By Wolfgang Kandek, CTO, Qualys, Inc.
Online banking has become the default way for us to conduct our money transactions, in business as well as in our private life. It combines two important characteristics: it is more convenient and faster for the customer and it is cheaper for the provider. This combination makes it very attractive for both parties, and explains its popularity.
But legitimate users are not the only group interested in online banking. Cybercriminals are also attentive to new developments in areas they can take advantage of, so it should be no surprise that online banking has seen an increasing volume of successful attacks. Companies lose millions of Euros each year, and the banks have worked to combat this growing tendency by improving their security infrastructure around online banking. For example, they have added mechanisms that analyze money flow and react to new and strange patterns on the server side. At the same time, they have worked on the client interface and have come out with new mechanisms to assure the identity of the person logged in and the integrity of the transactions themselves. You have probably seen a number of these mechanisms labeled as 2FA, TAN numbers, mTAN, chipTAN, etc. But cybercriminals are hard to stop once they have identified an opportunity as large as online banking. They have continuously improved their tools to make sure they have the technical capabilities to counter each of these mechanisms. So today we are in an escalating action/reaction conflict between banks and cybercriminals, with the banks facing two contradictory tasks: first, secure the transaction, which implies a maximum of controls and checks; and second, offer ease of use, which means they cannot be too intrusive in their attempts to affirm identity and integrity.
In my role as CTO for Qualys I have interacted with numerous security professionals and IT administrators at companies that are working on improving their online banking security. It is clear that the endpoints used for online banking are high value targets. The users of these endpoints can be enumerated through Xing, LinkedIn and other professional networks, which exposes them to phishing attacks. Fortunately we as IT administrators can do a number of things to stay ahead and not become a victim of the struggle. The most important item is to make sure that the computing equipment we are using cannot be taken over by the cybercriminals. There are a number of technical options for your company to secure the endpoints that participate in online banking. I will list them from least secure to most secure:
- A Windows PC, also in use for normal office tasks
Windows is by far the most popular operating system for desktops and laptops and is used widely for e-mail, web browsing and document editing. Unfortunately it is also the most popular operating system to attack, exposed to phishing attacks that come in through your business and private e-mail and “watering hole” attacks that take advantage of your browsing habits. Every month Microsoft and other software vendors such as Adobe (Adobe Reader and Adobe Flash) release updates to their software that address the critical vulnerabilities sought after by cybercriminals. But even in cases where the IT department keeps the Windows PCs fully patched and an updated security suite installed, we have seen that cybercriminals are able to get access and infect these PCs with malware capable of logging your usernames and passwords and intercepting and redirecting 2FA and TAN requests. The cybercriminals use so-called “0-day” vulnerabilities both in Windows and in installed application software. 0-day vulnerabilities are unknown to Microsoft and common security vendors and often stay that way for months while cybercriminals use them in their attack campaigns. With our current technology in the PC area, 0-days are extremely difficult to defend against. If you have to use a normal office PC for your online banking you can improve the situation somewhat by using a browser other than Internet Explorer for the banking transactions. By using a different browser you can escape the small part of the infections that focus on Microsoft’s Internet Explorer. I would suggest the Google Chrome browser as a robust alternative. In the past few years it has been the most resilient in cyber competitions that focus on browser exploitation. But even with Google Chrome I cannot recommend banking on a Windows machine that is used for normal office tasks.
- PCs running other operating systems
PCs running operating systems such as Mac OS X and Linux are less likely to be attacked than their Windows cousins. Both operating systems have their own critical vulnerabilities, for example the recent critical “Shellshock” vulnerability that affected Linux in a way that was quite easy to exploit. Nevertheless we have not seen as much focus on these operating systems by the cybercriminals. Exploitation toolkits that are available on the black market are typically targeted only at the Windows operating system. A PC running an operating system other than Windows is a decent choice for your banking needs.
- A Windows PC, that is used solely for banking
A dedicated Windows machine is a good option that is very resistant to attacks by cybercriminals. By keeping the machine updated with patches and security software and maintaining the discipline of not using it for any other tasks, you reduce the number of possible attacks significantly. The remaining attack vectors are then other infected machines on your network. There the most critical issue is stolen admin credentials, which need to be controlled by configuring different credentials for each machine. A dedicated Windows PC is a good choice for your banking needs. By the way, that is not only my opinion: European and US banking authorities have repeatedly suggested using a dedicated banking PC as well.
- Mobile platforms, tablets and smartphones
Tablets and smartphones run on operating systems that are a generation younger and better than your normal PC. These operating systems were designed taking into account the experience with general purpose operating systems such as Windows, Mac OS X and Linux. With general purpose operating systems we do not know the exact use that customers will make of the system and we have to allow for maximum flexibility. Attackers typically abuse this power and flexibility, and that got us into the situation we are in today, where we are retrofitting operating systems with security programs such as automatic updaters, integrity checkers and intrusion detection systems. Tablet and smartphone operating systems are purpose-written starting with strong security: think back to the initial versions of Apple’s iPhone/iOS combo, which had such strong separation between applications that cut and paste was not allowed. While some of these limitations have been relaxed over time, the strong security posture continues to be in force and infection numbers in the mobile area are at least two orders of magnitude smaller than in the PC area. On Apple’s iPads and iPhones, infections are virtually unheard of. A tablet is a very good choice for your banking needs.
- Chromebase and similar
In its quest to make the browser the universal client side application, Google has come out with a new operating system called ChromeOS. ChromeOS is in essence the Chrome browser plus the minimum number of capabilities necessary to run the browser, such as networking and user management. That makes ChromeOS more limited in its facilities than even a mobile OS. A number of hardware vendors have licensed the new operating system and have come out with computers that run ChromeOS: laptops (so-called Chromebooks) and desktops (Chromebox and Chromebase). These machines can be much less powerful than your average PC, resulting in long battery life and a low price. They boot up in seconds and are always kept updated by using the same tried and true continuous auto update mechanism as the Chrome browser itself. So far security researchers have been unable to break into ChromeOS machines, even though the reward offered was quite significant, reaching the US$ 100,000 range. A Chromebase/book/box is an excellent choice for your banking needs. (Full disclosure: I have been using a Chromebase for my personal banking for almost one year now, and while my credit card has been renewed twice in that time I still feel safe in my choice of platform.)
There you have it, my personal ranking for online banking. I am sure there are other options that I have not covered that might be attractive from a security perspective. I have deliberately excluded running PCs off a LiveCD. While it is an excellent way to guarantee the integrity of the operating system, because it is loaded from a read-only medium (a CD or DVD), I think it is impractical for most users to go through the rather slow process that most LiveCDs require. Your mileage may vary, but I believe it to be too cumbersome for most users.
I believe online banking is a great opportunity to implement security measures adapted to the data usage of the user. Usually it is challenging for IT administrators to judge how much business critical data an end user has access to, but in this case both the users and the loss potential are pretty clear cut. IT administrators can improve the security of their company’s online banking by implementing any of the options listed above, except for the use of a normal Windows PC. But securing the client is only one of the components of your banking transactions. It makes sense to talk to your end users about securing the configuration on the banking application side. If the bank offers 2-factor authentication (2FA) it should be activated. I favor dedicated devices for 2FA, so I give preference to chipTAN over mTAN, as the possibility of an attacker manipulating the transaction becomes much smaller with a dedicated device. Similarly it makes sense to activate notification options for important transactions. Here I favor SMS notifications over e-mail, simply because SMS tends to have a much higher attention rate than e-mail. Encryption is important to protect your company’s data and transactions in transit, so when your end users are logging into your bank’s website, train them to look for an encrypted connection from the very beginning. This means that the page where they type in the credential information, such as account number and/or password, should already be encrypted. They should verify that they see the green lock in the browser’s URL bar and that the URL matches the name of the bank site that they wanted to contact. They should not accept any exceptions on the certificate that identifies the bank’s site, which assures that they are actually interacting with the site they wanted to contact.
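As an added illustration of the client-side checks just described (example code, not from the original article), the following Python function encodes the rule that the page taking the credentials must be served over HTTPS and its host must be exactly the bank's host, and builds a TLS client context that allows no certificate exceptions; it goes slightly beyond the text by also rejecting lookalike hosts, user-info tricks in the URL and non-ASCII host names. The host name online.example-bank.test is a constructed placeholder.

```python
import ssl
from urllib.parse import urlsplit

# Constructed placeholder: the exact host on which the bank serves its login page.
EXPECTED_BANK_HOST = "online.example-bank.test"


def strict_tls_context() -> ssl.SSLContext:
    """Client TLS context that allows no certificate exceptions: the chain must
    validate against the system trust store and the certificate must match the
    host name. Assumption: the bank supports TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def login_url_is_acceptable(url: str, expected_host: str = EXPECTED_BANK_HOST) -> bool:
    """True only if the page that takes the credentials is itself served over
    HTTPS and its host is exactly the bank's host. Rejects plain http, lookalike
    hosts such as 'online.example-bank.test.evil.test', user-info tricks such as
    'https://online.example-bank.test@evil.test/', homoglyph hosts and odd ports."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # credentials must be encrypted from the very first page
    if parts.username is not None or parts.password is not None:
        return False  # the bank name shown before '@' is not the real host
    host = parts.hostname  # lower-cased, user-info and port already stripped
    if host is None or not host.isascii():
        return False  # non-ASCII hosts can visually mimic the bank's name
    if host != expected_host.lower():
        return False  # prefix or suffix lookalikes fail an exact comparison
    try:
        port = parts.port
    except ValueError:
        return False  # malformed port in the URL
    return port in (None, 443)
```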
Again, the ranking is subjective and your business situation may well be more constrained. If your opinion differs, please let me know what you are thinking, either here in the comments, on Twitter @wkandek or by emailing me at firstname.lastname@example.org.