DIY Anti-Phishing Kit

I’ve been doing some thinking about online banking and what, if anything, an average user can do to make the online banking experience more secure. I want something that has tangible protection for banking credentials (even if slightly inconvenient) without waiting for your bank to provide a solution.

A huge amount of malicious code and phishing activity is targeted at acquiring your personally identifiable information; bank accounts, passwords, credit card numbers, mother’s maiden name, etc. The motivation behind all of this activity is financial gain. The bad guys want to get into your account and perform a few money transfers.

Despite the pressures from industry and regulatory bodies there is still a logic that banks will use to determine if it is in their interest to deploy strong authentication for their online customers. It goes something like this:

Let X be the cost of deploying a strong authentication solution.

Let Y be the estimated cost of not deploying a solution (direct losses to fraud, account resets, legal actions, etc.).

If X is less than Y then it is worth deploying. Otherwise they will tolerate the fraud and any impact it might have on their customers (at least until online reputation becomes something of value on the Internet).

Sometimes banks will provide their high net worth customers with strong authentication (such as one-time-password) tokens and leave the rest of us to make do with static login credentials. I happen to be in the second class of online bankers. I worry every time I log in about some man-in-the-middle (MITM) or man-in-the-browser (MITB) stealing my credentials. Even if I did qualify for an OTP token from the bank, I know that there are MITM attacks that have been proven to defeat them, so I’d still be somewhat worried.

What can you do if you want better protection? Here’s a do-it-yourself recipe for a solution that will give you pretty good protection against MITM attacks and some protection against MITB. Before I give the recipe, let’s look quickly at the nature of the attacks I’m talking about.

Some MITM attacks are transparent to the end user and require no social engineering. These include protocol downgrade and cipher downgrade attacks on SSL that weaken the encryption enough that an attacker can recover the keys (with some effort) and decrypt all of the captured traffic. Another transparent attack can occur from within the browser. With a malicious certificate installed in the browser’s certificate store, the attacker can spoof web sites without causing any certificate warnings, so the attack can really go unnoticed.

That being said, many people don’t know how to deal with certificate warnings and often click “OK” and trust the certificate anyway. Unfortunately, many legitimate servers really do have problems with their certificates: they are expired, their common name does not match the server’s host name, or they are self-signed. As a result many users are accustomed to accepting certificates with problems for legitimate servers. Exploiting this tendency, an attacker presents a spoofed certificate at the start of an SSL session in the hope that the user accepts it out of habit. If the user accepts, the attacker simply relays all the traffic between the client and the server and sees it in the clear.

Recipe:

1) Obtain a USB flash drive with some security features. At a minimum, it should be configurable with a true read-only area where you can lock down software.

2) Obtain a good portable browser (I’ll use Portable Firefox for this recipe) and unpack it somewhere on a “trustworthy” machine.

3) Go into the Encryption tab under Advanced Options and make sure that the Use SSL 3.0 and Use TLS 1.0 options are checked (this prevents older versions of SSL from being used).

4) Go into the Security options and enable security warnings for information that is submitted unencrypted.

5) Configure the browser certificate store to contain the certificates of the sites you want to interact with. You can do this by visiting the site, viewing its certificate and adding it to your trusted certificates.

6) This is the longest step, but if you really want to lock things down so that every site except the ones you want to visit gives you a warning, go into the certificate manager and, for every certificate in the Authorities list, disable the “This certificate can identify web sites” option.

7) Package up this configuration and install it on the read-only area of the flash drive.

Now you’re ready to do your online banking with the following security defences.

1) Your portable browser is resistant to MITB attacks. Because it is installed in a read-only area, it cannot be permanently infected. Any malware that attacks it will only survive until the device is removed.

2) You have a white list of trusted SSL web sites. Any other site that you visit, even legitimate sites with valid certificates, will present you with a warning.

3) You will also be presented with a warning if you are on a login page that allows credentials in a non-encrypted session.

Provided you use this configured browser from the USB device you can visit your banking site, establish a trusted SSL session, enter your banking credentials (even an OTP) and be safe from MITM.
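The two properties the recipe builds into the browser, a protocol floor (step 3) and a whitelist of exactly the certificates you chose to trust (steps 5 and 6), can be expressed as a small TLS client. The code below is an added example of mine, not from the original post; it assumes a constructed certificate and the placeholder hostname `bank.example`, and it pins the SHA-256 fingerprint of the site’s DER-encoded certificate rather than relying on any certificate authority, which gives the same effect as emptying the Authorities list. It sets TLS 1.2 as the minimum version, since SSL 3.0 and TLS 1.0 are no longer considered safe.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed whitelist: hostname -> SHA-256 fingerprint (hex) of the site's DER-encoded
# certificate. The bytes and hostname below are placeholders for this example, not a real bank.
CONSTRUCTED_CERT = b"constructed DER certificate bytes for bank.example"
PINS = {
    "bank.example": hashlib.sha256(CONSTRUCTED_CERT).hexdigest(),
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(hostname: str, der_cert: bytes, pins: dict) -> bool:
    """True only if hostname is on the whitelist and the presented cert matches its pin."""
    expected = pins.get(hostname)
    if expected is None:
        # A site that is not on the list gets no trust at all, even if a public
        # CA would vouch for it (the effect of step 6 in the recipe).
        return False
    # Constant-time comparison so the check itself leaks nothing about the pin.
    return hmac.compare_digest(expected, fingerprint(der_cert))


def make_context() -> ssl.SSLContext:
    """TLS client context that refuses legacy protocol versions (the intent of step 3)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and TLS 1.1 are rejected
    return ctx


def connect_pinned(hostname: str, pins: dict = PINS, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS session to hostname and abort unless the leaf certificate is pinned.

    Returns the verified fingerprint. Raises ssl.SSLError if the site is not on the
    whitelist or presents any certificate other than the pinned one, so credentials
    are never sent to a relaying middleman that shows a different certificate.
    """
    ctx = make_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            if not is_pinned(hostname, der, pins):
                raise ssl.SSLError(
                    f"{hostname}: certificate is not on the whitelist, refusing to send credentials"
                )
            return fingerprint(der)


if __name__ == "__main__":
    # Offline self-check against the constructed certificate; no network access needed.
    print("pinned cert accepted:  ", is_pinned("bank.example", CONSTRUCTED_CERT, PINS))
    print("tampered cert accepted:", is_pinned("bank.example", CONSTRUCTED_CERT + b"x", PINS))
    print("unlisted site accepted:", is_pinned("other.example", CONSTRUCTED_CERT, PINS))
```

To use this against a real site you would populate `PINS` with the fingerprint you recorded yourself while on a trustworthy machine (the same act as step 5) and then call `connect_pinned("your.bank.example")`; the placeholder entry above will not match any live server, which is exactly the failure you want when something in the path presents a different certificate.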

You should still exercise caution. No other site should be asking for your bank login credentials except sites that you trust. So don’t visit URLs from suspicious sources without using your secure browser. You’ll know if it isn’t trusted because your browser will tell you. Pay attention to the warnings because now they really do mean something shouldn’t be trusted!

Unfortunately, there are nastier problems on the horizon besides phishing and MITM. The next wave of attacks will come from malware in the machine and the bad guys won’t even care about capturing your login credentials. Instead, these attacks will wait until you’ve logged in and will then go to work behind the scenes altering your transactions and setting up their own money transfers from your account. But that’s a problem to solve for another day.

