Thursday, September 8, 2011

Security of Internet Banking (Part 2) - Possible Attacks against an Internet Banking System

An attacker can target user equipment such as tokens (smart cards) and password generators, or the actions of the user himself. These types of attacks include:

Procedural Attacks

  1. Hidden code – Hidden code within a web page that installs malicious software on the user’s terminal. The exploit may target Java runtime support, ActiveX support, multimedia extensions, or the automated download and execution of software through the browser.
  2. Worms and bots – Worms search for vulnerabilities and exploit them automatically. This may include the exploitation of instant messaging and chat software, which may be carried out automatically by bots.
  3. E-mails with malicious code – E-mail with malicious content such as executable attachments or HTML code with embedded applets.

Token Attack tools

  1. Smartcard analyzers – These undermine the security of the smartcard by revealing cryptographic keys and passwords, for example by analyzing the power consumption of the smartcard or by timing analysis. These attacks are not easy to implement but are very effective.
  2. Smartcard reader manipulators – This attack applies to non-certified smartcard readers with insecure interfaces, which may expose the contents of the smartcard.
  3. Brute force attacks with PIN calculations – These attacks focus mainly on breaking the security of tokens that generate random PINs.

Phishing

  1. Social engineering – These attacks manipulate the user into giving up the password, login information or other sensitive information through phone calls and other social channels.
  2. Web page obfuscation – Links that do not lead to the destination they describe, or that use Internet Protocol (IP) addresses instead of a uniform resource locator (URL) to confuse the user. Hidden frames are another form: the page is built from several frames with malicious content while the user only sees the URL of the master frameset. A further method uses graphics that spoof parts of the browser interface, such as the address bar.
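The link tricks described above (raw IP addresses in place of a hostname, and link text that names one site while the href points at another) can be checked mechanically. The following detector is an added example written for this post, not code from the original; the bank domain `examplebank.test` and the HTML snippet are constructed placeholders.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

EXPECTED_DOMAIN = "examplebank.test"  # constructed: the bank's real domain


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname part of a URL, lower-cased; empty string if unparseable."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_link(href, text, expected=EXPECTED_DOMAIN):
    """Return the reasons a link looks deceptive (empty list if it looks fine)."""
    reasons = []
    href_host = host_of(href)
    if is_ip_literal(href_host):
        reasons.append("href uses a raw IP address instead of a hostname")
    if not same_site(href_host, expected):
        reasons.append("href host is not the expected bank domain")
    # If the visible text itself looks like a URL or domain, it must agree with the href.
    text_host = host_of(text if "://" in text else "http://" + text)
    if text_host and "." in text_host and not same_site(href_host, text_host):
        reasons.append(f"visible text names {text_host} but href points to {href_host}")
    return reasons


def scan_page(html, expected=EXPECTED_DOMAIN):
    """Parse a page and classify every link in it."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text, expected)) for href, text in parser.links]


# Constructed sample: one honest link, one IP-literal link, one look-alike subdomain.
SAMPLE_HTML = """
<p>Dear customer,</p>
<a href="https://www.examplebank.test/login">Sign in</a>
<a href="http://203.0.113.5/login">www.examplebank.test</a>
<a href="https://examplebank.test.attacker.example/login">https://examplebank.test/login</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_page(SAMPLE_HTML):
        print(href, "->", reasons or "ok")
```

The `same_site` check deliberately requires a dot boundary, so `examplebank.test.attacker.example` is not treated as part of `examplebank.test`. The check on the visible text only fires when that text itself looks like a domain or URL, which is exactly the case where a mismatch is deceptive.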

Attacks focusing on communication links

  1. Pharming: Compromising domain name servers (DNS) and altering DNS tables so that the user is connected to a site other than the bank's official web site. The user then performs all tasks on the fraudulent site and hands over all information, such as login details.
  2. Sniffing: This attack captures information such as the user name and password by intercepting the communication between the user's client and the bank's server.
  3. Active man-in-the-middle attacks: The attacker injects malformed packets into the user's traffic or generates additional traffic to the web site, such as transfer commands from one account to another.
  4. Session hijacking: Session hijacking is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of a magic cookie used to authenticate a user to a remote server. It is of particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can easily be stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.
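On the server side, the usual defences against the cookie theft described above are unguessable session identifiers, cookie attributes that keep the cookie off plain HTTP and out of reach of page scripts, rotation of the identifier at login (against session fixation), idle expiry, and revocation when the same cookie shows up from a different client. The session store below is an added example for this post, not the code of any bank or framework; the client addresses and User-Agent strings are constructed.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits of randomness from the OS CSPRNG


class SessionStore:
    """In-memory session store that issues unguessable IDs, rotates the ID on login,
    binds each session to the client's address and User-Agent, and expires idle
    sessions. A production system would keep the same logic in a shared store."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> {"user", "ip", "ua", "last_seen"}

    def create(self, user, client_ip, user_agent, now=None):
        now = now if now is not None else time.time()
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "ip": client_ip, "ua": user_agent, "last_seen": now}
        return sid

    def rotate(self, sid):
        """Replace the session ID after a successful login. The old ID, which may have
        been planted or observed before authentication, stops working immediately."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = sess
        return new_sid

    def validate(self, sid, client_ip, user_agent, now=None):
        """Return (user, status). Any mismatch revokes the session rather than
        merely rejecting the request, so a stolen cookie cannot be retried."""
        now = now if now is not None else time.time()
        sess = self._sessions.get(sid)
        if sess is None:
            return None, "unknown session"
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None, "expired"
        if sess["ip"] != client_ip or sess["ua"] != user_agent:
            # Same cookie presented from a different client: treat as hijack and revoke.
            del self._sessions[sid]
            return None, "client mismatch, session revoked"
        sess["last_seen"] = now
        return sess["user"], "ok"


def session_cookie_header(sid, max_age=900):
    """Set-Cookie value: Secure keeps it off plaintext HTTP, HttpOnly keeps it away
    from page scripts, SameSite=Strict stops cross-site requests from carrying it."""
    return f"sid={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    ua = "Mozilla/5.0 (constructed)"
    sid = store.rotate(store.create("alice", "198.51.100.7", ua, now=1000))
    print(session_cookie_header(sid))
    print(store.validate(sid, "198.51.100.7", ua, now=1010))   # ('alice', 'ok')
    print(store.validate(sid, "203.0.113.9", ua, now=1020))    # revoked: different client
```

Binding to the client IP address is a trade-off: it blocks cookie replay from another host but also logs out mobile users whose address changes mid-session, so many deployments bind only to the User-Agent and rely on short idle timeouts plus re-authentication for sensitive operations such as transfers.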

IBS attacks: These are offline attacks against the servers that host Internet banking applications

  1. Brute force attacks: Brute force attacks rely on distributed zombie personal computers hosting automated programs for username or password guessing.
  2. Bank security policy violation: Changing the bank's security policy, for example by weakening access control and logging mechanisms.
  3. Web site manipulation: Exploiting vulnerabilities of the bank's web server to alter its contents, such as the links to the login page, in order to redirect users to a fraudulent web site and capture their credentials.
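A brute force attack run from distributed zombie machines, as described in item 1, does not show up as many failures from one address; it shows up as many failures against one account from many addresses. The detector below, an added example for this post rather than code from any real banking system, counts failed logins per username in a sliding window and distinguishes the distributed pattern from the single-source one. The log format and every line in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe is hit from five addresses, msmith from one, alice fails twice
# far apart and logs in successfully in between.
SAMPLE_LOG = """\
2011-09-08T10:00:01Z auth FAIL user=jdoe ip=198.51.100.10
2011-09-08T10:00:09Z auth FAIL user=jdoe ip=198.51.100.11
2011-09-08T10:00:17Z auth FAIL user=jdoe ip=198.51.100.12
2011-09-08T10:00:25Z auth FAIL user=alice ip=192.0.2.44
2011-09-08T10:00:33Z auth FAIL user=jdoe ip=198.51.100.13
2011-09-08T10:00:41Z auth OK user=alice ip=192.0.2.44
2011-09-08T10:00:49Z auth FAIL user=jdoe ip=198.51.100.14
2011-09-08T10:01:00Z auth FAIL user=msmith ip=203.0.113.5
2011-09-08T10:01:05Z auth FAIL user=msmith ip=203.0.113.5
2011-09-08T10:01:10Z auth FAIL user=msmith ip=203.0.113.5
2011-09-08T10:01:15Z auth FAIL user=msmith ip=203.0.113.5
2011-09-08T10:01:20Z auth FAIL user=msmith ip=203.0.113.5
2011-09-08T10:20:00Z auth FAIL user=alice ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(lines):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["ip"])


def detect_bruteforce(lines, window=timedelta(minutes=5), max_failures=5, min_sources=3):
    """Alert once per user when failures within `window` reach `max_failures`.
    The alert is 'distributed' when at least `min_sources` distinct IPs contributed,
    otherwise 'single-source'."""
    failures = defaultdict(list)  # user -> [(timestamp, ip), ...] inside the window
    alerted = set()
    alerts = []
    for ts, result, user, ip in parse(lines):
        if result != "FAIL":
            continue
        bucket = failures[user]
        bucket.append((ts, ip))
        # Drop failures older than the window, measured from this event.
        failures[user] = bucket = [(t, i) for t, i in bucket if ts - t <= window]
        if len(bucket) >= max_failures and user not in alerted:
            sources = sorted({i for _, i in bucket})
            kind = "distributed" if len(sources) >= min_sources else "single-source"
            alerts.append({"user": user, "kind": kind, "failures": len(bucket),
                           "sources": sources, "at": ts})
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert["at"].isoformat(), alert["user"], alert["kind"], alert["sources"])
```

Counting per target account rather than per source address is what makes the distributed case visible at all. The response should be throttling or step-up authentication for that account rather than a hard lockout, since an attacker who can trigger lockouts at will can deny service to legitimate customers.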
