Research

Application security testing, analysis, and metrics

From the 10 Years Ago Today Department

Posted by Chris Wysopal in RESEARCH, October 2, 2009 | Comments (2)

From the L0pht Archives:

Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC

9.30.1999
The lack of client side security for internet transactions poses a huge
security risk that online banks and others just seem to ignore. Tools such
as BO2K and even simpler keystroke loggers can cut through the
authentication used for “secure” web transactions to allow an attacker to
authenticate as the hapless consumer.

Dateline explores this problem on Sunday October 3rd at 7pm EST. Watch
Cult of the Dead Cow demonstrate the attack and Weld Pond from the
L0pht talk about whatis really going on.

It is shocking how little has fundementally changed in the way consumers perform high value banking transactions over the web. Looking back with 10 years hindsight I have a slightly different way of describing the situation. Banks assume the network is compromised so they use end to end encryption. Banks don’t assume the endpoint is compromised so there is no security protection. In 2009 what is more likely, that your upstream is compromised or the endpoint is compromised? I would say for the average internet user the endpoint is more likely to be compromised.

Has the endpoint water slowly come to a boil and we are happy frogs slowly getting cooked?

Veracode Security Solutions

Vulnerability Assessment
Website Security
Application Analysis
Dynamic Analysis
Internet Security
Malicious Code

Security Alternatives

HP Fortify
Whitehat Security
IBM Rational AppScan

Security Threat Guides

CSRF
LDAP Security
Mobile Security
SQL Injection
What is Cross Site Scripting?

Written by: Chris Wysopal

2 Comments »

What I think is even more amazing is that the attack performed in that video is STILL how compromise happens to this day, a simple email. It’s just moved from attachments to links.

Comment by Rob Fuller (mubix) — October 2, 2009 @ 12:44 pm

Hi,

I’d politely disagree, things have progressed in the world of internet banking security in ten years.

I believe some european banks issue OTPs for performing transactions http://en.wikipedia.org/wiki/Transaction_authentication_number which is quite secure but does not provide protection against simple phishing attacks, which would ask the user for their username, password and next TAN.

A few of my customers here in Australia are using two factor authentication with hard tokens to authenticate to internet banking or authenticate the transfer of funds to 3rd parties for consumer internet banking. Swiss banks have been using two factor for many many years. Two factor authentication is even required by government in Singapore I believe.

Some are even using SMS to a mobile phone as out of channel confirmation of a 3rd party transfer. Other institutions globally are even starting to check the security of the endpoint and determine what transactions can be processed on that endpoint from that check.

The even smarter ones delay 3rd party transactions and have sophisticated monitoring in place to identify suspicious transactions, resulting in no increased complexity for the customer, yet managing their losses (as banks have to wear the losses and reimburse customers for fraud)

Have you seen solutions similar to http://www.emue.com that are starting to enable signing of transactions from a two factor device? Rather than authenticating access to the banking website, or authenticating executing the 3rd party transfer transaction, they are authenticating the content of the transaction.

By signing the transaction from a secure offline device (i.e. providing a hash of source account reference destination account number and value to funds to transfer to with the seed in the token) if there is a phishing attack, man in the middle, credentials compromised etc. you will have a very strong security control.

This may even provide enough security for you to use an insecure communications channel to perform a banking transaction (e.g. twitter).

The challenge is making a device and transaction signing method that is easy to use by the consumer that is cost effective.

Comment by Matthew Hackling — October 2, 2009 @ 5:58 pm

RSS feed for comments on this post. TrackBack URI

Leave a comment

Follow @veracode

Subscribe by RSS

Schedule Demo Veracode Trial

Mobile Security

Categories

Archive

Powered by WordPress