or key loggers or keystroke logging worms, Trojans or back-door Trojans, in-session phishing attacks, hacking tricks toward security on network environments through instant messaging, distributed denial-of-service attacks by botnets and payment recipient scams. All the banks which have implemented core banking systems offer e-banking and mobile banking facilities, but with these facilities there is always the question of security, i.e. protection of personal information from thieves. Computer damages have been classified as [13]:

1. Computer Frauds; and

2. Computer Crimes

COMPUTER FRAUDS

Computer fraud in banks is the latest form of fraud and is considered the safest method of crime, as it causes no physical injury. Computer frauds are those that involve misuse or defalcation achieved by corrupting computer data, records or programs.

COMPUTER CRIMES

Computer crimes are those committed with a computer, that is, where a computer acts as the medium. The difference is, however, only academic. A few of the methods adopted by fraudsters are phishing, skimming, spoofing, credit card frauds etc.


Fig 3.1.1: Computer Crimes (Source-www.antifishing.org)

The prevalence of e-commerce in today's digital world opens the door to various cyber crimes that we have never seen before. Viruses can be written for, and spread on, virtually any computer platform.

VIRUS ATTACK

Attacks against computers and servers all around the net are getting more and more aggressive. Computer viruses are nothing more than computer programs and can therefore do virtually anything the programmer wants on the computers they infect. During the last decades we have witnessed an exponential growth in the number of computer viruses. The real danger is not that a virus can make thousands of copies of itself on our computer, but the wide range of things it can do with the data stored or processed on it. One field in which this should be considered with special care is e-banking, since these online services are normally accessed from personal computers with low protection.


The operating systems used on these computers tend to sacrifice security for the convenience of the user. Under such circumstances it is very easy for an attacker to implement a man-in-the-middle attack, and this way an attacker could end up controlling the money in our bank accounts [47]. A virus can also be used to automate tasks on the computer, delete all the data on the hard disk, encrypt it so that the owner has to pay to get the data restored to its original form, and even steal private data such as documents, system passwords and cryptographic keys [31].

ATTACK TO THE PC BANK SYSTEMS

Current PC banking systems rely mostly on password authentication, combined with strong cryptographic communication systems. The problem is that these methods are not always robust enough for internet banking applications. Entering a login and a password on a secure web page for authentication is equivalent to keeping the door key under the doormat, since any program executing on our computer, such as a virus, Trojan or other malware, can gain access to them.

We could think that a system such as UNIX, where only the operating system can access all the memory and each program is limited to its own memory space, is immune to such an attack. This is definitely wrong. A virus could infect the browser program, inserting code into it that steals the information from memory. The operating system cannot distinguish good code from malicious code, so it will never notice. Moreover, sometimes it is enough to steal the file where the critical information is stored together with the password(s) used to secure it. All that is needed is a virus that waits until the user enters the password to access the critical information and then sends it over the network along with the file where the secret keys are stored.


Moreover, sometimes the access password is so simple that it can be broken using a dictionary attack. The following figure shows a password-snatching attack on a generic internet banking application [31]:

Fig 3.1.2: Password Snatching Attack


VIRUSES AND ANTIVIRAL TECHNIQUES

Viruses can be written to work under any known operating system, and there are also viruses written in macro languages such as MS Word macros and in JavaScript (a web-based language which allows code to be embedded in web pages). A virus can normally only be executed on the operating system for which it was created. Even though some operating systems, such as UNIX, are more difficult to attack, not even these systems are completely safe: it is true that there are fewer viruses for them, but they do exist, and with them the possibility that critical information is leaked without our permission [31].

3.1.2 CLASSIC ATTACKS

Here we describe common, well-known attacks that have been widely used in the past and are still in use.

3.1.2.1 Password Guessing

Password guessing is usually a dictionary-based attack in which the attacker tries to guess our password. Usually a dictionary of many common passwords is used. When the attack remains unsuccessful after the predefined set of passwords has been tried, the attacker moves on to another user.

3.1.2.2 Brute-Force Attacks

An exhaustive search, known as a brute-force attack, is based on trying a large number (or all) of the possible passwords or secret keys. The following figure shows a model of a simple brute-force attack on a Norwegian internet bank.


As the figure makes clear, a hacker selects any Social Security Number (SSN) from a list of customers' SSNs and then attempts to log in using randomly chosen Personal Identification Numbers until the correct PIN is found or the attack is detected [33]:

Fig 3.1.3: Brute-Force Attack Model
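As an added illustration (not part of the thesis), the following Python script shows how a bank's login logs can be screened for both attack patterns described in 3.1.2.1 and 3.1.2.2: one source hammering a single SSN with many PINs, and one source trying a short list and then moving on to the next user, together with the account-lockout rule that turns "the correct PIN is found" into "the attack is detected". The log lines, their field layout and the thresholds are constructed.

```python
"""Screen login logs for PIN brute-forcing and horizontal password guessing.

Added example, not from the thesis. Log format (constructed):
    <timestamp> <source-ip> <customer-ssn> <OK|FAIL>
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 brute-forces one SSN and hits the right PIN on
# attempt 6; 10.0.0.9 tries two PINs each against three different customers and
# moves on (classic guessing); 10.0.0.20 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
2024-01-15T09:00:01 10.0.0.5  111-11-1111 FAIL
2024-01-15T09:00:02 10.0.0.5  111-11-1111 FAIL
2024-01-15T09:00:03 10.0.0.5  111-11-1111 FAIL
2024-01-15T09:00:04 10.0.0.5  111-11-1111 FAIL
2024-01-15T09:00:05 10.0.0.5  111-11-1111 FAIL
2024-01-15T09:00:06 10.0.0.5  111-11-1111 OK
2024-01-15T09:01:00 10.0.0.9  222-22-2222 FAIL
2024-01-15T09:01:01 10.0.0.9  222-22-2222 FAIL
2024-01-15T09:01:02 10.0.0.9  444-44-4444 FAIL
2024-01-15T09:01:03 10.0.0.9  444-44-4444 FAIL
2024-01-15T09:01:04 10.0.0.9  555-55-5555 FAIL
2024-01-15T09:01:05 10.0.0.9  555-55-5555 FAIL
2024-01-15T09:02:00 10.0.0.20 333-33-3333 FAIL
2024-01-15T09:02:30 10.0.0.20 333-33-3333 OK
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, account, result = line.split()
        events.append({"ts": ts, "src": src, "account": account,
                       "ok": result == "OK"})
    return events


def detect_vertical(events, max_failures=5):
    """Brute force (Fig 3.1.3): many failed PINs against the same SSN.

    Returns {account: failure_count} for accounts at or over the threshold.
    """
    failures = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            failures[ev["account"]] += 1
    return {acct: n for acct, n in failures.items() if n >= max_failures}


def detect_horizontal(events, max_accounts=3):
    """Password guessing that moves from user to user (3.1.2.1): one source
    fails against many distinct accounts. Returns {source: [accounts]}.
    """
    touched = defaultdict(set)
    for ev in events:
        if not ev["ok"]:
            touched[ev["src"]].add(ev["account"])
    return {src: sorted(accts) for src, accts in touched.items()
            if len(accts) >= max_accounts}


def simulate_lockout(events, max_failures=5):
    """Mitigation: lock an account after max_failures consecutive failures.

    A correct PIN arriving after the lock is refused, so the brute force ends
    with 'the attack is detected' instead of 'the PIN is acquired'.
    Returns the locked accounts and the successful logins that were refused.
    """
    consecutive = defaultdict(int)
    locked = set()
    refused = []
    for ev in events:
        acct = ev["account"]
        if acct in locked:
            if ev["ok"]:
                refused.append((ev["ts"], ev["src"], acct))
            continue
        if ev["ok"]:
            consecutive[acct] = 0          # a genuine success resets the counter
        else:
            consecutive[acct] += 1
            if consecutive[acct] >= max_failures:
                locked.add(acct)
    return {"locked": sorted(locked), "refused_logins": refused}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("vertical  :", detect_vertical(evs))
    print("horizontal:", detect_horizontal(evs))
    print("lockout   :", simulate_lockout(evs))
```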

3.1.2.3 Eavesdropping

Eavesdropping is listening in without the speaker's knowledge. It is usually used for man-in-the-middle (MITM) attacks.


3.1.2.4 Shoulder Surfing

One of the oldest and most common threats to online banking security is "shoulder surfing". This is as simple as an unauthorized person watching over the account holder's shoulder while the user conducts an online banking session. If this person can view the user's keyboard, they will be able to see the IDs and passwords used to access the system [16]. In this method the unauthorized person keeps an eye on a user who is busy performing account operations and tries to see the IDs and passwords.

3.1.3 NEW ATTACKS

On the basis of their resistance to attack, all internet banking authentication methods can be classified according to two common attacks:

1) Off-Line Credential-Stealing Attack; and

2) On-Line Credential-Stealing Attack

3.1.3.1 Off-Line Credential-Stealing Attack

In this type of attack hackers try to steal users' private information from client PCs that have insufficient protection [36]. As the following figure shows, hackers use malicious software such as Trojan horses, or tactfully obtain users' identification through phishing and pharming, or combine phishing with pharming [35]:


Fig 3.1.4: Offline Credential Stealing Attack Scenario

3.1.3.1.1 Phishing / Carding / Brand Spoofing

The word "phishing" first appeared in 1996. It is a variant of "fishing", formed by replacing the f in fishing with the ph from phone, and means tricking users out of their money through e-mails [46]. It is a form of online identity theft that aims to steal sensitive information such as online banking passwords and credit card information from users. The last years have brought a dramatic increase in the number and sophistication of such attacks. Attackers employ a large number of technical spoofing tricks, such as URL obfuscation and hidden elements, to make a phishing web site look authentic to the victims.


Phishing attacks use a combination of social engineering and technical spoofing techniques to convince users to give away sensitive information (e.g., through a web form on a spoofed web page) that the attacker can then use to make a financial profit [42]. It is a method in which hackers appropriate the trusted brands of well-known financial institutions and tactfully ask for users' personal identification through false or fake website forms.

These kinds of attacks are harmless so long as the user ignores and deletes the e-mail. But if the user responds, the attackers will try their best to get the user's account information. So we can define phishing as "the act of convincing users to provide personal identification information, such as social security numbers or bank information, for explicit illegal use" [37].

Among all the cyber crimes targeting e-banking systems, the phishing attack has become one of the most serious threats. In the main form of phishing attack, the criminals (called phishers) set up fake e-banking/e-payment web sites and then send phishing e-mails to potential victims, who may be lured into accessing the phishing sites and exposing their sensitive credentials to the phishers. The credentials harvested by the phishers normally include bank account numbers, passwords or PINs, e-banking TANs, credit card numbers and security codes, social security numbers, and so forth. With the collected credentials, the phishers can log in to the genuine e-banking/e-payment system and steal the victims' money.


There are also many other more advanced forms of phishing attack, such as the following [44]:

Phishers get phishing sites indexed by some search engines (via search engine optimization tricks) and then wait for victims to visit them;

Phishers use cross-site scripting (XSS) to inject links to phishing sites into legitimate sites;

Spy-phishing (or malware-based phishing): phishers depend on spyware or malware, such as Trojan horses and keyloggers, to collect sensitive credentials;

Pharming: phishers misdirect potential victims to phishing sites through DNS poisoning.

Phishers can also tailor the contents of the phishing mails, and even those of the phishing sites, to targeted victims; this is called spear phishing or context-aware phishing. This kind of phishing attack has become much easier nowadays, because more and more personal information is publicly available on online social networks. The following diagram shows the information flow of a typical phishing attack [44]:


Fig 3.1.5: Information flow of a typical phishing attack

In the above figure we can see seven different steps at which the chain can be cut to stop a phishing attack [44].


TYPES OF PHISHING ATTACKS:

i) Spoofing E-Mails and Web Sites

Phishing attacks fall into several categories, such as the following [42]:

a) By Spoofing Emails

Phishing can be defined as a method that exploits people's sympathy in the form of aid-seeking e-mails; the e-mail acts as the bait. These e-mails usually ask their readers to visit a link that seemingly leads to a charitable organization's website, but in truth leads to a website that will install a Trojan program on the reader's computer. Therefore, users should not forward unauthenticated charity mails or click on unfamiliar links in an e-mail. Sometimes the link could be a very familiar one, or an often-visited website, but it is still safer to type in the address yourself so as to avoid being taken to a fraudulent website. Phishers cheat people by using e-mails that resemble those sent by well-known enterprises or banks; these e-mails often ask users to provide personal information, or threaten the loss of their personal rights, and they usually contain a counterfeit URL which links to a website where the users can fill in the required information. One must also be careful when using a search engine to search for donations and charitable organizations [46]. Perhaps the most common and nasty phishing attack was the Nigerian General's widow e-mail, asking for your cooperation to transfer a huge sum into your account. Today the attack has been modified: the user receives an e-mail from some bank asking customers to update their account information. A user who had an account with that bank could easily be fooled by it and would click on the bank's URL.


Unfortunately this takes the user to a phony website created by the sender of the e-mail, and after the user enters bank account details such as username and password and is left thinking that he may have entered the details incorrectly, the fake site has already gathered his username and password.

These kinds of attacks are harmless as long as the user ignores and deletes the e-mail, but if the user responds, his account information could be stolen [16]. The earliest phishing attacks were e-mail based and date back to the mid 90s. These attacks involved spoofed e-mails sent to users in which attackers tried to persuade the victims to send back their passwords and account information. Although such attacks may still succeed today, the success rate from the attackers' point of view is lower because many users have learned not to send sensitive information via e-mail. A possible reason is that many security-sensitive organizations such as banks do not provide interactive services based on e-mail in which the user has to provide a password. Most organizations, obviously, use their web sites for interactive services because they can rely on encryption technologies such as SSL. Hence many phishing attacks now rely on a more sophisticated combination of spoofed e-mails and web sites to steal information from victims, and such attacks are the most common form of phishing today.

b) By Websites

Phishers can write a web browser script that opens a new browser window with no address bar at all. Phishers then use simple HTML form elements, style sheets and JavaScript to create very realistic, functional imitations of the browser's address bar. In an even less complicated scheme than a spoofed address bar, phishers register a cousin domain name for a fraudulent web site. A cousin domain name looks almost exactly like the domain name of a legitimate institution but with a slight modification. For example, a phisher could register www.eastern-bank.com to impersonate www.easternbank.com.


Malware attacks cover the installation and execution of malicious software on a victim's personal computer [41]. In a typical attack, the attackers send a large number of spoofed e-mails that appear to come from a genuine organization such as a bank to random users and urge them to update their personal information. The victims are then directed to a web site that is under the control of the attacker. This site looks and feels like the familiar online banking web site, and users are asked to enter their personal information. Because the victims are directly interacting with a web site that they believe they know, the success rates of such attacks are much higher than for e-mail-only phishing attempts.

c) By Instant Messaging Systems

Attackers have also started to use instant messaging systems such as ICQ, or infrastructures such as Internet Relay Chat (IRC), to try to convince users to visit spoofed web sites. Once the victim follows a spoofed link, attackers employ various techniques in order not to raise suspicion and to present the phishing web site as authentically as possible. For example:

i) Use of URLs and host names that are obfuscated and modeled so that they look valid to inexperienced users.

ii) Use of real logos and corporate identity elements from the valid web site. Some attacks also make use of hidden frames and images, as well as JavaScript code, to control the way the page is rendered by the victim's browser.


ii) Exploit-Based Phishing Attacks

Some phishing attacks are technically more sophisticated and make use of well-known vulnerabilities in popular web browsers such as Internet Explorer to install malicious software, i.e., malware that collects sensitive information about the victim. For example, a key logger might be installed that logs all pressed keys whenever the user visits a certain online banking web site. Another possibility for the attacker is to change the proxy settings of the user's browser so that all web traffic the user initiates passes through the attacker's server, a typical man-in-the-middle attack. Against exploit-based phishing attacks, as well as other security threats directly related to browser security such as worms, Trojans and spyware, browser manufacturers need to make sure that their software is bug-free and that users are up to date with the latest security fixes.

A real-world example of a spoofed-web-site phishing attack: on February 18th 2005, a mass e-mail was sent to thousands of internet users asking them to verify their Huntington online banking account details. The e-mail claimed that the bank had a new security system and that account verification was necessary. The attackers had apparently inserted a legitimate-looking URL, https://onlinebanking.huntington.com/login.asp, pointing to the bank's online banking web site. However, the link actually pointed to a spoofed page on a server with the IP address 210.95.56.101. The aim of the attack was to steal the victim's account credentials, credit card information, and personal information such as the social security number. Once the victim entered the requested information, the phishing site redirected to the legitimate bank's web site [42].
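The two deceptions described above, a visible URL that does not match the link target (the Huntington e-mail) and a cousin domain (www.eastern-bank.com for www.easternbank.com), can be screened for mechanically at the mail gateway. The Python below is an added example, not from the thesis; the e-mail body, the legitimate-domain list and the path on the spoofed server are constructed, while the IP address and displayed URL are the ones quoted in the text.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not from the thesis).

Per <a> element: (1) href host is a bare IP; (2) the visible text is a URL whose
host differs from the href host; (3) the href host is a 'cousin' of a legitimate
domain (equal once hyphens are removed, or containing it as a non-suffix substring).
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allow-list of the brands we protect.
LEGITIMATE_DOMAINS = {"easternbank.com", "huntington.com"}

# Constructed e-mail modelled on the attack in the text: IP address and displayed
# URL are those quoted there, the path on the spoofed server is made up.
SAMPLE_EMAIL = """\
<html><body>
<p>Dear customer, our new security system requires account verification.</p>
<p>Please log in at
<a href="http://210.95.56.101/login">https://onlinebanking.huntington.com/login.asp</a></p>
<p>Or visit <a href="http://www.eastern-bank.com/">www.easternbank.com</a>.</p>
<p>Questions? See our <a href="https://www.huntington.com/help">help pages</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Lower-cased host of a URL; scheme-less text is treated as https://text."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_cousin(host, legitimate=LEGITIMATE_DOMAINS):
    """Return the legitimate domain that `host` imitates, or None."""
    domain = ".".join(host.split(".")[-2:])   # crude eTLD+1, fine for .com names
    if domain in legitimate:
        return None                           # the real site, not a cousin
    for legit in legitimate:
        if domain.replace("-", "") == legit.replace("-", ""):
            return legit                      # eastern-bank.com vs easternbank.com
        if legit in host and not host.endswith("." + legit):
            return legit                      # easternbank.com.evil.example
    return None


def analyse_links(html, legitimate=LEGITIMATE_DOMAINS):
    """Return one finding dict per suspicious link."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        if not href_host:
            continue
        reasons = []
        if is_ip_literal(href_host):
            reasons.append("href host is an IP literal")
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            reasons.append(f"visible text names {text_host} but link goes to {href_host}")
        cousin = looks_like_cousin(href_host, legitimate)
        if cousin:
            reasons.append(f"host {href_host} imitates {cousin}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```

Running `analyse_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine help link alone.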

3.1.3.1.2 Spear Phishing

Spear phishing attacks are focused on a selected organization. The goal can be financial gain, compromise of confidential information or loss of confidence.


The substantial difference from ordinary phishing is the source of the fake message. In spear phishing the sender appears authentic, and victims usually have confidence in him or her. The fraudster collects information on the victim from social networking websites and other resources and uses it to generate a highly credible e-mail [45]. The attacker takes advantage of publicly available data, which is subsequently misused during the socio-technical attack. The structure of these attacks is as follows:

The attacker chooses an organization that holds valuable information. He gains information about the personnel structure, employees and procedures in the organization by analysing its web pages. Personal pages or discussion forums can be used to acquire detailed information about employees.

In the next step a fake message is created whose form, content and appearance imitate real internal communication in the organization. In the fake message employees are asked to enter sensitive information usable for access to the internal computer network. The pretext might be, for example, testing of a new information system, and of course there is a URL leading to this new system for the user's convenience. Information about the personnel structure is used to increase credibility; usually a member of the IT department figures as the sender. Trusting employees enter their information into the fake web page created by the attacker and so enable him to access the real system. Detection of a targeted attack is problematic particularly because of the existing relationship between the sender of the fake message and its receiver: attackers exploit the authority of the sender's position together with the apparent legitimacy and competence of the requests. Well-organized terrorist organizations have usually been behind spear phishing attacks, which are part of espionage against industry, military and governmental organizations. Individual hackers are usually not engaged in this kind of attack.


3.1.3.1.3 Vishing

Vishing (voice phishing) is a new kind of attack similar to phishing in the way it tricks the victim into giving away sensitive information. Vishing is a social engineering attack on bank services carried out through the telephone system. Vishers use a war dialer configured to dial all numbers in a given area. The person answering is informed that his/her credit card is being used fraudulently and is encouraged to dial a given number. If the victim dials the number, they are instructed to enter their credit card number, the three-digit CVV security code and other identification credentials. After a complete call the visher has all the information needed to use the victim's credit card [29]. Vishing sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization [39].

3.1.3.1.4 Malicious Code / Malware

A malware attack is more harmful than other forms of information security (IS) vulnerability in that its impact is generally not limited to one or a few entities; rather, it is normal for a large number of organizations to be affected at once, to a substantial degree. As we have mentioned, malware is short for malicious software and is typically used as a catch-all term for the class of software designed to cause damage to any device, be it an end-user computer, a server or a computer network. The term malware is a compound of the words malicious and software, and is generally used by computer professionals to describe a variety of hostile, intrusive or annoying software. Software is considered malware based on the perceived intent of the creator rather than on any particular features. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious and unwanted software. Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs [37].


Malware is software that fulfills the harmful intent of an attacker. Current systems to detect malicious code (most prominently, virus scanners) are largely based on syntactic signatures: a program is declared malware when one of the signatures is identified in the program's code. Recent work has demonstrated that techniques such as polymorphism and metamorphism are successful in evading commercial virus scanners, because syntactic signatures are ignorant of the semantics of instructions [39]. The amount of malware has increased since its breakthrough in 1986 due to new technologies, especially the internet. The time taken by viruses to become prevalent over the years is shown in the following table [43]:

Table 3.1.1: Time taken by Virus to become prevalent over years (Source: Orshesky, 2002)


Malware And Phishing

This is a combination of malware and phishing. In this attack, information gained by malware can be used to increase the credibility of phishing pages, while the malware can also affect the targeted computer itself.

3.1.3.1.5 Pharming

Pharming can be defined as a method in which weaknesses in DNS server software are misused to redirect a web site's traffic to a fake site. This form of attack gives the user no prior warning: the user simply enters the URL of his bank's website, but instead of being taken to the bank's website he is automatically redirected to the fake site. Thus in pharming scammers never have to access the users' machines in any way [16]. Users can protect their information and transactional activities by regular installation of antivirus and anti-hacking software.

Difference between Phishing and Pharming

Phishing involves attracting the target to a particular website through an e-mail, while pharming is even more dangerous as it doesn't even let the target know that an attack is in progress [16].

Process of redirecting somebody automatically to another site through DNS poisoning

If the hacker can gain access to a user's DNS server and exchange the IP address of the bank's website for the IP address of his own web site, then the user will automatically be redirected to the fake website instead of the original one. So the humble DNS server, which nobody suspects of doing anything, has actually become the target of attack in pharming. The technique is called DNS poisoning.


Many broadband service providers use simple Ethernet cables, hubs and switches to extend internet access to their subscribers. In such a setup it is very easy for one subscriber to see the others' traffic. Someone with malicious intent can use DNS spoofing software to redirect requests for specific websites somewhere else. This can even happen on corporate networks [16].

Process of redirecting somebody automatically to another site through hosts

There is another, easier way of taking the user automatically to a fake bank website. It is done by modifying a tiny file that sits on most desktop machines, known as hosts. It is nothing but a file that maps the host names in URLs to IP addresses. Whenever we try to access a website, the machine first checks the hosts file to see if it can find the IP address for the URL there, so if someone maps a fake IP address to a bank's website in the hosts file, the user will be redirected to a fake website. For example, a Trojan that maps the URLs of all the anti-virus software sites to 127.0.0.1, which is our own local machine, doesn't let us update our anti-virus software. This kind of Trojan can come as an attachment in a nicely written e-mail [16].

Fake Bank Sites Are Easy To Create

After redirecting users to another IP address, the scamsters just have to ensure that they have a website that looks and functions exactly like the original bank's website. All websites are created using Web technologies like HTML, ASP, JSP, XML, etc. Another factor that helps scamsters in creating the fake site is that they can view the source code of all the bank's web pages. For example, in Internet Explorer the source code can be seen by clicking on the View menu and choosing Source. This shows the source code of the entire Web page, irrespective of whether it is served over plain old HTTP or over HTTPS (where the S stands for secure); even then the source code of the web site can be seen.
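As an added example (not from the thesis), the Python below audits a hosts file for the two pharming tricks just described: a bank's host name overridden with an attacker's address, and anti-virus update sites sinkholed to 127.0.0.1. The hosts content, the watched names and the addresses are constructed.

```python
"""Audit a hosts file for pharming entries (added example, not from the thesis).

Two rules, matching the text: a watched bank domain must never be overridden
locally at all, and an anti-virus update host mapped to a loopback address is
the update-blocking trick described above.
"""
from ipaddress import ip_address

# Constructed sample; the first two entries are the normal defaults, the rest
# are the kind of lines a pharming Trojan would append.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
# attacker-added lines below
198.51.100.23   www.easternbank.com easternbank.com
127.0.0.1       update.example-antivirus.test
10.0.0.7        intranet.corp.test
"""

# Constructed watch lists: bank domains (any subdomain counts) and AV update hosts.
WATCHED_BANK_DOMAINS = {"easternbank.com"}
WATCHED_AV_HOSTS = {"update.example-antivirus.test"}


def parse_hosts(text):
    """Return (line_no, address, name) for every name on every valid hosts line.

    Comments (#) and blank lines are skipped; a hosts line is '<addr> <name>...'.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignore it
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower()))
    return entries


def in_domain(name, domain):
    """True if name is domain itself or any subdomain of it."""
    return name == domain or name.endswith("." + domain)


def audit_hosts(text, banks=WATCHED_BANK_DOMAINS, av_hosts=WATCHED_AV_HOSTS):
    """Return a finding dict for every hosts entry that matches a pharming rule."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if any(in_domain(name, d) for d in banks):
            reason = "bank host name overridden locally (pharming)"
        elif name in av_hosts and addr.is_loopback:
            reason = "anti-virus update host sinkholed to loopback"
        else:
            continue
        findings.append({"line": line_no, "name": name, "addr": str(addr),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['addr']}: {f['reason']}")
```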


Web pages can also easily be saved and hosted on another web server using a simple tool such as FrontPage or even Notepad. In a few minutes, all the scamster has to do is ensure that the script for the login button extracts the username and password and sends them to another destination. Thus the entire process of redirecting a request for a URL to another location is not difficult, and the saddest part is that it can all be done using freely available tools [16].

3.1.3.1.6 Skimming

A skimmer is a card swipe device that reads the information on a consumer's ATM card. The PIN is captured through a small camera mounted on the ATM. Scammers insert the skimmer onto an ATM, ready to swipe information from unsuspecting customers. Fraudsters make imitation ATM cards using skimmers: they take a blank card and encode onto it all the information read from an ATM card when it was swiped [13].

3.1.3.1.7 Spoofing

The attacker creates a false context to trick users into making an inappropriate security-relevant decision. For example, false ATM machines have been set up. Once the attackers have the PIN, they have enough information to steal from the account [13].

3.1.3.1.8 Credit Card Frauds

Credit card fraud is widespread as a means of stealing from banks, merchants and clients. A credit card is made of three plastic sheets of polyvinyl chloride. The central sheet of the card is known as the core stock. These cards are of a particular size and much data is embossed on them. Credit card fraud manifests itself in a number of ways, as discussed below [13]:


Genuine cards are manipulated.

Genuine cards are altered.

Counterfeit cards are created.

Fraudulent telemarketing is done with credit cards.

Genuine cards are obtained on fraudulent applications in the names / addresses of other persons and used.

3.1.3.2 On-Line Credential-Stealing Attack

In this type of attack hackers attack the in-session credentials by intercepting them as they move between the client personal computer and the banking server. The online channel-breaking attack scenario is shown in the following figure [36]:


Fig 3.1.6: Online Channel-Breaking Attack Scenario

3.1.3.2.1 Spyware / Key loggers / Keystroke Logging Worms

This is the best-known kind of attack. In this method hackers attempt to place an unauthorized program on the user's computer that records all the user's keyboard strokes as the user types. The captured information is then sent to an unauthorized person, who scans it for the user's online banking details [16].


Thus key loggers are malicious software designed to record user input events and activities. Executing as a device driver, a key logger monitors keyboard and mouse input [41].

3.1.3.2.2 Trojans / Back-Door Trojans

This is another kind of attack; the purpose of these threats is to place an unauthorized program on the user's computer that enables a remote hacker to gain unauthorized access to the user's computer. The unauthorized scammer then has the ability to monitor everything the user does via the computer whilst it remains infected [16].

3.1.3.2.3 In Session Phishing Attacks

This technique is a sophisticated and highly effective next-generation phishing technique that is carried out while a user is in an active session with a secure banking, brokerage, or other sensitive web application. Various utilities allow fraudsters to copy the login page of any bank and set up a fraudulent website within minutes. Once the website is up and running, the criminals can start inviting people to log in, usually using emails pretending to be sent by the targeted bank. The biggest challenge phishers now face is convincing users to open these malicious email messages and click on the links that lead to the fraudulent websites: users are growing more sensitive to security threats and are more suspicious of emails from their bank. An in-session phishing attack occurs while the victim is logged onto an online banking application, and is therefore much more likely to succeed. A typical attack scenario runs as follows. A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites.

A short time later a popup appears, allegedly from the banking website, asking the user to retype their username and password because the session has expired, or to complete a customer satisfaction survey, or to participate in a promotion, etc. Since the user recently logged onto the banking website, he or she will probably not suspect that this popup is fraudulent, and will provide the requested details. For an in-session phishing attack to succeed, the following conditions are required [45]:

1. A base website must be compromised from which the attack can be launched.

2. The malware injected on the compromised website must be able to identify which website the victim user is currently logged on to.

The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. Each one of them can be used as a base for this attack. Once the website is compromised, the attacker injects code into it. This code does not change the appearance of the website and does not download malware to the user's PC, and is therefore very hard to detect. It is designed to search for online banking websites that visitors are currently logged onto, and to present them with a popup that claims to be from that banking website. These popups ask for login and personal information.

Identifying which websites the user is currently logged onto is harder to achieve, but not impossible. For example, in 2006 the blog post http://ha.ckers.org/blog/20061108/detecting-states-of-authentication-with-protected-images/ discussed one method that attempts to load images that are only accessible to logged-in users. If the offensive website's code is able to load the image, this confirms that the user is logged on; if it fails, the user is not logged on. However, most websites do not protect images behind a login; instead the images are stored on a different server that does not require authentication.

More recently, Trusteer CTO Amit Klein and his research group discovered a vulnerability in the JavaScript engines of all leading browsers (Internet Explorer, Firefox, Safari and Chrome) which allows a website to check whether a user is currently logged onto another website. The source of the vulnerability is a specific JavaScript function: when it is called it leaves a temporary footprint on the computer, and any other website can detect this footprint. Websites that use this function in a certain way are therefore traceable, and many websites, including financial institutions, online retailers, social networking, gaming and gambling websites, use it. To protect themselves from in-session phishing attacks, Trusteer recommends that users [45]:

1. Deploy web browser security tools

2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites

3. Be extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink.

One example of a phishing mail is shown in the following figure [45]:

Fig 3.1.7- Recent Phishing Email

3.1.3.2.4 Hacking Tricks Towards Security On Network Environments

Hacking tricks, when successfully carried out, can cause considerable loss and damage to users. They fall into three categories [46]:

(1) Trojan programs that share files via instant messenger, together with eavesdropping and Denial of Service (DoS).

(2) Phishing or fraud via e-mails.

(3) Fake websites.

3.1.3.2.5 Distributed Deny Of Service Attack Of Botnet

Online criminals can use a virus to take control of large numbers of computers at a time and turn them into "zombies" that work together as a powerful "botnet" to perform malicious tasks. Botnets, which can control huge numbers of zombie computers, can distribute spam e-mail, spread viruses, attack other computers and servers, and commit other kinds of crime and fraud. According to a report from the Russia-based Kaspersky Lab, botnets currently pose the biggest threat to the Internet. The computers that form a botnet can be programmed to direct their transmissions at a specific computer, such as a web site, which is then closed down by having to handle too much traffic: a Distributed Denial-of-Service (DDoS) attack [29].

3.1.3.2.6 Payment Recipient Scams

The criminals who carry out online fraud require payment recipients and bank accounts through which they can direct funds and launder their money. Innocent parties have been deceived into assisting the fraudsters in several ways, such as:

Advertisements are placed with employment agencies for financial or accounts staff. After applicants have been notified of their appointment to the role, they are asked to receive and distribute funds on behalf of the company via their personal accounts.

People have been approached via email or chat rooms and asked to facilitate international funds transfers, supposedly because of costs or restrictions on doing these transactions overseas, in return for a percentage of the funds.

Money laundering is thus a serious crime, and people involved in these scams can be held personally liable for the lost funds as well as being prosecuted [45]. Several methods are used to fight the various types of attack, but none can be considered 100% effective. The following diagram shows the status of each kind of attack as compared to the corresponding security measures [35]:

Fig 3.1.8: Status of Various Attacks as Compared to Security

Security Measurement Strategies

3. MATERIALS & METHODS

3.2 SECURITY MEASUREMENT STRATEGIES

3.2.1 Preface
3.2.1.1 Key Components for E-Banking
3.2.1.2 Security Mechanism Towards E-Banking Authentication Methods

3.2.2 Antivirus Techniques
3.2.2.1 Virus Scanning
3.2.2.2 Behavior Checkers
3.2.2.3 Integrity Checkers
3.2.2.4 Firewalls
3.2.2.5 Intrusion Detection System (IDS)
3.2.2.6 Intrusion Prevention System (IPS)
3.2.2.7 Honey Pots

3.2.3 Anti-Phishing Approach
3.2.3.1 Browsers Alerting Users to Fraudulent Websites
3.2.3.1.1 PwdHash
3.2.3.1.2 SpoofGuard
3.2.3.1.3 VeriSign

3.2.4 Common Strategies Used For Secured Authentication
3.2.4.1 Authentication Using Passwords
3.2.4.2 One Time Password (OTP) Generators
3.2.4.3 Challenge / Response (C / R) Calculators
3.2.4.4 Two Factor Authentications
3.2.4.5 Smartcard System
3.2.4.6 Chip Card Readers
3.2.4.7 Conventional Encryption Schemes
3.2.4.8 Public Key Encryption
3.2.4.9 Digital Signature
3.2.4.10 Secure Socket Layer (SSL)
3.2.4.11 Secure Electronic Transaction (SET)
3.2.4.12 Pretty Good Privacy (PGP)
3.2.4.13 Kerberos
3.2.4.14 Cryptographic Authentication
3.2.4.15 Public Key Infrastructure (PKI)
3.2.4.16 Public-Key Cryptosystems (PKC)
3.2.4.16.1 Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Crypto Systems
3.2.4.16.2 Elliptic Curve Cryptography (ECC)
3.2.4.17 Biometric
3.2.4.18 MeCHIP

3.2.5 Comparison Between Hardware-Based System Solution And Software-Based System Solution

3.2.1 PREFACE

The statistics do not lie: more and more people are doing their banking only online. When it comes to the future of banking there is a variety of predictions; many foresee consumers with embedded chip implants, with which a customer simply walks into a store, swipes, and views his balance instantaneously. To provide safe and secure e-banking, many banks have adopted various encryption technologies so that users' personal information is protected from unauthorized access. In the introductory part of this chapter we introduce the key components of e-banking and the security mechanisms behind e-banking authentication. In the second part we discuss antivirus techniques such as virus scanning, behaviour checkers, integrity checkers, firewalls, IDS, IPS and honey pots.

In the third part we discuss anti-phishing approaches, namely browsers that alert users to fraudulent websites, with PwdHash, SpoofGuard and VeriSign as examples. In the fourth part we throw some light on common strategies used for secure authentication: authentication using passwords, OTP generators, C/R calculators, two-factor authentication, smart card systems, chip card readers, conventional encryption schemes, PKE, digital signatures, SSL, SET, PGP, Kerberos, cryptographic authentication, PKI, PKC, elliptic curve discrete logarithm systems / elliptic curve cryptosystems, ECC, biometrics and MeCHIP. Finally we end the chapter with a comparison between hardware-based and software-based system solutions.

3.2.1.1 KEY COMPONENTS FOR E-BANKING

Each authentication method has its strengths and weaknesses, which need to be weighed by the bank, including the impact on customers. Key components that will help to maintain a high level of public confidence in an open network environment include [8]:

1. Security
2. Authentication
3. Trust
4. Non-repudiation
5. Privacy
6. Availability

1. Security: This is a central issue in Internet banking systems. Hardware or software sniffers can obtain passwords, account numbers, credit card numbers, etc., regardless of the means of access. National banks therefore must have a sound system of internal controls to protect against security breaches for all forms of electronic access.

A sound system of preventive, detective, and corrective controls will help assure the integrity of the network and the information it handles. Firewalls are frequently used on Internet banking systems as a security measure to protect internal systems and should be considered for any system connected to an outside network. Firewalls are a combination of hardware and software placed between two networks through which all traffic must pass, regardless of the direction of flow. They provide a gateway to guard against unauthorized individuals gaining access to the banks network. The simple presence of a firewall does not assure logical security and firewalls are not impenetrable: firewalls must be configured to meet a specific operating environment and they must be evaluated and maintained on a regular basis to assure their effectiveness and efficiency.

2. Authentication: This is another issue in an Internet banking system. Transactions on the Internet or any other telecommunication network must be secure to achieve a high level of public confidence. Banks typically use symmetric (private key) encryption to secure messages and asymmetric (public/private key) cryptography to authenticate parties. Asymmetric cryptography employs two keys, a public key and a private key. These two keys are mathematically tied, but the private key cannot feasibly be derived from the public key. For example, to prove that a message came from the sender, the sender signs the message with their private key (in textbook RSA this is the same operation as "encrypting" with the private key). Only the sender knows the private key, while anyone holding the sender's public key can verify the signature. Since a valid signature can only be produced with the sender's private key, the receiver knows the message came from the expected sender.

Internet banking systems should employ a level of encryption that is appropriate to the level of risk present in the systems. A national bank should therefore conduct a risk assessment when deciding on its appropriate level of encryption. A common asymmetric cryptography system is RSA; 1,024-bit keys were long typical, but 2,048-bit or longer keys are now the accepted minimum.

By using the two forms of cryptography together, symmetric to protect the message and asymmetric to authenticate the parties involved, banks can secure the message and have a high level of confidence in the identity of the parties. Biometric devices are an advanced form of authentication. These devices may take the form of a retina scan, finger or thumb print scan, facial scan, or voice print scan. Use of biometrics is not yet considered mainstream, but may be used by some banks for authentication. Examiners should evaluate biometric activities based on management's understanding of the risks, internal or external reviews, and the overall performance of these devices.

3. Trust: It is another issue in Internet banking systems. A trusted third party is a necessary part of the process. That third party is the certificate authority. A proper mix of preventive, detective, and corrective controls can help protect national banks from these pitfalls. Digital certificates may play an important role in authenticating parties and thus establishing trust in Internet banking systems.

4. Nonrepudiation: This is the undeniable proof of participation by both the sender and the receiver in a transaction. Digital signatures based on public key cryptography provide it: a message signed with a private key that only its owner holds cannot later be disowned by that owner, and a signed acknowledgement from the receiver likewise proves receipt.

5. Privacy: Privacy is a consumer issue of increasing importance.

6. Availability: Availability is another component in maintaining a high level of public confidence in a network environment. All of the previous components are of little value if the network is not available and convenient to customers. Users of a network expect access to systems 24 hours per day, seven days a week.

3.2.1.2 SECURITY MECHANISM TOWARDS E-BANKING AUTHENTICATION METHODS

A system for remote authentication should consider at least some of the following security mechanisms [63]:

I) User Secure Authentication (Identity Proof): The system should provide secure identification and user authentication by means of a password or another mechanism. User authentication is what grants each user access to their own account and transaction capabilities.

II) Confidentiality of Transferred Data: A confidentiality mechanism prevents eavesdropping on the communication between the client and the bank.

III) Integrity of Transferred Data: An integrity mechanism ensures that information transferred between the bank and its client cannot be forged or modified by an attacker.

IV) Undeniable Responsibility for Transactions Made: This mechanism ensures that the sender of a message is responsible for it and cannot later deny having sent it. Its typical use is in active transactions, where the client sends a transaction message to the bank: the bank, as receiver, can easily prove that the message was created and sent by that specific client, and the client cannot deny responsibility for it. The most common way to provide this mechanism is an electronic (digital) signature.
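The following Python is an added example, not the thesis's own code, of the mechanism behind item 2 (Authentication) in section 3.2.1.1 and item IV above: the client signs a transaction with a private key only it holds, the bank verifies it with the client's public key, and a modified message or a different key fails verification, which is what gives the signature its non-repudiation value. Everything here is textbook RSA on demo-sized primes (about 30 bits each, chosen for illustration and hopelessly insecure), with the SHA-256 digest reduced modulo n instead of the PKCS#1 padding that real deployments require; the transaction text and key sizes are assumptions for the demonstration.

```python
"""Added example: textbook RSA signing and verification for a bank transaction.

Demo-sized primes and no padding scheme; illustrates the mechanism only.
"""
import hashlib

# Demo primes, assumed for illustration only (a real key uses two ~1024-bit primes).
P = 1_000_000_007
Q = 998_244_353
E = 65537


def modinv(a, m):
    """Extended Euclid: x such that a*x == 1 (mod m); requires gcd(a, m) == 1."""
    r0, r1, x0, x1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        x0, x1 = x1, x0 - q * x1
    if r0 != 1:
        raise ValueError("a and m are not coprime")
    return x0 % m


def keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    d = modinv(e, (p - 1) * (q - 1))
    return (n, e), (n, d)


def message_digest(message, n):
    """SHA-256 of the message as an integer below n. Reducing mod n is only
    acceptable here because the demo modulus is far smaller than the digest;
    real RSA pads the digest up to the modulus size instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Signing = raising the digest to the private exponent ('encrypt with d')."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Verification = raising the signature to the public exponent and comparing."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def demo():
    """Client signs a transfer order; the bank checks it. A tampered order and a
    signature checked against someone else's public key both fail, so only the
    holder of the private key could have produced the accepted signature."""
    client_pub, client_priv = keygen()
    order = b"transfer 1000.00 from 12345 to 67890"   # constructed transaction
    sig = sign(client_priv, order)

    tampered = b"transfer 1000.00 from 12345 to 99999"
    other_pub, _ = keygen(p=1_000_000_009, q=998_244_353)   # a different client's key
    return {
        "genuine": verify(client_pub, order, sig),
        "tampered": verify(client_pub, tampered, sig),
        "wrong_key": verify(other_pub, order, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The bank never learns d, so it cannot manufacture a signature on the client's behalf; that asymmetry, rather than mere encryption, is what lets a third party later settle a dispute about who sent the order.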

Modern ways of authentication, such as smart cards, authentication calculators, biometric authentication and cryptographic authentication, are intended to remove the weaknesses of password authentication. Some of them are called one-time password systems: for example, a smart card or authentication calculator computes a one-time response to a challenge, and this response is used instead of a password. The calculator or smart card cooperates with the workstation, and the value generated is unique to each authentication, which is why it is useless to an attacker who captures it [63].

The second problem related to identity can only be tackled once authentication is solved. It is called expression of will: some applications need to record and clearly express the user's will to carry out a given transaction. This expression of will must be [63]:

Clear in identity and attributes
Capable of representing the will of the user
Auditable and unimpeachable

One of the main problems here is the huge difference between human non-digital communication and computer communication. Human non-digital communication uses different mechanisms for identification and for expressing will (a name, a password, a handwritten contract, etc.) than electronic or digital communication does; the latter uses means such as a digital signature or the other authentication methods mentioned in this chapter.

Other Security Measures

Most Internet banks offer other protective measures to ensure your information is kept safe and secure. Some examples of other security measures in place include:

Secure Logins: You will create your own online access account number and code that you will need each time you log in.

Limited Logins: Many banks limit the number of times you can attempt to log in per day and lock you out if you exceed this. That way someone can't attempt to break your login code easily.

Limited Sessions: Most banks offer limited sessions that require you to re-login after you have been inactive for a period of time preventing anyone from viewing your information if you leave your computer for too long.

When exploring towards solutions users can minimize risk by improving password complexity; implementing security measures such as personal firewalls, anti-spyware, anti-phishing features and up-to-date antivirus application; and installing the most current client software, browsers and operating system patches and updates.

As technology evolves, end users will be able to minimize risk through trusted federated directory structures and stronger authentication and cryptographic applications. The solutions to the security issues require the use of software-based systems, hardware-based systems, or a hybrid of the two. Because of the need to fight money laundering, most financial institutions nowadays maintain AML (anti-money laundering) software as part of the e-banking system to monitor transactions and detect suspicious money laundering activities [44]. In the coming sections we discuss some antivirus techniques for locating and eliminating viruses, but none of these has proven to be 100% effective, and therefore there is actually no way to know for certain that a system is free of viruses [31].

3.2.2 ANTIVIRUS TECHNIQUES

Antivirus software has been the chief defense mechanism since viruses first appeared. Most antivirus solutions are comprehensive security suites that can be centrally monitored; they can also be configured to remove administrative rights from client machines. Antivirus programs normally manage the life cycle of a virus outbreak in four steps [43]:

1. Prevention or avoidance of virus outbreak; 2. Suppression or control of virus outbreak; 3. Reinstallation of the affected nodes; and 4. Reporting and alerting all the complementing perimeter security systems.

3.2.2.1 VIRUS SCANNING

Scanning for viruses is the oldest and most popular method of locating them. Scanners search for specific code, a signature, which is believed to indicate the presence of a virus. Scanners have an important advantage over other types of virus protection in that they allow one to catch a virus before it ever executes on the computer. Depending on the virus type, the anti-viral software will search only in .COM files, in .EXE files, or in the boot sector. In the late 1980s, when only a few viruses were in circulation, it was easy to write a scanner; today, with thousands of viruses and many more written every year, keeping a scanner up to date is a major task. Another major problem is the window between the moment a virus is created and the moment the anti-viral software is able to detect it, during which it can spread and cause a lot of damage [31].
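As an added illustration (not code from the thesis), the following Python shows what a signature scanner does: each signature is a byte pattern, optionally containing single-byte wildcards, looked for only in file types that can carry executable code. The signatures and sample files are constructed for the demonstration and correspond to no real malware. The samples also show the limitation noted above: a one-byte variant slips past an exact signature, and a variant the database does not yet describe is simply not found.

```python
"""Added example: a toy signature scanner. '??' in a hex signature matches any
single byte, as in classic anti-virus databases. Signatures and samples are
constructed for the demonstration; none corresponds to real malware."""
import re


def compile_signature(hex_pattern):
    """'DEADBEEF??02' -> compiled regex over bytes; '??' is a one-byte wildcard."""
    parts = []
    for token in re.findall(r"\?\?|[0-9A-Fa-f]{2}", hex_pattern):
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


SIGNATURE_DB = {
    "Demo.Exact": compile_signature("DEADBEEF0102"),      # exact byte string
    "Demo.Wildcard": compile_signature("DEADBEEF??02"),   # tolerates one variable byte
}

# As in the text, a DOS-era scanner only looks where a virus can execute.
SCANNED_EXTENSIONS = (".com", ".exe")


def scan_bytes(data):
    """Sorted names of every signature found in the data."""
    return sorted(name for name, rx in SIGNATURE_DB.items() if rx.search(data))


def scan_file(filename, data):
    """Scan only executable file types; everything else is skipped unscanned."""
    if not filename.lower().endswith(SCANNED_EXTENSIONS):
        return []
    return scan_bytes(data)


# Constructed samples: the 'original', a one-byte variant, and a rewritten variant.
SAMPLES = {
    "original": b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x01\x02" + b"payload",
    "one_byte": b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x07\x02" + b"payload",
    "rewritten": b"MZ\x90\x00" + b"\xde\xad\xbe\xee\x01\x02" + b"payload",
}


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, scan_file("sample.exe", data))
```

The wildcard signature buys a little tolerance, but the "rewritten" sample shows why the text says a scanner is only as good as the last database update: nothing matches until an analyst has seen the new variant and added a signature for it.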

3.2.2.2 BEHAVIOUR CHECKERS

A behaviour checker is a memory-resident program (historically loaded from the autoexec.bat file) that sits in the background watching for unusual, virus-like activity and alerts the user when it takes place. Even this is not enough to detect all possible viruses [31].

3.2.2.3 INTEGRITY CHECKERS

Integrity checkers simply monitor files for changes. Typically, an integrity checker builds a log containing the names of all the files on a computer together with some characterisation of each file. That characterisation may consist of basic data such as the file size and date/time stamp, as well as a checksum, CRC, or cryptographic hash of some type. Each time it runs, the checker examines every file on the system and compares it with the characterisation recorded earlier. An integrity checker will catch most changes to files on the computer, including changes made by viruses. But thousands of viruses could already be present and the integrity checker would never tell us, as long as they did not execute and change some other file. Moreover, this method gives no assurance that software was not already infected on its way from the programmer's computer to the user's; it is therefore a good system for controlling the reproduction of viruses, but it cannot do anything against programs that are infected from the moment they are installed. Finally, a virus installed as a Trojan horse can modify the code of the anti-viral program itself so that it no longer detects anything, while we believe the system to be free of viruses [31].

Antivirus software is thus a good way to protect against viruses, but because it relies on the signatures held in its database it cannot discover new attacks unless that database is updated periodically. Besides this, antivirus software is helpless against other kinds of attack such as session hijacking and denial of service. Other software is therefore needed alongside the antivirus, and a variety of tools serve this purpose: firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honey pots, etc. [32].

3.2.2.4 FIREWALLS

A firewall stops suspicious data before it enters the system. There are three kinds of firewall, and two architectures based on them built around a DMZ (demilitarised zone).

Firewalls offer great advantages in the field of security but still have their limits. The main one is that a firewall can never close every port: at least one port must remain open to communicate with the Internet, and that single open port can be considered a door for attacks. This means that the computer may be under attack at any time [32].

3.2.2.5 INTRUSION DETECTION SYSTEM (IDS)

An Intrusion Detection System is used to detect the presence of an attack on our system: the IDS raises an alarm when an intrusion has broken into or entered the system. There are two types of IDS, host-based (HIDS) and network-based (NIDS). A HIDS is the more reliable of the two because it can easily detect illegal access on the host it runs on, but it delivers all the information it collects to a central computer. On an internal network with a large number of machines running HIDS this can be a problem, because the large flow of information may degrade the performance of the system; that is why a NIDS is preferred in that kind of network, even though it can miss some illegal access that a HIDS would see.
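As an added example (not from the thesis), the following Python contrasts the two vantage points just described with two small detection rules. host_bruteforce() is a HIDS-style rule over an authentication log that only the host itself holds, and net_portscan() is a NIDS-style rule over connection records as seen on the wire, which a HIDS on one machine would never see. The log lines are constructed for the demonstration and only imitate real syslog and flow formats.

```python
"""Added example: a HIDS-style and a NIDS-style detection rule over
constructed log data (the lines imitate, but do not reproduce, real formats)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed host authentication log: one source hammers the host, one user
# simply mistypes a password twice, a quarter of an hour apart.
AUTH_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:04 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:06 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:09 sshd: Accepted password for alice from 198.51.100.7
2024-03-01T09:05:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:20:00 sshd: Failed password for bob from 198.51.100.7
"""
AUTH_RX = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def host_bruteforce(log_text, threshold=5, window_s=60):
    """HIDS rule: a source causes >= threshold failed logins within window_s
    seconds. Returns [(source, time_of_alert)], at most one alert per source."""
    recent = defaultdict(deque)          # source -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = AUTH_RX.match(line)
        if not m or m.group(2) != "Failed":
            continue
        stamp, src = m.group(1), m.group(4)
        ts = datetime.fromisoformat(stamp)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, stamp))
            alerted.add(src)
    return alerts


# Constructed connection records as a network sensor would see them: one
# source probes ten different ports, another legitimately reuses port 443.
FLOW_LOG = """\
2024-03-01T09:01:00 203.0.113.9 -> 10.0.0.5:21 SYN
2024-03-01T09:01:00 203.0.113.9 -> 10.0.0.5:22 SYN
2024-03-01T09:01:00 203.0.113.9 -> 10.0.0.5:23 SYN
2024-03-01T09:01:01 203.0.113.9 -> 10.0.0.5:25 SYN
2024-03-01T09:01:01 203.0.113.9 -> 10.0.0.5:80 SYN
2024-03-01T09:01:01 203.0.113.9 -> 10.0.0.5:110 SYN
2024-03-01T09:01:02 203.0.113.9 -> 10.0.0.5:143 SYN
2024-03-01T09:01:02 203.0.113.9 -> 10.0.0.5:443 SYN
2024-03-01T09:01:02 203.0.113.9 -> 10.0.0.5:445 SYN
2024-03-01T09:01:03 203.0.113.9 -> 10.0.0.5:3389 SYN
2024-03-01T09:01:05 198.51.100.7 -> 10.0.0.5:443 SYN
2024-03-01T09:01:09 198.51.100.7 -> 10.0.0.5:443 SYN
2024-03-01T09:01:15 198.51.100.7 -> 10.0.0.5:443 SYN
"""
FLOW_RX = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) SYN$")


def net_portscan(flow_text, min_ports=10):
    """NIDS rule: a source opens connections to >= min_ports distinct ports.
    (A production rule would also bound this by a time window.)"""
    ports = defaultdict(set)
    for line in flow_text.splitlines():
        m = FLOW_RX.match(line)
        if m:
            ports[m.group(2)].add(int(m.group(4)))
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    print(host_bruteforce(AUTH_LOG))
    print(net_portscan(FLOW_LOG))
```

The thresholds are the tuning knobs the text alludes to: lowering them catches slower attacks but raises the alarm volume that a central collector has to absorb, which is exactly the HIDS scaling problem described above.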

3.2.2.6 INTRUSION PREVENTION SYSTEM (IPS)

We need something that prevents attacks before they happen. An IPS identifies and stops malicious code before it penetrates the system; this type of software provides a fourth layer of the protective shield around the system.

It is advisable not to remove the firewall from the system even though its capabilities are limited compared to an IPS or IDS, because the firewall reduces the amount of bad traffic that reaches the IPS and IDS, which in turn reduces the alarms and the suspicious data they must handle [32].

3.2.2.7 HONEY POTS

One major objective of a honey pot is to gather as much information as possible, and generally this should be done silently, without alerting the attacker. All the gathered information gives the defending side an advantage and can be applied to production systems to prevent attacks. All methods of detection and prevention are based on known facts and known attack patterns: by learning attack strategies, countermeasures can be improved and vulnerabilities fixed. Another purpose of the honey pot is to divert hackers from production systems, or to catch a hacker in the act of conducting an attack.

Compared to an IDS, honey pots have the big advantage that they do not generate false alerts, since all observed traffic is suspicious by definition: no production components run on the system. Compared to an IPS, a honey pot does not prevent any attack; on the contrary, it sometimes encourages hackers to attack a system by deceiving them into believing it is easy to penetrate [32].

3.2.3 ANTIPHISH APPROACH

AntiPhish is an application that is integrated into the web browser. It is a novel browser extension, free for public use, intended to protect inexperienced users against phishing attacks based on spoofed web sites. AntiPhish tracks a user's sensitive information and generates warnings whenever the user attempts to transmit this information to an untrusted web site.

Main Functionality of AntiPhish: The development of AntiPhish was inspired by automated form-filler applications. Most browsers, such as Mozilla or Internet Explorer, have integrated functionality that allows form contents to be stored and automatically inserted if the user so desires. This content is protected by a master password; once the user enters it, a login form that was previously saved, for example, is automatically filled in by the browser whenever it is accessed. AntiPhish takes this common functionality one step further and tracks where this information is sent [55].

3.2.3.1 BROWSERS ALERTING USERS TO FRAUDULENT WEBSITES

Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0, Safari 3.2, and Opera all contain this type of anti-phishing measure. Firefox 2 used Google's anti-phishing software. Opera 9.1 uses live blacklists from PhishTank and GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach send the visited URLs to a central service to be checked, which has raised privacy concerns. According to a report by Mozilla in late 2006, Firefox 2 was found to be more effective than Internet Explorer 7 at detecting fraudulent sites in a study by an independent software testing company [56]. Similar browser-based solutions, including two plug-ins developed at Stanford University, are described below [55]:

3.2.3.1.1 PwdHash

PwdHash is an Internet Explorer plug-in that transparently converts a user's password into a domain-specific password, so that the user can safely use the same password on multiple web sites. A side-effect of the tool is some protection from phishing attacks: because the generated password is domain-specific, a phished password is not useful at the real site. The limitation is that the solution only protects passwords; it does nothing for sensitive information that a web site needs in unaltered form, such as credit card numbers and social security numbers.
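As an added example (neither the thesis's nor the PwdHash project's code), the following Python shows the idea behind a domain-specific password. The thesis does not describe PwdHash's actual derivation, so HMAC-SHA256 keyed with the master password over the site's domain is assumed here, and the registrable domain is approximated by the last two host labels; the URLs and master password are constructed for the demonstration.

```python
"""Added example: deriving a site-specific password from a master password,
in the spirit of PwdHash. Derivation and domain extraction are assumptions."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url):
    """'https://online.bank.example/login' -> 'bank.example'.
    Two-label approximation of the registrable domain, assumed for the demo."""
    host = (urlsplit(url).hostname or "").lower()
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def pwdhash(master_password, url, length=12):
    """Site-specific password = HMAC(master, domain), base64, truncated.
    The master password never leaves the browser; only the derived value is
    typed into the site's login form."""
    domain = site_domain(url)
    mac = hmac.new(master_password.encode(), domain.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def phishing_scenario(master_password="correct horse battery"):
    """Return (password the real bank gets, password on another host of the same
    bank, password a look-alike phishing host captures). The phished value is
    bound to the phisher's domain and is useless at the real bank."""
    real = pwdhash(master_password, "https://www.bank.example/login")
    same_bank = pwdhash(master_password, "https://online.bank.example/")
    phished = pwdhash(master_password, "https://bank.example.login-verify.example/")
    return real, same_bank, phished


if __name__ == "__main__":
    print(phishing_scenario())
```

Two caveats follow from the construction itself: the derivation is fast, so a captured site password still permits an offline guessing attack on the master password, which must therefore be strong; and, as the text notes, nothing here helps with data a site needs verbatim, such as a card number.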

3.2.3.1.2 Spoof Guard

SpoofGuard is a plug-in solution developed specifically to mitigate phishing attacks. The main difference between SpoofGuard and AntiPhish is that SpoofGuard is symptom-based: the plug-in looks for phishing symptoms such as similar-sounding domain names and masked links in the web sites that are visited, and alerts are generated based on the number of symptoms detected. AntiPhish, in comparison, is user-input-based and guarantees that sensitive information will not be transferred to an untrusted web site.

3.2.3.1.3 VeriSign

VeriSign has recently started to provide an anti-phishing service: the company crawls millions of web pages to identify clones and thereby detect phishing web sites. Along similar lines, AOL has announced that it plans to integrate blacklist-based anti-phishing support into the Netscape browser; blacklists of phishing web sites are maintained, and the browser will not allow the user to connect to a blacklisted site [55].

3.2.4 COMMON STRATEGIES USED FOR SECURED AUTHENTICATION

Financial institutions engaging in any form of internet banking should have effective and reliable methods to authenticate their customers. These methods include authentication using passwords, cryptographic authentication, digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTP), USB plug-ins, transaction profile scripts, and biometric identification. Moreover, most internet banks offer other protective measures to ensure information is safe and secure, such as secure logins, limited logins and limited sessions.

3.2.4.1 Authentication Using Passwords

Passwords are still the most common security mechanism, although it is well known that this method alone is not good enough to provide adequate protection. Weak passwords can easily be discovered by a dictionary attack. Online dictionary attacks are easy to detect by counting the number of failed access attempts, but offline dictionary attacks, run against a stolen password database, are more complex and difficult to deal with. There are also other ways to compromise passwords: capturing keystrokes has been used in some situations to steal the passwords typed by users, and this works even over a secure SSL connection. The only password-based system that can compete with cryptographic authentication methods is the one-time password (OTP) scheme, loosely termed a one-time pad below, in which each code is discarded after use, making it a dynamic password scheme. However, even these authentication methods can be compromised [47].
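As an added example (not from the thesis), the following Python makes the online/offline distinction concrete. Against an unsalted fast hash, a leaked database falls to a cheap offline dictionary attack; per-user salting and a slow key derivation (PBKDF2) cannot stop a weak password from being guessed, but make every guess cost thousands of hash computations and rule out precomputed tables. Online attempts, by contrast, pass through the server, which can simply count failures and lock the account, the "limited logins" control mentioned earlier. The wordlist, user records and iteration counts are constructed for the demonstration.

```python
"""Added example: offline dictionary attacks against weak vs. hardened password
storage, and an online failed-attempt lockout. All data is constructed."""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "S3cr3t!"]  # constructed


# --- weak storage: unsalted fast hash, as found in many leaked legacy databases
def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(target_hex, wordlist):
    """Offline attack: one cheap hash per guess, and because there is no salt the
    same precomputed table cracks every user at once. Returns (password, guesses)."""
    for guesses, word in enumerate(wordlist, 1):
        if md5_unsalted(word) == target_hex:
            return word, guesses
    return None, len(wordlist)


# --- hardened storage: random per-user salt + PBKDF2 with a high iteration count
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time compare


def crack_record(record, wordlist):
    """Offline attack still finds a weak password, but each guess now costs
    `iterations` HMAC evaluations and the salt defeats precomputed tables.
    Returns (password_or_None, guesses, hmac_evaluations)."""
    for guesses, word in enumerate(wordlist, 1):
        if verify_password(word, record):
            return word, guesses, guesses * record["iterations"]
    return None, len(wordlist), len(wordlist) * record["iterations"]


# --- online attacks: the server sees every attempt and can count them
class LoginThrottle:
    """Lock an account after max_failures consecutive failures. Real systems also
    rate-limit per source address, since a pure per-account lockout lets an
    attacker lock legitimate users out by guessing deliberately wrong."""

    def __init__(self, records, max_failures=5):
        self.records = records            # user -> record from make_record()
        self.max_failures = max_failures
        self.failures = {}

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if user in self.records and verify_password(password, self.records[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


if __name__ == "__main__":
    print(crack_unsalted(md5_unsalted("welcome1"), WORDLIST))
    print(crack_record(make_record("welcome1", iterations=2000), WORDLIST))
```

The lockout counter is the "easy to detect" case from the text; the hardened record is the best that can be done for the offline case, which is why the text moves on to one-time codes that are worthless once used.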

3.2.4.2 One Time Password (OTP) Generators

This method generates codes that are synchronized with an application running on the server, in a way that makes it practically impossible to derive the next code from the previous ones. To do so, the OTP generator and the server application share a seed that is used in the generation process. They are normally implemented as a small hardware device, but software implementations also exist. They are a good way to verify the identity of anyone who connects to a server. However, this is not enough for many critical operations such as bank account transfer orders, because an attacker executing code on the client's computer can use this authentication information to place different orders with the server on behalf of the client. Hardware OTP generators are more secure than software ones because the seed never has to be stored on the computer [47].
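The following Python is an added example, not the thesis's own code, of the event-based OTP generator described above (HOTP, RFC 4226) together with its time-based variant (TOTP, RFC 6238) and the server-side check that keeps token and server synchronised. The shared seed is the RFC test secret, not a real one; the look-ahead window size is an assumption chosen for the demonstration.

```python
"""Added example: HOTP (RFC 4226) / TOTP (RFC 6238) generation and the
server-side verification with resynchronisation. Seed is the RFC test vector."""
import hashlib
import hmac
import struct
import time

DEMO_SEED = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret, not a real one


def hotp(seed, counter, digits=6):
    """HOTP: HMAC-SHA1(seed, counter), dynamic truncation, last `digits` digits.
    Without the seed, knowing code N says nothing about code N+1."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, at=None, step=30, digits=6):
    """TOTP: HOTP with the counter replaced by the number of `step`-second
    intervals since the Unix epoch, so token and server synchronise on time."""
    now = time.time() if at is None else at
    return hotp(seed, int(now) // step, digits)


class HotpServer:
    """Server side of an event-based token: shares the seed, remembers the next
    expected counter, and accepts a code from a small look-ahead window (the
    user may have pressed the button without logging in). Every counter value up
    to the accepted one is burned, so a captured code cannot be replayed."""

    def __init__(self, seed, look_ahead=5):
        self.seed = seed
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.next_counter = c + 1      # resynchronise past the used value
                return True
        return False


if __name__ == "__main__":
    print([hotp(DEMO_SEED, c) for c in range(3)])   # RFC 4226 Appendix D values
    print(totp(DEMO_SEED))
```

Note what the server verifies: that the caller holds the seed, and nothing about the transaction the caller is about to submit. That is exactly the gap the text points out, and it is why a code that authenticates the session does not protect a transfer order issued by malware riding on that session.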

Similarly, in a one-time-pad scheme, other banks provide their customers with a login and one or two passwords that follow a one-time-pad scheme. This way, a different code is required for each transfer operation. For example, the customer could have a login, a table with 80 one-time-pad passwords and another table with 18 codes. The customers must keep track of the one-time-pad codes (by scratching them out, for example) so that they are able to authenticate a transaction. Sometimes this one-time-pad code must be entered to confirm a transaction after the first validation, but all such schemes are based on the same basic idea and require the customer to buy a hardware device (a custom piece of hardware with a smart card) for accessing the service. This device allows the user to navigate on the Internet and therefore connect to the bank web server [31].

Fig 3.2.1: SMS-Short Message Service, OTP-One-Time Password

3.2.4.3 Challenge / Response (C / R) Calculators

They take a challenge value and calculate the corresponding response, which is different for each user. A secret-key cryptographic algorithm is normally used to generate the response value. Knowledge of the correct response for a random challenge authenticates the user. This challenge can be passed to the C/R calculator either manually through a keyboard or over any other kind of communication link, such as a cable connection.

This method is equally vulnerable, because the user has to rely on the computer to handle the generated C/R, making it possible for the attacker to send data to the server using the identity of the real user [47].
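The following is an added example, not code from the thesis or from any product it cites, showing both token types described in 3.2.4.2 and 3.2.4.3 in working form: a counter-based one-time password as standardised in RFC 4226 (HOTP), the printed scratch table of 3.2.4.2 as simply the first codes of that counter, and an HMAC challenge/response calculator. The server side shows the two checks a practitioner cares about: a consumed counter or challenge is rejected on replay, and a challenge that carries the transaction text cannot be re-used to authorise a different transfer, which addresses the weakness noted above. The seed value is the RFC 4226 test secret; the look-ahead window, the transaction-bound challenge format and the transaction strings are this example's own assumptions.

```python
"""Shared-secret token simulation: counter-based one-time passwords (HOTP,
RFC 4226) and an HMAC challenge/response calculator, with the server-side
checks that make a captured code worthless on its second use.  Constructed
example; the seed, counters and transaction details are made up."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def scratch_table(secret: bytes, count: int, start: int = 0) -> list:
    """A printed code table is just the first `count` counter values, precomputed."""
    return [hotp(secret, start + i) for i in range(count)]


class OtpServer:
    """Server side of the OTP scheme: shares the seed, tracks the last used counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value expected from the token
        self.look_ahead = look_ahead  # assumed tolerance for unused button presses

    def verify(self, code: str) -> bool:
        # Accept a small window of future counters, but never a counter at or
        # below the last one consumed: a captured code cannot be replayed.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def cr_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Challenge/response calculator: keyed hash of the challenge, shown as digits."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class CrServer:
    """Issues challenges bound to a transaction and accepts each response once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}   # challenge -> transaction it was issued for

    def challenge_for(self, transaction: str) -> bytes:
        # Binding the transaction text into the challenge (an assumption of this
        # example) means a response computed for one transfer cannot authorise
        # another one substituted by software running on the client PC.
        challenge = secrets.token_bytes(8) + transaction.encode()
        self.pending[challenge] = transaction
        return challenge

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self.pending:   # unknown, altered or already consumed
            return False
        del self.pending[challenge]         # one response per challenge
        return hmac.compare_digest(cr_response(self.secret, challenge), response)


def demo() -> dict:
    seed = b"12345678901234567890"   # RFC 4226 test secret, constructed input
    srv = OtpServer(seed)
    first = hotp(seed, 0)
    results = {"first_code": first, "accepted": srv.verify(first),
               "replayed": srv.verify(first)}
    cr = CrServer(seed)
    challenge = cr.challenge_for("transfer 100 to account 42")
    response = cr_response(seed, challenge)
    results["cr_ok"] = cr.verify(challenge, response)
    results["cr_replay"] = cr.verify(challenge, response)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first code accepted and its replay refused, and the same for the challenge/response pair; `scratch_table(seed, 80)` produces the kind of 80-entry code table the text describes, which is why such a table and a hardware generator offer the same replay protection but differ in how the seed is kept.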

3.2.4.4 Two-Factor Authentication

Another strategy is the use of two passwords, only random parts of which are entered at the start of every online banking session, with passwords additionally confirmed through tokens or SMS messages. Two-factor authentication requires a smart card and a password and is usable with any smart card reader. It provides strong authentication and non-repudiation for sensitive applications such as e-banking, electronic commerce, and other financial transactions. One of the popular techniques is the e-Token PRO smartcard technique, which stores users' private keys, passwords and certificates, using 1024- or 2048-bit RSA authentication and digital signatures. Examples of products providing two-factor authentication using the AES (Advanced Encryption Standard) or RSA (Rivest, Shamir, and Adleman) technique are key fobs, cards, PIN pads and USB (Universal Serial Bus) hardware. Software tokens are available for Windows, Pocket PC, Palm OS, BlackBerry, and Ericsson, Nokia, and NTT DoCoMo cell phones [35].

Fig 3.2.2: RSA (Rivest, Shamir, and Adleman) Technique

3.2.4.5 Smartcard System

The Smartcard system is a mechanical device which has information encoded on a small chip on the card, and identification is accomplished by algorithms based on asymmetric sequences. Each chip on the Smartcard is unique and is registered to one particular user, which makes it impossible for a virus to penetrate the chip and access the confidential data. Thus smart cards are small, portable, tamper-resistant devices providing users with convenient storage and processing capability. Because of this unique capability, smart cards are proposed for use in a wide variety of applications such as electronic commerce, identification, and health care. For many of these proposed applications, the cryptographic services offered by digital signatures would be required. To be practical for widespread use, however, smart cards also need to be inexpensive. Practical limitations in the Smartcard system still prevent it from broad acceptance for major applications such as home banking or on-line distribution. One drawback of the Smartcard is that it cannot handle large amounts of information which need to be decoded. Furthermore, the Smartcard only protects the user's private identification; it does not secure the transfer of information. For example, when the information is keyed into the banking software, a virus could attack the information, altering its destination or content.

The Smartcard would then receive this altered information and send it, which would create a disaster for the user. Nevertheless, the Smartcard is one hardware-based system that offers confidential identification [16]. The only way to break the security of this system is to steal the smart card together with the PIN code, which reduces the risk to that of an ATM [31].

Fig 3.2.3: Cryptographic Smart Card

3.2.4.6 Chip Card Readers

A third option is providing customers with chip card readers capable of generating single-use passwords unique to the customer's chip card. Many problems arise because of unprotected data transfer between clients and servers. For example, in systems such as NFS, AFS, and Windows NT, there is no authentication of file contents when information is sent between the client and server [35].

Fig 3.2.4: Chip Card Reader

3.2.4.7 Conventional Encryption Schemes

In this scheme one key is used by two parties to both encrypt and decrypt the information. Once the secret key is entered, the information looks like a meaningless jumble of random characters. The file can only be viewed once it has been decrypted using the exact same key.

3.2.4.8 Public Key Encryption

In this method, there are two different keys held by the user: a public key and a private key. These two keys are not interchangeable, but they are complementary to each other, meaning that they exist in pairs. Therefore, the public key can be made public knowledge and posted in a database somewhere. Anyone who wants to send a message to a person can encrypt the message with the recipient's public key, and this message can only be decrypted with the complementary private key. The private key remains on one's personal computer and is never transferred via the Internet. This key is itself encrypted to protect it from hackers breaking into the personal computer.

3.2.4.9 Digital Signature

Digital signatures were first proposed in 1976 by Whitfield Diffie at Stanford University. A digital signature transforms the message that is signed so that anyone who reads it can know who sent it. The use of digital signatures employs a secret key (private key) to sign messages and a public key to verify them. The sender encrypts the message using the private key, and the result can only be verified with the public key: on receiving the message, the receiver decrypts the encrypted message with the sender's public key. This ensures that the message was actually from the appropriate person.

Besides uniquely identifying the sender, the digital signature also ensures that the original message was not tampered with in transit. The receiver can use the original hashing algorithm to create a new message digest after decrypting the message and compare the new message digest with the original digest. If they match, it is certain that the message has not been altered in transit. Because the signature contains information produced by a one-way hashing algorithm, it is impossible to duplicate a signature by copying the signature block to another message. Therefore, it is guaranteed that the signature is original. For example, First Digital Bank is using digital signatures in the e-banking industry to provide more secure and authentic transactions [16].

A digital signature is produced by first running the message through a hashing algorithm to come up with the message digest. Next, the message digest is encrypted with the sender's private key, which uniquely identifies the sender of the message. Digital signature technology requires a public key infrastructure (PKI), under which each individual has a pair of private and public keys [58].
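The hash-then-sign procedure of 3.2.4.9 and the encrypt-with-public-key model of 3.2.4.8 can be shown end to end with textbook RSA. The block below is an added example written for this page, not code from the thesis or from any bank or vendor it mentions; it generates a key pair, "encrypts" the SHA-256 digest with the private key, and lets the receiver recover the digest with the public key and compare it with a freshly computed one, so that a modified message, or a signature block copied onto another message, fails to verify. The 1024-bit modulus, the Miller-Rabin parameters and the sample message are this example's own choices; the text's 2048-bit keys and a padding scheme such as RSA-PSS are what a deployed system uses.

```python
"""Textbook RSA key generation, hash-then-sign, and verification, following the
description in 3.2.4.8/3.2.4.9: the sender signs the SHA-256 digest with the
private key and the receiver recovers the digest with the public key and
compares it with a freshly computed one.  Constructed for illustration; it
omits the padding (e.g. RSA-PSS) and larger moduli a real implementation uses."""
import hashlib
import random

_SMALL_PRIMES = [p for p in range(3, 500)
                 if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n: int, rng: random.Random = None, rounds: int = 32) -> bool:
    """Miller-Rabin test after cheap trial division by the small primes."""
    rng = rng or random.SystemRandom()
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits: int = 1024, rng: random.Random = None):
    """Returns (public, private) as (n, e), (n, d).  1024 bits keeps the demo
    quick; the 2048-bit keys mentioned in the text are what production uses."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e must be coprime to phi(n)
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """The message digest, as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(digest(message), d, n)     # "encrypt" the digest with the private key


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    # "decrypt" with the public key and compare with a freshly computed digest
    return pow(signature, e, n) == digest(message)


def encrypt(public, m: int) -> int:
    """3.2.4.8: anyone can encrypt for the key owner (m must be smaller than n)."""
    n, e = public
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    order = b"transfer 100 to account 42"   # constructed sample message
    sig = sign(priv, order)
    print(verify(pub, order, sig), verify(pub, b"transfer 900 to account 42", sig))
```

The two printed values are `True` and `False`: the signature authenticates the original order and is rejected for the altered one, which is the tamper-detection property the text attributes to the one-way hash in the signature.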

3.2.4.10 Secure Socket Layer (SSL) Technology

This technology has been adopted by many banks. It encrypts the information that users send over the Internet. That means the data a user sends from one computer to another is encrypted to protect it from hacking. This technology is now accepted by or compatible with most browsers, including Internet Explorer and Netscape Navigator. Usually we can see a little yellow padlock (lock/security device) in the lower right-hand corner of our screen, indicating that a page is being secured using this technology.

3.2.4.11 Secure Electronic Transaction (SET)

The Secure Electronic Transaction (SET) software system is the global standard for secure card payments on the Internet, defined by various international companies such as Visa, MasterCard, IBM, Microsoft, Netscape Communications Corp., GTE, SAIC, Terisa Systems and VeriSign. SET promises to secure bank-card transactions online. Lockhart, CEO of MasterCard, said: "We are glad to work with Visa and all of the technology partners to craft SET. This action means that consumers will be able to use their bank cards to conduct transactions in cyberspace as securely and easily as they use cards in retail stores today." SET adopts RSA public key encryption to ensure message confidentiality. Moreover, this system uses a unique public/private key pair to create the digital signature. Although public key encryption and the digital signature ensure the confidentiality and the authenticity of the message, there is still a potential danger in that the information the sender provides may not be real. For example, the sender may encrypt a bank card number which belongs to someone else using his/her own private key. To ensure true authentication, there is a need for a process of certification. A third party who is trusted by both the sender and the receiver will issue the key pair to the user who provides sufficient proof that he is who he claims to be. Thus SET can become a better solution by using encryption, authentication and certification.

3.2.4.12 Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP), created by Philip Zimmermann, is a hybrid crypto system that combines a public key (asymmetric) algorithm, with a conventional private key (symmetric) algorithm to give encryption combining the speed of conventional cryptography with the considerable advantages of public key cryptography.

PGP is a well-established privacy/authentication technique created by Philip Zimmermann in 1991, which enables both encryption and signing of e-mails. Each user of PGP has both a private and a public key; with the private key the user can encrypt and sign the e-mails they send out. The receiver of a signed e-mail needs the public key of that sender to check the signature. If companies used a similar technique to sign their e-mails, this would make it impossible for malicious people to spoof their e-mails, as long as only the company has access to the private key. This would make it possible for users to securely authenticate any sender of an e-mail by clicking a button [65]. The advantage of PGP is that it does not require a trusted channel for transmitting the encryption key to the intended recipient of our message. Furthermore, it has the ability to sign messages by encrypting them with the sender's private key, which cannot be replaced by any other key. Once the receiver has received the message, he/she can then decrypt it with the sender's public key, which cannot be forged and represents the true identity of the sender.

The main task of today's anti-phishing applications is to inform users more clearly about the security of the site they are visiting. Anti-phishing applications most often use a blacklist containing the URLs of known phishing sites, against which the requested URL is compared. But newer anti-phishing applications, e.g. Microsoft Internet Explorer, use both blacklists and whitelists (containing known authentic URLs) and check the remaining sites for known phishing characteristics. This can be considered an efficient way to discover even unknown phishing sites, and because all features are dynamic, the protection can follow phishing's development [65].

3.2.4.13 Kerberos

Kerberos is named after the three-headed watchdog of Greek mythology, and it is one of the best-known private-key encryption technologies. Kerberos creates an encrypted data packet, called a ticket, which securely identifies the user. To make a transaction, one generates the ticket during a series of coded message exchanges with a Kerberos server, which sits between the two computer systems. The two systems share a private key with the Kerberos server to protect information from hackers and to assure that the data has not been altered during transmission. One example of this encryption is Net-Cheque, which was developed by the Information Sciences Institute of the University of Southern California. Net-Cheque uses Kerberos to authenticate signatures on electronic checks that Internet users have registered with an accounting server.

Four popular anti-virus applications are McAfee Anti-Virus, Kaspersky AntiVirus Personal, AntiVir Personal Edition, and Ikarus Virus Utilities [64].

3.2.4.14 Cryptographic Authentication

These methods provide higher security than static passwords. They are based on the idea that it is possible to prove the identity of a person by doing some cryptographic operation over some given information which is different for each operation. This way the access code generated is different each time, making it worthless to steal them, as the code will be different next time. Even if the attacker can collect hundreds or even thousands of codes from the same user, it is still impossible to obtain the value of the cryptographic key used to generate them. Therefore, as in all cryptographic systems, the main problem is the protection of the keys from the attacker.

Public key cryptography is normally used, but in cases where the communication is established between entities that have a previous relationship (like the clients of a bank), private key cryptography can also be used. Both public and private key cryptography can provide authentication, data encryption and digital signatures [47].

3.2.4.15 Public Key Infrastructure (PKI)

PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over the increasingly insecure internet. PKI consists of methods, technologies and techniques that together provide a secure infrastructure. PKI refers to the use of a public and private key pair for authentication and proof of content. Public key cryptography uses a pair of mathematically related cryptographic keys: if one key is used to encrypt a message, then only the related key can decrypt that message. Public keys are stored in digital certificates along with other relevant information. Since the certificate is publicly available, preventing access is not an issue; however, it should be protected from corruption, deletion or replacement.

No one should be able to access someone else's private key, so access to private keys is generally protected with a password of the owner's choice. Hence, PKI's main problem is the management of private keys. They need to be stored somewhere, such as a PC, a server or a smart card, and be protected with a password. In this manner, accessing a private key requires only knowledge of the password, not being the right person, so it is vulnerable to attacks by hackers.

This problem can be solved by using biometrics in PKI. One way of doing so is generating the private keys directly from the biometric templates. Since private keys can be generated dynamically from one's biometric template, there is no need to store private keys anymore, which solves PKI's private key storage problem [58].

3.2.4.16 Public-Key Cryptosystems (PKC)

The use of public-key cryptosystems (PKC) has received considerable attention. They are beneficial for encryption as well as signing, which plays an essential role in e-banking and financial transactions. Elliptic Curve Cryptography (ECC) is one of the best public key techniques because of its small key size and high security [34]. With the enormous growth of the computer and communication industry, public key cryptography became the type of cryptography that controls electronic mail, e-commerce and the Internet. It is beneficial in encryption as well as digital signing, which plays an essential role in electronic money transactions and identity verification. Public key systems solve the key management problems associated with symmetric-key encryption; moreover, and even more importantly, public key cryptography offers the ability to efficiently implement digital signatures. The digital signature of a person uniquely identifies that person in a transaction. Today, three types of systems, classified according to the mathematical problem on which they are based, are generally considered both secure and efficient. The systems are: integer factorization systems (of which RSA is the best-known example), discrete logarithm systems (such as the U.S. Government's DSA), and elliptic curve discrete logarithm systems, described next.

3.2.4.16.1 Elliptic Curve Discrete Logarithm Systems / Elliptic Curve Crypto Systems

Today ECC offers those looking for a smaller, faster public-key system a practical and secure technology for even the most constrained environments. This is why ECC is well suited for low bandwidth and low memory applications such as mobile communication and smart cards. ECC delivers the highest strength per bit of any known public-key system because of the difficulty of the hard problem upon which it is based.

This greater difficulty of the hard problem, the Elliptic Curve Discrete Logarithm Problem (ECDLP), means that smaller key sizes yield equivalent levels of security [34].

3.2.4.16.2 Elliptic Curve Cryptography (ECC)

ECC is a public key cryptography algorithm. In public key cryptography, each party has a key pair (a public key and a private key) and a set of operations associated with the keys for cryptographic operations [58]. Secure applications in smart cards present implementation challenges particular to the platform's memory, bandwidth, and computation constraints. The unique properties of ECC make it especially well suited to smart card applications. ECC systems provide the highest strength per bit of any cryptosystem known today. The cited work presents a new method for smart card implementation of elliptic curves, explaining how ECC can not only significantly reduce the cost but also accelerate the deployment of smart cards in new applications. ECC permits reductions in key and certificate size that translate to smaller memory requirements, especially for EEPROM, which represents significant cost savings. This added functionality can play an effective role in electronic payment and online banking technologies. The protocol described there depends on the security of the elliptic curve primitives, e.g., key generation, signature generation, and signature verification. These operations utilize the arithmetic of points which are elements of the set of solutions of an elliptic curve equation defined over a finite field. The security of the protocol depends on the intractability of the elliptic curve analogue of the discrete logarithm problem, which is a well-known and extensively studied computationally hard problem [34].

In summary, ECC's key size advantages afford many benefits for smart cards, and the superior performance offered by ECC implementations makes applications feasible in low-end devices without dedicated crypto hardware.
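To make the three primitives named above concrete, here is an added example, not code from the thesis or from the work it cites in [34], that builds the point arithmetic of an elliptic curve over a prime field in plain Python and then performs ECDSA key generation, signature generation and signature verification on top of it. Unlike the RSA construction of 3.2.4.9, nothing here is "encrypted with the private key": the private key is a scalar, the public key is the point obtained by scalar multiplication of the generator, and recovering the scalar from that point is the ECDLP the section refers to. The curve used is the publicly specified secp256k1 (chosen here for its simple constants; the arithmetic for P-256, the kind of curve typically found in banking smart cards, is identical apart from the parameters), and the sample order text is constructed. A deployment would use a vetted library with constant-time arithmetic rather than this illustration.

```python
"""Elliptic-curve arithmetic over a prime field and ECDSA key generation,
signing and verification built directly on it.  Constructed example using the
public secp256k1 parameters; a real deployment uses a vetted library."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), generator G of prime order N
P = 2 ** 256 - 2 ** 32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def on_curve(pt) -> bool:
    """True if pt is a solution of the curve equation (None is the identity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Chord-and-tangent group law; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt):
    """Double-and-add.  Recovering k from (pt, k*pt) is the ECDLP."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Key generation: private scalar d, public point Q = d*G."""
    d = 1 + secrets.randbelow(N - 1)
    return d, scalar_mult(d, G)     # Q fits in 33 bytes compressed, vs. a 256-byte RSA-2048 key


def _hash_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, msg: bytes):
    """ECDSA signature generation: (r, s) with a fresh per-signature nonce k."""
    e = _hash_int(msg)
    while True:
        k = 1 + secrets.randbelow(N - 1)     # must never repeat across signatures
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return (r, s)


def verify(Q, msg: bytes, sig) -> bool:
    """ECDSA signature verification against public point Q."""
    r, s = sig
    if not (0 < r < N and 0 < s < N) or Q is None or not on_curve(Q):
        return False
    e = _hash_int(msg)
    w = pow(s, -1, N)
    X = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, Q))
    return X is not None and X[0] % N == r


if __name__ == "__main__":
    d, Q = keygen()
    order = b"transfer 100 to account 42"    # constructed sample transaction
    sig = sign(d, order)
    print(verify(Q, order, sig), verify(Q, b"transfer 900 to account 42", sig))
```

Running the block prints `True False`. The assertion that `N * G` is the point at infinity is the check that the generator really has the stated order, which is what makes the modular inverses in `sign` and `verify` well defined; a card implementation performs exactly these point additions and doublings, only with the field arithmetic done in hardware or in constant time.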

3.2.4.17 Biometric

A biometric is a measurable physiological and/or behavioral trait that can be captured and subsequently compared with another instance at the time of verification. Biometric-based systems are used in the authentication and identification of an individual by processing his/her biometric data. A biometric identifier comes from something the user is, and it is created through fingerprint, retina or iris scan, hand geometry, voice patterns, vein patterns or any other such technology. An individual's biometric data can then be stored in a database. For identification by biometric-based systems, individuals must first enroll in the biometric system, a process in which their biometric data is collected by an input device specific to each type of biometric, and a master template is built from that data and stored. From this point on, in each identification instance, the biometric data is collected from the individual and a new template is created. This template is then compared with the master template, and based on a threshold of matching rate the system decides to accept or reject the claimed identity [58].

Biometric Signatures: A biometric signature is formed by generating a private key from a biometric sample and using that private key to create a digital signature. Biometric signatures have all of the advantages of both PKI and biometrics, as well as some additional advantages such as no storage requirement for the biometric template or the private key. The biometric template must be swiftly recognizable and very accurate in order to create the same private key every time. Iris scanning has such a low equal error rate (EER) (one in 1.2 million) that it seems to be a good choice for this mechanism. An iris scan generates a 512-byte iris template for user authentication [58].

Biometric Methods: Other authentication methods are based on biometrics; examples are retina scans, fingerprints/handprints, voice prints, DNA (deoxyribonucleic acid), face recognition, lip movement, signature, etc.

These technologies are good but neither perfect nor foolproof. Other online authentication models are the one-time-password scratch card, one-time-password tokens, smart cards (which require readers, drivers, operating system support, etc.) and OOB (out-of-band) authentication, in which a telephone call is made to complete a financial transaction. Another online authentication model is the IP address and geo-location method, in which the IP address is compared with the customer's known location; if the customer's inferred location is questionable, this method requires additional authentication information. Another method is mutual authentication, which is based upon a public-key infrastructure and uses SSL (Secure Sockets Layer) so that client and server can exchange certificates [35].

Fig 3.2.5: Biometric Sensors Example (Out-Of-Band authentication)

3.2.4.18 MeCHIP

MeCHIP, which was developed by ESD, is connected directly to the PC's keyboard using a patented connection. All information which needs to be secured is sent directly to the MeCHIP, circumventing the client's vulnerable PC microprocessor. The information is then signed and transmitted to the bank in secure coded form. A closed, secure channel from the client to the bank is assumed in this case. All information which is transmitted and received is logged and verified to ensure that it has not been tampered with. If there are any deviations, the session is immediately terminated. This hardware-based solution offers the necessary security at the personal computer to transfer confidential information [16].

3.2.5 COMPARISON BETWEEN HARDWARE-BASED SYSTEM SOLUTIONS AND SOFTWARE-BASED SYSTEM SOLUTIONS

Following are two possibilities for providing a secure PC banking system [31]:

A) Using a custom hardware platform for accessing the bank from home: This would act as an ATM connected to the Internet: as long as the communications are encrypted, neither an on-line attack nor an inside attack is possible, as the browsing software is stored in a ROM memory and therefore cannot be infected. This option looks better, although it still has a high cost, and most users won't make intensive use of it for PC banking operations. For example, Argentaria bank in Spain and West Fargo bank in the US provide a hardware Internet navigation platform for this purpose.

B) Using a PC booted from a ROM disk: Booting up the computer from a CD-ROM disk can ensure that no viruses or hostile software have been introduced after it is delivered by the bank. Under these conditions, it is perfectly safe to use a password-based authentication system even for doing fund transfers. But it requires shutting down the computer each time the user wants to order a fund transfer, hence it is generally not preferred.

HARDWARE-BASED SYSTEM

Hardware-based systems offer a more secure way to protect information, but they are less portable and more expensive than software-based systems. For example, the Smartcard and the MeCHIP provide better protection for the confidentiality of personal information. Thus the hardware-based security system creates a secure, closed channel where the confidential identification data is absolutely safe from unauthorized users.

SOFTWARE-BASED SYSTEM

Many systems today use some form of software-based protection. Software-based protections are easily obtained at lower costs than hardware-based protection. Consequently, software-based protection is more widely used. But software-based protection has many potential hazards. For software-based systems, there are four ways to break into the system:

i) First of all, attacking the encryption algorithms is one possible approach. This form of attack would require much time and effort to be invested to break in.

ii) A more direct approach would be using brute force by actually trying out all possible combinations to find the password.

iii) A third possible form of attack is against the bank's server, which is highly unlikely because these systems are very sophisticated. This leaves the fourth possible method, which also happens to be the most likely attack.

iv) The fourth method is to attack the client's personal computer. This can be done in a number of ways, such as planting viruses (e.g. Trojan horses) as mentioned above. But, unlike the traditional viruses, the new viruses will aim to have no visible effects on the system, thus making them more difficult to detect and easy to spread unintentionally [16].

In software-based security systems, the coding and decoding of information is done using specialized security software. Encryption is the main method used in these software-based security systems: encryption is a process that modifies information in a way that makes it unreadable until the exact same process is reversed. In general, there are two types of encryption, conventional and public key, as described above. Due to their easy portability and ease of distribution through networks, software-based systems are more prevalent in the market. These software-based solutions involve the use of encryption algorithms, private and public keys, and digital signatures to form software packages such as Secure Electronic Transaction (SET), used by MasterCard, and Pretty Good Privacy.