Read this article to the end if any of these situations applies to you:
- Your token screen is small (less than 40 characters). If you cannot see the transaction amount and the beneficiary customer name on your token, you are vulnerable: MITB (man-in-the-browser) malware can fool you!
- Or, you are using a hardened browser on a laptop/PC. A secure or hardened browser can protect you from MITB, but your computer can still be infected by a trojan, and a trojan can fake your computer's screen and keyboard, so your transactions are still vulnerable to computer trojans. Once the trojan impersonates your computer's screen, you can never know whether your laptop is truly running the hardened browser in the foreground, or whether it is running in the background while the trojan performs its own transaction instead of yours.
Internet banking trojans are so advanced that they can impersonate the computer screen, intercept whatever a user types on the keyboard, and intercept mouse clicks. This kind of trojan is known as a man-in-the-browser (MITB); although the trojan is not a real person, to the bank it appears like a real customer performing a valid transaction via internet banking. And the bad news is that banks in Indonesia are already under attack, with the infamous "sinkronisasi token" (token synchronisation) screen.
The big question is: is it still possible for a bank to provide secure online banking to its customers?
The answer is quite disruptive:
Yes it is! As long as the customer can authorize a transaction without trusting the computer screen, and can approve or reject a transaction without using the keyboard or mouse.
Since we can always attach a security device to a computer or iPad, it is not hard to imagine how to apply that answer in practice. Imagine a security device which can be attached to a computer/iPad via Bluetooth or the audio jack, and which meets these criteria:
- It must be read-only, so it can never be infected by a virus.
- It must have its own screen to display the transaction details, since we can no longer trust the computer screen
- It must have its own approve/reject buttons, since we can no longer trust the computer keyboard and mouse
- It must have its own secured communication channel, since we can no longer trust the browser
Digital Signature Token
A Digital Signature Token, sometimes called a Public Key Infrastructure Token (PKI Token), has a screen to display transaction details, an OK button to approve a transaction, and a Cancel button to reject it. Despite its simplicity, this kind of token is a giant leap in terms of security and convenience. However, it also has a limitation: it can only be used online, so it is only applicable to securing online transactions in internet banking or mobile banking, because the banking application has to be online as well.
When a Digital Signature Token is used to secure an online transaction, the end-user scenario is as follows:
- The customer submits the transaction details to the Internet Banking Portal
- The Internet Banking Portal calculates a hash of the transaction details, creates a Digital Signature over it using the Bank's Private Key, and returns both the Digital Signature and the Transaction Details to the customer
- If there is a trojan on the customer's computer, it still cannot change the Transaction Details, because the Bank's Private Key is never present on the customer's computer
- The Digital Signature Token validates the Digital Signature with the Bank's Public Key, and shows the transaction details on its own screen (not the computer screen)
- The customer presses OK to authorize the transaction, or Cancel to reject it
- The Digital Signature Token creates a Digital Signature using the Customer's Private Key, and transmits it over an encrypted channel
- If there is a trojan on the customer's computer, it still cannot create a valid signature, because the Customer's Private Key is stored inside the Digital Signature Token and is invisible to the computer itself.
- The bank validates the authorization with the Customer's Public Key; if it matches, the Bank executes the transaction
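The round trip above as an added example in Go (not the vendor's or the page's own code), using RSA-2048 with SHA-256 as the page lists: `Authorize` plays bank, PC and token in one process, where `submitted` is what the bank received (possibly swapped by a MITB), `shown` is whatever the PC forwards to the token, and `pressOK` is the button on the token itself. The `Transaction` layout and all function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Transaction is the detail set the bank hashes and signs; the field layout is a constructed assumption.
type Transaction struct{ Beneficiary, Amount string }

func (t Transaction) digest() []byte {
	h := sha256.Sum256([]byte(t.Beneficiary + "|" + t.Amount))
	return h[:]
}

// Sign and Verify wrap RSA PKCS#1 v1.5 over SHA-256; the bank and the token both use them.
func Sign(key *rsa.PrivateKey, tx Transaction) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, tx.digest())
}

func Verify(pub *rsa.PublicKey, tx Transaction, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, tx.digest(), sig) == nil
}

// Authorize runs the eight steps. submitted is what the bank received (a MITB may have altered it),
// shown is what the PC forwards to the token, pressOK is the button on the token itself.
// The token only displays details that carry a valid bank signature, and only signs with the
// customer's key after OK; neither private key ever leaves its owner, so the PC can forge nothing.
func Authorize(bank, cust *rsa.PrivateKey, submitted, shown Transaction, pressOK bool) (bool, error) {
	bankSig, err := Sign(bank, submitted) // step 2: bank signs the details it actually received
	if err != nil {
		return false, err
	}
	if !Verify(&bank.PublicKey, shown, bankSig) {
		return false, nil // step 4: token refuses to show details the bank never signed
	}
	if !pressOK {
		return false, nil // step 5: customer saw the real details on the token screen and pressed Cancel
	}
	custSig, err := Sign(cust, shown) // step 6: token signs with the customer's key
	if err != nil {
		return false, err
	}
	return Verify(&cust.PublicKey, submitted, custSig), nil // step 8: bank accepts only the customer's signature
}
```

A swapped beneficiary therefore either fails the bank-signature check at the token or is shown to the customer, who cancels; a trojan signing with its own key is rejected by the bank.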
Unlike legacy security tokens, which are prone to man-in-the-middle attacks and MITB, the Digital Signature Token requires no information from the computer screen and does not rely on the computer keyboard to authorize a transaction; therefore it has no such vulnerability so far, and will probably remain secure for the next few years.
PT Global Innovation Technology, an Internet Banking Token vendor in Jakarta, Indonesia, sells the Nexus Digital Signature Token with three data communication options:
- Bluetooth (wireless) for computers, smartphones, tablets and other smart devices, for users who prefer simple and convenient use
- USB cable for Windows and Mac, for users who are not comfortable with the security risk of wireless
- Audio jack for iPad/iPhone/Android users
The Nexus Digital Signature Token is built on top of proven protocols such as RSA-2048, AES, SHA-256, X.509v3, and IPSec/IKE. Nexus has been developing Public Key Infrastructure (PKI) for more than 15 years, and its PKI has been used as a national eID in many European Union countries.
Legacy Security Tokens
There are many Legacy Security Tokens on the market, including hardware tokens, software tokens, and mobile tokens. Some of these tokens are very well accepted in the Indonesian market, such as RSA SecurID, Vasco Digipass, and HID ActivIdentity. Although they come in various shapes, in general they serve only two important functions: the first is to authenticate the person, and the second is to authorize a transaction.
For authentication, legacy Security Tokens usually use a One Time Password (OTP), which counts as something the person has, so it complies with the two-factor authentication (2FA) standard. However, since the person is required to type the OTP on the computer's keyboard, it can easily be exploited by a man-in-the-middle (MITM) attack, or even worse a man-in-the-browser (MITB) attack if the computer has been infected by a trojan.
Authorization usually uses a challenge-response, which is mathematically very secure, but in practice it is still vulnerable to modern MITB trojans like Zeus, which attacked some major banks in Indonesia.
The common usage scenario when a customer uses a legacy Security Token can be described as follows:
- The customer submits the transaction details to the Internet Banking Portal
- The Internet Banking Portal calculates a challenge code, and displays both the transaction details and the challenge code on the customer's COMPUTER SCREEN
- If there is a trojan on the customer's computer, it can display a fake message such as "Sinkronisasi Token" and present a phishing challenge code that authorizes the fraudster's transaction instead
- The customer types the challenge code into the Security Token (based on what he/she sees on the computer screen; note that the computer may display a fake challenge code if it is infected with an impersonating trojan)
- The Security Token calculates the response code and displays it to the customer. However, the customer does not know whether the response code will be used to authorize his/her own transaction or the fraudster's
- The customer types the response code into the Internet Banking Portal (using his/her keyboard, from which the MITB trojan can steal it to authorize the trojan's transaction).
- If the response code is valid, the Bank executes the transaction. The bank never knows whether the response code comes from the real customer or from the trojan; it will execute the transaction as long as the response code matches the submitted transaction.
It can be concluded that the trojan can fool the customer, even though the Security Token itself is very secure. Since the man-in-the-browser can impersonate the Internet Banking Portal's screen, the customer cannot know whether the challenge code is tied to his/her transaction or to the trojan's transaction. And the response code is still typed on the native keyboard, so it can be stolen by the MITB trojan. At the end of the day, the fraudster still drains the customer's account, and soon the bank appears in the news headlines again.
A newer version of this token is the QR Code Token: it has a camera that can read the challenge code from the computer screen (which can still be impersonated by a trojan), which simplifies the user experience (step 3). However, the user still needs to type the response code into the Internet Banking Portal using his/her keyboard (from which the MITB trojan can steal it). So it does not help much.
On the other hand, the Digital Signature Token reads nothing from the computer screen (so it is immune to screen impersonation), and the transaction can only be authorized by the device's own OK button (so it is immune to key loggers). Therefore the Digital Signature Token is immune to Zeus and other MITB trojans.
So, would you keep using your legacy Security Tokens, and see your bank in the news headlines every time customers are robbed by a trojan?
Or would you adopt a new technology to conveniently protect your customers, and live peacefully for the next few years?