Phishing is supposed to be a scam that only the easily-duped fall for. An email turns up in someones inbox, written in English that only vaguely understands how to deploy the definite article, asking recipients to log on to an established banking website with which they may or may not have any relationship. The website is, of course, bogus but following the link risks handing over everything the scammer needs to access and possibly empty a bank account.
The technique continues to find victims but this sort of proxy or man-in-the-middle phishing is now considered pretty much old hat. Now the worry is about Trojans, such as the recent Banker AJ, which are able to phish transparently without the user being aware anything is amiss.
Once the PC has been compromised by such malware (typically also picked up by following a rogue email link) it hides until the point at which a user logs on to a particular online banking site. Users feel secure because they are accessing a legitimate website, little realising that their password and user name are being captured and their log-in screen dumped. Having retrieved the login information, thieves then attempt to empty the account.
The Banker AJ approach uses a form of attack, key-logging, that is not new. The clever part is that it combines this with a number of other attacks methods (the social engineering email) within one design. Banker AJ is most likely the first in a line of fully-fledged criminal software applications that exploit the woeful state of online security in an almost industrialised manner. The banks wont admit it in public but given that almost anyone could be a victim they must be concerned.
Barricades, but which ones?
A number of conventional defences can disrupt this attack. The obvious solution is to stop malware installing in the first place, either by intercepting the Trojan as it drops on to a machine or stopping the email vector for it from getting into a users inbox. These are all viable approaches but far from foolproof in an age where compromised PCs are now an everyday part of the Internet.
Better still is to secure the banking software side. Blue-chip security vendors such as RSA and Secure Computing have long advocated token-based two factor systems. These are identical in principle to the way a customer of a cash ATM uses both a PIN number (the equivalent of a password) and a unique cash card (the token), and work using one-time, time-limited codes. Good though PIN/tokens are, the technology comes at a price which has held back widespread adoption in all but the largest companies. Depending on the design, they also have some theoretical weaknesses.
A clever attempt to solve some of these issues has recently emerged in Bharosas v.Crypt system, launched very recently by the startup . In essence, it is a variation of the token-based method used by conventional two-factor systems, but with a number of interesting features that could make it more secure and affordable for todays banking environment.
The product, which claims to be able to stop phishing dead, is nonetheless a textbook example of how complex it will be to stop its evolution you have to constantly evolve any defence to take account of new attacks. Plugging one hole doesnt mean the phishers wont start focusing on a new weakness if better security elsewhere has made it cost-effective to do so.
How does it work? A website login page using the system (which installs as a web-server add-on) presents the user with a slider graphic of two rows of symbols in addition to the usual password and user name fields. The slider is used to enter a conventional pin number by lining up a chosen symbol (such as a triangle) that corresponds to the users PIN. This sounds elementary but it makes it impossible in principle for a phisher to extract any usable data because all that is actually transferred is a random relationship between the letter or number and a symbol expressed as a displacement in degrees.
This might make straightforward phishing almost impossible but what happens if the user is manipulated into giving away his or her PIN code? According to Bharosa, the system allows banks to specify actual symbols in the code which cant be represented by way of a keyboard, making it impossible for this data to be passed on through social engineering via email.
The idea of incorporating symbols into PINs provides an important extra level of protection because, faced with a banking system using Bharosa-like system, the alpha-numeric PIN becomes an obvious weakness. But what if the user is asked to choose the symbols from a list in a bogus email?
As a countermeasure, Bharosa says its array comprises 3,000 unique symbols, 1,000 of which are actually used for log-in with the remainder used as filler. The symbols, which are assigned to users algorithmically and require no management, cannot be force hacked because doing so would require having not only the symbol but locating this in the correct array of possibilities.
To help explain its system, Bharosa has set up a v.Crypt demonstration website which can be found by visiting this link .
The v.Crypt system is being promoted for use with ATM cash machines and mobile devices as well as through banking software, though in the case of cash points it might slow down queues a bit. CEO Jon Fisher maintains the system is being looked at in this context, however. According to Fisher, the cost for a bank with customers numbering in the hundreds of thousands would work out at between 25 cents and a dollar per head. Scale to millions and price would obviously drop further.
Bharosas system would undoubtedly increase online banking security from todays laughably insecure log-ins. We suspect the phishers would then up the ante by attempting social engineering PIN theft they are not going to give up easily. That would make it likely that symbol-oriented log-ins would then become necessary and so the war would continue.
It is probably the case that Bharosas v.Crypt design or something resembling it is now inevitable as long as phishing continues on its trajectory from amateur scam to industrial crime. Sites not using such a technology could find themselves in big trouble because they will become the weak point. Then again, there are already plenty of experts who think that is is too easy to make a living out of phishing and the time to act is now.