Editors Note: Protecting our computers and information from attack is becoming an increasingly dangerous and dodgy game in the Internet age. This article is the beginning of a series that will explore the issues surrounding fraud, identity management and computer security. I hope that you will find it informative and entertaining, and that it will help set the tone for more security-related articles and reviews.
The cost to business of online fraud is over $50 billion a year in the US alone. Fraud directly aimed at the online consumer is averaging about $5 billion a year.
Think about that. We attend the cinema and are treated to an advisory before the show about video and music piracy potentially benefiting terrorism, and the specter of the 9/11 attacks is never far from our minds. So where are those online fraud billions going? And what are we doing to stop them from funding criminals and terrorists?
The truth is that for a decade or more, the online financial industry, banks, credit card companies, payment gateways, merchants, wealth management agents and so on, have all had it within their power to eradicate the majority of online fraud. Online banking and card payment consumers are being attacked primarily through techniques called phishing, pharming, trojans and spyware, man in the middle (MITM) attacks, and social engineering. We will examine the specifics of many of these techniques throughout the series. What is most worrying is the progression and sophistication of the attack methods, the widening of the scope of these attacks to include targets other than large financial institutions, and the difficulty in apprehending the perpetrators.
In this series, we will explore many types of threats, and attempt to simplify the detail so that readers from all backgrounds can better understand what all the fuss is actually about. We aim to look beyond the headlines, which spout the usual advice about having multiple "strong" passwords and watching out for trojans and other malicious software. We will see how hackers ply their trade, and from there teach you how to protect yourself.
In this world, as with most others, knowledge is power.
A Wealth Of Data For The Taking
People surfing the net leave an incredible amount of personal information and profiling data around. This includes information about pages that they read, parameters they use to search, what they buy and download, places they visit, emails they receive and send, and people they chat with. The management and employees of an Internet Service Provider (ISP) have the potential to reap a huge amount of personal data if they were to violate their users' privacy.
Shopping online? The merchant site has the user's name and address details, and (usually) other marketing data from small questionnaires that are innocuously answered. That also includes all sites that are part of the online shop and delivery service.
And then there is the matter of the employees in the payment gateways, who verify credit card details. Another issue is the employees of the bank, who handle connection details, the administrators and staff that manage the bank's databases, and handle customer queries on accounts.
Combine so much data with personal identity management details, and it is actually possible to comprehensively steal the identity of an active online user. Considering the number of people who potentially have access to sensitive information, and you can see that this is a truly daunting challenge.
Identity fraud is a term that encompasses a wide variety of crimes perpetrated against the person. At first we will focus on the theft of personal data and subsequent financial loss, since these are the primary concerns for the ordinary online user. Later, we will look at strategies and computer software/hardware that is available to provide layers of defense that may protect us from certain types of attack.
Most banks with an online facility use a fully or partially transmitted PIN or password. This is your basic ordinary level security that has been the backbone of Internet security since its creation. That means that the user is requested to input either a full PIN, or individual digits from it; for example, you might be asked to enter the first, third and fifth digits from your six digit PIN.
Some banks are now engaging methods that create one time passwords (or PINs), and there is an increasing trend towards adoption of such techniques. That's particularly the case since the US Federal Financial Institutions Examination Council (FFIEC) set down 'guidelines' to financial institutions regarding minimum standards of security.
There are a couple of hacker terms that you should know: "owning the desktop" and "root". These refer to the ability of a hacker to 'listen' to activity on another user's desktop PC. This is achieved by placing programs on your PC that can intercept data as you browse, or information that you type in. With this capability, the hacker can break your login details within two or three successful login attempts.
Using this information, a hacker targeting you then can call you pretending to be a representative of your bank. Having 'listened' and determined your login, and seen screenshots of your private account pages, he can discuss and 'confirm' information required for telephone banking.
The hacker can now act against your accounts by calling the bank and setting up transfers in your name. At this point they have combined the desktop attack with what is called "social engineering" (the direct phone call to you) to great effect. Our hacker now has a strategic hold on your bank account data and hasn't even broken a sweat.
But it's not just banks that are at risk. Think of those prominent sites that allow you to store your credit card details for convenience. If you use these and log in through a conventional login page, as above, the capture of those details will lead a hacker to your credit card, and allow unauthorized purchases to be made on your account.
This leads us nicely to another type of social engineering that has held media attention for some time: phishing. This term refers to hackers who send out waves of emails to thousands of online users purporting to be from banks, eBay, PayPal and other finance-related sites. Victims are redirected to very genuine looking but fake sites, and too many unsuspecting souls actually log in, disclosing their usernames, PINs and passwords to unsavory characters.
