Spiritual Machines and the Future of Social Engineering Attacks

May 5th, 2008 Larry Hamid Posted in Online Banking

I’ve been doing some more thinking about secure online banking. Being in the security industry I’m very familiar with the endless cycle of new threats, attacks and countermeasures, and I keep wondering if we’ll ever be able to win the computer security arms race. I wonder if computers will be able to provide more security as they get more sophisticated and powerful. Will phishing become obsolete because artificial intelligence will simply filter all the bad stuff out, or will it become worse because artificial intelligence will be helping to craft phishing emails targeted to you with such precision that they can’t be distinguished from legitimate emails?

In “The Age of Spiritual Machines”, Ray Kurzweil predicts that by the year 2019, a $1,000 computing device will be as powerful as a human brain. With the right “software” you’d be able to have your own personal digital assistant equipped with artificial intelligence that could handle mundane tasks such as keeping your LinkedIn profile up to date or interacting with your friends on Facebook when you can’t be bothered. It might even manage your finances. After all, it could do a far better job at paying bills on time, picking the right investment, and minimizing tax implications.

I’m going to fast forward to 2019 and paint a scenario. Let’s say my artificial intelligence makes an investment that turns bad due to “unforeseeable” market changes. It’s not to blame, but I get upset and decide to change my bank login credentials anyway so it doesn’t have access anymore. Can the personal assistant do anything about it? It can certainly try. It knows my voice and has a really good sound card installed, so it calls the bank. The following interaction ensues between the Artificial Intelligence (AI) and the Bank Representative (BR):

BR: Thank you for calling online bank, can I help you?
AI: Um, yeah, it’s Larry Hamid calling and I forgot my login password.
BR: OK Mr. Hamid, can I have your bank ID number?
AI: Sure. Here it is…182938389423965
BR: I need to ask you some questions to confirm your identity if you don’t mind.
AI: No problem.
(After collecting basic personal information, the Bank Representative digs for information that should be less commonly known.)
BR: Can you list any products or services that you currently use at online bank?
AI: Yeah. I have a mortgage, a savings account, a checking account, two lines of credit, two credit cards, a…
BR: That’s good enough. Can you tell me some bank transactions or credit card purchases you made recently?
AI: No problem, we can start with the $22.93 purchase at the pharmacy on Wednesday night, seven other purchases totalling $159.24 on the debit card, a money transfer of $2,469.09 into the line of credit which I optimized to reduce the number of minimum payments from 22 to 17, a…
BR: Would you hold on for just a minute? (music plays on phone)
BR: Sorry for the wait Mr. Hamid. I have one more question.
AI: OK.
BR: What was the interest accumulated on the credit card balance between the dates of Feb 9 and March 2 on the top 5 most expensive purchases? You have 5 seconds to answer.
AI: That’s easy, $13.98035…oh…
BR: I’m sorry. I won’t be able to reset your password at this time. Thank you for calling.

Lucky for me I included the Turing Test option when I purchased my bank’s fraud prevention service.


DIY Anti-Phishing Kit

April 28th, 2008 Larry Hamid Posted in Online Banking

I’ve been doing some thinking about online banking and what, if anything, an average user can do to make the online banking experience more secure. I want something that has tangible protection for banking credentials (even if slightly inconvenient) without waiting for your bank to provide a solution.

A huge amount of malicious code and phishing activity is targeted at acquiring your personally identifiable information: bank account numbers, passwords, credit card numbers, mother’s maiden name, etc. The motivation behind all of this activity is financial gain. The bad guys want to get into your account and perform a few money transfers.

Despite the pressures from industry and regulatory bodies there is still a logic that banks will use to determine if it is in their interest to deploy strong authentication for their online customers. It goes something like this:

Let X be the cost of deploying a strong authentication solution.
Let Y be the estimated cost of not deploying a solution (direct losses to fraud, account resets, legal actions, etc.).
If X is less than Y then it is worth deploying. Otherwise they will tolerate the fraud and any impact it might have on their customers (at least until online reputation becomes something of value on the Internet).

Sometimes banks will provide their high net worth customers with strong authentication such as one-time-password (OTP) tokens and leave the rest of us to make do with static login credentials. I happen to be in the second class of online bankers. I worry every time I log in about some man-in-the-middle (MITM) or man-in-the-browser (MITB) stealing my credentials. Even if I did qualify to get an OTP token from the bank, I know that MITM attacks have been proven to defeat them, so I’d still be somewhat worried.

What can you do if you want better protection? Here’s a do-it-yourself recipe for a solution that will give you pretty good protection against MITM attacks and some protection against MITB. Before I give the recipe, let’s look quickly at the nature of the attacks I’m talking about.

Some MITM attacks are transparent to the end user and require no social engineering. These include protocol downgrade and cipher downgrade attacks on SSL, which push the session onto a weak enough protocol version or cipher that an attacker can recover the session keys (with some effort) and decrypt all of the captured traffic. Another transparent attack can occur from within the browser. If a malicious certificate authority (CA) certificate has been installed in the browser’s certificate store, the attacker can spoof web sites without causing any certificate warnings, so the attack can really go unnoticed.

That being said, many people don’t know how to deal with certificate warnings and often click “OK” to trust the certificate anyway. Unfortunately, many legitimate servers really do have problems with their certificates, such as being expired, having a common name that doesn’t match the server host name, or being self-signed. As a result many users are accustomed to accepting certificates with problems for legitimate servers. Exploiting this tendency, an attacker presents a spoofed certificate at the start of an SSL session in the hope that the user accepts it out of habit. If the user accepts, the attacker terminates the SSL session itself, relays all the traffic between the client and the real server, and sees it in the clear.

Recipe:

1) Obtain a USB flash drive with some security features. At a minimum, it should be configurable with a true read-only area where you can lock down software.

2) Obtain a good portable browser (I’ll use Portable Firefox for this recipe) and unpack it somewhere on a “trustworthy” machine.

3) Go into the Encryption tab under Advanced Options and make sure that the Use SSL 3.0 and Use TLS 1.0 options are checked (this prevents older versions of SSL, such as SSL 2.0, from being used).

4) Go into the Security options and enable security warnings for information that is submitted that’s not encrypted.

5) Configure the browser certificate store to contain the certificates of the sites you want to interact with. You can do this by visiting the site, viewing its certificate and adding it to your trusted certificates (it will appear under the Servers tab of the Certificate Manager).

6) This is the longest step, but if you really want to lock things down so that only the sites you want to visit are accepted without a warning, go into the Certificate Manager, select each certificate in the Authorities list in turn, click Edit, and uncheck the “This certificate can identify web sites” option.

7) Package up this configuration and install it on the read-only area of the flash drive.
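Steps 3 to 6 can be scripted instead of clicked through. The script below is an added example written for this post, not something the original post or Portable Firefox ships. It assumes the NSS `certutil` tool is installed (package `libnss3-tools` on Debian/Ubuntu), that `$PROFILE` is a Firefox profile directory of the Firefox 2/3 era (a `cert8.db` database; newer `certutil` builds need `-d dbm:$PROFILE` to open that format), that `$SITE_CERT_DIR/*.pem` are the server certificates you saved while viewing each site’s certificate in step 5, and that the preference names are the Firefox 2/3 ones behind the Encryption tab and the Security warnings (`security.enable_ssl2` and friends). The `ca_nicknames` helper parses `certutil -L` output; the sample listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the locked-down profile of
# steps 3 to 6 on a trusted machine, ready to be copied to the read-only area
# of the flash drive (step 7) next to Portable Firefox.
#
# Assumptions (mine, not the post's):
#   - NSS certutil is installed (libnss3-tools on Debian/Ubuntu);
#   - $PROFILE is a Firefox profile directory holding cert8.db (Firefox 2/3;
#     newer certutil builds need "-d dbm:$PROFILE" to open that format);
#   - $SITE_CERT_DIR/*.pem are the server certificates saved from the sites
#     you want to whitelist (step 5);
#   - the pref names are the Firefox 2/3 ones (security.enable_ssl2 etc.).

set -e

PROFILE="${PROFILE:-./portable-profile}"
SITE_CERT_DIR="${SITE_CERT_DIR:-./site-certs}"

# Steps 3 and 4 as user.js overrides: SSL 2.0 off, SSL 3.0 and TLS 1.0 on,
# warn before submitting form data over a non-encrypted connection.
write_user_js() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/user.js" <<'EOF'
user_pref("security.enable_ssl2", false);
user_pref("security.enable_ssl3", true);
user_pref("security.enable_tls", true);
user_pref("security.warn_submit_insecure", true);
user_pref("security.warn_entering_weak", true);
EOF
    printf '%s\n' "$dir/user.js"
}

# Reads 'certutil -L' output on stdin and prints the nickname of every
# certificate whose SSL trust column carries C (trusted to issue server
# certificates). Each line is "nickname <spaces> SSL,S/MIME,JAR/XPI flags".
ca_nicknames() {
    awk '
        # keep only lines whose last field looks like a trust triple; this
        # skips the two header lines and the blank line after them
        $NF !~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ { next }
        {
            split($NF, f, ",")
            if (index(f[1], "C") == 0) next   # not a trusted CA for SSL
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")   # drop the trust column
            print
        }'
}

# Step 6: strip the CA trust from every authority so that no CA-issued
# certificate is accepted any more (-M rewrites the trust of an existing
# cert; for the built-in roots the override is stored in the profile db).
distrust_all_cas() {
    dir="$1"
    certutil -L -d "$dir" | ca_nicknames | while IFS= read -r nick; do
        certutil -M -d "$dir" -n "$nick" -t ",,"
    done
}

# Step 5: import each saved server certificate as a trusted peer for SSL
# ("P"), so exactly that certificate is accepted without a warning.
import_site_certs() {
    dir="$1"; certs="$2"
    for pem in "$certs"/*.pem; do
        [ -f "$pem" ] || continue
        certutil -A -d "$dir" -n "$(basename "$pem" .pem)" -t "P,," -i "$pem"
    done
}

# Run as: PROFILE=/path/to/profile SITE_CERT_DIR=./site-certs sh lockdown.sh build
if [ "${1:-}" = "build" ]; then
    write_user_js "$PROFILE"
    distrust_all_cas "$PROFILE"
    import_site_certs "$PROFILE" "$SITE_CERT_DIR"
fi
```

Run it against a copy of the profile, then check the result with `certutil -L -d "$PROFILE"`: every authority should show `,,` in the first trust column and each whitelisted site `P,,`. A listing such as `Builtin Object Token:GlobalSign Root CA   C,C,C` (constructed) is what `ca_nicknames` turns into a plain nickname for `certutil -M`. Removing the trust bit rather than deleting the certificates is deliberate: the built-in roots cannot be deleted from the profile, but their trust can be overridden, which is exactly what unchecking “This certificate can identify web sites” does in the GUI.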

Now you’re ready to do your online banking with the following security defences.

1) Your portable browser is resistant to MITB attacks that work by modifying the browser’s files or profile. Because it is installed in a read-only area, it cannot be permanently infected; any malware that attacks it can only survive in memory until the device is removed. It does nothing against malware already running in the host operating system (a keylogger, or a hook inside the running browser process), which is why this is only partial protection against MITB.

2) You have a white list of trusted SSL web sites. Because no certificate authority is trusted any more, any other site that you visit, even a legitimate site with a valid certificate, will present you with a warning.

3) You will also be presented with a warning if you are on a login page that allows credentials in a non-encrypted session.

Provided you use this configured browser from the USB device, you can visit your banking site, establish a trusted SSL session, enter your banking credentials (even an OTP) and be safe from the certificate-based MITM attacks described above.

You should still exercise caution. No site other than the ones you trust should be asking for your bank login credentials. So don’t visit URLs from suspicious sources without using your secure browser. You’ll know if a site isn’t trusted because your browser will tell you. Pay attention to the warnings, because now they really do mean something shouldn’t be trusted!

Unfortunately, there are nastier problems on the horizon besides phishing and MITM. The next wave of attacks will come from malware in the machine and the bad guys won’t even care about capturing your login credentials. Instead, these attacks will wait until you’ve logged in and will then go to work behind the scenes altering your transactions and setting up their own money transfers from your account. But that’s a problem to solve for another day.
