How Can I Bank Online Securely?

Bradford Rand

V.P. Information Technology

Infrastructure Manager

Information Security Officer

Online Security Approach• Online Security Is Not A Single Solution.• The Best Security Is A Layered Approach• “Defense In Depth”

• Internet• Firewall

• Intrusion Detection / Prevention• Open Port Limitation

• Local Workstation• Anti-Virus• Anti-Malware

• Security Patching• Operating System• Third Party Applications

• Education• Email Phishing• Phone Calls “Vishing”

How Do I Bank Online Securely?• The safest PC is one that is not connected to the internet.• Once a PC is placed “online” with the internet, it will be

compromised within 7 minutes.** SANS Survival Times https://isc.sans.edu//survivaltime.html

• A dedicated workstation, used just for online banking, is the most secure solution for performing online transactions.

• Patching is critical. Most compromised PC’s were not up to date with Operating System updates.

• Email: Phishing / Trojan Malware is overwhelming.• Hosting Banks / FI’s have multiple Security Controls

Who Is Responsible?• Both the Client and the FI share responsibility.

• FI has many policies and procedures that are closely followed.• Documentation and constant audits of controls / processes.• Will not call you and ask for any NPI. (Non Public Information)• Work with Clients to know the customer.• Complies to stringent rules regarding web hosting.

• PCI Compliance (Payment Card Industry)

• Extended Validation on web sites. (HTTPS://greenbar)• Good SFA (Second Factor Authentication) controls.

• FI can not control the Client’s Workstation• Patching• Email Configuration / Filtering• Web Browsing• End User Access

How Does It Happen?

• Every compromised incident I have been involved was initiated from the client / end user workstation.

• The compromised computer was the result of inadequate patching and / or email phishing.

Local Workstation• Can Download Malware From Many Areas

• Phishing:• Email sent to you appearing as a known source

• Contains attachment: Word / PDF / Excel / Text File• Contains hyperlink to contaminated web site.

• Click on the link and download the program• Downloaded program takes advantage of known vulnerabilities.

• Portable Media• USB sticks carry malware

• Seeding / Leave one in the parking lot. • Has label “Payroll” / Eye Candy• You plug it in at work, it autoloads.

• Browsing Web Pages• Ads on the sidebar

• Google does not verify “clean” sites well.• Redirect to compromised sites.• Download application.

• P2P File Sharing• Music download / Bit Torrent

“Trojan” Malware• Trojan Horse

• Free Gift / Special Offer• Email or Web Browsing• Click on Link• File Appears as “Friendly”• Request to Open File• Allow Execution / Installation• Wrapper Opens and Runs a Script• Sets Up Shop• Cloaks Itself• Calls Home• Begins Data Transfer

Keystroke Loggers• Most Common Form Of Malware

• Easy To Deploy• End user does the work by loading the application

• “Calls Home” When Set Up• Sniffs All Traffic From PC Going Out To Web

• Has search criteria (Filters)• Login ID / Passwords• 9 digit socials• May use a dictionary

• Records Any String Of Data Behind Keywords• Send back data in complete format• Complete report of compromised data at end of the day• Programmable application

• Possibility Of Remote Control • Removes IP location restriction in “cookies”• Performs banking from your PC.

Keystroke Logging Example

• Switch Over To Compromised Computer

• Keystroke Logging Questions?

What Can I Do?• Keep Operating System up to date.

• Microsoft – Upload of patching for a reason.• Patch Tuesday / second Tuesday of the month.• Remediates known vulnerabilities.• Set Updates to automatically update.• MS Office updates. (Recently compromised) • Browser

• Internet Explorer – (Now becoming “Spartan”)• FireFox – Automatically Updates• Chrome – Automatically Updates

• Third Party Application Patching• Adobe Products

• Reader / Writer / Flash / Air / Shockwave• Be careful of “Toolbar” baggage applications.• Ask / Google / default checked off to load with patch.• Result is more crowded browser and slower PC.• Adware follows your browsing habits.• Google ads on the sidebar change to fit you.

What Can I Do?• Dedicated Workstation is the best solution.

• Can be outdated PC.• Will run quick enough, minimal applications running on it. • Needs Windows 7 and up.• Anti-Virus / Malware Detection• Keep up on Operating System Patching!

• Limit Access To Local Workstation• Location, location, location

• Keep it close.• Lock it up when not in use.

• Require separate local accounts.• Create Administrative account.• Limit “Basic” user accounts to not allow running of executables.• “Run As” will require administrator password to install applications

• Disable “AutoRun” • Will require a double click on the file to execute.

Email Phishing Examples

• Contained In Email• Mouse Over Hyperlink To Reveal Actual Site Address

• not www.verizon.com - instead• www.clownpages.hk/nothinghere/

• Attachment could be .pdf / .exe / .gif

Top Level Domain Extensions• “Normal” Business Usage

• .gov• .com• .net• .edu• .org

• “New” But Not Used As Much• .tv• .biz• tax• mobi

• On The Horizon• .bank

Internet Country Codes• “AF - Afghanistan • AL - Albania • DZ - Algeria • AS - American Samoa • AD - Andorra • AO - Angola • Av - Anguilla • AQ - Antarctica • AG - Antigua and Barbuda • AR - Argentina • AM - Armenia • AA - Aruba • AU - Australia • AT - Austria • AZ - Azerbaijan • BF - Bahamas • BH - Bahrain • BB - Barbados • BD - Bangladesh • BY - Belarus • BE - Belgium • BZ - Belize • BJ - Benin • BM - Bermuda • BS - Bahamas • BT - Bhutan • BW - Botswana • BO - Bolivia • BA - Bosnia and Herzegovina • BV - Bouvet Island • BR - Brazil • IO - British Indian Ocean Territory • BN - Brunei Darussalam • BG - Bulgaria • BF - Burkina Faso • BI - Burundi • KH – Cambodia (Internet)• CB - Cambodia (CIA World Fact Book) • CM - Cameroon • CA - Canada • CV - Cape Verde • KY - Cayman Islands • CF - Central African Republic • TD - Chad • CL - Chile • CN - China • CX - Christmas Island • CC - Cocos (Keeling) Islands • CO - Colombia • KM - Comoros • CG - Congo • CD - Congo, Democratic Republic • CK - Cook Islands • CR - Costa Rica • CI - Cote D'Ivoire (Ivory Coast)

HR - Croatia (Hrvatska) CU - Cuba CY - Cyprus CZ - Czech Republic CS - Czechoslovakia (former) DK - Denmark DJ - Djibouti DM - Dominica DO - Dominican Republic TP - East Timor EC - Ecuador EG - Egypt SV - El Salvador GQ - Equatorial Guinea ER - Eritrea EE - Estonia ET - Ethiopia FK - Falkland Islands (Malvinas) FO - Faroe Islands FJ - Fiji FI - Finland FR - France FX - France, Metropolitan GF - French Guiana PF - French Polynesia TF - French Southern Territories MK - F.Y.R.O.M. (Macedonia) GA - Gabon GM - Gambia GE - Georgia DE - Germany GH - Ghana GI - Gibraltar GB - Great Britain (UK) GR - Greece GL - Greenland GD - Grenada GP - Guadeloupe GU - Guam GT - Guatemala GN - Guinea GW - Guinea-Bissau GY - Guyana HT - Haiti HM - Heard and McDonald Islands HN - Honduras HK - Hong Kong HU - Hungary IS - Iceland IN - India ID - Indonesia IR - Iran IQ - Iraq IE - Ireland IL - Israel

IT - Italy JM - Jamaica JP - Japan JO - Jordan KZ - Kazakhstan KE - Kenya KI - Kiribati KP - Korea (North) KR - Korea (South) KW - Kuwait KG - Kyrgyzstan LA - Laos LV - Latvia LB - Lebanon LI - Liechtenstein LR - Liberia LY - Libya LS - Lesotho LT - Lithuania LU - Luxembourg MO - Macau MG - Madagascar MW - Malawi MY - Malaysia MV - Maldives ML - Mali MT - Malta MH - Marshall Islands MQ - Martinique MR - Mauritania MU - Mauritius YT - Mayotte MX - Mexico FM - Micronesia MC - Monaco MD - Moldova MA - Morocco MN - Mongolia MS - Montserrat MZ - Mozambique MM - Myanmar NA - Namibia NR - Nauru NP - Nepal NL - Netherlands AN - Netherlands Antilles NT - Neutral Zone NC - New Caledonia NZ - New Zealand (Aotearoa) NI - Nicaragua NE - Niger NG - Nigeria NU - Niue NF - Norfolk Island MP - Northern Mariana Islands

NO - Norway OM - Oman PK - Pakistan PW - Palau PA - Panama PG - Papua New Guinea PY - Paraguay PE - Peru PH - Philippines PN - Pitcairn PL - Poland PT - Portugal PR - Puerto Rico QA - Qatar RE - Reunion RO - Romania RU - Russian Federation RW - Rwanda GS - S. Georgia and S. Sandwich Isls. KN - Saint Kitts and Nevis LC - Saint Lucia VC - Saint Vincent and the Grenadines WS - Samoa SM - San Marino ST - Sao Tome and Principe SA - Saudi Arabia SN - Senegal SC - Seychelles SL - Sierra Leone SG - Singapore SI - Slovenia SK - Slovak Republic Sb - Solomon Islands SO - Somalia ZA - South Africa ES - Spain LK - Sri Lanka SH - St. Helena PM - St. Pierre and Miquelon SD - Sudan SR - Suriname SJ - Svalbard and Jan Mayen Islands SZ - Swaziland SE - Sweden CH - Switzerland SY - Syria TW - Taiwan TJ - Tajikistan TZ - Tanzania TH - Thailand TG - Togo TK - Tokelau TO - Tonga TT - Trinidad and Tobago TN - Tunisia

