Information Security Threats in the Financial Industry Universitas Bina Darma Palembang – 20 June 2014 Digit Oktavianto digit dot oktavianto at gmail dot com
IT Security Enthusiast (Opreker) Member of Indonesian Honeynet Chapter Member OWASP Indonesian Chapter Linux Activist (KPLI Jakarta) IT Security Consultant
Who? Commercial Banking Service Investment Service Foreign Exchange Service Insurance Leasing Service Stock Exchange
Worldwide Issue : Phishing Malware Banking (PC, Mobile) ATM Hacking ATM Skimming Attack on Infrastructure (Server, Application) Attack on third party service (Merchant, Payment Gateway)
Local Issue : Phishing ATM Skimming Malware Banking (Recent Issue) Insider Threat (Disgruntled Employee)
Account Takeover › Phishing › Malware End Point Infrastructure Attack › ATM Skimming › ATM Hacking Third Party Payment Process Breach › EDC Vendor › Payment Gateway › Disgruntled Employee Mobile Banking Exploitation › Fake Mobile Apps › Malware in Mobile Device Attack on Infrastructure Server › Attacking Ibanking Server › DDoS
Who is attacking you and why?
Phishing › Always starts from › Usually announces a system change or a fix, and asks you to click the link included in the › Usually also includes an attachment › The referral link in the body or the attachment is usually a fake URL of the bank concerned, but when clicked its appearance is exactly the same as that bank's
How it Works?
How it works? Capture your data from your card Capture your PIN Information
How it works? › Operating System Vulnerability › Malware › Insider Threat
What are they doing? Keylogging Form data capture Screen captures and video recording Injection of fraudulent form fields Injection of fraudulent websites Redirecting of banking websites Man-in-the-middle technique (Man In The Browser)
How it works? You are infected by an Exploit Kit The Exploit Kit brings a Botnet / Banking Trojan to your computer The Banking Trojan monitors everything you do on the Internet, including your online banking and credit card transactions The Banking Trojan records everything you type in, including user IDs, passwords, bank account numbers, credit card and PIN numbers, and sends them back to the cybercriminal's computer, where the information is stored in a sophisticated database The Banking Trojan steals your one-time password from the hardware token or the two-factor authentication SMS.
Scenario : 1. You log in to the internet banking website. MITB malware can detect which bank you are using (case study: targeted customers in Indonesia) 2. When your browser processes the internet banking website, the Trojan intercepts it and injects JavaScript into your browser (Man In The Browser), intercepting your username + password
Transaction Scenario : The transaction procedure for the internet banking service at most banks uses a hardware token 1. Customer A wants to transfer to Customer B. 2. Cust A enters the destination account number and the transaction amount 3. At the step where the bank asks Cust A to enter the challenge key shown on the website, Cust A enters that challenge key into the hardware token. The response output from the hardware token is entered into the transaction PIN field.
At step 3 the malware intercepts the data in the browser. The last 4 digits of the challenge key issued should be the last 4 digits of the recipient's account, but because the destination account number has already been changed, the destination that was originally B is changed to C. Account C is the bad guy's account. Customers must be aware that when a challenge code is shown on the internet banking website, its last 4 digits must match the last 4 digits of the intended recipient's account; the first 4 digits are supposed to be random digits, so what must be checked is the last 4 digits of the challenge code shown.
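The transaction scenario above, as an added example that is not part of the original slides: a small model of the challenge-response flow in which the bank binds the last 4 digits of the destination account into the challenge, the hardware token answers it, and the customer performs the check the deck describes before typing the response. The challenge layout (4 random digits + 4 account digits), the token's HMAC computation, the account numbers and the token secret are all constructed assumptions for illustration, not any bank's real scheme; the Man In The Browser step is modelled only as the destination field arriving at the bank different from what the customer intended.

```python
import hashlib
import hmac
import secrets


def build_challenge(destination_account: str) -> str:
    """Bank side (assumed layout from the slides): 4 random digits followed by the
    last 4 digits of the destination account the bank is about to execute."""
    random_part = f"{secrets.randbelow(10_000):04d}"
    return random_part + destination_account[-4:]


def token_response(token_secret: bytes, challenge: str) -> str:
    """Hypothetical hardware token: a 6-digit response derived from the challenge
    with an HMAC over the token's secret seed (stand-in for a real token algorithm)."""
    mac = hmac.new(token_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def customer_check(challenge: str, intended_account: str) -> bool:
    """The check the deck tells customers to do before answering the challenge:
    the last 4 digits of the challenge must equal the last 4 digits of the
    recipient the customer actually meant to pay."""
    return challenge[-4:] == intended_account[-4:]


def bank_verify(token_secret: bytes, challenge: str, response: str,
                destination_account: str) -> bool:
    """Bank side: the response must be valid for a challenge that is bound to the
    destination account being executed. compare_digest avoids timing leaks."""
    bound_to_destination = challenge[-4:] == destination_account[-4:]
    expected = token_response(token_secret, challenge)
    return bound_to_destination and hmac.compare_digest(expected, response)


def simulate_transfer(token_secret: bytes, intended_account: str,
                      submitted_account: str) -> tuple:
    """Run one transfer. intended_account is what the customer typed;
    submitted_account is what reaches the bank after the browser (the two differ
    when a Man In The Browser Trojan has rewritten the field).
    Returns (customer_check_passed, bank_accepted)."""
    challenge = build_challenge(submitted_account)
    if not customer_check(challenge, intended_account):
        # The customer notices the challenge tail does not match the recipient
        # and does not feed the challenge to the token: nothing is signed.
        return (False, False)
    response = token_response(token_secret, challenge)
    return (True, bank_verify(token_secret, challenge, response, submitted_account))


if __name__ == "__main__":
    seed = b"constructed-token-seed"          # constructed sample secret
    customer_b = "1234567890"                 # constructed account of Customer B
    account_c = "5555559999"                  # constructed account of the bad guy
    print("honest transfer:", simulate_transfer(seed, customer_b, customer_b))
    print("destination rewritten in browser:", simulate_transfer(seed, customer_b, account_c))
```

The honest run yields (True, True); the rewritten run yields (False, False) because the challenge the bank shows carries the tail of account C, not of Customer B, so an attentive customer stops before the token ever produces a response. The check covers only four digits, which is why it belongs alongside the server-side measures on the later slides (fraud management, transaction policy) rather than replacing them.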
For End User / Customer : Keep your operating system and applications fully patched Make sure your anti-virus definitions, which the software uses to detect new strains of malware, are always up to date. Use Web content filters that block ads. Many anti-virus suites now incorporate this feature. The most important : Information Security Awareness
For Financial Industry : Protect end point infrastructure › Update / patch OS and applications in ATM machines › Add new technology to prevent ATM skimming › Enhance physical security protection Create policy to strengthen security features in Internet Banking transactions Implement fraud management to detect anomalous behavior in customer transactions Assess / Audit third party partners to make sure there is no “hole” in their infrastructure
For Financial Industry : Perform audit and assessment of the infrastructure and applications Enhance the security perimeter to detect and prevent the “bad guy” Perform security monitoring for threats to the infrastructure Educate users / customers about information security awareness
Q & A