<<< Date Index >>>     <<< Thread Index >>>

RE: Defeating Citibank Virtual Keyboard protection using screenshot method



Hi Nick,

Excellent comments.

> -----Original Message-----
> From: Nick FitzGerald 
> Rogier Mulhuijzen wrote:
> 
> > I'm surprised that banks use such simple things as passwords. Banks here
> > in the Netherlands use things like one-time PINs, and challenge/response
> > stuff that uses your chipped bank card. Seems a little safer to me.
> 
> Banks use such simple things because they are cost effective, or
> rather, the cost of doing anything genuinely more effective is so
> prohibitive that they won't be doing it unless required by legislation
> or until the cost of the fraud due to not doing it significantly
> outweighs the cost of doing it properly (I give them about another
> 3-5 years on that criterion).

I agree, but not just because they will suddenly feel they should; they will
be forced by legislation (hopefully). The problem is, as you mention, that
banks look at their costs and then see what is best for them, but many are
simply not aware of all the security problems and their impact. So this
information is not included in the equation and their estimation is
incorrect. 

Also, securing the client and the channel up to the bank's perimeter still
has many drawbacks, as there are still several of points within the banks
where fraud can be commited.

> 
> Sure, they're a lot more expensive and a lot more "high-tech" but
> unless they are doing end-to-end client and server authentication and
> strong crypto _AND_ have their own input and output devices that cannot
> be interfaced from the host OS _AND_ are required for verifying
> (virtually) every step of every transaction (in other words -- if you
> have any of the real-world implementations of banking OTP cards used
> anywhere in the world, the answer is "no"), they are effectively no
> better than the Citi OSK's as they are trivially MiTM'ed via on-client
> malware.

This is true, and doing it right is even harder than what it seems.
Providing an independent hardware security module (i.e. with its own
input/output) for the client would be probably the easier part if we forget
about the cost. But at the other end, within the bank, there are usually
hundreds of applications that have different kinds of interfaces through
which transactions flow. Sometimes these applications and systems are
connected through things like file transfer protocols for batch processing
(let your imagination fly on the security of these systems, you will
probably be correct), where persitance of the client's verification for the
transaction is nearly impossible to maintain.

The right thing to do from an information security point of view is to
maintain audit trails, confidentiality (encrypted content) and athorization
trails for each transaction, at each step, from the client's end of the
channel up to the last server and application (where the transaction is
commited). That would practically require banks to rebuild their systems
from scratch, which wouldn't be a bad idea, but I don't see that coming in
my lifetime.

> 
> Your smug belief in the superior security of your OTP card-based system
> is just as misplaced as that of anyone foolish enough to believe that
> Citi really ratcheted up the bar with its OSK.

The technology is superior, the implementation is flawed. We see this
happening all the time in information security. If you have a smart card
reader with independent pin pad you can further improve the security by
signing and encrypting your transactions on-card (with preinstalled keys in
the card by the bank), thwarting any computer based MITM attack becase
everyithing in between (including the client's computer) acts just as
transport (DoS is still an option though). OSK will stand where it is; it
can hardly be improved if at all.

But you are right, card systems are as useless as the OSK as they have been
implemented right now.

> 
> Now, imagine you have the choice of being a shareholder in your Dutch
> bank or Citi and on every other measure these banks rate the same --
> Citi is a better deal as it uses less expensive tech to implement the
> same level of flawed "security" so should produce a better RoI...
> 
> Now do you see why banks use such simple things as OSK's and your OTP
> card?

Some banks who are now realizing the impact of electronic fraud are
desperate to transfer the responsibility to their clients (as far as law
permits). And I think shareholder's are more interested in that right now
than in the technical solutions or placebos for security that they might
implement.

There have been some discussions on the negative impact on the bank's image
that this might cause, but it might still happen. First, it could happen
that so many banks at some point adopt this strategy, that you won't have
anywhere to run. Second, even if people go back to supposedly traditional
banking, electronic fraud is here to stay. The only thing traditional about
traditional banking is the physical presence of human beings; everything
else has been highly automated (even good old checks are verified
automatically through their magnetic band these days). So, instead of
loosing your bank account details to a trojan in your computer someone might
copy your credit card details with a tampered ATM, or simply get your ID
stolen when you identify yourself to a dishonest bank employee. After all,
when you are moving a relatively big amount of money, carrying cash is not
an option anymore, you will have to use a check at least (e.g. for buying a
new, expensive car).

In the end, people will realize that running away from e-banking is probably
not a safer option after all. This is why my hope lies in legislation (if
done right of course). It is the only thing that can force financial
institutions to adopt better security, so that at least when your bank tells
you that you are responsible for your access credentials to your e-banking
account, at least you know (or hope) that someone with knowledge put several
controls in place that make fraud by other entities (including dishonest
bank employees) a less likely option.

Finally, there are also several institutions that say: "I'll put less
security, and when someone steals you I'll pay back". My opinion is that
this solution won't be very popular in the future if fraud keeps growing at
the same rate of the past 3 years. For instance, if someone else steals your
money or your identity and does something nasty with it, so that you end up
giving explanations to the police, paying back might not be enough for your
inconveniences.

Cheers,

Omar Herrera