
Posts tagged ‘security’

21
Jan

Biggest phishing attack reaches Swedish bank

One of the biggest banks in Sweden, Nordea, has recently become the victim of a large-scale phishing attack. The attackers managed to get around $1M USD, and this has been labeled as the biggest internet based bank heist to this date.

So, why was Nordea targeted? Could it perhaps be because of their one-time-pad numbers, which only Nordea uses? They work by having the bank send you a sheet full of numbers, and each time you log into the bank, you scratch off a new one-time number to enter – much like a lottery ticket.

Other banks in Sweden use hardware tokens such as the ActivIdentity, which has a keypad and a PIN and works by letting the bank send you a challenge. You first unlock the hardware token by entering your PIN, then enter the challenge numbers. The response is sent back to the bank, and you are given access if it is correct.

The problem with using the “lottery tickets” for authentication is that they are not session based. A user could potentially enter a number of these one-time numbers on a phishing website, and the attackers can then use them without having to answer any challenge from the server.

I am not saying that solutions such as ActivCard are perfect protection against identity theft, just that they are more secure than simply using one-time passwords.

The phishing attack was executed using a trojan horse on the victims’ computers. The main problem here is not only that Nordea uses these scratch cards in the first place, but also that it does not authenticate the transaction once the user has logged in and wants to perform it. Products such as ActivIdentity make it possible to authenticate the transaction itself, and not just the login sequence.

Another Swedish bank does exactly this. You log in with your Swedish social security number equivalent and enter the response to the challenge presented by the server. You then go about your business in the bank, and when it is time to execute a transaction, you see the pending transactions together with a new challenge. You must respond to that challenge using the ActivIdentity, thus authenticating the transaction itself.

Users might of course still become victims of these kinds of attacks if they are not trained properly. An online man-in-the-middle attack is quite possible to execute, even with security measures such as hardware tokens, but it requires the user to proceed even when the web browser presents a warning about a false certificate. The possibility also exists that a user has clicked on a link to a fraudulent website mimicking the original.

This is why education is the most important thing to have when designing a secure system. Users need to know that they should not click on links on various websites or emails, but instead just type the address themselves. They should also never trust any kind of communication which seems to originate from the bank. All notices should instead be readable from within the banking application after logging in. There could of course be a notice sent out by the bank, telling the customer that a message is waiting.

Should mandatory education perhaps be a necessary part of the enrollment for online banking?
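To make the difference between the two schemes concrete, here is an added Python model (not Nordea’s or ActivIdentity’s actual implementation) of a scratch card versus a challenge-response token whose response covers the transaction details. The token key, the HMAC construction and the sample transactions are constructed for the example.

```python
import hmac, hashlib, secrets

TOKEN_KEY = b"constructed-token-secret"  # stands in for the token's provisioned key

class ScratchCard:
    """Static one-time codes ('lottery ticket'): valid for any action, any session."""
    def __init__(self, codes):
        self.unused = set(codes)
    def verify(self, code):
        # Nothing ties the code to a session or a transaction, so a phished
        # code serves the attacker exactly as well as the real customer.
        if code in self.unused:
            self.unused.remove(code)
            return True
        return False

def token_response(key, challenge, transaction):
    """Token side: a short code over the bank's challenge AND the transaction."""
    msg = challenge + b"|" + transaction.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class ChallengeResponseBank:
    """Bank side: random, single-use challenges bound to one pending transaction."""
    def __init__(self, key):
        self.key, self.pending = key, {}
    def new_challenge(self, transaction):
        challenge = secrets.token_bytes(8)
        self.pending[challenge] = transaction
        return challenge
    def verify(self, challenge, response):
        transaction = self.pending.pop(challenge, None)  # consumed: no replay
        if transaction is None:
            return False
        expected = token_response(self.key, challenge, transaction)
        return hmac.compare_digest(expected, response)

def demo():
    card = ScratchCard(["1234", "5678"])
    phished_code_accepted = card.verify("1234")   # attacker reuses a phished code
    bank = ChallengeResponseBank(TOKEN_KEY)
    shown = "pay 100 to electricity company"      # what the user sees and approves
    swapped = "pay 10000 to attacker account"     # what a trojan submits instead
    chal = bank.new_challenge(swapped)
    resp = token_response(TOKEN_KEY, chal, shown) # user's token signs what was shown
    swapped_accepted = bank.verify(chal, resp)
    chal = bank.new_challenge(shown)
    resp = token_response(TOKEN_KEY, chal, shown)
    honest_accepted = bank.verify(chal, resp)
    replay_accepted = bank.verify(chal, resp)     # same challenge a second time
    return phished_code_accepted, swapped_accepted, honest_accepted, replay_accepted
```

`demo()` returns `(True, False, True, False)`: the phished scratch code is accepted, the response for a swapped transaction is rejected, the honest transaction passes, and replaying its response fails.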

Would you like to know more?

28
Jun

Formal verification of security protocols using OFMC

In recent years, formal verification of the security properties of protocols has received considerable attention, and tools are being developed for it. There are of course different methods to analyze the security of a protocol, but OFMC (the On-the-Fly Model Checker) is the fastest and one of the best known.

You begin by designing the protocol in a special language which is based on temporal logic. The AVISPA project, which supports various backends such as OFMC and SATMC, uses HLPSL (High Level Protocol Specification Language). It uses the Dolev-Yao intruder model, meaning that all messages sent through a channel may be eavesdropped, replayed, changed, or injected by the intruder. It also assumes perfect cryptography, meaning that all encryption and hashing algorithms are flawless.

The specification language itself is fairly simple, and is based on game-play. You specify a basic role for each of the involved nodes, as well as a session role and an environment role. All basic roles have state transitions, in which the roles exchange information through various channels. For more information, have a look at the AVISPA tutorial and user manual.

The success of these kinds of model checkers is significant, and they have found weaknesses previously unknown to the cryptographic community.

If you want to try this tool yourself without actually installing anything, just head over to the AVISPA Web Interface and have a look at the various protocols listed.
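The Dolev-Yao and perfect-cryptography assumptions described above can be made concrete with a small symbolic deduction engine. This is an added Python example, not part of AVISPA or OFMC; it models only eavesdropping and the intruder’s analysis of what it has seen (not injection or replay), and the two protocol runs and the intruder’s initial knowledge are constructed for the illustration.

```python
# Terms are atoms (str) or tuples: ("enc", m, k) is m encrypted under the
# symmetric key k; ("pair", a, b) is the concatenation a.b.

def analyse(knowledge):
    """Close a set of terms under the Dolev-Yao analysis rules: split pairs and
    decrypt only when the key is already known (perfect cryptography)."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            kind, inner, second = term
            if kind == "pair":
                derived = {inner, second}
            elif kind == "enc" and second in known:
                derived = {inner}
            else:
                continue
            if not derived <= known:
                known |= derived
                changed = True
    return known

def intruder_learns(transcript, intruder_initial):
    """A dy channel lets the intruder eavesdrop every message, so its knowledge
    is its initial knowledge plus the whole transcript, closed under analyse."""
    return analyse(set(intruder_initial) | set(transcript))

def secret_kept(transcript, intruder_initial, secret):
    return secret not in intruder_learns(transcript, intruder_initial)

# Constructed runs. The intruder i knows the agent names and its own key Kai.
INTRUDER_INIT = {"a", "b", "i", "Kai"}
# Flawed design: session key Kab sent under a fresh nonce Na, then Na in clear.
FLAWED_RUN = [("enc", "Kab", "Na"), "Na"]
# Sound design: Kab sent under the long-term key Kas, which the intruder lacks.
SOUND_RUN = [("enc", "Kab", "Kas")]

if __name__ == "__main__":
    print("flawed run keeps Kab secret:", secret_kept(FLAWED_RUN, INTRUDER_INIT, "Kab"))
    print("sound run keeps Kab secret:", secret_kept(SOUND_RUN, INTRUDER_INIT, "Kab"))
```

The flawed run leaks Kab even though the encryption is assumed unbreakable, which is exactly the kind of design error, rather than cryptographic weakness, that these model checkers find.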

17
Oct

Social engineering attacks

Even if you spend millions on modern security technology and services, your network and systems may still be vulnerable to mind games. This type of attack is called “social engineering”, and I will describe what it is and how we can protect ourselves from it.

Mankind has throughout history used manipulation or deception in order to get information from others. Today, this information consists of data from Information Systems. The basic idea of social engineering is to persuade users into revealing information to the attacker, which can be used in a variety of ways.

Dumpster diving

Dumpster diving is an extremely popular method of social engineering. There is a wealth of information in trashed phone books, company policies and printouts of classified data. There are of course lots of other things to be found, but these are the most common targets.

From, for example, a printout of log-in credentials, an attacker can learn user names and the naming convention used within the corporation. If passwords are printed out and found by an attacker — game over.

Shoulder surfing

An attacker may sit behind you while you work on your laptop, at cyber cafés, on airplanes and in other public places, and record everything that you type, including passwords. What this can lead to is quite obvious.

By phone

If executed right, a regular call may be an extremely easy way into a company. The attacker must of course have some inside knowledge on who to call and how to speak the “lingo” in that particular environment, but that is quite easy to master.

A very common way is to fool the victim into believing that the attacker is calling from the help desk and needs the user’s log-in credentials for a made-up reason.

How do we protect ourselves?

Be very careful about what you throw in your trashcan. All confidential information should be destroyed in a secure way, for example using a paper shredder. To protect against shoulder surfing, be very aware of who is watching you, and do not leave confidential documents out for everyone to see.

To be able to protect against attackers using the phone to do social engineering, education and awareness should be mandatory for all personnel involved in answering phones.

Conclusion

All the company’s assets are managed by common people. Often, people are easier to attack than machines due to the sophisticated firewalls and intrusion detection systems available today. By using good judgement and common sense together with education and awareness, most of these attacks may be mitigated.

Further reading

If you are interested in further studies of this subject, have a look at the famous book The Art of Deception by Kevin Mitnick. He discusses social engineering in a very interesting way, and the book is well worth reading.

29
Sep

Web based authentication using PGP

Instead of remembering an endless number of passwords, the following paper describes a method of using PGP as a form of authentication that verifies both the client and the server.

A reference implementation will be published once done. If anyone has tried this, please let me know of your results.

Download PDF

19
Sep

Authentication vs authorization

What happens behind the scenes when you log on? By providing your username and password you prove who you are, which is called authentication. The system then allows you to do certain things within the environment, which is called authorization.

Authentication: Who are you?

Authentication is a way of determining whether someone is who he claims to be. In private and public networks (like the Internet), authentication is usually done using login passwords. Knowing the password is assumed to guarantee that the user is who he claims to be. The username/password technique is usually called basic authentication.

Strong authentication, on the other hand, usually relies on two separate items: for example a password and a hardware device of some sort that gives out numbers in a time-based sequence (a hard token). As this relies on two factors (something you know and something you have), it is usually very secure if implemented correctly.

Authorization: What are you allowed to do?

Authorization is the process of giving someone permission to do or have something. In a multi-user corporate environment an administrator defines what the users are allowed to access. This can even include when they may access it, how much storage space is available to the user, and so on.

29
Jul

Make regular backups

Always make regular backups of important data. Always try to keep a copy of your data on the company server or on another computer to minimize the risk of losing it.

The reason for the above statement is quite obvious. File servers are backed up regularly and often run on fault-tolerant hardware such as RAID, which reduces the risk of data loss due to hardware failure. Your PC or laptop, on the other hand, does not have these features.

If you are saving your data solely on your PC, your information is exposed to a great deal of risk. If the PC is stolen or if it crashes, you might lose all your valuable data. Just imagine the time needed to recreate all the documents located on your computer.

Laptops in particular, should use the “Offline folders” feature available in Windows 2000 and newer, to automatically synchronize data between the server and local computer.

Where file servers are not available, such as in a home or small office environment, you could also use other media to back up your data. CD-ROMs, DVDs or ZIP drives are manageable backup media. Remember though, these types of removable media are error prone, so update the backups often.

22
Jul

How many of you are there?

Have you heard about identity theft? Every day someone’s identity gets stolen, their credit ruined and bank accounts drained, but is there a way to stop it?

“Every 79 seconds, a thief steals someone’s identity, opens accounts in the victim’s name and goes on a buying spree.”
– CBSnews.com, 2001-01-25

“A recent report on identity theft warned that there is likely to be “mass victimization” of consumers within the next two years. The report said consumers should be extra careful to monitor all their financial transactions for unexplained account activity, withdrawals, or fund transfers.”
– The Gartner Group, a technology research group

There is an alarming criminal trend on the rise — identity theft. The two quotes above are echoed almost every day and yet this crime still takes place. What is identity theft and how can you protect yourself from becoming a victim? In this tip I will briefly cover this topic and attempt to provide you with some advice that could help you avoid the damages associated with having your identity stolen.

Identity theft is not a new criminal strategy. It has been around for thousands of years. Before wide-spread usage of the Internet and computers, crooks would use birth certificates of people recently deceased to steal their identity.

Now that we are a “world online”, we transmit sensitive information over the Internet. Though the actual transmission is in most cases secured by encryption, it might be stored on systems that are not up to date with regards to Information Security and might not offer enough protection against an attack. Also, with the increasing number of phone-sales calls (or telemarketing), we are constantly overwhelmed with questionnaires, surveys, offers “too good to pass up” … the list goes on and on.

Identity theft is damaging because the criminal is somehow able to get personal information about you, such as credit card or bank account numbers, social security numbers, etc., and essentially become you, allowing them to open up accounts in your name and make purchases using your credit. This is a serious issue, because even if it can be proven that your identity was stolen, it can take years to repair the damage to your credit rating and reputation.

Thankfully there are some things you can do to help protect yourself against this crime:

  • Never give out personal information over the phone unless you absolutely know who you are dealing with. It’s always better to take care of that kind of business in person if possible.
  • Don’t store sensitive information such as social security or credit card numbers on your computer. It is possible that a virus or trojan program could read this information and send it to criminals.
  • If you receive an offer that sounds too good to be true or if telemarketers call and tell you that they need your social security or credit card number for some reason — run!
  • Do not give in, no matter what kind of deal they are selling.

15
Jul

Bank account emptied using social engineering

Earlier today I read about an older woman who had left her purse visible from an open window in her home. A burglar had gone in through the window, and stolen the purse containing cash and cards including the ATM card.

The thing that makes this story interesting is that later on the burglar called the old lady, posing as an employee from her bank. He said that they had recovered the card and that he needed her PIN to verify it. Not knowing better, the old lady gave him the code, resulting in an empty bank account.

This little incident shows the true importance of the advice in Protect your passwords, so give it an extra thought before you let someone empty your bank account.

15
Jul

Protect your passwords

Never reveal your passwords to anyone, ever.

Your username and password are personal information, and in a corporate environment you are personally accountable for the account. If someone gets hold of your password and uses your account for malicious activities, you are held responsible!

There is a common cracker technique called “social engineering” that can be applied to try to trick you into revealing your password. It could be a person calling you, posing as a help desk employee and stating that he wants to install some software or fix a non-existent problem on your computer.

Social engineering also often includes mail or advertised programs that request that you enter your username and password.

8
Jul

Lock your unattended PC!

You should protect your account from unauthorized use by locking your PC while you are away from it.

Security incidents are usually associated with crackers attempting to gain access to a corporate network from the outside.

Recent studies, however, clearly show that most incidents are caused by insiders, meaning full- or part-time employees or consultants. The severity is often much higher than that of external attacks.

To protect your computer from unauthorized use, set a password on a screen saver or manually lock your Windows PC by pressing Ctrl+Alt+Del and then Enter. Make a habit of locking your computer whenever you leave it and cannot see it with your own eyes.