October 21, 2010

Seduced by Zeus

These are testing times for Internet banking security as the Zeus Trojan
and botnet bewilders, blights and burgles millions of PC users

BY STEPHEN WILSON

The Zeus Trojan and botnet have bedevilled Internet banking for 18 months now. Specially designed to steal logon details, Zeus has infected millions of PCs worldwide. You can think of it as a supercomputer, maintained by a highly organised development team (whereabouts unknown) and licensed to criminals to execute their own attacks.

Yes, licensed! Depending on the version, Zeus licences sell for between US$700 and US$3,000. The software is bought as a special kit, and installed under the control of a hardware-specific key, preventing the malware from being pirated!

Earlier this month, the FBI announced it had arrested a number of suspects in its biggest cybercrime investigation to date. They allege that US$70m had been stolen from US bank accounts using Zeus.

While the scale and commerciality of the Zeus enterprise are staggering, from a security point of view, none of this is fundamentally new. But now researchers have discovered that Zeus is the likely vector for the long-feared Man-in-the-Mobile or ‘mitmo’ attack on SMS authentication for Internet banking.

SMS authentication is a clever trick. To confirm certain browser transactions, a one-time password (OTP) is sent as a text message to the customer’s mobile phone, usually along with a précis of the transaction for confirmation. To complete the transaction, the OTP is re-keyed into the browser, proving that the actual customer is in charge.

This method combines several important security techniques. First, it provides true two-factor authentication. As a second factor, the handset is nearly ideal. Customers almost always have it close at hand (and turned on); they’re usually immediately aware of any theft; and they tend to report losses very quickly. Further, mobile numbers have historically been relatively secret, so social engineering attacks (in which deliberately confusing security messages might be sent to a target’s phone) were unlikely.

Second, the SMS authentication message is sent over a different channel from the main transaction. This redundancy is important because it means for an attacker to succeed, they must subvert two channels in concert.

Yet there has always been a logical flaw in SMS authentication, a weakness waiting to be exposed. Simply put, it was assumed that the mobile phone channel was resistant to compromise. Inevitably, criminal ingenuity, propelled by the ever growing rewards to be had from mounting an attack, has now caught up. And ironically, new vulnerabilities in the mobile channel can be blamed on smartphones, for their complexity and power provide a plethora of new attack vectors.

Analysts from the Spanish security company S21sec have recently explained how SMS messages sent to a compromised smartphone can be redirected to an attacker’s computer, and then replayed on a bank site to manipulate online transactions. The attack is complex and multi-layered, but readily perpetrated, thanks to the sophistication of the Zeus botnet. Such attacks are increasingly lucrative.

Lured into temptation
The first step is to lure the customer (through spams sent via Zeus) to a ‘pharming’ site, where they are somehow tricked into entering their phone number and mobile device details. The ruse might be a request to update a contact database or answer an online survey. The attacker will look for certain smartphones known to be amenable to malware; victims found with the right phones are sent a bogus SMS – or ‘phext’ message – which directs them to another fake site, this time one that surreptitiously installs a malevolent app on to their mobile. And now the target is ready to be hit.

The next time they visit their Internet banking page and execute an SMS-authenticated transaction, the hapless customer’s phone will receive the code but then route it to the attacker, who also has the account number and password, thanks to conventional keyboard sniffing. The attacker then has a complete set of credentials plus OTP, with which they raid the customer’s account.

S21sec sees the mobile carriers as important allies in the battle against this attack, since carriers have the ability to detect malware in at least a proportion of smartphones. Yet I wonder if the time will come when carriers seek to shift their position – and potential liability – around SMS authentication. The SMS protocol was never designed to be used as a security measure. For one thing, there is no message delivery guarantee in the GSM cell phone standards. So if an OTP sent by SMS fails to get through, this is arguably a normal condition of the network. What does this mean for the fine print in any Internet banking security promise?

As an aside, as mobile banking takes off, we will paradoxically see a return to just a single electronic channel, which will further stimulate criminals to target phones and phone networks.

SMS authentication was always a stop-gap measure, insofar as there are long term options to directly secure the primary channel (be it Internet or mobile phone), chiefly by asymmetric cryptography and transaction signing. So once again, banking security is at a crossroad, where we can choose between hardening the transactions themselves, or piling on more clever tricks.
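The transaction-signing alternative mentioned above, as an added illustration that is not from the article or from any bank's system: the customer's key signs the payee and amount, so a captured signature (unlike a captured six-digit code, which authorises whatever transaction its holder submits) cannot be re-attached to a different transfer. It assumes Ed25519, a constructed payee format, and that the private key lives in a tamper-resistant signing device rather than on the general-purpose phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is the payment the bank is asked to execute (constructed fields).
type Transaction struct {
	Payee  string
	Amount int // in cents
}

// canonical renders the fields in a fixed order so that the signing device
// and the bank hash exactly the same bytes.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("payee=%s;amount=%d", t.Payee, t.Amount))
}

// SignTransaction runs on the customer's signing device; the private key never
// leaves it (assumption: a tamper-resistant token, not the phone itself).
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// VerifyTransaction is the bank-side check: the signature must cover the exact
// transaction about to be executed, under the public key enrolled for the customer.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	legit := Transaction{Payee: "111-222", Amount: 5000}
	sig := SignTransaction(priv, legit)
	fmt.Println("legitimate transfer verifies:", VerifyTransaction(pub, legit, sig))

	// The same signature presented with a different payee and amount is rejected,
	// which is what a replayed SMS code cannot guarantee.
	altered := Transaction{Payee: "999-999", Amount: 480000}
	fmt.Println("altered transfer with replayed signature:", VerifyTransaction(pub, altered, sig))
}
```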

Filed Under: Guest columnists, Stephen Wilson


Trackback URL: http://www.bankingreview.com.au/2010/10/seduced-by-zeus.html/trackback
