Mitja Kolsek talked about the security and risks of online banking at the DeepSec 2011 conference: We've all heard of - or have even been a victim of - attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules' accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims' accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. These factors create incentive for criminals to focus on online banking servers. Incidentally, that's where - as famous bank robber Willie Sutton might say "all the money is". Now, Mr. Sutton lived in the times of physical currency and had to rob the banks the old fashioned way with guns and actual physical presence, risking his life and endangering lives of others. Today, 90% of all money is in a digital form inside banking databases. It therefore shouldn't surprise us if tomorrow's Suttons will break into banks disguised in malicious server requests that sneak past the predictable e-guards and force the compliant bank e-tellers to hand over the money or send it to a foreign account. An online banking server application is an implementation of the business logic that provides online banking services to remote users on PCs or mobile devices. Security requirements are plenty and diverse, for instance: making sure who the user is, preventing users from accessing data or funds from another user (unless authorized) and limiting payments to available funds and preventing unauthorized overdrafts. And stakes are very high: a single error in such application can potentially provide a way to steal large sums of money from personal or corporate users, to instantly borrow an unlimited amount without authorization, to enter a maliciously-doctored legally binding agreement with the bank or even to create new money out of thin air. This presentation will reveal future attacks against online banks, which we continually find possible in our security reviews. We'll show how e-bank robbers of tomorrow will approach the targets, hide their reconnaissance and attacks, cloak their identities and retrieve the stolen funds. You will also see how a frequent error in online banking applications allows users to make serious profits on simple automated operations "without ever breaking the law". The bankers in the audience will have a rare opportunity to get a heads up about future attacks before these are mounted against their systems, and those developing online banking systems will get a list of most critical security flaws they absolutely have to avoid. The attacks presented will be a mix of surprising triviality and devious cleverness, leaving the audience slightly worried about the fragility and vulnerability of today's financial systems. Bank robbers are kindly asked not to attend.

Be the first to comment