So a long time ago (25 years ago actually!) in a research centre not so far away, I helped to write a paper that described an old Internet banking hack, outlined how the authentication systems that were used by browser-based internet banking applications could be bypassed and presented some options for reducing the corresponding level of risk. Now, 25 years on I’ve just finished reading a really good report (written just a few months ago actually!) about some recent attacks using keyboard loggers to enable Internet banking credential theft. The report, which I summarise below, is great and as I found myself remembering our old Internet banking hack, memories of the good old days came flooding back!
Anyhow, I guess we were a bit naive at the time as rather than thanking us for demonstrating the vulnerabilities (as we had hoped), the bank rep became quite angry, apparently thinking the on-line (LAN-only, and air-gapped) Darth Vader demo had actually stolen money from his account.
Ah well, the follies of youth.
You can read the paper here but in summary my co-author Dean wrote code that used two techniques in order to capture the internet banking users credentials:
Remember that the keyboard could be anywhere on the screen for any mouse click but even so, the final captures looked something like this:
Each circle showed an image of the screen that was centred on the location of the cursor when the user clicked their mouse button; in the above example, the user’s PIN would have been 4435. I expect that it would have been possible to push the images through some image-processing scripts to convert the captures to a string but that wasn’t the point: The point was that we had the credentials and it was very cool indeed!
And although we did not mention web browsers in our paper, today’s browsers are leaps and bounds ahead of those of the late 90s and typically support features like Web Cryptography APIs, Content Security Policy (CSP), Same-Origin Policy (SOP), and Sandboxed iframes.
So considering all these solutions, why are we still 25 years later, talking about screen-scraping credential stealers?
I think it’s because security “solutions” that focus on just one vulnerability have never worked (except in some really special, physically-controlled environments), and never will work. Our paper focused solely on strong authentication (and supporting) mechanisms which is fine because that’s all we were interested in at the time. But no single mechanism (strong authentication included) will prevent the kind of attack described in the Proofpoint report.
So what will work? Well funnily enough, the same as what worked in 1998! A risk-driven approach that relies on well-accepted and understood, holistic security frameworks, standards or guidelines, all of which cover off on topics like:
Of course, a complete framework will also include other important considerations such as encryption for data both in transit and at rest; regular updates and patching; security awareness training and testing; and intrusion detection and prevention systems using extensive log-collection and analysis.
But which framework to choose?
My PhD supervisor was Professor Kerry Raymond, a great teacher and mentor. And as she cheerfully explained back in about ‘94, “The best thing about standards is that there are so many to choose from!” Aside: She also had this sign behind her, facing the door, so you could not miss it when you approached her desk. I loved that sign!
So, what we recommend is to use the CIS Essential Controls, in conjunction with selected controls from the Australian Privacy Principles (APPs), and some GRC-related controls from Annex A of ISO/IEC 27001:2022. It’s our view that this approach will allow an organisation to take advantage of the best features of the standards and frameworks listed above, while also overcoming any shortcomings that exist in each individual case.
But that’s enough for now, and so we’ll come back to discuss our preferred mix of controls in another blog post.
It was certainly interesting to read the Proofpoint report and remember the old DSTC paper from 1998. DSTC was a great organisation full of very clever people, and it was nice to think about it again and to find scraps of the old days still there on the WayBack Machine!
Which brings me to the end of this post: I got to start off with some reminiscing about credential-theft demos, and then finish up with some sermonising about control frameworks.
What a day! There have to be some benefits to growing older you know! 🙂