combat the latest two-factor authentication evasion techniques

© 2014 IBM Corporation Combat the Latest Two-Factor Authentication Evasion Techniques Ori Bach Senior Security Strategist IBM Trusteer

Upload: ibm-security

Post on 18-Jul-2015


TRANSCRIPT

Slide 1 (© 2014 IBM Corporation, IBM Security)

Combat the Latest Two-Factor Authentication Evasion Techniques

Ori Bach, Senior Security Strategist, IBM Trusteer

Slide 2: Agenda

• Background
• Second factor authentication bypass methods
• Mobile bypasses
• Biometric authentication
• Rebuilding trust in your authentication process
• Q&A

Slide 3: Second factor authentication overview

Slide 4: Authentication is about trust

Doctor Jacob Bach (1912-2006)

Slide 5: Authentication in history

Thunder / Lightning

Slide 6: Single factor authentication - something you know

Slide 7: Phishing emails broke single factor authentication

Something you know = something fraudsters can steal

Slide 8: Second factor authentication to the rescue?

Once a user receives the one time password it becomes something he knows

Slide 9: Biometrics to the rescue?

Slide 10: QUESTION

Which of the following 2FA methods does your institution use?

1. Paper code / Bingo / Scratch card
2. One time SMS password / Authentication via Mobile App
3. Physical Token / USB Token
4. Biometric authentication
5. Other

Slide 11: 2FA breaches in the news

Slide 12: The fraud prevention challenge: Cybercriminals don't sleep

• Fraud operation costs
• Authentication challenges
• Transaction delays
• Account suspensions

Slide 13: Compliance driven authentication requirements

Slide 14: Bypass methods

Slide 15: Social engineering via the phone

"Hi this is Microsoft support. Our records show your windows license is about to expire. We would be happy to renew it for you…"

Slide 16: Fake chat

"The system couldn't identify your PC. You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any inconvenience, we are carrying about security of our clients."

Slide 17: Man-in-the-browser injected screens

Slide 18: Man in the browser automated transaction

• To restore brand reputation, several U.K. banks issue smartcard reader devices to online banking users
• At login, users are asked to insert the card to create a unique key, valid for 30 seconds
• Multi-year, expensive rollout
• Degraded user experience
• Cybercriminals circumvent 2FA using simple man-in-the-browser malware

Slide 19: Redirect attack

Diagram elements: Phishing Email, Banking Website, Fake Banking Website. The six numbered steps (order reconstructed from the diagram labels):

1. Victim's device gets infected with malware
2. Navigation to online banking website
3. DNS routing diverts user to fake website or proxy
4. Login to online banking
5. Credentials and PII are sent to criminal
6. Money transfer to mule account

Slide 20: Fake website: Can you tell them apart? (screenshots A and B)

Slide 21: Fake website: Can you tell them apart? (screenshots A and B)

Slide 22: Age of the RAT

Remote Access Trojan

Slide 23: Traditional account takeover

Diagram elements: Criminal, Victim, Credentials, Transaction, Online Bank (credentials stolen from the victim; transaction submitted by the criminal).

Slide 24: Account takeover using a RAT

Diagram elements: Criminal, Victim, Credentials, Remote Access, Transaction (remote access to the victim's device; transaction submitted from that device).

Slide 25: Fraud toolkit example – victim's desktop (screenshot)

Slide 26: Fraud toolkit example – victim's desktop (screenshot)

Slide 27: Fraud toolkit example – victim's desktop (screenshot)

Slide 28: Fraud toolkit – criminal's control panel (screenshot)

Slide 29: Fraud toolkit example - Summary

The toolkit circumvents all methods of 2FA.

Question: how much does this toolkit cost on the underground?

A) 10,000 USD
B) 1000 USD
C) 500 USD
D) Less than 100 USD

Slide 30: Malware infection on a desktop breaks the trust of 2FA

Diagram: the OPERATOR and the MALWARE act from the criminal device against the banking website (Landing Page, Login Page, My Information, Money Transaction). Techniques shown:

• Use stolen credentials
• Remote control tools
• Ride the session
• Man-in-the-middle / Man-in-the-browser
• Fake chat
• Fake support
• Steal credentials
• Automated transaction
• Redirect and overlay
• Infect mobile device

Slide 31: Mobile 2FA Bypasses

Slide 32: SMS stealers

Slide 33: Underground discussions

Slide 34: SMS stealers for sale

Diagram: the User Name + Password and the OTP SMS are captured on the victim's phone and forwarded (Credentials, OTP SMS) to a TOR C&C server.

Slide 35: Server-side Device ID is not effective for mobile devices

• Mobile devices share many identical attributes
• Mobile devices have the same attributes: OS, browser, fonts, etc.
• Cybercriminals can easily trick traditional device ID systems
• We know less about our mobile users

Slide 36: Mobile users are less tolerant of cumbersome authentication

Slide 37: SVPeng - Example of mobile financial malware

Slide 38: The majority of financial apps have been hacked

• The majority of the top 100 paid Android and iOS apps are available as hacked versions on third-party sites
• …as are many financial service, retail, and healthcare apps (State of Mobile App Security, Arxan, 2015)
• "Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak" (ExtremeTech, 2013)

http://www-03.ibm.com/software/products/en/arxan-application-protection

Slide 39: App Latching (Bundling)

Source: Dancho Danchev

Slide 40: Mobile fraud has moved from threat to reality

Slide 41: Malware infection on the mobile device breaks the trust of 2FA

• Rogue apps
• SMS stealers
• Mobile malware
• Rooted or jailbroken devices

Slide 42: Biometrics

Slide 43: Biometrics bypasses (Replay attacks)

Slide 44: Challenges with biometrics for authentication

• How accurate is your biometric?
• How secure is the enrollment?
• Compliance considerations
• What happens when biometric data is stolen?
• Riding authenticated sessions

Slide 45: QUESTION

Which of the below authentication methods has not been circumvented as of yet?

1. Paper code / Bingo / Scratch card
2. One time SMS password / Authentication via Mobile App
3. USB Token
4. Biometric authentication
5. All of the above have been bypassed

Slide 46: Further risks of a compromised environment

Slide 47: What happens when authentication fails?

Slide 48: Phone fraud as-a-service

Slide 49: Malware compromises email accounts

Example of data pulled by Dyre from an infected device (screenshot). Dyre collects…

• Email passwords
• Services
• Passwords over secure connection

Visible in the capture: ==Programs== … User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0

Slide 50: Rebuilding Trust in Your Authentication Process

Slide 51: Online Banking - Authentication can only happen in a trusted environment

Diagram: (1) LOGIN on the web or App Login on mobile, then (2) the Login / Payment decision: Allow, Authenticate, or Deny. Malware & Vulnerability Detection and Threat Awareness feed the decision.

Web Risks:
• Financial malware
• Known criminal device
• Use of proxy
• Spoofed device
• Phishing history

Mobile Risks (in addition to the web risks):
• SMS stealers
• Financial malware
• Known criminal device
• Jailbroken / Rooted
• Rogue apps
• Unpatched OS
• Unsecure Wi-Fi connection

Slide 52: Trusted desktop endpoints

• Prevents future malware infections: provides protection to secure user devices against malware infections
• Detects and removes malware: removes existing financial malware from end-user machines
• Safeguards personal information: protects web browser sessions to prevent tampering with customer transactions; secures the browser to prevent MIB (man-in-the-browser) and MIM (man-in-the-middle) attacks
• Phishing detection: detects suspected phishing sites visited by a protected user; enables protection against phishing of login credentials and payment card data
• Alerts of device risk

Slide 53: Trusted mobile endpoints

Safe Device:
• Known device - persistent client-side device ID
• Known geo location
• No malware detected
• No rogue apps detected
• Secure connection
• No history of phishing or malware on PC

Slide 54: Threat aware authentication

Diagram: Trusteer Pinpoint Criminal Detection combines four inputs.

• Device Intelligence: complex device ID; spoofing, location, proxy, remote access; persistent device ID
• User Activity: in-session user activity; account access and transaction history
• Known Fraudsters: criminal database
• Malware / Phishing Detection: account compromise history via malware and phishing
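The Allow / Authenticate / Deny flow of slide 51, the Safe Device criteria of slide 53 and the threat-aware inputs of slide 54 describe a risk-based decision taken before a login or payment is accepted. The following is an added example of such a policy, written for this page; it is not IBM Trusteer or Pinpoint code. The signal names, the weights, the step-up threshold and the rule that endpoint-compromise signals deny outright are assumptions chosen for the illustration; the session data is constructed.

```python
"""Threat-aware authentication decision after the Allow / Authenticate / Deny flow
on slides 51, 53 and 54. Added example, not IBM Trusteer code. Signal names,
weights and thresholds are assumptions chosen for the illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Decision(Enum):
    ALLOW = "allow"                 # trusted environment: let the login or payment through
    AUTHENTICATE = "authenticate"   # step up with a second factor
    DENY = "deny"                   # compromised endpoint: no second factor can restore trust


# Endpoint-compromise signals from slide 51. A device running financial malware or an
# SMS stealer, or one already fingerprinted as criminal, is not a trusted environment, so
# the request is denied rather than challenged: an OTP entered on (or relayed from) such a
# device is just "something the fraudster knows" (slide 8).
UNTRUSTED_ENDPOINT = frozenset({"financial_malware", "sms_stealer", "known_criminal_device"})

# Lower-confidence risks from slides 51 and 53; the weights are assumed values that
# accumulate toward a step-up challenge.
STEP_UP_WEIGHTS: Dict[str, int] = {
    "rogue_app": 3,
    "rooted_or_jailbroken": 3,
    "spoofed_device": 3,
    "remote_access": 3,      # RAT-driven session riding, slides 24 and 30
    "use_of_proxy": 2,
    "phishing_history": 2,
    "unpatched_os": 1,
    "unsecure_wifi": 1,
    "unknown_geo": 1,
}
UNKNOWN_DEVICE_WEIGHT = 2   # no enrolled persistent client-side device ID (slide 53)
STEP_UP_THRESHOLD = 3


@dataclass
class Session:
    user: str
    channel: str                  # "web" or "mobile"
    device_id: Optional[str]      # persistent client-side device ID presented by the endpoint
    signals: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    # user -> persistent device IDs enrolled for that user (constructed enrolment store)
    known_devices: Dict[str, Set[str]] = field(default_factory=dict)

    def is_known_device(self, session: Session) -> bool:
        # Slide 35: server-side attributes (OS, browser, fonts) do not identify a mobile
        # device, so only the persistent client-side ID counts, on either channel.
        if session.device_id is None:
            return False
        return session.device_id in self.known_devices.get(session.user, set())

    def risk_score(self, session: Session) -> int:
        unknown = session.signals - UNTRUSTED_ENDPOINT - set(STEP_UP_WEIGHTS)
        if unknown:
            # Fail closed: a misspelled signal must not silently lower the score.
            raise ValueError(f"unrecognised risk signals: {sorted(unknown)}")
        score = sum(STEP_UP_WEIGHTS.get(s, 0) for s in session.signals)
        if not self.is_known_device(session):
            score += UNKNOWN_DEVICE_WEIGHT
        return score

    def decide(self, session: Session) -> Decision:
        if session.signals & UNTRUSTED_ENDPOINT:
            return Decision.DENY
        if self.risk_score(session) >= STEP_UP_THRESHOLD:
            return Decision.AUTHENTICATE
        return Decision.ALLOW

    def reasons(self, session: Session) -> List[str]:
        """Signals behind the decision, for the 'alerts of device risk' feed (slide 52)."""
        found = sorted(session.signals)
        if not self.is_known_device(session):
            found.append("unknown_device")
        return found


if __name__ == "__main__":
    # Constructed sample sessions, not real telemetry.
    policy = Policy(known_devices={"alice": {"web-dev-1", "mob-dev-1"}})
    samples = [
        Session("alice", "web", "web-dev-1", set()),                  # allow
        Session("alice", "mobile", "mob-dev-1", {"unpatched_os"}),   # allow (score 1)
        Session("alice", "mobile", None, {"unsecure_wifi"}),         # authenticate (2 + 1)
        Session("alice", "web", "web-dev-1", {"remote_access"}),     # authenticate (3)
        Session("alice", "mobile", "mob-dev-1", {"sms_stealer"}),    # deny
    ]
    for s in samples:
        print(f"{s.channel:6} {policy.decide(s).value:12} reasons={policy.reasons(s)}")
```

The design point is the split between the two signal groups: accumulating risk leads to a step-up challenge, but a signal that says the endpoint itself is compromised skips the challenge entirely, since an OTP or biometric presented from that device can be relayed or replayed by the malware, which is the trust failure the slides describe.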

Slide 55: Q&A

Slide 56

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY