Saturday, March 01, 2008

Identity Theft and Phishing and How Affects Financial Institutions

MiTM attack to a bank:

In the USA, online fraud has overtaken viruses as the greatest source of financial loss (Symantec threat report )
Among on-line fraud threats, phishing represents a major threat for financial institutions and according to the Anti-Phishing group organization, 93.8% of all phishing attacks in 2007 are targeting financial institutions. Also a recent study indicates that phishing attacks in the USA alone soared in 2007 to 3.6 Million victims for a total reported customer loss of USD 3.2 Billion. In 2006 , the USA had 2.3 Million victims of phishing and USD 500 million in losses (Gartner study:

Recent research on phishing by Rachna Dhamija at Harvard and J.D. Tygar and Marti Hearst at US Berkeley "Why Phishing works" indicates the phishing is a very effective attack (how could not, target human factor that is the weakest!), and that the best phished sites were able to spoof 90% of participants in the study.

We tend to forget that most of web site phishing controls are "trust indicators" that are try to tell the user that indeed this is a trusted site. Among the controls, showing the address bar with a branded domain and obliviously prompting the user to recognize SSL are the most effective but from the user perspective can be ignored and from the hacker perspective can be spoofed. Therefore this is an area where better controls need to be addressed from usability and security perspective: if I force the user to use mutual authentication via SSL I will implement an effective control for phishing but I will impact usability (scaring my customers away) as well as my costs (for PKI for example). Deploy PKI for each customer is a cost that most financial institutions cannot afford today.

So there is a need to design a antu phishing solution at the application layer that addressed both usability and security. A possible solution could be using multi-layerd security such as to deploy multiple controls:anti-phishing deterrent controls and multi factor authentication preventive controls. The problem with phishing today is that the threat exploit is cheap to make. For example right now is very easy for an hacker to phish a site by exploiting web application vulnerabilities: it does not require an hacker to spoof the legitimate site and recreate all web pages but rather to send a malicious link to the user (the legitimate one) with the attack vector (for example an XSS vector) as part of the URL. Another very dangerous attack is phishing with a web proxy for a Man in the Middle Attack (MiTM). Assuming that the hacker get the opportunity to phish a victim via a malicious link that point to one or more web proxies (such as via a botnet), this attack will be very effective in breaking MFA authentication controls too.
Since a large amount of phshing attacks exploit web application vulnerabilities it is important to test that you build your web site immune from these vulnerabilities. Examples of vulnerabilities that you should tackle for mitigating phishing attacks are weak authentication and authorization controls, weak session management and especially input validation vulnerabilities. The OWASP Top Ten provides a mapping to vulnerabilities to attacks for phishing, privacy violations, identity theft, system alteration and data destruction, financial loss and reputation loss
An example on how XSS vulnerabilities can be exploited for phishing is via a login page that uses frames: a malicious user can inject a malcious frame to collect username and passwords via the legitimate login web page. This attack has been used for identity theft with bank sites in Europe and has been covered on the February 2008 edition of the in-secure magazine

Unfortunately, phishing attacks through MiTM via a web proxy are not mititigated with one countermeasure alone such as a strong authentication control. For example the strongest multi factor authentication MFA solutions commercially available right now such as RSA OTPs, Cyota Risk Authentication, SiteKey etc are still vulnerable to these attacks. By RSA's Uri River admission, any type of token, if deployed as a single layer of security, is vulnerable to good social engineering and a MITM attack so the threat has to be addressed with multi layer controls and not MFA alone: The best way to respond to these threats is do a threat analysis and address the risk with multiple countermeasures such as multiple layer security controls not just MFA.

Regarding identity theft threats, a must read for information security practitioners that work for financial institutions is the recently published data from UC Berkeley Center for Law and Technology. This study is the first attempt to quantify risk of identity theft among institutions. Being the financial institutions the largest target for phishing I was not surprised to see some of the largest banks in USA being on the top of the list for number of reported identity theft incidents in 2006 by the FTC (Federal Trade Commission). The most surprise on my opinion was to see the largest telco At&t/Cingular/SBC coming #2 after BofA/MBNA. Among the largest financial institutions (based upon number of bank deposits) , HSBC has the highest number of incident reported then BofA, ING Bank with only one single event had the lowest no. of incidents of identify theft reported. The bank that I work for, Citibank ranks #7 among the top 25 in this study:

These metrics should drive US banks to reconsider how effective are the countermeasures. Assuming that most US banks had MFA solution rolled out because of FFIEC compliance by 2006 these data tells us that the threat is still not adequately mitigated. IHMO this is a call for banks CIOs to change strategy and update the necessary audit controls by signing off new policies for mititigating the threat, for CISOs to implement more effective security review processes for threat analysis and for security practioners to test the effectiveness of current controls so that new countermeasures can be implemented as required.

No comments: