Internet Security Systems - AlertCon(TM)

OWASP 2008 - “Multidisciplinary Bank Attacks”

Posted by Gunter Ollmann on August 28, 2008 at 12:37 PM EDT.

In case you haven’t already noticed, the OWASP AppSec 2008 conference is now less than a month away. If you’re into the cutting edge of Web application security, then this is the conference you really should be attending. While the big conferences like Blackhat and RSA are a security professional’s Mecca, they only touch lightly upon what’s really happening in the AppSec world – the New York OWASP conference is where you’ll see and hear about the latest Web application attacks, threats and mitigation strategies.

I’ll be there for the two-day conference (September 24th to 25th) – in fact I can’t really escape attending, as I’ll be speaking on the first day and IBM is a sponsor of the event.

There are a whole bundle of talks I’m planning on attending this year. The ones of most interest to me include Arian Evans’ “Threading the needle” (because I’m interested in evasion techniques and have published quite a bit on the topic over many years), Daniel Cuthbert’s “OWASP Testing Guide – Offensive Assessing Financial Applications” (because I’m always interested in seeing which methodology components others emphasize, and it relates a little to my talk as well), Arshan Dabirsiaghi’s “Next Generation Cross Site Scripting Worms” (because I want to make sure we already preemptively protect against all these automated vectors) and Tyler Hudak’s “Automated Web-based Malware Behavioral Analysis” (because the title sounds interesting and maybe relevant – but there are no real details, so I hope it doesn’t prove to be an irrelevant history lesson).

My Talk

So, my talk at the OWASP conference is going to be a little different from the norm. Sure, it’ll have all the scary real-threat examples that I’m notorious for, and will probably have several people questioning whether they should use a Web browser to access their online banking accounts ever again, but ideally it'll also have people rethinking their banking application design.

The talk I’ll be giving, titled “Multidisciplinary Bank Attacks”, concerns the paradigm shift that is necessary for banks to really begin to counter today’s real-world threats against the customers using their online services. While the talk is oriented towards the security professionals responsible for the assessment and penetration testing of online banking portals, it’ll be heavily weighted towards understanding how and why malware attack vectors are so successful – and why all this multi-factor, out-of-band authentication hoopla has been pretty much defeated for quite some time and is largely irrelevant to the cybercriminals.

“Multidisciplinary Bank Attacks” will cover how malware running on a bank customer’s computer needs to be factored into the way the security of an online banking portal is assessed, and the types of Web application design that can help mitigate degrees of the threat. It’s not about how to use malware during a penetration test, but about how the page’s construction and poor application logic can increase the likelihood of customer fraud.

There’ll be an element of how multi-factor authentication technologies are currently defeated, the same for the out-of-band validation technologies, along with the newer fund transfer transaction signing systems. The “trick” is really in understanding how social engineering is combined with man-in-the-browser technologies to shim the banking portal pages, and factoring in how customers trust page elements for validation.

One thing’s for sure, the attendees will be learning lots of new stuff – some of it scary, but lots of things that can be directly applied to the next generation of online banking application security.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.