By Pedro Fortuna, Co-founder and CTO Jscrambler
How would you know if your users were being compromised on the client-side whilst logging on to their bank account online? How confident can you be that the content and components they are seeing and interacting with are precisely the ones that you deployed for them? Up until now, it has been difficult to know for sure. The many advances in security techniques have proved to be successful in protecting the server side from cybercriminals. However, hackers are now increasingly targeting the end users on the client side of applications. Man-in-the-Browser (MITB) attacks, for example, are worryingly very much underestimated by e-banking organizations. This lack of preparation and understanding on behalf of many financial organizations results in unsafe web platforms and exploited customers. Bad news on both fronts if you consider the potential reputational damage and financial losses incurred.
So what actually happens then in a typical MITB attack? In most cases, users are completely unaware that they have had their device infected with malware (a Trojan), which is usually injected by a phishing campaign, a malicious browser extension or some kind of social engineering offensive. It stays silently in the background, waiting for the user to visit a target website. When this happens the Trojan, which is embedded in the browser, can start to harvest sensitive information. Users remain unaware of the attack, as their interactions appear to be valid and true. Similarly, the bank remains equally in the dark as the user appears to be behaving normally and no red flags appeared at the login stage.
These attacks set out to commit some kind of financial extortion whether it ’s to steal credentials or data such as a user’s credit card information – and this can still happen even if other authentication factors are in play. Banks must not underestimate the reputational damage that such incursions can inflict. Customers need to feel reassured that they can access e-banking services via safe and secure technology platforms. Building and maintaining trust is critical for those organizations operating in the financial services sector.
Ironically, even though banking Trojans have been around for a decade or so, most banks still lack the tools that would give them the correct level of insight into the frequency and scale of such intrusions. The degree of bank hacking activities seems never-ending; indeed, gangs are looking to hack bitcoin and cryptocurrency exchanges these days, still using a good old man in the browser techniques though.
So what then can banks do to protect the browser side of their e-banking services? How can banks protect users who are accessing their online banking sites using their computers and devices that might well be compromised without their knowledge?
Fraud monitoring can offer some help. If a bank is screening transactions then they might detect that something is awry. However, if an attacker is simply waiting for the user to carry out a transaction and then only modifying the destination account number, this activity will not trigger anything. Similarly, bot detection or behavior-based detection will yield no results as the user is commanding the navigation. Everything will seem normal. How about device fingerprinting or
geo-location? Unfortunately, these cannot be considered viable solutions because, under such attacks, the user is using their own device in its usual location.
What about a totally different approach then? For example, you could monitor the application in real-time for modifications to the DOM, to Native APIs, and to events. Since anything could be potentially malicious, a whitelisting approach combined with machine learning is needed in order to tackle false positives. Such a system can generate real-time notifications to the backend of the application, with useful data that can drive automated responses.
The proposition of application real-time monitoring provides solid defense. It can detect changes produced by MITB (as well as other injection/tampering attacks such as MITM, malicious extensions, malicious or compromised third-party modules). It does n’t matter how these attacks are implemented, this approach works by detecting changes made to the web page without user knowledge. It allows financial institutions to react in real-time by having set policies in place that act upon the alerts in the metadata. It also detects zero-day threats.
These days banks have no excuses for getting security right across all access points. The financial losses stemming from cyber attacks can be severe and the damage to both reputation and brand could potentially prove to be even more so.
About the Author
Co-Founder and CTO of Jscrambler, where he leads the application security research activities and lays out the technical vision for all the products developed by the company. Pedro holds a degree in Computing Engineering and an MSc in Computer Networks and has more than a decade of experience researching and working in the application security area. He is a regular speaker at cybersecurity conferences and software development events, including multiple-time speaker at OWASP events. His research interests lie in the fields of Application Security, Reverse Engineering, Malware, and Software Engineering. Pedro is also the author of several patents in application security. Pedro can be reached online at email@example.com and at the company website www.jscrambler.com