
Malware Threats


Malware includes: viruses, spyware, adware, hacking software.

But for this case study, we're concerned with phishing and Man-in-the-Browser Trojans.

Phishing -

Definition: the activity of defrauding an online account holder of financial information by posing as a legitimate company.

So the idea is that someone tries to make a (mainly banking) website look exactly like the real one in order to capture the user names and passwords of users. They then use those user names and passwords to steal money.

To do the basics, it's not that hard, since the "phishers" can just copy and paste the source code into a web design application like Dreamweaver and go from there. And in terms of the URL, they will try to register one which is close in name to the original, such as bankoamerica.com instead of bankoFamerica.com. The next step is often to send out spam e-mail with a link and a request to sign in to the fictitious site, after which, Bingo, they have the user's name and password.

Browsers will alert the user to such attempts when the site lacks a proper SSL certificate, as seen in the above example.
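One defensive check that follows directly from the bankoamerica.com / bankofamerica.com point above is lookalike-domain detection, as a mail filter or brand-protection monitor would do it. The code below is an added example, not from this page or any bank; the protected-domain list, the sample e-mail and the edit-distance threshold of 2 are constructed assumptions, and the host handling is deliberately simplistic (no public-suffix list).

```python
# Added example: flag lookalike ("typosquatted") domains in links.
# Protected list, sample mail and threshold are constructed for illustration.
from __future__ import annotations
import re
from urllib.parse import urlparse

# Domains this filter protects (constructed list)
PROTECTED = ["bankofamerica.com", "example-bank.com"]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest insert/delete/substitute edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (0 cost if equal)
        prev = cur
    return prev[-1]


def registered_domain(url: str) -> str:
    """Lower-cased host of a URL with a leading 'www.' dropped.
    Simplistic stand-in for proper public-suffix handling."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the link's host."""
    host = registered_domain(url)
    if host in PROTECTED:
        return "legitimate"
    for good in PROTECTED:
        # A real subdomain, e.g. login.bankofamerica.com, is legitimate.
        if host.endswith("." + good):
            return "legitimate"
        # One or two characters away from the real name: candidate typosquat.
        if edit_distance(host, good) <= max_distance:
            return "lookalike"
        # Brand label embedded in some other registrable domain,
        # e.g. bankofamerica.com.example.net or evil-bankofamerica.com.
        if good.split(".")[0] in host:
            return "lookalike"
    return "unrelated"


def suspicious_links(message: str) -> list[str]:
    """Every URL in a message body whose host looks like a protected brand but is not it."""
    return [u for u in URL_RE.findall(message) if classify_link(u) == "lookalike"]


# Constructed phishing-style mail body used for the demonstration below
SAMPLE_MAIL = (
    "Dear customer, your account has been locked. Sign in at "
    "http://bankoamerica.com/secure to restore access. "
    "Real site: https://www.bankofamerica.com/"
)

if __name__ == "__main__":
    for link in URL_RE.findall(SAMPLE_MAIL):
        print(f"{classify_link(link):11s} {link}")
    print("flagged:", suspicious_links(SAMPLE_MAIL))
```

The distance check catches single-character drops and swaps like the one the text gives; the embedded-label check catches the other common pattern where the real name is a subdomain or prefix of an unrelated domain. A production filter would add a public-suffix list and homoglyph folding (e.g. digit 1 for letter l), which this example omits.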

You'll recall one way my Bank of America website prevents phishing attacks; each user has to pick a particular picture which they are to remember, and only sign in when they see that picture. This way, a "phisher" cannot make a website look exactly like theirs, including that specific picture.

(Somewhat related to phishing is identity theft used to gain money; here's a real example from Mr Rayworth.)


Man-in-the-Browser Trojans -

(JSR: Sticking with mainly Wikipedia with this one - again, since this is a single use webpage, for this 2015 May exam only.)


(First of all, Man-in-the-Middle definition: simply, it's where internet traffic is intercepted between two individuals, and the interceptor either just "listens in", or actually pretends to be the intended recipient, thereby stealing information.

And Trojan horse definition: malware which "sneaks" onto a computer and then either does harm or steals information, sending it on to the one who placed the trojan horse there. Unlike a virus it generally does not self-replicate.)


Man-in-the-browser (MiTB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application. A MitB attack will be successful in spite of SSL being used, since the changes are made on the user's computer, rather than interception in transmission being the problem. And two- or three-factor authentication solutions make no difference, since the problem is not with an unauthorized user of the bank account, for example.

A MitB attack may be countered by utilising out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone.

Trojans may be detected and removed by antivirus software, with a 23% success rate against Zeus in 2009. The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking.


Example: in an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount.

The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.

So in summary, there's no problem with authentication, and there's no problem with transmission security - the two things this Case Study is most focused on - nevertheless, fraud occurs via the functioning of the browser Trojan.


Out-of-band Verification -

Using another authentication method other than the browser - server connection. Note this is not necessarily to do with Man-in-the-Browser attacks, and does not help in this regard - rather it's for authentication mainly.

A good means of out-of-band verification is the phone, either by voice or SMS. Here's an explanation and some advantages from http://authentify.com/solutions/authentication-concepts/band-authentication/:

By definition, out-of-band authentication is the use of two separate networks working simultaneously to authenticate a user. Out-of-band authentication works well because even if a fraudulent user gains all security credentials to a user’s account, a transaction cannot complete without access to the second authentication network.

In Authentify’s case, this means using the phone to verify the identity of the user involved in a Web transaction. Phone-based out-of-band authentication works well because:

 

So, basically, when the user logs in, they get either an SMS or a phone call confirming they are in the process of doing on-line banking. (As was the case when I logged on to my KB account, and they sent me an SMS with a TAN.)


Here's more on Out-of-band-Verification (pasted from the Internet)

In financial transactions done over the internet it is essential that the information being exchanged between the person making the payment and the bank is not accessible by a third person. A customer can verify their identity by the use of a password to start the transaction. Most payment gateways require the use of multiple passwords to ensure that only the person that owns the account is able to transfer any funds from it. The information exchange is encrypted to ensure that even if a third person had access to the data stream they would not be able to extract any information from the 1s and 0s being exchanged.

Though strong encryption methods have made online financial transactions relatively secure these are not sufficient to prevent losses occurring due to the presence of malicious software on the device being used for the transaction. A computer virus or similar malware can alter the information after a request is initiated by the account holder. This could be used to alter the amount of money that is transferred or the recipient of the funds being transferred.

Out-of-band verification is verification by means that employ networks other than the data stream between the account holder and the bank. One way of doing this is by making a phone call to the account holder's registered phone number, or by sending a one-time password to the phone that has to be entered to complete the transaction. Out-of-band verification is the introduction of a second layer of security. A criminal eager to steal funds with this system in place would need access to the passwords of the account holder as well as be able to track calls and messages made to their phone.
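The funds-transfer example in the Man-in-the-Browser section (the customer's confirmation screen shows what was keyed while the bank receives altered instructions) and the out-of-band verification described just above can be put together in one small model. The code below is an added example, not from this page, Wikipedia or any bank; the customer, the transfer, the bank key and the Trojan's rewrite are all constructed stand-ins, and the "SMS" is just a string. It shows three things the text states: two-factor login passes for the genuine customer whether or not the browser is infected; an in-band confirmation screen is useless because the infected browser echoes what was keyed; and an out-of-band message composed from what the bank actually received lets the customer spot the mismatch.

```python
# Added example: authentication vs. transaction verification under a
# Man-in-the-Browser. All data and the Trojan behaviour are constructed stand-ins.
from __future__ import annotations
import hashlib
import hmac

CUSTOMER = {"user": "alice", "password": "constructed-password"}
INTENDED = {"from_account": "ACCT-1", "to_account": "ACCT-2", "amount": 100}
BANK_KEY = b"constructed-bank-secret"  # placeholder key binding codes to transfer details


def login_ok(user: str, password: str, otp_typed: str, otp_issued: str) -> bool:
    """Two-factor login. Passes for the genuine customer whether or not the browser
    is infected: authentication validates the person, not the transaction."""
    return (user == CUSTOMER["user"]
            and hmac.compare_digest(password, CUSTOMER["password"])
            and hmac.compare_digest(otp_typed, otp_issued))


def trojan_rewrite(tx: dict) -> dict:
    """Stand-in for the behaviour the page describes: the form is altered on the
    customer's machine, inside the SSL session, so transmission security sees
    nothing wrong. Replacement values are placeholders."""
    return {**tx, "to_account": "ATTACKER-ACCT-PLACEHOLDER", "amount": 9500}


def browser_submit(tx: dict, infected: bool) -> tuple[dict, dict]:
    """Return (what the confirmation screen shows, what the bank receives).
    An infected browser displays the keyed values but sends altered ones."""
    shown = dict(tx)
    sent = trojan_rewrite(tx) if infected else dict(tx)
    return shown, sent


def in_band_confirmation(shown: dict, intended: dict) -> bool:
    """Confirmation screen rendered by the (possibly infected) browser.
    Always agrees with what the customer keyed, so it cannot detect MitB."""
    return shown == intended


def oob_message(received: dict) -> tuple[str, str]:
    """Bank composes the out-of-band SMS from the transfer it RECEIVED, with a
    code bound to those exact details (HMAC over amount and recipient)."""
    details = f"{received['amount']} to {received['to_account']}"
    code = hmac.new(BANK_KEY, details.encode(), hashlib.sha256).hexdigest()[:6]
    return f"Confirm transfer of {details}. Code: {code}", code


def customer_checks_phone(sms: str, intended: dict) -> str | None:
    """Customer reads the SMS on the separate device and compares it with what
    they meant to send. Returns the code only when the details match."""
    expected = f"transfer of {intended['amount']} to {intended['to_account']}"
    return sms.rsplit("Code: ", 1)[1] if expected in sms else None


def process_transfer(intended: dict, infected: bool, use_oob: bool) -> str:
    """End-to-end outcome for one transfer: 'executed' or 'blocked'."""
    shown, received = browser_submit(intended, infected)
    if not in_band_confirmation(shown, intended):
        return "blocked"            # never happens: the browser echoes the keyed values
    if use_oob:
        sms, code = oob_message(received)
        typed = customer_checks_phone(sms, intended)
        if typed is None or not hmac.compare_digest(typed, code):
            return "blocked"        # customer saw altered details on the phone
    return "executed"


if __name__ == "__main__":
    print("2FA login, infected browser:", login_ok("alice", "constructed-password", "123456", "123456"))
    print("clean browser, OOB:        ", process_transfer(INTENDED, infected=False, use_oob=True))
    print("infected, in-band only:    ", process_transfer(INTENDED, infected=True, use_oob=False))
    print("infected, OOB:             ", process_transfer(INTENDED, infected=True, use_oob=True))
```

The detection works only because the out-of-band message echoes the recipient and amount the bank received and the code is bound to them; a message that merely says "confirm your login" would pass in the infected case exactly as the two-factor login does. As the text notes, the phone channel is a separate device only while the phone itself is clean; a MitMo infection that rewrites the SMS on the handset would reintroduce the problem.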