Authentication and Online Trust Summit 2007 Presentations

A number of presentations from the Authentication and Online Trust Summit are now available online.

Here is the agenda and the links to the available presentations. Day 1, Day 2

Below I listed a couple of the most relevant presentations relating to authentication and anti-phishing:

“E-commerce and Online Banking Fraud Issues, Challenges & Solutions”
Karim Noorali, Sr. Product Manager, eBay
Victor Talamo, VP & Director Risk Management, JPMorganChase
Marcelo Camara, Banco Bradesco, Febraban – Brazilian Banking Organization

“How to Fry A Phish & protect your brand domain & infrastructure – Evolving technologies and countermeasures. “
Laura Mather, Ph.D. Senior Scientist, Mark Monitor
Jens Hinrichsen, Product Marketing Manager, RSA
Rod Rasmussen, Director of Operations, Internet Identity

Brandhijacking on the rise

MarkMonitor did a four-week study on cybersquatting (in which illicit sites usurp popular trademarks – false association with a particular brand). They monitored the online content referring to the top 25 brands, which amounted to about 134 million public Web records. They registered 286,000 examples of cybersquatting directed towards these brands.

In terms of phishing activity, they noted a 104% rise during the month of Mach from the same month in 2006. 229 brand name companies were targeted in those attacks.

Statistics: 41% of all phishing attacks are targeting financial institutions in Q1 2007. “The latest quarter was the first time banks had outpaced online auctions such as eBay Inc. as targets. Auctions suffered 36% of phishing attacks.”

(Full article here)

Keyloggers exploit Google AdWords

“Google has removed paid links that advertised seemingly legitimate Web sites but actually tried to install nefarious programs on PCs.

The links were displayed as “sponsored links” after visitors entered specific queries into Google’s search service. Clicking the links would ultimately go to a legitimate site, but by way of another site that attempted a “drive-by installation” of password-stealing software. Miscreants placed the links using Google’s AdWords service for advertisers.”

(Full article here)

The Sound of Phishing – Call Forwarding

Phishers stated to use an new technique – routing a person’s incoming phone calls to a number controlled by the attackers (full article here).

“Victims are told to confirm their phone number with their bank by dialing *72 followed by a series of numbers. In the US, the sequence will cause most phones to forward all incoming calls. Once completed, the victim hears a message saying the confirmation has been successful.

The call-forwarding ruse is included in a more traditional phishing email that attempts to dupe victims into divulging credit card information and personal identification details. Successful phishing attempts allow the attackers to use the victim’s credit card, then provide the victim’s identification credentials in the event a banking representative calls to confirm the transaction.”

Call for harsher punishments for phishers

“A White House task force led by Attorney General Alberto Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras on Monday urged Congress to enact a variety of new laws designed to punish identity fraud, even though it is already illegal.

The new national strategy, which spans two volumes and 190 pages, calls for rewriting existing criminal laws to penalize use of malicious spyware and keyloggers, to expand mandatory minimum prison sentences for certain levels of electronic data theft, and to allow identity theft victims to receive monetary compensation not only for their direct financial losses, but also for the time they spent piecing their lives back together. “

Full article here

Two-factor system compromised – hijacking OTPs

ABN Amro was just hit with a phishing attack similar to the one at Citibank in July of 2006. The Register (full article here) reports:

“Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer’s account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer’s money.

Security experts have warned that such “man in the middle” attacks cannot be prevented by security tokens.”

Chip-and-pin for online banking? Size matters!

Barclays bank seems to think that if chip-and-pin good enough for retail business, it’s good enough for online business. They are sending Pinsentry machines to 500,000 customers – machines that look like calculators and read chip-and-pin cards – generating one-time-passwords (OTPs). (Full article here)

So, here is the current multi-layered approach at Barclays:

• Debit Card (2nd factor)
• PIN number (1st factor)
• Pinsentry device (second 2nd factor)
• 8-digit one time password generated by the machine

Is this really a good design? The logistical support for this kind of system must be insane. How much does it cost to manage this operation? How long will the batteries last in those readers? Can I have one for my home and one for my office?

Besides, haven’t those guys heard of the Citibank phishing attack on their 2nd factor. Just look at this article in the Washington Post Blog.

Last year Bruce Schneier commented on Shell suspending Chip & Pin payments at their gas stations after losing £1m when fraudsters inserted little devices into the readers, which copied the cards’ magnetic strips and recorded customers’ pin numbers. Also, another article on hacking chip & pin here.

So, Chip & Pin is not safe, and hardware OTP systems are also vulnerable and costly. Why keep implementing these? Marketing perhaps? I am sure lots of people will feel better by having a bigger authentication device in their hands . . . size matters . Isn’t that the same argument that the MIT/Harvard study said about BofA implementation – “Sometimes the appearance of security is more important than security itself.”

Donuts for passwords?

About a year ago some office workers were offered $3 Starbucks cards in exchange for their passwords. 85% of people would rather have more coffee than online security.

A recent attempt to do a similar test in the UK showed that people will happily trade their passwords for chocolate bars. (Full article here). “Researchers asked commuters (in London) if they knew what the most common password was and then asked them to reveal their own. About 40 per cent of commuters revealed their computer password straight away, with a further 22 per cent giving up details with a little further probing from the female researchers.”

What next? There is a great need to find out which foods are most relevant to getting people’s passwords. Don’t we all want to know how many donuts it takes to get the admin’s password? Cokes? Burgers, Fries?

WoW – It’s a Cursor

The players of Word of Warcraft now have to fear a different kind of threats – still in the virtual world, yet one that has real-word consequences. Hackers are exploiting the cursor flaw (how Windows handles animated cursors) in order to gain login credentials for WoW player accounts. “Malicious software showed that it lay dormant on a victims machine until they ran World of Warcraft (WoW) at which point it captured login data and sent it to the hacking group.”

In terms of real cash value of these hijacked accounts: “Research … suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data. One card can be sold for up to $6 (£3), but a WoW account will be worth at least $10. An account that has several high level characters associated with it could be worth far more as the gold and rare items can be sold for real cash.

Full article here

Internet Explorer – Trojan download

Here is another type of phishing messages. The email offers you to download the latest version of Internet Explorer. What you end up downloading is an “am.exe” file which in fact is a trojan virus.

Read the security warning on the MX Lab web site.