TR - Turkey TM - Turkmenistan TC - Turks and Caicos Islands TV - Tuvalu UG - Uganda UA - Ukraine AE - United Arab Emirates UK - United Kingdom US - United States UM - US Minor Outlying Islands UY - Uruguay SU - USSR (former) UZ - Uzbekistan VU - Vanuatu VA - Vatican City State (Holy See) VE - Venezuela VN - Viet Nam VG - Virgin Islands (British) VI - Virgin Islands (U.S.) WF - Wallis and Futuna Islands EH - Western Sahara YE - Yemen YU - Yugoslavia ZM - Zambia (ZR - Zaire) - See CD Congo, Democratic Republic ZW - Zimbabwe

Phishing Demonstration

• Switch to Compromised PC.

What Can I Do?• Use Email and Common Sense:

• Never a “free” gift. (Too good to be true)• Do I know you?• Do I perform business with you?• I don’t remember applying for that?

• Opening Attachments:• Malware can be contained in:

• Word / Excel / Adobe pdf’s / Pictures• Usually asks to load the file• That is the clue, never allow an application to run !• Use: “Save As” Download file locally, scan for viruses before double

clicking.

Email Security Questions?

What Can I Do?• Change Your Passwords Frequently

• Use Complexity, not your dogs / Children / Birthdates• Personal FaceBook? Reveals Passwords by “Creeping” on your page.

• Do Not “AutoSave” or “Remember” Passwords In Browsers

• Ensure Anti Virus Is Installed• Auto update of definitions• Threat detection installed• IPS / not just IDS• Free AV will cost you in the long run!

• You get what you pay for

Windows Versions• Windows XP EOL / EOS

• April 8th, 2014 • No Auto Update / Reboot• Critical Patches Ceased• Call In Support Terminated• Windows 7 or 8.1

• 7 Is Very Compatible• 8.1 Is Better Version Than 8.0• Shock Factor / “Skins” Can Be Installed• classicshell.net Skin makes it look like XP or 7.

Financial Institution Controls• Many Online Security Measures Available

• Administration:• Dual Control (One user creates / edits users, another approves.• Administrators and users “Principal of Least Privilege” applies

• Minimal set of tools to perform your job, no more.

• IP Restriction – Can only log in from one location.• “Someplace you are” Authentication Mechanisms

• Day / Time Restrictions for access.

• Wires / ACH:• Dual Control: (One user creates a transaction, the other approves.)• Transaction Limits• Daily Limits• Email Alerts / Warns of transaction created or sent.

• Ensure information@yourfi.com is whitelisted in email.

Other Resources• Malwarebytes.org

• Anti-Malware Scanning Application• Free Version Download• Auto Update When Installed• Very Powerful Scanning Engine• Reveals “Cookies” and Temp Internet Files• Best Of Breed In “Free” Applications

Other Resources• Microsoft Removal Tools

• http://support.microsoft.com/botnets• http://support.microsoft.com/security/scanner/en-us/default.aspx

• Be Careful – Creates “Best Practices” On Your PC.• Firewall Turns On• Sets Up Automatic Update For Windows• Enables Internet Explorer’s Privacy Settings• Turns On User Account Control (UAC)• Cleans Out Your Internet Cache and Browsing History

• May Shut Off Other Applications• Seek I.T. Support If Available

Good Too Great• Current:

• SFA Tokens (number on display)• Cell Phone – SMS Texts a number to enter• “Sandbox” Application USB / Icon

• Near Future: (Here now)

• Remote Web Server will scan your computer. • Detect and report malware.• Prevent transaction from processing.• IBM PinPoint / Trusteer combination.

Smart Phone Payments• Is Using a Smart Phone Safe?

• Apple Apps are screened for malware and viruses • Droid Apps can contain malware and viruses

• Anti Virus available

Thank You!

• Malwarebytes.org• http://www.malwarebytes.org/

• Microsoft Removal Tools: • http://support.microsoft.com/botnets• http://support.microsoft.com/security/scanner/en-us/default.aspx

• Download This Presentation: • www.bradrand.com/presentations

• Windows Shell (Appearance of XP / Vista)• http://www.classicshell.net/