Building Secure Apps
Defending In-House Apps
March 5, 2012 – As banks battle financial malware, they strive against human nature. "The biggest threat, no matter what the device, is people themselves, who can be fooled by rogue applications or rogue messages," says Chip Tsantes, principal, Ernst & Young. "That's true in the online world and it's becoming true on the mobile platform."
The Anti-Phishing Working Group estimates that 39% of all computers are infected with financial malware (malicious software designed to steal account information). Online banking account takeovers are growing at more than 150% per year, according to the Financial Services Information Sharing and Analysis Center. Gartner estimates that cybercriminals have robbed banks, businesses and municipalities of more than $3 billion.
The goal of many malware attacks is identity theft, which rose 13% in 2011, according to Javelin Strategy and Research. Tim Rohrbaugh, who works with the Financial Services Roundtable's Victim's Assistance Center, which provides case management for victims of identity theft, says this is the most popular avenue of crime today. "We see the net effect of what's going on out there," says Rohrbaugh, who is also vice president, information security at Intersections, a provider of credit-monitoring protection services that banks white label. "It's a bad, bad world."
A Thriving Malware Industry
Some cybercriminals who develop financial malware are sophisticated — they use trendy programming methods like agile development and outsource portions of code development to cheaper labor markets.
The less sophisticated can buy a Zeus malware toolkit for as little as $3,000 and build a Trojan horse program that appears legitimate but actually is ready to attack. The toolkit lets criminals add fields to forms at the browser level, so the user sees a legitimate website but might be asked to fill in an additional blank with specific information. According to the security software vendor Trusteer, 77% of personal computers infected with Zeus Trojans have up-to-date antivirus software.
"Since spring of last year, we've been seeing offshoots, variants and mutations of the Zeus codebase appear," says Amit Klein, Trusteer's chief technology officer. The company estimates that Zeus variants, including Ice IX and SpyEye, a malware toolkit similar to Zeus, can be found in around 0.1% to 0.2% of Windows PCs in Western Europe and North America. Experts say banks should assume that their customers' computers and mobile devices have been compromised.
One strain of "man in the browser" financial malware, which Trusteer discovered last September and saw proliferate in late February, was code-named Shylock because it contains random excerpts from Shakespeare's "The Merchant of Venice" in its binary code to avoid detection by antivirus programs. One Shylock's file description is "give me your blessing I am Launcelot your boy."
The malware can also detect the presence of an antivirus scanner and respond by deleting its own files and registry entries, making it undetectable.
Shylock's authors are targeting a dozen or so large banks, some payment card providers and several Web mail providers, Klein says. The attackers are after payment card data, credentials, account numbers and other information that can be used to commit fraud.
Another top threat to online banking, according to Klein, is a new-ish Zeus variant called Ice IX. When a user whose computer has been infected with Ice IX logs into his online banking account, Ice IX intercepts his user name and password, secret question and corresponding answer, date of birth and account balance.
From there, the Trojan injects a page asking the victim to supply his phone number, service provider and telephone account number.
"The user thinks this is a message from the bank, he thinks he's in the bank's website - the padlock is intact," Klein says. "So the user falls for the message, fills in the missing details and the malware sends a real-time message to a command and control server, where the fraudster can now cause a diversion from the user's phone number to the fraudster's phone number."
The only remedies for a bank are to attempt to detect that the user's PC is affected and act accordingly, or be proactive and push browser security software to customers, according to Klein. (Trusteer provides such software, along with IronKey and others.)
Vishing, Phishing and SQL Injections
Another newer type of attack is vishing — voice phishing. Jacob Jegher has been "vished" three times in the past month. "One was a call from a fellow in a call center in Bangalore, who was attempting to get my information," says the senior analyst at Celent. "He told me he was calling on behalf of Microsoft because he noticed a problem with my computer and that he was going to help me fix it." The caller said Jegher had agreed to provide his information to Microsoft and asked him to go to a particular URL. "The URL had nothing to do with Microsoft," Jegher says. Many of his friends and relatives have also been targeted with similar calls recently.
Such attackers try to send their victims to a website that will install malware on their computer and charge about $30 to "fix" the user's computer. They also try to get the user's credit card information when they charge the fee.
The antidote to vishing is customer education — strongly urging customers not to fall for scams like this and not do things like tweet their user name and password, Jegher says. "I'd like to see financial institutions put more money into customer education in security and training."
Many banks are. In December, for instance, U.S. Bank posted a series of "Oversharers Anonymous" videos on YouTube featuring "TMI Tammie," who uses the same password for all her accounts and shares it along with far too much personal information with people she barely knows.
Phishing is one of the oldest and simplest ways of prying bank customers' mobile or online banking credentials out of them. Typically this involves an email that looks like it comes from the consumer's bank, and when the victim clicks on a link in the email, he's taken to a website that downloads malware to his computer or asks him to share personal information. A phishing site takedown service and real-time intelligence are needed, Klein says. User education and stronger log-in schemes can also help.
In January, Bank of America joined an anti-phishing coalition called Domain-based Message Authentication, Reporting and Conformance that aims to create a standard mechanism for verifying that an email has been sent from the entity it purports to be from. The group, whose 15 corporate members also include Google, Yahoo and Microsoft, will build on existing email authentication standards DomainKeys Identified Mail and Sender Policy Framework.
Under the new standard, participating email providers such as Google would check that email addresses are registered with the proper digital signature for the sender's domain (e.g., firstname.lastname@example.org). The standard could take five years to introduce into the marketplace and would only be truly effective if all email providers adopt it.
Last year, the SQL injection had its 10th anniversary. This code-injection technique exploits a security vulnerability in a website's software and often attacks by inputting SQL statements in a web form to get the software to perform operations on the database, such as dump the database content to the attacker.
"If an organization hired a contract programmer for SQL coding and was not set up securely, this could easily happen," says Michael Mitchell, vice president, global network operations for American Express Merchant Services and chairman of the PCI Security Standards Council. "Hackers sit in their basements attacking with scripts; it's all they do all day."
But this type of attack can be thwarted. "SQL injections can be attributed to poorly designed or poorly developed software," says David Ladd, principal group program manager, trustworthy computing, at Microsoft. Cross-scripting, in which attackers inject client-side script into web pages viewed by other users, is another.
To block attacks, code can be scanned for vulnerabilities, and banks can assess their own applications or hire professionals to do it.
Staying a Step Ahead
Old Second National Bank, a $2.1 billion-asset institution in Aurora, Ill., is fortunate enough to have not been a victim of any online or mobile banking attacks — yet. The bank recently invested an undisclosed sum on online banking-security software anyway, to be safe.
"Other banks in the Chicago market have been targets of wire fraud," says Keith Gottschalk, executive vice president and COO, responsible for operations, retail and IT. "We're trying to be very proactive about this. We have not experienced anything so far, but we know it's out there, as other institutions and their customers are getting hit. We're trying to be proactive."
The bank is currently deciding whether the IronKey software and USB device it offers, which provides a secure browser to customers for online banking, should be optional or mandatory for business customers. "We would like every customer to begin using this product," Gottschalk says. "Right now we can't take a chance."
Old Second also plans to set up a fraud-security website for customer education. "We're trying to find ways to educate customers and staff on everything from phishing to ID theft and account takeover," Gottschalk says.
Building Watertight Apps
Hackers typically try several approaches to find the spot where an application or database is vulnerable, Ladd says. "It's not usually the case that you'll find an application that a hacker can directly exploit right off the bat. Usually they have to poke around the edges and look for vulnerabilities, errors or configuration problems, and use each as a means by which to get a little closer to their ultimate goal."
"Business as usual is not good enough," says Ladd. "A lot of the things that have been tried up to this point, such as antivirus software, firewalls and intrusion detection systems, have been an expensive game of whack-a-mole. Developers need to bring a sense of secure development to their organization."
To guide the building of secure applications from the ground up, a group of bankers and technologists who are members of BITS (the Financial Services Roundtable's digital arm) recently issued a set of guidelines called the BITS Software Assurance Framework.
Susan Koski, managing director, global IT risk, information security and vendor risk assessments at BNY Mellon and an author of the framework, says one step is to assess the potential risk of each application to a firm and its clients. "You need to make sure you're risk-ranking those apps and applying the right level of testing and software assurance based on the risk," she says. An application that hosts a cafeteria menu would be at one end of the risk spectrum; a program that processes billions of dollars in transactions would be at the other.
Threat modeling, in which software architects, developers, project managers and testers come up with all the threats that an app could face, helps.
Developers need to be educated about developing secure code, as do app managers and CIOs.
Mobile banking apps require special care. The simple fact that they're relatively new and being rapidly adopted by consumers makes them vulnerable to attack. Few consumers have anti-malware software on their mobile devices. Several strains of malware, including Zitmo (Zeus in the mobile) and Spitmo (SpyEye in the mobile) steal banking credentials that customers receive via SMS.
A 2011 Aite survey of 24 global financial executives found that 75% believe the mobile channel poses fraud and security risks, and 88% believe the mobile channel will be the next big point of fraud exposure.
Mobile users may be more likely to fall victim to phishing, as the phone's small screen size means lengthy URLs are not displayed totally, so they may inadvertently enter their credentials on a fake website.
Mobile devices have built-in vulnerabilities; for instance, some mobile operating systems are set up to share information between applications, such as geolocation, notes Tsantes. "It's more difficult for mobile app programmers to turn those features off permanently so your personal or financial information isn't inadvertently shared with some other application on your device."
Each operating system has its own idiosyncracies, Tsantes says: "If you're developing applications for multiple platforms, you need experts in each of those operating systems who understand the subtle differences to help with protecting and encrypting that information." Also important are following the right procedures, testing rigorously and making sure apps aren't launched before they're ready to go, versus racing to meet a previously announced marketing deadline.
The same transaction-fraud detection systems used for online banking and card transactions need to be applied to mobile banking. "Transactions that originate on your mobile device should be fed into the existing fraud detection systems so that the bank has a clear picture of all your transactions, no matter what platform they're conducted on — understands your behavior, understands whether it's a micro- or macro-level fraud flag and how to deal with it," Tsantes says.
This story originally appeared at Bank Technology News.