8/2/2019 Banking Security Magazine 2 20112
Check out our website and subscribe to the Data Center magazine newsletter!
Visit: http://datacentermag.com/newsletter/
Want to have all the issues of Data Center magazine? Need to keep up with the latest IT news? Think you've got what it takes to cooperate with our team?
Dear Readers,

The newest issue of Banking Security Magazine has been released. This time our magazine is added as a bonus to Hakin9. However, for this issue our authors have prepared even more interesting content and topics than previously. I am sure that all of you, dear Readers, will find something that will attract your attention.

The main article in this issue is "Analyzing the Biggest Bank Robbery in History", written by Pete Herzog. Most of you know the movie Ocean's Eleven, which was based on that robbery. The author analyzes and presents how open source security testing can help to prevent such a theft.

In this issue you will also find articles about network security, online banking fraud and a topic that should be of interest to users of the iPhone. In "(In)security of Using iPhone Financial Applications" the author tries to assess how secure it is to use your mobile for banking applications and what threats await unwary users of mobile financial software.

I hope that the content of this issue will meet your expectations, and that you will spend some good time with the articles published in Banking Security Magazine.

Enjoy your reading,

Grzegorz Tabaka
& Banking Magazine Team
Managing: Grzegorz [email protected]
Senior Consultant/Publisher: Paweł Marciniak
Editor in Chief: Ewa Dudzic
Art Director: Marcin Ziółkowski
DTP: Marcin Ziółkowski, Graphics & Design Studio, www.gdstudio.pl
Production Director: Andrzej [email protected]
Marketing Director: Grzegorz [email protected]
Proofreaders: Donald Iverson, Michael Munt, Elliott Bujan, Flemming Laugaard
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.bankingmag.net

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by Mathematical formulas created by Design Science MathType.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Contents, issue 02/2011

5   Applying ISO/IEC 27001:2005 to a Banking Institution (Florencio Cano Gabarda)
7   Secure Web Filtering (Steve Jenkins)
10  Social Engineering in the Banking Sector (David Montero Abujas)
13  Insecurity of Financial Applications on iPhone (Mrityunjay Gautam)
17  Analyzing the Biggest Bank Robbery in History (Pete Herzog)
23  Data Sharing Between Banks for Better Risk Assessment under the Basel II Framework (Yuval Shalheveth)
26  Online Banking Fraud (Max Dermann)
30  Secure Website Development & Design (Sebastian Zuber & Torsten Adler)
35  The Growing Pitfalls of Remote Account Opening (Bob Lyddon)
40  Henderson Global Investors (Henderson Global Investors)
Applying ISO/IEC 27001:2005 to a Banking Institution
What is an ISMS? What is ISO 27001?

ISMS stands for Information Security Management System. ISO/IEC 27001:2005 (also known as ISO 27001) is an international standard that defines the requirements for an ISMS. If your organization implements an ISMS that covers the ISO 27001 requirements, it can get certified by being audited by an accredited certification body. This certification aims to demonstrate to interested parties that your organization implements rigorous controls to mitigate the risks to information security in your business.
ISO 27001 history

ISO 27001 is a young standard compared with other ISO standards. In 1992, the UK Department of Trade and Industry (DTI) published a Code of Practice for Information Security, which BSI amended and republished three years later as BS7799. In 1999 the first certification schemes appeared, and LRQA and BSI became the first accredited certification bodies. In 2000, ISO converted BS7799 by a fast-track procedure into ISO/IEC 17799:2000.

It is important to note that BS7799, and thus ISO/IEC 17799:2000, was a code of practice: a catalogue of best-practice controls, not a certifiable set of requirements. The certifiable ISMS specification is BS7799-2; its 2002 revision was closely aligned with ISO 9000 and the plan-do-check-act model. In 2005, ISO/IEC 27001:2005 was published and BS7799-2 was withdrawn. ISO 27001 aligns with ISO 17799 (renumbered ISO/IEC 27002 in 2007) and is compatible with ISO 9001 and ISO 14001.
The banking institution case

Banks are huge organizations that process very valuable information. Managing information security is a big deal, and in fact financial institutions spend a lot of money on it. According to Deloitte's 2010 Financial Services Global Security Study, the sector is investing primarily in identity and access management tools and in data loss prevention. All of these security requirements appear in ISO 27001 as security controls. The main benefit of ISO 27001 is that it does not allow security tasks to be run as independent efforts: it obliges the certified company to have a security strategy based on controlling known risks.
Implementing ISO 27001

Defining the objectives and scope

The first step in implementing an ISMS in an organization is defining objectives. Objectives should be SMART: specific, measurable, attainable, relevant and timely. The objectives will guide the implementation so that it focuses on the important points. As the standard must be maintained and continual improvement is a fundamental requirement, it is important that the company and its employees notice the improvement. Accomplishing objectives is a good motivation driver for all interested parties.

When the objectives are defined, documented and approved, the company should start thinking about the ISMS scope. After good objective definition work has been completed, the selection of the scope for the ISMS will be easier. The ISMS scope is a set of processes and locations. Public ISMS scopes can be found at http://www.iso27001certificates.com/Taxonomy/ScopeResults.asp.

All the information assets that support these processes in these locations will be affected by the ISMS policies and procedures. A smaller scope helps to implement the ISMS by reducing the quantity of work needed, but it is important to remember that:
- If an information asset is outside the scope, the information flow between this asset and an asset inside the scope
should be well defined and controlled. Assets outside the scope are treated similarly to external suppliers.
- Processes in the scope should be core processes of the company. If a company tries to implement an ISMS in a scope that is seemingly insignificant, the validity of the scope can be compromised.
When doubts exist about whether a process should be inside the scope, that is usually a sign that it should be.

Determining the scope is not a trivial task and it is a phase that should not be taken lightly, because a lot of extra work will have to be done if we get it wrong.
Risk analysis

Banks are companies that work with the concept of risk in almost all the operations they do. Risk also appears in information security, where it is used to model the probability of something bad happening to our data. One fundamental concept in ISO 27001 is that risks must be identified through a risk analysis and then treated: mitigated, avoided, transferred or accepted by management.

Risks can be mitigated or reduced by applying security controls from ISO 27001 Annex A or elsewhere. Risks can also be transferred; a company can transfer a risk associated with a process by outsourcing the process, for example. When you transfer a risk, the risk never disappears: it is replaced by, and combined with, the risks of controlling the supplier. Usually the only way to avoid a risk is to avoid the process or information asset that carries it. In the end there will still be residual risks that management can choose to accept.
Risk analysis methodologies

A multitude of risk analysis methodologies already exist, but ISO 27001 does not require using any of them. A bank can adapt its own methodology to the ISO 27001 requirements and use it to assess the risks to its information assets. Two very important risk analysis methodologies are Magerit and OCTAVE.
Change management

Change management is fundamental in the banking industry. It is a concept not very developed in ISO 27001 compared to other standards, but it is still very important. In ISO 27001 change management appears in control A.10.1.2, Change Management, which says that changes to information processing facilities and systems shall be controlled.

One way to control changes in an organization is by defining and implementing the concepts of a configuration baseline and the request for change. The configuration baseline is the initial, approved state of the configuration of an organization asset that is under change control. From this point, any change to the asset configuration must be proposed through a request for change, which must be analyzed and approved by a designated responsible entity before it is carried out. The change is then made and the configuration baseline is updated.
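The baseline / request-for-change cycle described above, as an added Python example (this is not code from the article or from the ISO standard). Assets are modelled as key/value configuration dictionaries, and the firewall settings, asset name and RFC number are constructed for illustration. It shows the two checks a practitioner wants from the procedure: an RFC cannot be applied before approval, and any observed state that differs from the approved baseline is surfaced as unauthorised drift.

```python
"""Configuration baseline with request-for-change control (added example)."""
import hashlib
import json
from dataclasses import dataclass, field


def fingerprint(config: dict) -> str:
    """Stable SHA-256 over a canonical JSON encoding of a configuration."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class ChangeRequest:
    rfc_id: str
    asset: str
    new_config: dict
    approved: bool = False


@dataclass
class Baseline:
    """Approved configuration of every asset under change control."""
    configs: dict = field(default_factory=dict)   # asset -> approved config
    requests: dict = field(default_factory=dict)  # rfc_id -> ChangeRequest

    def record(self, asset: str, config: dict) -> str:
        """Put an asset under change control; returns its baseline fingerprint."""
        self.configs[asset] = dict(config)
        return fingerprint(config)

    def propose(self, rfc_id: str, asset: str, new_config: dict) -> ChangeRequest:
        if asset not in self.configs:
            raise KeyError(f"{asset} is not under change control")
        rfc = ChangeRequest(rfc_id, asset, dict(new_config))
        self.requests[rfc_id] = rfc
        return rfc

    def approve(self, rfc_id: str) -> None:
        """Stands in for the designated responsible entity's sign-off."""
        self.requests[rfc_id].approved = True

    def apply(self, rfc_id: str) -> str:
        """Update the baseline only for an approved RFC; returns the new fingerprint."""
        rfc = self.requests[rfc_id]
        if not rfc.approved:
            raise PermissionError(f"{rfc_id} has not been approved")
        self.configs[rfc.asset] = dict(rfc.new_config)
        return fingerprint(rfc.new_config)

    def drift(self, asset: str, observed: dict) -> list:
        """Keys whose observed value differs from the approved baseline.
        A non-empty result is an unauthorised change (or a change applied
        before its RFC was approved) and must be investigated."""
        approved = self.configs[asset]
        keys = set(approved) | set(observed)
        return sorted(k for k in keys if approved.get(k) != observed.get(k))


# Constructed sample: a hypothetical branch-office firewall export.
FW_BASELINE = {"default_policy": "deny", "ssh_from": "10.0.0.0/8", "ntp": "on"}
FW_OBSERVED = {"default_policy": "deny", "ssh_from": "0.0.0.0/0", "ntp": "on"}


def demo() -> dict:
    bl = Baseline()
    bl.record("branch-fw-01", FW_BASELINE)
    unauthorised = bl.drift("branch-fw-01", FW_OBSERVED)  # ssh opened to the world, no RFC
    bl.propose("RFC-0042", "branch-fw-01", {**FW_BASELINE, "ntp": "off"})
    try:
        bl.apply("RFC-0042")          # must fail: not yet approved
        applied_early = True
    except PermissionError:
        applied_early = False
    bl.approve("RFC-0042")
    new_fp = bl.apply("RFC-0042")     # baseline updated after approval
    return {
        "unauthorised": unauthorised,
        "applied_early": applied_early,
        "new_fp": new_fp,
        "clean_after": bl.drift("branch-fw-01", {**FW_BASELINE, "ntp": "off"}),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the `observed` dictionary comes from a periodic export of the live device and the fingerprint is what gets stored in the change record, so an auditor can tie every baseline version to the RFC that produced it.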
Having an established change procedure is essential in any bank. Being an industry very accustomed to formal procedures helps in the ISO 27001 implementation. The main focus should then be on adapting and integrating the currently established procedures into ISO 27001, and improving them where possible.
Business continuity

When talking about the banking industry, business continuity is a major preoccupation. In ISO 27001 the business continuity requirements are defined by the controls of Annex A domain A.14, Business Continuity Management. In addition, the banking industry is subject to numerous laws that impose business continuity requirements.

Legal compliance

Legislation is different in each country, and the team that is going to implement ISO 27001 in a bank must know that without compliance with the applicable laws (Annex A domain A.15, Compliance) the ISO 27001 certificate cannot be issued.
Conclusions

Implementing ISO 27001 in an organization is always a huge task, and a bank is no exception. There are, however, a number of factors that facilitate the implementation in such companies: the business is already heavily regulated and procedural, and by its very nature every bank can be expected to have implemented many of the ISO 27001 requirements already, because they are obvious to anyone worried about security. The main work should be to adapt, integrate and improve the already established procedures and security controls so that they are aligned with the ISO 27001 requirements.
Florencio Cano Gabarda

I studied Computer Engineering at the Polytechnic University of Valencia (Spain). I specialized in operating systems and networking, later focusing on computer security. I created the startup SEINHE, where we offer security consulting and auditing.
References

- BankInfoSecurity, http://www.bankinfosecurity.com/
- Google Groups: ISO27001security group
- ISO27001Security, http://www.iso27001security.com/
- Google Groups: Seguridad de la información group
- SC Magazine, http://www.scmagazineuk.com/financial-institutions-increase-security-spending-as-threats-and-regulatory-penalties-rise/article/171986/
Secure Web Filtering

The web is a scary place. The best thing about the web and the worst thing about the web amount to the same thing: you can find anything on the web. Movies, pictures, Christmas shopping, software, games, friends: it's all there. So also are computer viruses, pornography, con artists, casinos, militant radicals and hate groups. Most of the web is open access: there are no doors, no warnings, no clearly marked safe areas. Children and adults alike can find themselves in unintended places, looking at content that is offensive, time-wasting, fraudulent or dangerous.
Enter the software intended to create order out of the chaos by cataloging the web and providing control over access to web sites based on their category. Schools have adopted the technology to keep students from downloading pirated music and viewing mature content. Businesses have adopted the technology to reduce the amount of time employees waste playing games and watching movies, and to reduce liability from lawsuits by employees exposed to offensive web pages or by copyright holders whose unlicensed material was downloaded to a company computer.

Web filtering has become a massive undertaking as the web has exploded into billions of web pages. With the popularity of Web 2.0, many of those pages are updated continuously by users around the world. YouTube hosts videos that can be posted by anyone; Wikipedia hosts articles and images that can be added or edited by anyone; Facebook, Bebo, Blogspot, Flickr, Geocities and hundreds of thousands of other sites are similarly driven by a constant influx of unmoderated, user-submitted content.

Adding to this explosion is the shift to the web as the predominant method of distributing malicious software (malware) such as computer viruses to innocent web surfers. The volume of malware found on the web has exploded while the methods used to infect users' computers have become more devious. At the same time there has been an explosion of websites, dubbed phishing sites, designed to trick users into entering passwords, bank account numbers, credit card numbers and other personal information.

The result is that the web is an even scarier place and the job of web filters is more difficult than ever before, with few web filters able to adequately keep up with these new challenges. This white paper addresses what it takes to be a secure web filter and to meet the challenges of the modern web environment.
Secure Web Filtering vs. Classic Web Filtering and Anti-Virus

Classic web filtering is mainly effective at blocking websites dedicated to social networking, pornography, gambling, etc. Secure web filtering is effective at identifying and blocking those same areas, but with an added emphasis on blocking sites that host malware, phishing, exploits or anything that risks the security of company information. Another distinction is that classic web filtering will take a site like Facebook or Wikipedia and give the entire site one category, whereas secure web filtering will examine every page of the site and separately categorize pages that differ from the rest of the site, such as pages that host malware or nude pictures.

It has been common over the last several years for companies to use classic web filtering in combination with anti-virus programs. The anti-virus programs are relied on to detect malicious web pages and block malicious downloads, but in practice even the best anti-virus software has several hours of lag between when a virus is first seen in the wild and when the anti-virus company deploys signatures. This window of time, when protection is lacking, is the window virus writers try to exploit.
These days it is common to see thousands of new virus variants in a day, with numerous variants being posted to the same distribution point. The virus writer preps a number of variants not caught by top AV scanners, and then deploys them one at a time as protection comes online for each variant. However, once the distribution point for the series of variants is detected, access can be blocked regardless of the changing payload. In other words, secure web filtering, if done right, bridges the gap between virus release and anti-virus protection.

This new environment means that security best practices need to evolve to match the evolution of threats. Without good secure web filtering, computers are constantly at risk. Secure web filters are now required components in best-practice security deployments, along with anti-virus, intrusion prevention, firewalls, log monitoring and other well-established products.
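The variant-rotation pattern described above, turned into detection logic as an added Python example (not code from the article or from any filtering vendor). It replays a constructed web-proxy download log: the host names, client addresses, hashes and the set of hashes the hypothetical anti-virus vendor already knows are all invented for the example. The point it demonstrates is that once a single URL has served several distinct binaries in a short window, the host is treated as a distribution point and later downloads from it are blocked even when the newest variant has no signature yet.

```python
"""Blocking a malware distribution point regardless of payload variant (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, one download per line: "<epoch> <client> <url> <sha256 prefix>".
SAMPLE_LOG = """\
1301000000 10.1.1.5 http://cdn-update.example/dl/flash_update.exe aaaa1111
1301000300 10.1.1.9 http://cdn-update.example/dl/flash_update.exe bbbb2222
1301000600 10.1.1.7 http://cdn-update.example/dl/flash_update.exe cccc3333
1301000900 10.1.1.5 http://cdn-update.example/dl/flash_update.exe dddd4444
1301001200 10.1.1.2 http://downloads.vendor.example/setup.exe 9999ffff
1301001500 10.1.1.3 http://downloads.vendor.example/setup.exe 9999ffff
"""

# Hashes the (hypothetical) anti-virus vendor already has signatures for.
# The third and fourth variants above are deliberately absent: that is the gap.
AV_KNOWN_BAD = {"aaaa1111", "bbbb2222"}


def parse_log(text):
    """Return (timestamp, client, url, digest) tuples in log order."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, url, digest = line.split()
            records.append((int(ts), client, url, digest))
    return records


class SecureFilter:
    def __init__(self, min_variants=3, window=3600):
        self.min_variants = min_variants   # distinct payloads before a URL is a distribution point
        self.window = window               # seconds over which variants are counted
        self.seen = defaultdict(list)      # url -> [(ts, digest)]
        self.blocked_hosts = set()

    def _observe(self, ts, url, digest):
        """Track payload churn per URL; flag the host once it rotates variants."""
        self.seen[url].append((ts, digest))
        recent = {d for t, d in self.seen[url] if ts - t <= self.window}
        if len(recent) >= self.min_variants:
            self.blocked_hosts.add(urlsplit(url).hostname)

    def decide(self, ts, url, digest):
        """Classify one download: ('block', reason) or ('allow', None).
        Host reputation is consulted before the signature, so the verdict no
        longer depends on the payload once the host is known to be bad."""
        self._observe(ts, url, digest)
        if urlsplit(url).hostname in self.blocked_hosts:
            return ("block", "distribution point")
        if digest in AV_KNOWN_BAD:
            return ("block", "av signature")
        return ("allow", None)


def run(text=SAMPLE_LOG):
    """Replay the log in order; returns (blocked hosts, per-download decisions)."""
    f = SecureFilter()
    decisions = [f.decide(ts, url, digest) for ts, _client, url, digest in parse_log(text)]
    return f.blocked_hosts, decisions


if __name__ == "__main__":
    for host_set, verdicts in [run()]:
        print(host_set)
        for v in verdicts:
            print(v)
```

Thresholds are the tuning knob here: a legitimate software update server also changes the hash at one URL over time, which is why the count is confined to a short window and why, in a real deployment, the flagged host would go to an analyst or a sandbox rather than straight to a global block list.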
Hallmarks of a Secure Web Filter

It is common for web filters to advertise that they provide another layer of security, but it can be difficult to gauge how effective that protection is. As a first measure, consumers should look for the following hallmarks of secure web filtering, without which their web filter cannot truly claim to be secure.

Targeted Categorization

With billions upon billions of web sites in the wild, it is important for a web filter to have the most commonly visited sites categorized. The Active Web is comprised of the web sites that receive the most traffic and are the most requested by Internet users. A secure web filter must have a very high percentage of these Active Web sites categorized, and categorized on a granular scale. A secure web filter must still carry out the functions of the classic web filter, blocking access to inappropriate sites while allowing access to critical sites. With that said, an emphasis on accuracy, particularly as it pertains to the Active Web, is needed to ensure the effectiveness and usability of a web filter in a business environment.
Real-time Categorization

A secure web filter must have real-time or very near real-time updating or it cannot block malicious websites as they come online. The average lifespan of a phishing website is less than twenty-four hours. Many threats, from anonymizing proxies to P2P file sharing nodes, come on and offline that fast or faster. In addition, malware is increasingly using the HTTP protocol to call home to get instructions or send information back to its operator.

To prevent access to these sites, or transfer of information to them, website classification should take place on the fly using dynamic reputation services, heuristics, content and image scanning, as well as other indicators. This is often called auto-classification; the key is making the categorization available in the cloud immediately. This can prevent worms such as Conficker from spreading or inflicting damage by blocking the call-home process of the worm.
Zero-Hour Malicious Site Protection

Malicious sites pop on and offline very rapidly, often hosting malware in multiple variants to ensure they can get past definition-based anti-virus undetected. In many cases the distribution point is the same, or there will be multiple distribution points for the same malware. These sites can contain drive-by threats requiring no user interaction, hidden iframes that download malware to the computer, or any number of other Web 2.0 threats. No longer is just the computer the target; the user and their sensitive personal information is increasingly the primary target.

A secure web filter works by blocking access to these distribution points, preventing access to the site before any malicious software can even be downloaded. To determine what sites should be blocked, web filtering companies must have expert knowledge of malicious code and of the methods used to distribute it throughout the Internet. A web filtering vendor in the Web 2.0 environment can no longer be singly focused on URL categorization; it must also be expert in virus and malware detection.

Classic anti-virus programs or web filtering systems can do little to prevent infection by these zero-hour threats. Using a web filter with real-time categorization can significantly decrease the window of vulnerability to any particular virus. This window of vulnerability is the time between when a virus is released and when your anti-virus program is updated to recognize and block it. This can often take hours or days, whereas a secure web filter can block this traffic very quickly, using cloud-based computing to perform an intensive, in-depth analysis.
Web 2.0 Inspection

The Internet has turned into a very dynamic environment, with each site containing varying types of information including videos, blogs, forums, pictures and other user-contributed information. On almost any blog or social networking page anonymous users can post content. This content is often posted with good intentions; on the other hand it could contain offensive material, links to malware downloads, malicious images or code. These sites need to be scanned regularly, looking for malware and offensive material so that they can be appropriately filtered.

Prior to Web 2.0, a classic web filter would take a site like google.com, call it a search engine and trust the site and any results it returned unconditionally. While this approach may have worked in the past, it is no longer sufficient. Because users are searching on Google, they often assume the results are safe; however, Google searches can also return pornographic images, links to malware downloads and malicious pages. Some worms can even redirect Google search results to their own malicious websites to download even more malware. While a secure web filter will prevent access to these dangerous results, the classic web filter will not. The shift to the web as the predominant method of malware distribution, combined with the current web atmosphere, makes secure web filtering an absolute necessity.
Granular Categorization

As was touched on previously, a Web 2.0 site may have pages with all different types of content. Classic web filters might take a site like www.wikipedia.org and classify the entire site under education. While the majority of the site is inherently
educational, many pages on the site should be categorized differently or have additional categories assigned to them. For example, the Wikipedia page on Naturism (advocating social nudity) contains several nude images which might be considered offensive to some and inappropriate for school-age children. This page requires an additional category, such as nudity, to correctly prevent access to it in a work environment or where young children could view it. Due to the varying content from page to page across a site, many sites can no longer be grouped into one category. Each web page on a site should be inspected and classified based on the content of that page. Granular URL classifications across a variety of categories must be used for specific pages, paths, subdomains and parent domains. This in-depth inspection and granular categorization is required for the Web 2.0 world, and any web filtering company hoping to provide a comprehensive solution must inspect all page content across the entire site.
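The page-, path-, subdomain- and parent-domain-level classification described above, as an added Python example (not code from the article or from any vendor's product). The rule table is constructed for illustration: it uses the Wikipedia/Naturism case from the text plus a hypothetical company domain with a compromised download path, and the set of blocked categories is an assumed business policy. A granular lookup unions every matching rule, so a page inherits its site's category and gains the page-specific one; the classic lookup beside it sees only whole-site rules and lets the Naturism page through.

```python
"""Granular URL categorization versus whole-site categorization (added example)."""
from urllib.parse import urlsplit

# (host, path prefix, categories). A host rule also covers its subdomains;
# an empty path prefix covers every page on that host. Constructed table.
RULES = [
    ("wikipedia.org", "", {"education"}),
    ("en.wikipedia.org", "/wiki/Naturism", {"nudity"}),
    ("facebook.com", "", {"social networking"}),
    ("apps.facebook.com", "/games", {"games"}),
    ("example-corp.com", "", {"business"}),                 # hypothetical company site
    ("dl.example-corp.com", "/tmp/payload", {"malware"}),   # hypothetical compromised path
]

# Categories the (assumed) business policy refuses.
BLOCKED = {"nudity", "malware", "games", "phishing"}


def _split(url):
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def _host_matches(host, rule_host):
    """Exact host or any subdomain of the rule's host."""
    return host == rule_host or host.endswith("." + rule_host)


def _path_matches(path, prefix):
    """The page itself or anything beneath it; '/wiki/Naturismx' must not match."""
    return prefix == "" or path == prefix or path.startswith(prefix.rstrip("/") + "/")


def categorize(url, rules=RULES):
    """Granular: union of all matching rules, most general to most specific."""
    host, path = _split(url)
    cats = set()
    for rule_host, prefix, rule_cats in rules:
        if _host_matches(host, rule_host) and _path_matches(path, prefix):
            cats |= rule_cats
    return cats


def categorize_classic(url, rules=RULES):
    """Classic: only whole-site rules (empty path prefix) are consulted."""
    return categorize(url, [r for r in rules if r[1] == ""])


def decide(url, classifier=categorize, blocked=BLOCKED):
    """('block', [offending categories]) or ('allow', [])."""
    hits = sorted(classifier(url) & blocked)
    return ("block", hits) if hits else ("allow", hits)


if __name__ == "__main__":
    for u in ("https://en.wikipedia.org/wiki/Naturism",
              "https://en.wikipedia.org/wiki/Cryptography",
              "http://dl.example-corp.com/tmp/payload/a.exe"):
        print(u, decide(u), "classic:", decide(u, classifier=categorize_classic))
```

The same structure scales to a real database by replacing the linear scan with a lookup keyed on the host's label suffixes and path segments; what matters for the argument in the text is that the page-level verdict is layered on top of, rather than replaced by, the site-level one.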
Challenges of Secure Web Filtering

Securing the web is more challenging now than ever before. The new dynamic nature of the web, rapid global expansion and constantly evolving technology and threats make for a very demanding undertaking for web filtering companies. Read on to determine how well your web filtering solution is measuring up to some of these challenges.
Size of the Web

At this point, no one knows how many pages or sites the web actually consists of. As recently as last year, Google announced that they had indexed 1 trillion unique URLs, but how many have they not indexed? How many were not unique and led to the same content? How many have been removed or are no longer accessible? It is amazing to think that hundreds of millions of pages are changed and added to the web per day. At the same time, this presents a difficult scenario for companies trying to index or categorize the web.

It's safe to say that under current conditions the entire web will never be fully categorized. The goal of a web filtering company, and the most important part, is to categorize the sites people are actually visiting. This brings back the concept of the Active Web, or the sites people are actually visiting. Sure, there may be millions of dormant sites available on the Internet; but if no one has visited these sites in 10 years, and there is no security threat, how important is it to have them categorized? It is the sites people are actually browsing to that are important. To address the challenge, a web filtering company must focus its coverage on the Active Web and on getting these active sites and pages categorized correctly.
Quality and Freshness

Accuracy is as important as anything else when considering a web filtering solution. With the enormous size of the web, and sites constantly changing as contributions and updates are made to Web 2.0 pages, there is a perpetual struggle to maintain accurate categorizations. What was once a personal web page could be filled with pornographic images the next day. How long would it take to catch the change and block this page? It is easy for a web filtering company to categorize a site, but once that categorization has been assigned, how often is a page revisited?

These are important questions. Rescanning of already categorized web sites is a requirement for web filtering companies and should take place frequently. This is especially true for vendors claiming to provide secure web filtering. If these companies aren't rescanning sites to ensure that they have not been compromised, that they don't host malware, and that they haven't become phishing sites, then they cannot claim to provide secure web filtering.
Language

As the web continues to grow and become more accessible to various regions throughout the world, the percentage of non-English sites continues to rise. This will be a continuing trend and is an important consideration for web filtering companies and consumers. Disregarding these sites is no longer an option and has left many vendors scrambling to find solutions to this challenge. Companies are now required to gain competence in dozens of languages to achieve appropriate coverage of the web. Moreover, these vendors need to integrate these languages into the technologies used to filter and categorize these sites. The resources required for this can be extensive, not only in terms of technology and development time, but also in terms of language experts and web analyst personnel.
Performance

With billions of web sites, constant monitoring, in-depth analysis, malware scanning, language analysis and other considerations, performance becomes a major concern. In the world of high-speed Internet, users are no longer willing to wait for categorizations to be delivered and pages to load. Web filtering vendors are challenged with the proposition of creating a fast and simultaneously secure web.

The performance aspects of web filtering are endless. Cloud-based lookups require datacenters located around the world with large amounts of bandwidth, redundancy and computing power. On-disk database systems require large amounts of space, constant updates and available system resources to perform fast lookups. Hybrid approaches, which are often considered the best solution, require both. At the same time, a secure web filter is expected to stop viruses, malware and other threats. Building the infrastructure and providing a web filtering solution to accomplish this is very demanding and requires innovative capabilities, planning, intellectual property and execution to match the needs of today's users. Few web filtering vendors have been able to rise up and meet this challenge.
Protect Your Network with eSoft

Secure web filtering is an integral security deployment for any business network, large or small. eSoft network appliances with Web ThreatPak provide comprehensive security coverage against the newest web-based threats. For more information on how eSoft can help to secure your network, email and web traffic, visit our website at http://www.esoft.com, or contact our sales team at 888-903-7638.

Steve Jenkins
VP EMEA, Q1 Labs
Social Engineering in the Banking Sector

Any computer attack is usually carried out for one of three motives: ego, ideals and/or money. For ego, the youngest hackers make mistakes while seeking recognition from their peers. For ideals, people carry their actions to the bitter end, defending their political, religious or other causes. For money...
The banking sector is subject to this third type of motivation; it is a sector that has become a target for hackers. At the same time, social engineering, the practice of obtaining confidential information by manipulating legitimate users, has become one of the greatest threats in many quarters, especially the banking sector. The aim of this paper is to lay the foundations of social engineering as applied to the banking sector, the most common attacks and some less common ones, and the means we have to defend ourselves.
Social engineering

Social engineering is a technique that allows an attacker to obtain sensitive and confidential information of an organization by taking advantage of a well-known security maxim: people (users) are the weakest link in the chain.

An organization can invest tens of thousands of dollars in security devices and systems; that investment will be useless if a user or an administrator inadvertently gives their password to an attacker. We do not want to miss this opportunity to recall the principles set out by one of the most renowned social engineers, Kevin Mitnick, to explain the success of this technique:

- We all want to help.
- The first impulse is always to trust the other person.
- We do not like to say no.
- We all like to be praised.

These principles represent a declaration of intent, and also a revelation to any attacker with minimal computer knowledge and social skills.
In relation to the types of social engineering attacks available, attacks by physical and electronic means are the most common. The types of social engineering attack by electronic means are:

- Phone calls. A skilled attacker can persuade the victim to provide usernames, passwords, network names, etc.
- Mass or targeted emails. This is the most frequent way victims fall into a phishing attack or bank fraud.

Additionally, email is also used to introduce some kind of malware into an organization. The combination of physical and electronic attacks against a bank is rare but can cause a great impact on any organization.

Operationally, beyond the principles of Mr. Mitnick, there are two or three additional premises that give a more accurate picture of why these attacks work:

- A sense of humor is essential in social engineering, because it relaxes the user, and this lowers the level of alertness in the victim.
- Gaining the trust of a user is not always a conscious decision made by the victim; usually it is instinctive.
Why does it work in the banking sector?

The banking sector has two features that work in favor of social engineering attacks: trust and delocalization. Financial institutions need to build trust and closeness in dealing with customers more than any other sector, since there is a large amount of financial services available in the marketplace and customers tend to go where they feel safe. If an employee or office manager does not attempt to gain the trust of a client, they are unlikely to retain that client as a customer. It is precisely this confidence, which the worker initially provides, that is the hook for a potential attacker acting as a social engineer. On the other hand, there is a huge geographical delocalization of the various offices that usually make up the network of any bank. This geographic delocalization means that months or years can pass before two workers from two different offices actually meet or talk on the phone.

Obtaining the personal data of a specific employee of a bank can enable a social engineering attack on another office that is geographically far away, based on this delocalization alone. These aspects, combined with the use of electronic banking systems, provide an environment that greatly facilitates social engineering attacks.
Impact
For the banking sector, social engineering attacks should represent the main threat in a formal risk analysis. Although in most cases the targets of the attacks are their customers and the financial losses are theirs, the attacks have a significant impact on the reputation and customer confidence of the financial institution that is successfully breached.

SOCIAL ENGINEERING IN THE BANKING SECTOR
Any computer attack is usually for one of three motives: ego, ideals and/or money. By ego the youngest hackers make mistakes, as well as seeking recognition by their peers. By ideals people carry their actions to the bitter end, defending their political, religious or other reasons. By money...
Measures
The banking industry has implemented various preventive measures to minimize the risk and impact of social engineering attacks. These measures include the establishment of security protocols, digital signatures and, of course, training and awareness. We find particularly relevant the SMS confirmation of bank transfers that has been imposed in certain organizations, which provides an effective defense against phishing attacks. On the other hand, the use of coordinate cards for access to the account or to authenticate operations is widespread among the various banks. The establishment of specialized information security units within organizations in the banking sector has made efforts to centralize the management of risks, but there is still a long way to go, especially in small and medium-sized banks.
Trusted employee attack
After a formal introduction to social engineering attacks, we will look at several very effective social engineering methods with which an attacker can obtain sensitive information that is important for more sophisticated attacks.
We begin with an example of harnessing the trust of unsuspecting employees, although it could also be called the suspicious customer.
A potential customer comes into an office of a financial institution wanting to open a bank account, and is likely to operate a high-usage account. The office manager asks him to bring his documents in physical form, and the customer asks whether they can be submitted electronically, which is easier for him because everything is scanned. Additionally, the customer asks about the electronic security measures of the bank, emphasizing unpleasant past experiences in other financial institutions: credit information theft, phishing, etc. Some bank employees reveal a lot, others less, but all reveal something, because in a proper environment for dialogue everyone wants to win the confidence of potential customers, whether genuine or evil. The evil client then sends the documents to the office director's corporate email and requests an electronic confirmation of reading. This request, which anyone would consider normal to ensure reception, has a hidden purpose: the email headers come back along with information about the ICT infrastructure that accompanies them: email management system, servers, firewall IP addresses, etc. This is another form of fingerprinting, but faster and first-hand.
Additionally, employees of bank branches usually like to explain the bank's internal operations to a customer, such as: look at application X, its rating is bad, we have communication problems with the application... If before this the director or employee of the bank authenticates in front of us, we can obtain a variant of shoulder surfing, and a username and password in an instant.
After a while, and some visits to the same office, tens of thousands of dollars of the bank's investment in computer security systems are bypassed by a trusted employee... and a suspicious customer. We can assure you from experience that this works. The formula to protect against this attack, like other types of social engineering attacks, is the same: two parts of awareness and training.
Phishing attacks
Phishing, or electronic banking fraud, is currently the main concern for banks, since by supplanting the corporate website of a bank the attackers get users to provide their usernames and passwords.
Over recent years several rootkits have appeared with which to create phishing attacks that mimic the interfaces and functionality of electronic banking pages. These rootkits can be obtained via the Internet, for free or for money, but are easily accessible, a problem that leads to the proliferation of such crimes.
Looking briefly at phishing figures, the APWG study for the second quarter of 2010 shows that the sectors hardest hit by phishing are financial and payment services, with 71% of phishing attacks. This gives us a good indicator of where hackers are focusing their efforts. Regarding the geographic distribution of phishing servers, the same study shows that the U.S. accounts for 68.17% of phishing servers worldwide; this does not imply that the computer attackers belong to those countries, but that those servers are the attack platforms. These values are usually quite stable, especially the high percentage associated with the U.S.; the rest of the values tend to fluctuate in and out of European and Asian countries.
A phishing attack does not directly affect the bank but its online banking users, who without their knowledge provide the access codes to their bank account to computer attackers, which are then used to transfer money or buy on the Internet without authorization. Phishing attacks are usually combined with a barrage of spam, because you have to convince thousands of potential users of the bank that something has happened and that they must connect to a web page, which obviously contains the phishing malware.
Experience tells us that the attackers' computer platforms often run their phishing attacks and spam in a unified way, using previously compromised foreign servers. I remember a recent case of a small company in Spain whose owner, who had in turn contracted the Internet line, was charged in dozens of cities across the country, because the company server had been used to mount this kind of platform, committing bank robbery offenses against legitimate users, with the complaints filed in the hometowns of the victims. This case is one of hundreds that occur worldwide each year.
The method that banks have set up to minimize the risks of phishing is the awareness and training of online banking users, through manuals and information documents, to a greater or lesser extent depending on the size of the bank. Therefore, computer attackers do not usually focus on large banks but on small and medium-sized banks, with fewer safeguards and lower levels of awareness among users of electronic banking. On the other hand, coordinate cards or SMS confirmations have been implemented, which minimize the risk when a user of the bank is the victim of a phishing attack.
Organized crime has focused on this type of crime, since it is white collar and the benefits are enormous. In fact, have you heard of Hackerville? Well, maybe not: it is the nickname (a bad choice, because being a hacker is another matter) of a small town in Romania that has gone from motorcycle dealers to luxury and high-powered car dealerships. What is the reason for this change? Internet users who are not aware, and weak security measures in some organizations of the banking and financial sector...
False employee attack
This attack was created by our company based on the circumstances faced by banking institutions: trust and delocalization. The false employee attack is a mixture of social engineering by electronic means and physical means; the basis is to create a false identity for the attacker. It is difficult to mount the full attack, since it depends on obtaining prior information and on technical circumstances, but when these factors come together it is really effective. The first thing to do is to get the email address of the technical service or the internal user support service of the bank, which can be obtained in a couple of visits to any office of the entity, by charlatanism or shoulder surfing. It can also be obtained from any former employee, bank contact or otherwise; the world is not as big as one might think, nor corporate data as secure...
The next step is to play with the mail server of the financial institution: connect to the SMTP service by telnet and manually craft an e-mail sent to the director of the bank office. The origin of the email is the electronic address of the internal technical service, which is a valid address for the mail server, and the body of the message is something like this: Hello, tomorrow we are checking the equipment of your office. As a security measure, please note that the person who will review your equipment is: D. XXXXXXXX.... We have just created a false email aimed at the director of the office, who in 90% of cases does not verify it, since the sender address is the usual one and he has much to do on a day-to-day basis.
The next step is again in the physical environment: the false employee, with the name specified in the mail, presents himself to the director of the office and handles sensitive information and/or copies of documents from the computers, depending on the rights he is given or the USB ports on the computers; information can also be obtained during the first phase of the attack.
The possibilities and variations of this attack are surprising; it is based on exploiting two concepts: the SMTP server's vulnerabilities and the trust that a known email address provides.
We can increase the effectiveness of this attack by selecting an office manager who is confident, which is ascertained by visiting several different offices before deciding on our victim.
Baiting
This is an attack that plays on the curiosity or greed of employees, in the form of a USB memory, CD-ROM or similar device properly labeled with corporate logos and a good hook text such as Confidential: Wages HR 2012 or Personal forecast 2012, but which is actually infected with malware. To be honest, you could even call this a Trojan Horse attack, because the basis is the same. The malware infects the computer once this medium is accessed, and then the attacker can obtain sensitive and confidential information from it. It is an attack that works especially well with employees who often work with laptops, as their security is usually lower than that of desktops.
The defense against this attack goes through the formula of awareness, and complete protection with anti-malware software on each and every piece of information processing equipment of the organization, including laptops.
Facing the harsh reality
Measuring the actual levels of awareness and training within a bank or financial institution in the field of social engineering can lead to real headaches for those responsible for information security, not because of the process but because of its results.
We venture to say, without risk of error, that nine out of ten workers in the banking sector think that social engineering is something else, something far more benevolent than it really is. Security officers not only have to educate users of electronic banking, which is complicated enough in itself, but also the employees of the organization. Therefore the task of bank security officers in minimizing the risks of such attacks is hard, especially because it is very difficult to change user behavior, given the natural resistance to change we all have. But everything becomes more complicated when you have to convince them to maintain minimum levels of alertness when dealing with their own environment.
The reality is harsh in relation to social engineering by electronic means, although much less so in relation to social engineering attacks by physical means. In fact, it is difficult to establish an effective attack rate for the approach of Hi, I am from the Customer Support Center, here to take a look at the computers, we encountered some problems.
The reasons for the lower effectiveness of social engineering attacks by physical means are related to several factors: credibility, eloquence and physical presence.
Advices
The formal management of phishing incidents has become a priority for the banking sector, either by building on the work of companies such as PhishTank or by creating your own record. In the case of creating a record of your own, either individually or collectively, it should be as current as possible with the false phishing addresses affecting the bank, and communicated via a secure channel to electronic banking users. Thus we not only educate, but we can also report what is happening.
This record can be maintained jointly with the various CERTs present in each country. The key to operating this type of registry is the refresh rate, since from the moment an attacker sends a mass mailing until a legitimate user connects to the fake page only a few minutes at most may pass. The peak of the crime occurs between the time the mailing is sent and three hours afterwards.
On the other hand, we must educate and train employees internally, from the first to the last. The creation of a stable security policy on social engineering is an enormous contribution to minimizing the internal risk of attack. This, as part of an Information Security Management System (ISMS) based on ISO/IEC 27001, will allow us to efficiently manage information security within our organization.
Conclusions
Social engineering in the banking sector has become a concern not only because of the potential impact on internal assets, but also because of the impact on users and customers, in terms of economic losses and loss of image. This goes together with a loss of confidence in your environment, something that no bank can afford.
Measures to minimize the risk and impact go through improving the awareness and training of electronic banking users, the creation of various internal policies, and implementing the security controls required in the field of social engineering. Combined with an operating ISMS, this can provide a significant reduction in the company's internal risk.
In relation to security controls, we believe the implementation of coordinate cards for the authentication of electronic banking users, and SMS confirmation of every bank transfer made from the customer's account, to be very effective.
Just remember something we all know: we invest tens of thousands of dollars in our organization on devices, applications, penetration testing or expertise, but with an effective social engineering attack all this investment becomes futile, because social engineering always hits the weakest link in the chain: man.
David Montero Abujas (1976), aka Raistlin, is CISA, CISM and CRISC by ISACA, and holds the only ISMS Lead Auditor degree issued by IRCA in Spain. He is OWASP Andalucia chapter leader and belongs to the ISO subcommittee JTC1/SC27/WG1 of Spain, where he has worked on the editing of ISO 27001, ISO 27007, ISO 27010 and other standards of the ISO 27000 family. In 2006 he founded, and now runs as CEO, Grupo iSoluciones, a group of consulting companies specializing in information security and ethical hacking, with headquarters in Spain and Uruguay, providing services worldwide. He can be contacted at [email protected]
(In)Security of Using Financial Applications on iPhone
2/2011
Needless to say, the store is a very rich source of all kinds of applications. Some of these are utility-based apps and some are games. The Apple store has a significant section called Finance apps, which contains a huge list of applications used for banking, credit card transactions, money transfer and related usage. Some of the applications which I could spot at a quick glance of the Apple store are Western Union, Barclaycard, Bank of Oklahoma Mobile Banking, Citibank SG, Union Bank, Bank of America Mobile Banking, U.S. Bank Mobile Wallet, PayPal, Etrade, Fidelity, ING Direct, J.P. Morgan etc. In this article we will discuss the insecurities of the iPhone and try to assess how secure it is to use a mobile for banking applications.
False Security of iPhone Hardware
When consumers use the iPhone as a device, they do so because of marketing buzzwords like Remote Wipe and Hardware Encryption. These words are mere marketing terms intended to create a false sense of security among consumers. The salesperson will tell you that if your iPhone is lost, you can initiate a remote wipe of the device, hence ensuring that no part of your confidential data is compromised. What they fail to mention is that this can be done only if the SIM card is present inside the iPhone. Think like a thief and tell me: what is the first thing you would do when you steal an iPhone? Yes, you would remove the SIM card and throw it away. And along with that, you successfully bypass the Remote Wipe feature of the iPhone. What is left is just your confidential data, at the mercy of the thief.
Another buzzword was Hardware Encryption (3GS). What does it mean in practice? All it means is that the iPhone hardware ensures that your entire data is encrypted automatically. Someone who is a bit knowledgeable would be able to use any of the standard jailbreaking techniques for the iPhone, which would invoke the hardware chip responsible for encryption to go ahead and decrypt the data by itself before transferring it to the computer. So, even if the data is stored encrypted on the iPhone, when you mirror that image on the computer, it is unencrypted.
Platform Security of iPhone Operating System
While we are discussing the topic of jailbreaking, we must know that jailbreaking of the iPhone happens because there is no encryption or PKI-based protection of the iPhone boot loader. Once the jail is broken, the bunch of security features provided by iOS (iPhone OS) goes for a toss. But before we describe the effect of jailbreaking, let us take a look at some of the security features that iOS provides.
(In)Security of Using Financial Applications on iPhone
Do you have an iPhone? This is a very small question which has a much deeper connotation. Today, the iPhone is slowly becoming a requirement of the youth as well as corporate professionals. This device bearing an Apple logo is a status symbol in developing nations. With the iPhone comes a variety of apps which are provided by the Apple Store.

1. Application Sandboxing
The idea of a sandbox is to jail any process in a folder so that it is unable to access any resources on the file system beyond those folders. If you are a Linux user, you may want to revisit your chroot command, which is typically used to jail a process. Similarly, there is a concept of sandboxing in web servers, where a securely written web server ensures that web requests are unable to get out of the webroot and touch other parts of the file system. iOS provides application sandboxing, which means that there is a secure folder created separately for each application on the iPhone. This folder contains files which are specific to this application, including the temporary files. No application would be able to access the files in the sandbox of any other application. For example, the browser cache of Safari installed on the iPhone would not be able to access the files created by the Banking Application; hence, ensuring the data which you stored while using the banking app is safe from unauthorized access. The only way to access the files created by another application is to explicitly create a link between the two apps in the code itself.
2. Restricted Bluetooth Connectivity
A big way of data loss is through Bluetooth connectivity, where any paired device is able to share files over Bluetooth. The Bluetooth configuration of the iPhone restricts it from pairing with any device other than a second iOS-based device. Hence, an iPhone can pair with an iPad but not with your Lenovo-based Bluetooth machine. Moreover, pairing requires manual intervention, where a randomly generated 6-digit code has to be entered on the other device for successful pairing. Even after pairing, we are only allowed to push files through some specialized application, because direct access to files is not possible, as discussed in the next part.
3. No Access to FS
The iPhone, or rather any iOS-based device like the iPad, does not allow direct access to the file system if the device is not jailbroken. The underlying file system is HFS, but it is completely shielded from direct user access. Even a browser application like Safari does not have any menu option like Save which could initiate a file system browse. Hence, this is an additional step to ensure that the Application Sandbox is not invaded.
Looking at just the security features discussed above, the device seems very reassuring for handling financial applications securely. Now, here is where it fails.
iPhone Security Flaws
1. 3GS Security Broken
The famed 3GS security, which claims hardware encryption and hence implies that the device is ready to handle confidential information related to your finances as well as your corporate emails and documents, is actually broken. If iTunes is used to back up the device to a machine, the entire encryption can be bypassed and we can get an unencrypted copy of the disk data. Additionally, when the device is booting up, it is forced to decrypt the disk for a successful boot operation. This is a time when an attacker with the correct set of tools can extract the entire data from the disk.
2. Files Deleted Are NOT Deleted
Like any standard UNIX-based system, a delete operation does not remove the file from the disk. All it does is mark the inode related to this file as inactive and then delete the entry of this inode from the parent directory inode. Hence, the actual data blocks stay as they are on the disk until the same disk blocks are overwritten by another file. The iPhone device has a huge amount of disk space and hence the typical time before this section of disk gets overwritten is in the order of months. If the device is stolen or jailbroken at any point in time, the attacker not only gets the data readily available from the file system but can use standard recovery tools to extract the deleted files as well. This becomes a serious concern if the files contained sensitive information related to financial data.
3. iPhone as a Key-Logger
To enhance the usability features of the iPhone, the device keeps track of all the words that were ever typed on the device by the user. It keeps adding these words to its database to ensure that word prediction works fine. This is supposed to be a usability feature to auto-learn the user's typing habits. This information is stored on the device in the form of files which can easily be accessed by an attacker once the device is jailbroken. Most users are not even aware of the wealth of data which is getting stored on the iPhone every day when they use this device. From a financial data perspective, the attacker finds the record of your bank account numbers and your credit card related information, including your CVV number. So, if I am an attacker and I manage to get hold of your iPhone, and I find out that you are using the Citibank Mobile Banking application, I can be almost sure that I would be able to extract the credit card details in some time once the phone is jailbroken.
4. iPhone Animation and Data Leak
When the user presses the Home button on the iPhone, he ends up seeing a nice animation which shows the application going down and another window image coming up. Yes, it looks good. What is the price that this usability feature forces us to pay? When the user presses the Home button, the device takes a snapshot of the display and stores it as an image file in a specific directory in the file system. This implies that if the user was using any of the financial applications, and maybe wanted to do a money transfer to some account, that entire screen would be captured. This can mean a significant loss of financial data as well as privacy.
Vulnerability History of iPhone and iOS Devices
Mobile platforms like Blackberry have the entire OS written in Java. Blackberry runs a hardened version of the JVM with JNI and Reflection disabled as the operating system. Though Android does not have the OS written in Java, the primary application development happens in Java, similar to Blackberry. Using Java reduces the attack surface significantly because of the various security constructs which are provided by the language itself. On the other hand, the iPhone kernel is a derivative of the Mac kernel, which is written in C, and the primary application development language is Objective-C, which is not very different from C when it comes to the kind of language-based weaknesses it has to offer. The biggest foe of software has always been the buffer overflow, which can be found in an iPhone-based application but not in Android or Blackberry. The nuisances of buffer overflow have been known for decades now; hence, we skip that discussion here.
The vulnerability count specific to the iPhone device in its short lifetime can be seen in the chart below. The chart has been taken from the CVE site, where the table shows the type of vulnerability that was spotted in the device and then there is a graphical representation.
Another significant attack surface on an iPhone device is the web browser. Even though there is the concept of Application Sandboxing, most of the applications are connected with the browser via some IPC mechanism, where a file downloaded from the browser can directly be sent to an application like a PDF reader, image viewer, or even any network-based application. Hence the compromise of the Safari web browser can be a significant attack surface on the iPhone. Leaving aside the browser application, most of the web-based vulnerabilities can have a significant impact in terms of compromising your iPhone. Just to get a feel of what history shows us about vulnerabilities in Safari and other iPhone-related applications, here are some examples of HIGH severity public issues. Please note that I have excluded the list of medium and low severity issues, since the high examples were enough to prove the point.
CVE-2011-1417: Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document.
CVE-2011-1344: Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad.
CVE-2011-0154: WebKit, as used in Apple iTunes before 10.2 on Windows and Apple iOS, does not properly implement the .sort function for JavaScript arrays, which allows man-in-the-middle attackers to execute arbitrary code.
CVE-2010-1817: Buffer overflow in ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.
CVE-2010-1815: Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webkitgtk before 1.2.6, allows remote attackers to execute arbitrary code.
The list can continue like this for multiple pages. If you search for the number of security vulnerabilities to date in the iPhone in the National Vulnerability Database, there is a list of 131 issues which are already public. Very similar to the iPhone chart, here is a chart showing the trend in the vulnerabilities recorded to date in the Safari web browser.
For Those Who Trust the iPhone Keychain
Many users who deal with banking applications or with stock-based applications find it more convenient to store the banking password in the iPhone keychain. After all, the keychain keeps all these passwords secure and encrypted on disk. Unfortunately, there is a serious security flaw in the way this encryption is done in the keychain. The key which is used for encryption is derived from hardware-related information of the iPhone and has no correlation with the iPhone password which is set by the user. This implies that this key can be extracted from a stolen iPhone based on the same hardware information, without worrying about cracking the iPhone password. Once the keychain is compromised, your passwords which are stored in the keychain are compromised as well. This activity takes no more than 6 minutes, as demonstrated by German security researchers in February 2011. How can you protect yourself from this attack? You can't. The only solution is to immediately change all the passwords which are stored in your keychain on the respective sites. Alternatively, never store passwords in the keychain. As long as the phone can be jailbroken, the keychain can be broken as well. As we already discussed, iPhone jailbreaking is a very common thing today due to the unencrypted bootloader of the iPhone.
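The keychain weakness just described, a wrapping key that depends only on hardware material, can be contrasted with a passcode-entangled derivation. The following Python model is an added example, not code from the article or from Apple's actual keychain implementation; DEVICE_UID, SALT, the HMAC-counter cipher and the iteration count are constructed assumptions, not real device values.

```python
import hashlib
import hmac
import os

# Constructed sample values (illustrative only, not real device secrets):
# a per-device hardware secret and a salt an implementation would store
# next to the keychain database.
DEVICE_UID = bytes.fromhex("1f2e3d4c5b6a79880f1e2d3c4b5a6978")
SALT = bytes.fromhex("a1b2c3d4e5f60718")


def hardware_only_key(device_uid: bytes) -> bytes:
    """Key derived from hardware material alone, modelling the flaw the
    article describes: anyone who can run code on the device can recompute it."""
    return hmac.new(device_uid, b"keychain-wrapping-key", hashlib.sha256).digest()


def passcode_bound_key(device_uid: bytes, passcode: str, iterations: int = 20_000) -> bytes:
    """Hardened variant: the user's passcode is stretched with PBKDF2 and mixed
    into the derivation, so the key cannot be rebuilt without the passcode.
    A 4-digit passcode still leaves only 10,000 candidates, so iteration count
    and passcode length set the attacker's cost."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, iterations)
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_secret(secret: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC one keychain item: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(12)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_secret(blob: bytes, key: bytes):
    """Return the plaintext item, or None when the key is wrong (tag mismatch)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def offline_recovery(blob: bytes, device_uid: bytes):
    """What someone holding a jailbroken device can do: the hardware secret is
    readable, the passcode is not, so recompute the hardware-only key and try it."""
    return unwrap_secret(blob, hardware_only_key(device_uid))


if __name__ == "__main__":
    banking_password = b"constructed-banking-password"
    # Item protected the way the article describes: recoverable without the passcode.
    weak_blob = wrap_secret(banking_password, hardware_only_key(DEVICE_UID))
    print("hardware-only item recovered:", offline_recovery(weak_blob, DEVICE_UID) == banking_password)
    # Item bound to the passcode: the same offline attempt yields None.
    strong_blob = wrap_secret(banking_password, passcode_bound_key(DEVICE_UID, "2011"))
    print("passcode-bound item recovered:", offline_recovery(strong_blob, DEVICE_UID))
```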
Concluding Remarks
Vulnerabilities are everywhere, and it is not that laptops and desktops do not have security vulnerabilities. The only problem which I see in the usage of a mobile for doing any financially sensitive operation is that the device is far less understood than a PC. This also implies that users have much less control over what they want to save and what actually gets saved. Similarly, since most of the devices do not give direct access to the file system, the user cannot secure the folders where he is keeping sensitive information. Many times, with some applications I have observed, the password gets automatically saved in the keychain without even asking the user. The next time the user starts the application, he sees the post-login screen. Is this a great feature? Yes, if we consider usability. No, if we consider security. It is the user who needs to make a tradeoff between what he values more in which context. I value security far more than usability when it comes to handling my stocks or my bank account, or even my professional email address. I do not mind re-entering my password 10 times a day if I need to do any kind of financial or official transaction, but I would never store my passwords on the device. After reading this article, I hope you will do the same.
References:
[1] Practical Consideration of iOS Device Encryption Security; Jens Heider and Matthias Boll; Feb 2011. http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
[2] Jailbreak and Unlock the iPhone; http://www.hackthatphone.com/3x/bypass_passcode_lock.html
[3] National Vulnerability Database; http://web.nvd.nist.gov/view/vuln/search-results?query=iphone&search_type=all&cves=on
[4] Secure Coding Guidelines for iOS; http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
[5] Apple iPhone secretly tracking users' privacy; http://articles.economictimes.indiatimes.com/2011-04-21/news/29459336_1_iphone-apple-location-data
[6] iPhone can take screenshots of anything you do; http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/
[7] iPhone Insecurity; http://www.iphoneinsecurity.com/
[8] Finance App Store Download on iTunes; http://itunes.apple.com/us/genre/ios-finance/id6015?mt=8
[9] Apple iPhone CVE security vulnerabilities, versions and detailed reports; http://www.cvedetails.com/product/11481/Apple-Iphone.html?vendor_id=49
[10] Apple Safari CVE security vulnerabilities, versions and detailed reports; http://www.cvedetails.com/product/2935/Apple-Safari.html?vendor_id=49
Mrityunjay Gautam
Analyzing the Biggest Bank Robbery in History: Lessons in OSSTMM Analysis

Many banks have no idea what a powerful weapon against attacks they have in the OSSTMM. The Open Source Security Testing Methodology Manual is a free, collaborative project by the international, non-profit ISECOM that is years ahead of traditional security methods. The power and elegance of the OSSTMM became clear while I was at a cafe in Bern, Switzerland last year to meet with two other ISECOMers, Nick Mayencourt, a Board Director, and Philipp Egli, an ISECOM trainer, and the talk turned to robbing banks. That's not uncommon, because Switzerland is very big on banking and also very big on security, especially the OSSTMM. So with the biggest diamond heist on record in the news again (you may know the story from its frequent comparison with the movie Ocean's Eleven), we took a look at the case through the eyes of an OSSTMM Analyst. This is how it went.

As the story goes, it was on a winter morning in February 2003 when a guard in the Antwerp Diamond Center got quite the surprise. He found the multi-ton steel safe door wide open and, inside the vault, the chaos of destroyed safety deposit boxes. Yet no alarm had sounded. With a quick call to the alarm monitoring centre he was informed that the system was running just fine and there had been no notifications since it was armed the night before. There was no clear sign of a break-in, yet $189 million in diamonds were missing (and still are).

We discussed this robbery in detail. While we didn't have clear details on how the robbery really went down, we did know the bank's security measures. They were robbed despite being two floors underground, with a three-ton steel door, a steel gate, closed-circuit cameras, heat sensors, light sensors, and a tremor sensor. So how could this happen? With so many diamonds at stake and ten layers of security, how did Defense in Depth fail them? This is exactly what this third, new version of the OSSTMM is great for. Unlike compliance objectives, which
focus on what you have and how it's configured, the OSSTMM 3 scores operational effectiveness: how it works. Some will say that this is why many organizations employ penetration tests to get this kind of foresight. They say penetration testing will allow them to find the effective attacks before the attackers do. Too bad contemporary penetration tests are not as effective as the penetration testers want you to believe.

The OSSTMM started as a penetration testing methodology back in 2001 because penetration testing was the best tool in the development of a process or system for seeing the big picture of operations. The concept was that while quality testing is great for determining how well a component works in a system, penetration testing will help you understand how well all the components work together in the system. Like a fire drill, though, penetration tests must be done repeatedly, because any change in the environment, systems, people, or processes will affect the results. This is why fire drills are called drills: it's of little good to do them just once. So the occasional penetration test may work for the physical and human response testing of a bank with little change or low turnover, but not for electronic systems like e-banking web applications, which are in a near constant state of development and improvement. This is why penetration testing during the development cycle, when the environment is held constant, is so critical to assuring that inter-operational security gets properly designed into the system. However, once a system is built and deployed, penetration testing greatly loses effectiveness. So even a traditional penetration test of the Antwerp diamond vault would not have been enough.
Back in 2001, when ISECOM first released the OSSTMM, penetration testing seemed like the best thing to evaluate operational security. The OSSTMM was created to address what were known as the main problems of penetration testing at the time: the inconsistency of penetration testing services, no clear definition or deliverable, penetration testing the skills of the tester more so than the operations, the cultish promise to prove a negative (the logical fallacy that if a penetration tester didn't find problems then the system was secure) and the use of a hidden, proprietary methodology which made it impossible for a client to really know which tests were performed where. It was these problems which encouraged a standard security testing methodology to improve transparency, consistency, and thoroughness.

As time went on, it was clear this wouldn't solve all the problems. The biggest problem was that the researchers found there was no way to quantitatively and accurately measure security from penetration tests (because of the whole illogical problem of proving a negative, and math being a logical thing). So while a penetration test can find some of the holes, even some of the big ones, there is no way it can find them all and certainly no way testers can truthfully say they are finding the ones that hackers will. Another problem that exacerbated this was that thorough penetration testing required the tester to gain deep knowledge of the operations to be sure the right things were being tested the right way. This was likely the problem that the Antwerp diamond exchange learned the hard way: the winner of any security contest is the one who knows more, and more deeply, about the systems and operations. So in the development of the third version of the OSSTMM a new way of thinking about security emerged which not only corrected these problems with a better, extremely powerful framework but took security testing and analysis far beyond penetration testing. This new way of thinking about security requires three main things:

1. Prioritize tests by shifting the focus from guessing future threats to that which you have reason to trust;
2. Identify and verify all interactions and the protections for those interactions;
3. Optimize the balance between security and operations.

It is in applying this new version of the methodology that the weaknesses of the Antwerp diamond vault become incredibly, bluntly obvious.
Analyzing Ocean's Eleven

Spectacular bank robberies are part of the standard repertoire of Hollywood films. Of course, realism isn't necessarily required. However, in this case, the character played by George Clooney, the archetype of the sympathetic bank robber, actually did exist. A year before the robbery of the century, Leonardo Notarbartolo drank an espresso in the Antwerp diamond district. He rented an office there to trade in wholesale diamonds. He kept a regular schedule, smiled at the people he saw each day, and was sure to be seen walking down the street with the Gazzetta dello Sport under his arm. He was one of the nicest and most clever thieves of modern times.

With a hidden miniature camera he entered the diamond vault two stories below ground. You see, he kept his diamonds stored there for safety. That gave him many opportunities to watch and record the operations of the bank, the personnel, and, most importantly, its security. He kept his eyes open for the smallest details, including the entrance code to the vault.
What You Need to Know

Here we'll pause the story for a moment. What Leonardo is doing is the first step of an attacker: reconnaissance. He's looking for all the points of interaction from outside the vault to the inside. According to the OSSTMM there are only two ways to take something: you either take it or you have somebody give it to you. These two different types of interactions are defined as Access and Trust. So why does Leonardo have access to the vault? Because he's a polite, well-known businessman in the area, who happens to be a client of the bank. In OSSTMM terminology, he's abusing operational trust.
Operational Trust

The OSSTMM 3 has integrated tests for operational trust. There are 10 properties which are logical reasons to trust someone or something. The easiest technique for using the Trust Properties is to create quantitative rules from the properties with which we can evaluate the target person, thing, or interaction. The rules are scored as a percentage and the percentages from all 10 properties are averaged. The closer to 100% you get, the safer it is to extend trust. It's a very accurate way to analyze and extend trust free of bad intuition or unqualified gut instinct. One condition trust analysts tend to find in this process is that in day-to-day life, people are often satisfied with just one or two of these properties being met. This is likely because social context makes it uncomfortable for people to challenge untrusted properties, and it's considered offensive to challenge someone who successfully meets some of the properties, especially Transparency (like Leonardo, who's a nice, known businessman in the area) and Consistency (he's a registered client who visits the vault with regularity and never causes problems). Meanwhile, he would score very low on the other 8 reasons to trust him, marking him as an untrustworthy individual.
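The scoring the paragraph describes, worked through for Leonardo, as an added example that is not part of the original article or of the OSSTMM itself. The article names only Transparency and Consistency; the other eight property names below follow the Trust Analysis chapter of OSSTMM 3 as I recall it (check them against your copy of the manual). The percentages assigned to Leonardo, the 80% "extend trust" threshold and the 50% "weak property" cut-off are constructed for illustration, not figures from the text.

```python
"""Trust-property scoring as the article describes it: each of the ten
OSSTMM 3 trust properties is rated as a percentage, the ten are averaged,
and the average is compared against a threshold.  The gut-feeling shortcut
(two convincing properties and the rest ignored) is modelled alongside it
so the two verdicts can be compared.  Constructed example."""
from statistics import mean
from typing import Dict, List

# Assumption: the article names only Transparency and Consistency; the
# remaining names are taken from the OSSTMM 3 Trust Analysis chapter.
TRUST_PROPERTIES = (
    "Size", "Symmetry", "Transparency", "Control", "Consistency",
    "Integrity", "Offsets", "Value of Reward", "Components", "Porosity",
)


def validate(scores: Dict[str, float]) -> None:
    """Every property must be rated as a percentage.  Refusing to score with
    properties left out is the point: skipping the uncomfortable ones is the
    everyday mistake the article warns about."""
    missing = [p for p in TRUST_PROPERTIES if p not in scores]
    if missing:
        raise ValueError(f"unrated trust properties: {missing}")
    out_of_range = {p: v for p, v in scores.items() if not 0 <= v <= 100}
    if out_of_range:
        raise ValueError(f"scores must be percentages: {out_of_range}")


def trust_score(scores: Dict[str, float]) -> float:
    """Average of the ten property percentages (the method in the article)."""
    validate(scores)
    return mean(scores[p] for p in TRUST_PROPERTIES)


def weakest_properties(scores: Dict[str, float], below: float = 50.0) -> List[str]:
    """Properties that fail a cut-off (assumed: 50%), sorted for stable output."""
    validate(scores)
    return sorted(p for p in TRUST_PROPERTIES if scores[p] < below)


def gut_feeling(scores: Dict[str, float], convincing: float = 80.0) -> bool:
    """The social shortcut: trust once a couple of properties look convincing."""
    validate(scores)
    return sum(1 for p in TRUST_PROPERTIES if scores[p] >= convincing) >= 2


def should_extend_trust(scores: Dict[str, float], threshold: float = 80.0) -> bool:
    """The OSSTMM-style verdict: only the averaged score counts (threshold assumed)."""
    return trust_score(scores) >= threshold


# Constructed ratings for Leonardo the diamond dealer: the two properties
# the bank staff could see score perfectly, the rest score poorly.
LEONARDO = {
    "Size": 20, "Symmetry": 0, "Transparency": 100, "Control": 10,
    "Consistency": 100, "Integrity": 30, "Offsets": 0,
    "Value of Reward": 0, "Components": 10, "Porosity": 10,
}

if __name__ == "__main__":
    print("average trust score:", trust_score(LEONARDO))        # 28.0
    print("gut feeling says trust:", gut_feeling(LEONARDO))     # True
    print("OSSTMM says trust:", should_extend_trust(LEONARDO))  # False
    print("weak properties:", weakest_properties(LEONARDO))
```

The two verdicts disagree on exactly the case in the story: two properties at 100% are enough for a guard's intuition, while the average of all ten sits far below any sensible threshold. The `validate` step is deliberate; a scoring sheet that lets you leave a property blank quietly reintroduces the intuition the method is meant to replace.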
Safety vs. Security

A central theme to security is specifically the definition of security. The OSSTMM classifies security as a physical separation between an asset and a threat. Safety, on the other hand, is the means to control threats at the point of interaction.

In this case, a vault falls close to the definition of security. It provides a physical separation between what is outside the vault and the assets inside the vault. Except that you also need to be able to have some interaction with the vault to put new assets in or take assets out. To prove that, Leonardo the diamond thief is standing in a vault filled to the ceiling with diamonds.

This is now where Safety comes into play. Since interactions are required for successful operations, there must be some operational controls to protect the assets from unauthorized exit. The OSSTMM findings show 10 operational controls to protect against all threats. You cannot say one control is stronger than another, since each protects against a different umbrella of attack types. However, one implementation of a control can certainly be weaker than another. One of the places this is obvious is Authentication. Whether it's a lock and key, a login and password, or a Do Not Fly List, these Authentication controls require Identification to function correctly. If the threat can pass itself off as, say, a legitimate diamond wholesaler, then it will receive Authorization for Access, bypassing the Authentication in place designed to prevent a criminal from just walking into the vault to size it up. Authentication alone can be overcome. This is why the OSSTMM recommends multiple, different controls for each point of interaction, described as Defense in Width.
Quality Security Defenses

The vault was scrutinized for weeks before the robbery took place. The vault team included the Genius, who was a master of disabling alarm systems, the King of Keys, who was an expert key forger, and a man they called Monster, a huge, strong man who was also a monstrously good electrician, driver, lock pick, and mechanic. Each team member had a task befitting their skills which also coincided with the interaction points that Leonardo discovered. So what happened was that each team member knew more about a particular system within the operation than the bank personnel did. An OSSTMM analysis would have discovered that the operators of the security mechanisms knew little about how they worked, and if they had known what was required of them, maybe they wouldn't have left Leonardo, or anyone else, alone in the vault.

One day before the robbery, Leonardo entered the vault on legitimate business. Left alone for privacy, as he knew he would be, he sprayed the motion and heat sensors with hairspray. Then he packed up his things and stepped out, thanking the guard and giving his regards to the wife and kids. Why not, he was a nice guy.
Controls and Limitations

The OSSTMM describes 10 operational controls. The concept provided is that the less reason you have to trust someone or something (trust properties), the more varied controls you should have for protection, up to 10 per interaction. That is called making the perfect balance between operations and protection. These 10 controls are divided into two classes: interactive and process. Interactive controls react to direct contact with the threat, where process controls do not. What you see here is that it is important to have controls which are different. As it is, most controls on their own are fairly ineffective. What you don't want is two different security mechanisms, say heat and motion detectors, both providing incomplete Authentication and both susceptible to being nullified with the same can of hairspray.

The bank had installed a heat and motion sensor at the entrance of the vault, both Authentication controls (an Interactive control), which were designed to sound an Alarm, a Process control. Since the Alarm control was dependent on the Authentication sensors, no alarm could sound if they were blocked. This is calculated as a Limitation, a flaw defined not by impact or prevalence, as with risk ratings, but by what it does and what it affects. The value of the Limitation is calculated by which operational controls are in place as well as how many different types of interactions are allowed with the targets. This makes it a very flexible and unbiased way to measure any kind of vulnerability because, as you know, each flaw is fairly unique in how it affects different operations. Not all buffer overflow vulnerabilities will give root access if attacked; it depends on the protections in place. In addition to that, it's also easy to categorize Limitations. For example, a Vulnerability is a flaw which provides Access to an asset, denies Access to an asset, or allows one to hide an asset within the scope. It's very straightforward and requires no guessing about its ease of use or impact. Sometimes, though, a flaw will have more than one type of limitation. For example, a factory default login and password mechanism on a router would be a Weakness, which is any flaw that affects Interactive controls, and a Vulnerability because it provides Access as well. See, it's very straightforward.

There are a total of five classifications of Limitations in the OSSTMM. The other three are Concern, which is any flaw that affects Process Controls; Exposure, which is any flaw that provides information of specific attack knowledge or opportunity; and Anomaly, which is not specifically a flaw, however it is an unknown or uncontrolled interaction.

One of the enlightening features of analyzing security according to this process is in seeing how poor Controls, that is Controls with inherent Limitations, like login and password schemes that provide no mechanism against brute forcing, add up to provide more protection AND more flaws. One can then see how layers of incomplete or poor controls will actually make something less secure, especially if the controls they provide are redundant, like two firewalls in a row, or just not reliable, like blacklist controls.
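The reasoning of the last three sections (Defense in Width under Safety vs. Security, the hairspray under Quality Security Defenses, and the Limitation classes above) can be made mechanical, and doing so shows why the vault's two sensors counted as one control. The following is an added example written for this article, not OSSTMM code and not the bank's design: the control names, the techniques assumed to defeat each control, the extra "door contact" control and the "magnet" that defeats it are all constructed for illustration, as is the idea that the Alarm fires if any one of the sensors it listens to is still working.

```python
"""Control diversity at one interaction point, modelled the way the article
reasons about the Antwerp vault: interactive controls meet the threat
directly, a process control (the Alarm) depends on them, and one technique
that nullifies every control sharing a weakness silences the whole stack.
Constructed example; control names, defeat techniques and dependencies are
assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set

INTERACTIVE = "interactive"   # reacts to direct contact with the threat
PROCESS = "process"           # does not; the Alarm is the article's example


@dataclass(frozen=True)
class Control:
    name: str
    kind: str
    defeated_by: FrozenSet[str]                 # techniques that nullify it outright
    depends_on: FrozenSet[str] = frozenset()    # controls it needs in order to work


def surviving(controls: List[Control], technique: str) -> Set[str]:
    """Names of controls still effective after one technique is applied.
    A control dies if the technique defeats it directly, or if it depends on
    other controls and none of them is still alive (assumption: the Alarm
    keeps working as long as at least one sensor feeding it does)."""
    by_name = {c.name: c for c in controls}
    alive = {c.name for c in controls if technique not in c.defeated_by}
    changed = True
    while changed:  # propagate dependency collapse until stable
        changed = False
        for name in sorted(alive):
            deps = by_name[name].depends_on
            if deps and not (deps & alive):
                alive.discard(name)
                changed = True
    return alive


def single_technique_bypasses(controls: List[Control]) -> List[str]:
    """Techniques that, used alone, leave no effective control at the
    interaction point: the 'two sensors, one can of hairspray' condition."""
    techniques = set().union(*(c.defeated_by for c in controls))
    return sorted(t for t in techniques if not surviving(controls, t))


@dataclass
class Finding:
    """What a flaw does and what it affects, the two axes the article uses."""
    description: str
    grants_or_denies_access: bool = False
    affects_interactive: bool = False
    affects_process: bool = False
    leaks_attack_knowledge: bool = False
    uncontrolled_interaction: bool = False


def classify(f: Finding) -> List[str]:
    """The five Limitation classes; one flaw may land in several of them."""
    classes = []
    if f.grants_or_denies_access:
        classes.append("Vulnerability")
    if f.affects_interactive:
        classes.append("Weakness")
    if f.affects_process:
        classes.append("Concern")
    if f.leaks_attack_knowledge:
        classes.append("Exposure")
    if f.uncontrolled_interaction:
        classes.append("Anomaly")
    return classes


# Constructed model of the vault entrance as the article describes it.
HEAT = Control("heat sensor", INTERACTIVE, frozenset({"hairspray"}))
MOTION = Control("motion sensor", INTERACTIVE, frozenset({"hairspray"}))
ALARM = Control("alarm", PROCESS, frozenset(),
                frozenset({"heat sensor", "motion sensor"}))
VAULT_AS_BUILT = [HEAT, MOTION, ALARM]

# Same entrance plus one control that fails differently (assumed: a door
# contact that hairspray cannot blind); the Alarm now listens to it as well.
DOOR_CONTACT = Control("door contact", INTERACTIVE, frozenset({"magnet"}))
ALARM_WIDE = Control("alarm", PROCESS, frozenset(),
                     frozenset({"heat sensor", "motion sensor", "door contact"}))
VAULT_WIDE = [HEAT, MOTION, DOOR_CONTACT, ALARM_WIDE]

ROUTER_DEFAULT_CREDS = Finding("factory default login and password on a router",
                               grants_or_denies_access=True, affects_interactive=True)
BLINDED_SENSORS = Finding("heat and motion sensors blinded with hairspray",
                          affects_interactive=True, affects_process=True)

if __name__ == "__main__":
    print(single_technique_bypasses(VAULT_AS_BUILT))   # ['hairspray']
    print(single_technique_bypasses(VAULT_WIDE))       # []
    print(classify(ROUTER_DEFAULT_CREDS))              # ['Vulnerability', 'Weakness']
    print(classify(BLINDED_SENSORS))                   # ['Weakness', 'Concern']
```

The first model reproduces the article's finding: the two sensors are redundant rather than different, so a single technique empties the interaction point and the dependent Alarm (a Concern) falls with them (a Weakness). Adding a control with a different failure mode removes every single-technique bypass without making any one control stronger, which is what Defense in Width means in practice.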
What You Need to Do

The team led by Leonardo spared no expense. The bank was built in what was once a shopping center. The team analyzed the rooms and buildings adjacent to the vault. The story goes that they recreated the entire vault ante-room and the vault itself in a warehouse in order to study and practice disabling all the security. Once again, this is the key to security: knowing the operations at a more thorough and deeper level than those who apply them. This is what makes penetration testing tool frameworks with dedicated exploit research teams so valuable to an organization. Sure, these tools will also help the penetration tester cover more types of systems and applications more deeply; however, these tools are best used in the hands of those who really know the internal operations and processes, the internal employees. Why? Because just knowing how to find vulnerabilities means nothing if there is little understanding of the big picture in a complex environment. What are the operational needs? What are the directions? What are the requirements? These are things only an insider can and should know. However, to avoid being stuck in the vulnerability/patching routine indefinitely, a cat and mouse game at best, an organization needs to embrace the hacker role of deeply understanding how various operational security mechanisms and operational controls work together for greatest effectiveness. This is where the latest OSSTMM is strong. Security shouldn't be about just finding the vulnerabilities known today to quickly patch up, but about finding the perfect balance between security and controls so you are prepared for the vulnerabilities and threats of