April 02, 2007

Threatwatch: MITB spotted: MITM over SSL from within the browser

A long awaited browser MITB attack -- in essence an MITM against SSL launched from within the browser -- has been spotted (by Lynn) in the Netherlands:

...customers opened an email attachment that resulted in a virus being executed on their machines. This virus changed their browsers' behaviour so when they went to open the real ABN Amro online banking site, they were instead re-directed to a spoof site.

The customers then typed in their passwords, which the attacker in turn used to access the bank's real Web site. The customer's own transactions were passed along to the real site, so they didn't notice anything wrong right away, while the attacker simultaneously made their own fraudulent transactions using the bank's urgent payment feature.

ABN Amro has issued its customers with two-factor authentication tokens for several years. But the man-in-the-middle attack gets around this security measure by passing the ever-changing part of the password from the token to the bank along with the never-changing part - essentially piggybacking on a legitimate log-in.

Now, if it has been spotted here, it has been going on for some time. The first signs of an attack on SSL were seen in late 2004. In essence it was still an uneconomic attack, but the proofs of concept were there. What remains to be seen is whether we are about to see a large scale shift into browser MITM attacks (known as Man-in-the-Browser) or whether we are seeing only tentative experimentation.
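The mechanics of the quoted report, as an added example that is not code from the original post or from the bank: a constructed toy bank that accepts a static password plus an HOTP (RFC 4226) token code, showing why a code relayed by a subverted browser verifies exactly like the customer's own login, followed by a transaction-bound code variant, which the post does not discuss, that a relayed code cannot be reused for a different payee or amount. The seed, names and amounts are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed toy model of the article's scenario: static password plus an
# HOTP (RFC 4226) hardware token. Seed, names and amounts are made up.
SEED = b"constructed-token-seed"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """The 'ever-changing part' the token displays for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Bank:
    """Back end that checks password + next token code, then trusts the session."""
    def __init__(self):
        self.accounts = {"alice": {"pw": "static-pw", "seed": SEED, "counter": 0}}

    def login(self, user, pw, code):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["pw"], pw):
            return None
        for c in range(acct["counter"], acct["counter"] + 3):  # look-ahead window
            if hmac.compare_digest(hotp(acct["seed"], c), code):
                acct["counter"] = c + 1   # each code is accepted once only
                return f"session:{user}"  # stands in for a session cookie
        return None

def relayed_login_is_accepted() -> bool:
    """Alice reads a fresh code off her token; the subverted browser passes her
    password and that code to the real bank, which sees a perfectly valid login.
    Whoever holds the resulting session can then act as Alice."""
    bank = Bank()
    code_from_token = hotp(SEED, 0)
    return bank.login("alice", "static-pw", code_from_token) is not None

def transaction_code(secret, counter, payee, amount) -> str:
    """Defensive variant (not in the article): the code is bound to the payee and
    amount shown on the token's own display, so it authorises only the transfer
    the customer actually confirmed, wherever the code is relayed to."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"

def bank_accepts_transfer(counter, payee, amount, code) -> bool:
    """Bank-side check of a transaction-bound code (same toy model)."""
    return hmac.compare_digest(transaction_code(SEED, counter, payee, amount), code)
```

The transaction-bound variant only helps when the customer reads the payee and amount from the token's own display rather than from the browser, since the browser is the component that has been subverted.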

Meanwhile, over at Mozilla, "our man in the SSL/UI security team" Johnath is trying to draft up a proposal to work with Firefox. State of play so far:

Creating a simple UI to repair the padlock is no easy matter. EV is a complicating factor in that we need at least 3 states, and that means we need more than 3. This ain't new, but it is easier said than done.

Further, nobody has any hope that EV changes anything. Firstly, it is very confusing, too small, rare, and ultimately spoofable. So people are looking to Mozilla to see whether it will break away and start working on the far stronger user-bank relationship, directly, a.k.a Petnames and Zooko's Triangle and all that.

Maybe. As Gervase does not tire of pointing out, users won't do that. Worse, the above attack slices its way through both of those approaches, because it changes the browser from the inside.

The number of balls in the air is now too many. We've all noticed the migration away from Microsoft to Mac because of security failures. (The press worms bury deeply into the wet soil on this one.) Will there be a wholesale migration away from online banking as all browsers are declared no more solid than Swiss cheese in a fondue?

This was what the European banks were worried about when we reported MITB earlier in 2006. One year later there has been no epidemic, and that gave them time to respond. Hopefully they are ready. Chances are, nobody else has or is. To live in interesting times...

Posted by iang at April 2, 2007 02:44 PM | TrackBack
Comments

Yes this is a hot topic in Holland now.

The bank claims that there were only 200 people who reacted to the email and only 10 victims (10K euro or more).

Posted by: Teus at April 2, 2007 05:20 PM

My whole financial life I've maintained my accounts running at ABN-AMRO and I've never, never, never received any e-mail from them. To put it even more strongly, I believe (?) no Dutch bank will communicate with its customers by e-mail. But I do receive a lot of information, advertising, invitations etc. by (snail) mail.

Forever I've advised everybody in my family to never, ever open an e-mail coming from a Dutch bank, however serious it looks.

If you do internet banking with a Dutch bank, and for the ABN-AMRO I know this from my own experience, all electronic communication is done by a message "area" visible when you access your account on-line.

What puzzles me is that I can't recall that any Dutch bank communicates that they will not use e-mail ...

Posted by: TTTT at April 3, 2007 08:47 AM

I would add: as far as I have seen, I did not see a message that the attack was a man-in-the-middle attack, and essentially the way the ABN-AMRO bank is using their security measures (token and chip card usage) has a problem...

The thing is that the explanation of the problem is easy and understandable by most persons.

Posted by: Teus at April 3, 2007 08:47 AM

I'm confused - is the browser being affected or some network element like the hosts file?

And is the SSL cert for the bank shown, or is it a valid SSL cert for a fake site?

I have looked at viruslist, etc, but can't find too many details.

Posted by: Nick at April 3, 2007 05:24 PM

> Further, nobody has any hope that EV changes anything. Firstly, it is
> very confusing, too small, rare, and ultimately spoofable. So people
> are looking to Mozilla to see whether it will break away and start
> working on the far stronger user-bank relationship, directly, a.k.a
> Petnames and Zooko's Triangle and all that.
>
> Maybe. As Gervase does not tire of pointing out, users won't do that.

There has been at least one study showing that users won't use some kinds of "anti-phishing toolbar".

http://www.emergentchaos.com/archives/2007/02/why_johnny_cant_bank_safe.html

I still hold out hope that they will use Ping Yee's and Tyler Close's inventions, since those are designed from the start to be easier to use than the current browser is.

Regards,

Zooko

Posted by: Zooko at April 4, 2007 06:02 PM

Boarding Pass Hacker Targets Bank of America
http://it.slashdot.org/it/07/04/12/1444204.shtml

slight paranoia: A Deceit-Augmented Man In The Middle Attack Against Bank of America's SiteKey Service
http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

from above:

Whereas a normal man-in-the-middle attack identically replicates the attacked site, a deceit-augmented man-in-the-middle attack may present the user with a slightly different user interface than the regular interface. Man in the middle (MiTM) attacks are not a new threat - they have been known about for a number of years, and phishers have already used them to target Citibank and other online banks.

... snip ...

and past reference:
http://www.garlic.com/~lynn/2007d.html#26 Securing financial transactions a high priority for 2007

Posted by: Lynn Wheeler at April 12, 2007 12:17 PM