Beating the Man-in-the-browser with a ZTIC
Posted by Gunter Ollmann on October 29, 2008 at 11:33 AM EDT.
For those of you that aren’t already in the know, there’s a more insidious specialization of the classic man-in-the-middle attack that focuses on inserting an attacker’s code (typically a scriptable proxy technology) into a Web browser – ultimately usurping core functionality of the browser, and allowing the attacker to view and manipulate any in-bound and out-bound data going to and from it.
This type of attack has picked up the name of “man-in-the-browser”, and has been increasingly popular with banking Trojans since it first reared its ugly head a couple of years back.
The malware out there today that implements man-in-the-browser functionality to target banking customers is extremely advanced, and is capable of bypassing practically all existing authentication and authorization processes that require the banking customer to interface directly through the browser (e.g. typing in passwords, answering questions, etc.). Through a mix of social engineering and complex Web application design, the attackers have even constructed ways of defeating multi-factor and out-of-band authentication systems.
Note: the state-of-the-art banking Trojans were discussed in my presentation at OWASP last month. You can access the presentation here.
So, if this threat is already so advanced, what can be done? Well, my colleagues over at the IBM Research labs in Zurich have come up with a pretty good solution – beating the man-in-the-browser with a ZTIC!
The ZTIC
The ZTIC (standing for "Zone Trusted Information Channel") is a specialized USB security device designed to handle the secure communications of transactions (and their authorization) with the customer’s bank – essentially bypassing the customer’s infected PC.
Migrating key parts of the customer’s authentication and subsequent authorization of banking transactions away from the Web browser makes it impossible for a banking Trojan (and its man-in-the-browser proxy functionality) to view or modify that data. Because the ZTIC also encrypts the communications with its own SSL/TLS processing internal to the device, the confidential communication cannot be altered or observed through more classic man-in-the-middle vectors either.

What I also really like about this solution is the fact that it not only looks pretty cool (ok, so I like the LCD display showing the transaction approval), but it also has some pretty simple buttons for allowing/disallowing any transaction the banking application is trying to make – thereby making it obvious to the banking customer precisely which transaction they are validating (which is really important! – check out the OWASP presentation as to why).
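The property described above – the customer approves, on a display the malware cannot touch, exactly the transaction the bank will execute – modelled in Python as an added example. This is not IBM’s ZTIC code; the shared key, account numbers, message format and the use of an HMAC as the approval token are constructed assumptions for the model.

```python
import hmac
import hashlib
import json

# Constructed secret: in the model it lives in the device/smartcard, so
# malware on the PC never sees it (assumption, not a statement about IBM's design).
DEVICE_KEY = b"constructed-device-key-0001"


def canonical(tx: dict) -> bytes:
    """Fixed serialization so device and bank MAC/verify identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def device_approve(bank_view: dict, customer_intent: dict, key: bytes = DEVICE_KEY):
    """Model of the ZTIC step: the device shows what the BANK received on its
    own LCD; the customer presses 'approve' only if it matches what they typed.
    The approval is a MAC over the displayed data, so it cannot be reused for
    a different payee or amount."""
    display = f"Pay {bank_view['amount']} {bank_view['currency']} to {bank_view['to']}"
    if bank_view != customer_intent:  # customer sees a mismatch and presses 'reject'
        return display, None
    return display, hmac.new(key, canonical(bank_view), hashlib.sha256).hexdigest()


def bank_execute(bank_view: dict, approval, key: bytes = DEVICE_KEY) -> bool:
    """The bank executes only transactions carrying a valid approval for
    exactly the data it is about to act on."""
    if approval is None:
        return False
    expected = hmac.new(key, canonical(bank_view), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)


def man_in_the_browser(tx: dict) -> dict:
    """Model of the MitB rewrite: the browser silently swaps the payee after
    the customer has filled in the form (constructed account value)."""
    return {**tx, "to": "ATTACKER-ACCT-000"}


def run(customer_intent: dict, infected: bool) -> dict:
    submitted = man_in_the_browser(customer_intent) if infected else dict(customer_intent)
    display, approval = device_approve(submitted, customer_intent)
    return {"displayed": display, "executed": bank_execute(submitted, approval)}


INTENT = {"to": "DE00-CONSTRUCTED-1234", "amount": "250.00", "currency": "EUR"}

if __name__ == "__main__":
    print(run(INTENT, infected=False))  # executed: True
    print(run(INTENT, infected=True))   # executed: False, display shows the swapped payee
```

On the infected run the device’s display line names the attacker’s account rather than the one the customer typed, which is exactly the cue the buttons exist to act on.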
Another key component of the device is the fact that it is smartcard friendly, so it can also take advantage of much stronger authentication processes than those legacy passwords that banks still insist upon.
Finally, I also like the fact that it was designed to be secure from conception as well as highly flexible – meaning that, in principle, you could use the same device for managing multiple bank accounts (since, as a customer of multiple banks myself, the thought of having to carry around a separate authentication device for each and every bank – like a keychain – would suck).

It’s a new invention which I hope to see my own banks taking up in the future – because I’m not a great fan of those Chip&PIN calculator devices (which can already be defeated with man-in-the-browser attack vectors), nor those other out-of-band authorization systems that still have customers trying to key in data from one device to another; making it incredibly complex for the average customer.
Overall, I wish that online banking was just more secure and that those banking applications were less vulnerable to man-in-the-browser attack vectors (which really leverage social engineering to be successful).
So, in the meantime, while I’d rather not have to carry around another bit of 21st Century gadgetry everywhere I go, this is the best invention so far that I’ve seen in this banking space – for a threat to which all of today’s online banking customers are exposed.