To get a handle on the full extent of phishing, look at this page from Fraud Watch. Keep in mind that each instance listed potentially represents a wave of many thousands of emails.
From Phishing To Pharming
The phishing epidemic is increasingly moving towards pharming, a superior hacking technique that requires technical expertise.
Pharmers redirect users from legitimate commercial websites to malicious ones. These bogus sites have the same look and feel as the sites they impersonate, but when users enter their login names and passwords, the information is captured by hackers.
There are several methods associated with pharming, but hackers commonly use trojans: stealthy programs that are created to perform illicit tasks on your computer. The following is a typical example of the procedure.
Hackers email viruses, such as the Banker Trojan, which rewrites the PC's local host file. This is a file that records and matches the common names (URLs) of Internet sites such as Google.com, with their associated numerical Internet addresses (like 18.104.22.168). By altering the Internet address linked to a bank website, the unsuspecting user is routed away from the proper site that they wish to visit, in favor of an illicit site that appears identical to the one intended. When you click on your browser favorites link to get to your bank's Internet login page you are actually rerouted to the hacker site without knowing it.
Domain Name Server (DNS) poisoning can cause a large group of users to be herded to bogus sites. DNS is similar to an Internet phone directory and is responsible for routing URLs (remember those common Internet site names like Google.com) to their destinations. When you disrupt DNS, you get Internet chaos; it is the equivalent of changing all the road signs to lead travelers in the wrong direction. As long as the journey still feels right, and the destination looks the same, the user has little suspicion that anything is wrong. After all, they clicked on their banking sites just yesterday and they were fine...
The Man In The Middle
Another problem is the man in the middle (MITM) attack, which is absolutely insidious - and incredibly effective. The attack occurs when an attacker places himself on the network by means of a physical device, or engages in a technique known as ARP Spoofing. We'll discuss this term in more detail in the next article, but by way of summary, ARP is used by computers to identify each other. ARP spoofing allows one computer to pretend to be another; the hacker identifies the two points on the network that are being targeted, usually individual computers. Freely downloadable programs are then used to reroute traffic to and from the target PCs, through the hackers PC.
The danger here is obvious - the hacker is sitting in the middle between the PCs and so can eavesdrop on all the traffic. As an example of how serious this threat is, imagine that you attempt to logout from the bank website. The MITM can provide a seemingly valid logout confirmation page to you, while actually suppressing your logout command and holding the connection to the bank open.
Credit Card Fraud
Okay, let's lay off the banks for a moment and consider the common, garden variety credit card:
- Each credit card has a 13 to 16 digit number that is constructed in a particular manner governed by a mathematical algorithm called a Luhn Formula. This is designed to ensure that only certain numbers are usable; you can't just make up any old number and have it be considered valid.
- A freely downloadable program can be obtained that will prompt for a real card number as a base, and then generate a bunch of similar Luhn-validated numbers as directed. If the range specified is 500, the program generates 500 credit card numbers from the base entered.
- It is reasonable to assume that such a short range of numbers will have a similar expiry date to that of the base card.
- The hacker visits a merchant and purchases an item for download.
- The hacker enters a fake name and address, a fake security number (from the rear of the card), and a card number from the range delivered, along with the expiry date of the base card.
- If the bank has actually issued the card number to a customer, then depending on the level of diligence of the payments gateway, the payment might go through. How can this be? Simple, because many payment gateways receive security numbers, names and addresses, and store that data upon receipt, but never actually check it for validity. So if the card has been issued, and the card structure and expiry date are fine, then the payment is passed and the download proceeds.
- If the actual card holder doesn't spot the hack, then it will never be detected.
A procedure named 3D Secure is now being instituted by Master Card and VISA. In its current form, it employs usernames, passwords and PINs as described earlier, so it will be subject to all of the attacks outlined above. Interestingly, it shifts the burden of responsibility onto the card holder and his/her issuing bank. So now, if you get defrauded through online credit card theft, you're going to get stuck with the bill as well! We will take an in-depth look at this later in the series.
To the systems administrator and security systems architects, the Internet is a battlefield. You are always hoping that you will not get hit, and must quickly move into damage control mode if you are. The secret here is to actually realize that you have been hit, detect the intrusion, and close off the breach before word gets out. Once the hacker jungle drums go off, a perpetual swarm of NMAPpers and other trouble arrives on the scene. (NMAP is a very famous 'security' scanner program that allows a hacker to engage a number of very clever techniques to probe a system with a minimum of disturbance.)
To the hacker, the Internet is a chess board. The structure of the game is defined by systems and hardware designers, and the movement of pieces is defined by systematic probing and well-defined attack strategies.
PINs And Passwords - For The Ten Millionth Time, They're One Of The Biggest Holes
Consumer habits are another hacker's playground. Where people have a choice, they reuse PINs and passwords for multiple applications. For instance, a PIN for a credit card is often also the PIN for an ATM, the online bank, and potentially even the owners home alarm system! This means that a PIN or password broken in one site may grant access to many sites and utilities.
There are several important questions to ask here. Into how many sites do users enter password and PIN details? Do users keep separate passwords and PINs for each site? If users do keep separate identity management information for each site, where do they record their connection details?
Administrators and ordinary workers in many sites will have access to connecting users PINs and passwords that are retained in databases at those sites. Banks, gateways and vendors who hold credit cards on-site, or who give access to user financial accounts, must realize that protecting access to their site may not be enough if the user's ID is stolen somewhere else.
Login Pages - The Flaw In Challenge/Response
Virtually all username and password vulnerability is predicated on the fact that the vast majority of user-to-site communication follows a distinct pattern:
- Upon requesting entry to a site, a user is challenged for a username and password.
- After verifying a user, the site and user engage in a sequence of navigation and transaction management.
Most online financial institutions use a combination of username, password, and a partially transmitted PIN in a standard HTML (type) page. This is a very simple solution that is central to the success of online thieves, because it offers no practical resistance to phishing or spyware/trojans.
Once the user has succeeded in logging in, it is assumed that the user is who they say they are for the duration of the session. This is where the man in the middle attack gains an advantage. There is no need for the MITM to read or break the username and password; the user is allowed to successfully login and the session is piggybacked and/or hijacked.
SSL: Utterly Useless
"But SSL will save us, every place I use to purchase stuff says that I'm using 128-bit encrypted SSL, and that I'm completely safe."
SSL is an acronym for Secure Sockets Layer, a technology created to encrypt data traveling between two points on a network, such as two computers on the Internet. You can see SSL at work when you connect to your bank; a small padlock symbol typically appears in the bottom status line of your browser to show that SSL is in use. You may also see "https:" at the start of the Web address instead of the usual "http:".
SSL does improve security between two network points, but here is the catch; one of those points could be a computer controlled by a MITM. Another vulnerability with SSL is pharming, which redirects you somewhere that you don't expect. So you could connect to the false site and get their SSL icon in your browser; you feel protected, but are still at risk.
Desktop attacks occur on the user's own computer, where SSL has no actual practical application. This is because SSL works between your browser and the Internet site to which you are connected. If a trojan or spyware is working on the desktop, the data will be captured as it is entered into the computer, before it is encrypted.
And as if this weren't bad enough, all the SSL in the world isn't going to defend against rogue employees who have access to personal and sensitive data. It will protect against phishing if the user knows what to do when presented with an unauthorized certificate notification. How many ordinary users do, however?
So If We Understand The Problem, Why Can't It Be Fixed?
The problem is real, and fairly well understood, but not simply solved. The current situation is tolerated because of two important reasons. First, the costs are insured, and the threat spread across such a wide spectrum of institutions that it is not entirely prohibitive to 'allow' it to occur. Second, consumers are generally apathetic and ambivalent if they have not been personally affected by online fraud, and are therefore less inclined to deal with the learning curve necessary to resolve the issue.
In a nutshell, the cost and difficulty of marketing, selecting and implementing a solution has been greater than the extent of the problem. At least, until now!
The US FFIEC has produced guidelines for a minimum standard of security called 2 Factor Authentication.
In the subsequent articles in this series we will continue to look at online fraud and means to defend against it. As we proceed, the focus will be on security hardware and strategies, and at that point the content will get more technical. However, the articles will continue to use plain language, for the benefit of an audience that is not conversant with hacking.
Pat McKenna is a Security Consultant and CTO with 2SA Plus, a company specializing in 2 Factor Authentication and matters of identity management. He is 45 and has been in the IT business for 15 years, during which he has held many positions including company director. Prior to a career in IT, he worked in the security and intelligence field. He is proficient with many computer languages, old and new, and has trained hundreds of programmers.
His hobbies are chess and penetration testing (aka ethical hacking).
You can contact him at email@example.com (web:http://www.2saplus.com)