Thursday, February 14, 2013

Discretionary Controls and Realtime Deception Attacks

Nowadays banking authentication systems are getting more and more sophisticated in order to counterattack the increasing number of hack attempts, but unfortunately attackers follow the same trend by forging new and more refined attack systems, we can define this as a classical never ending battle between good and evil forces.
In this blog post we will talk about the threats posed by the lack application of the proper standard (ISO 15022, 8583) which regulates controls on banking transaction details.

We can summarize this lack of standard with the following statement: “Banking transactions details are checked discretionally by the receiving institute”.

An in depth view of Discretionary Controls could be checked here [1].
The immediate effect of this behavior is that an attacker could choose a bank with weak controls to commit fraudulent transactions.

In this post we describe a scenario where an attacker takes advantage of a bank accepting incoming wire transfers omitting the surname of the recipients. Too many financial institutes allow incoming wire-transfers to "Giorgio" instead to "Giorgio Rossi" as a recipient.

The immediate effect of this behavior is that an attacker could choose a bank with weak controls to commit fraudulent transactions.

 Another very important consequence of a weak control on transaction details is that it could disrupt the effectiveness of authentication mechanisms especially transaction detail verification ones because is possible to accomplish Social Engineering attacks, for example on the recipient Name.

More details will be given in a
specific paragraph that will clarify how discretionary controls could be abused. To clarify the whole attack process let's clarify what is an OOB authentication system.

Overview of OOB Transaction Detail Verification devices

The OOB (Out-Of-Band) Transaction Detail Verification authentication system sends to the banking customer a set of details about the transaction that he should approve. Those details could be for example Iban, Amount, Recipient, Country, if the requested transaction matches the expectation of the customer (seems legitimate) he will validate the transfer by generating an OTP code.

Follows an example of a typical transaction detail verification hardware device:

If the transaction is correct, the user will validate it by generating an OTP code to finalize the operation.

Let’s see how an attacker could abuse the weaknesses in deriving from discretionary controls in realtime thanks to the technology offered by the most modern banking malware.

The first step is to clarify what is a realtime-deception attack and how is accomplished.

ATS and Realtime Deception Attacks

Most modern malware banking implements a webinjection technology called ATS [2] which stands for Automatic Transfer System. Thanks to the ATS system attackers could automatically commit fraudulent transactions or modify and substitute in realtime sensitive details like Iban and Recipient of a legit transaction requested by the victim with malicious detail one.

A realtime-deception attack creates a condition, in which the victim is convinced to authorize a legitimate transaction, when in fact will be validating the fraudulent transaction desired by the attacker.  

Realtime-Deception applied to Discretionary Controls

The following picture summarizes the attack process:

It’s clear that a realtime-deception attack could be a serious threat if applied to a bank that implements weak discretionary controls.

  1. First step involves in the infection of the victim with a banking malware which supports MiTB (Man in The Middle) and makes use of ATS technology.
  2. When the victim fills details to commit a legitimate transaction, the webinjection will substitute the proper Iban and other details, with a malicious ones owned by the attacker. The attacker automatically chooses thanks to ATS the proper money-mule to adopt, in the case of the example Giorgio “Mule”. Attackers needs a mule with the same name (not surname) of the intended recipient chosen by the user.
The victim will receive in the OTP device details about the transaction, but will hardly notice the change of the Iban code, so finally the victim is convinced to validate your transaction. OTP will also provide the code necessary to validate the fraudulent transaction.

Realtime-Deception attacks are suitably constructed according to the device and transaction details exposed to the victim.

However it’s possible to provide a categorization of the possible combinations of detail alteration and relative weak discretionary control that could lead to a successful attack. This combination involves the security design of the OOB device screen:
  1. Substitution of Recipient, Iban and Amount – This substitution could be used for example against phone call authentication which does not reveal transaction details.
  2. Substitution of Recipient and Iban – This substitution could work for example against devices that does not show the Name between transaction details.
  3. Substitution of Recipient’s Name and deletion of the Surname – This substitution could work for example against devices that only show only the Recipient Name.
Let’s suppose for example that we are in the third case, the hardware device shows only Amount and Name and let’s also suppose that the banking transaction detail controls does not care about the recipient Surname.
An attacker could exploit this flaw to substitute for example
The ATS automatically chooses the best fitting money-mule, in this case the mule has the same name of the legitimate recipient, the Surname difference is rendered useless due to the nature of this specific control weakness: example Giorgio (Real) -> Giorgio (Mule).
Where “Giorgio Mule” is a money-mule owned by the attacker.
From a victim point of view would be impossible to distinguish Giorgio “Real” from “Mule”, this behavior will finally lead the customer to validate the fraudulent transaction.

The scope of this simple attack scenario is to show that it’s possible to meet a specific banking institute which has poor controls, for example by allowing transactions that contains a wrong beneficiary name. For an attacker will be an easy task to change Iban code and leave the same recipient name.

Each kind of substitution/modification typology strictly depends on the weak discretionary control applied by the specific bank.

It’s interesting to put in evidence the fact that a correct mix of Social Engineering, webinjection capabilities and knowledge of the details validation flaws could pose a serious threat for the vast majority (hardware and software) of OOB transaction detail verification authentication systems.

From a defense point of view became clear that adopting the proper transaction detail verification standards [3] [4] represents a significant increase in terms of security.

Written by Giorgio Fedon and Giuseppe BonfĂ 


No comments :

Post a Comment