My Yahoo account hacked!

Last week my Yahoo account was hacked. I didn’t realise it until some people asked me why I was sending them some funny URLs. I still don’t know what was sent though I’m half-afraid it’s something pornographic :(

Identity theft is something I read and wrote about some time back, and this is the second time it has hit me. Although generally I’m quite relaxed with my identity and credentials, this has taught me to be more cautious about my accounts and my general outlook on security.

There were some reports of phishing in some local and foreign banks, particularly Citibank and OCBC. As I have written before, phishing is only the tip of the iceberg; nastier things lurk at the bottom of that particular cesspool. It’s been some time since I wrote about that, maybe I’ll continue that again.
You’ll never know who’s out there, waiting for you to make that misstep, waiting to pounce on your mistakes.

CardsAsia::Payment World 2006

Was at the CardsAsia today, some pretty interesting topics discussed during the conference. The exhibition was disappointing though — it was much smaller than I thought, and there were practically no terminal vendors or card vendors. Ingenico, Hypercom, Verifone etc were all missing, Gemplus, Axalto, G&D, Oberthur weren’t there at all.

The conference items were an eye opener though. More in another post. In the meantime, took a snapshot of the Asian payment bootcamp session, which had Aneace as a moderator.

[Securing Internet Banking] Part 5 – Trojan Attacks

In Greek mythology, the Greeks tricked the Trojans into believing they had won the war by building a large wooden horse outside the city and hiding in it. When the Trojan soldiers celebrated their victory by carrying the horse into the city, the Greeks launched a surprise attack from within the city and destroyed Troy. Trojan attacks on computer systems are based loosely on the same principle and are often just as deadly.

The Trojan can be in any form – executable application code, music files, documents, emails or even images, with the sole purpose of getting the unsuspecting bank customer to install or execute or view it on his personal computer. Trojan attacks can be directly obvious, for example, attachments in emails that promise something ‘exciting’ found in the file (usually with pornographic connotations). The file attachments can be executable applications or common file formats such as Word or Excel, MP3 audio files or even JPG images[1]. Another common way for Trojans to gain entry is to pretend to be useful software (including shareware, open source software and even normal commercial software that comes on CDs) or plug-ins or file viewers. Any method that can propagate viruses can also be used to propagate a Trojan in the system. The Trojan can even start its life as a worm or a virus and replicate itself throughout a network, so the entry point might not be obvious.

As Trojans are only the carriers, the real harm is usually done by the Trojan’s payload. Common Trojan payloads include viruses, worms, rootkits, keyloggers and screenloggers. Trojans are a generic tool used by hackers to penetrate computer systems, and their intent varies in the payload that comes with the Trojan. The earlier Trojans were mostly used to propagate viruses that cause immediate damage (by deleting files or defacing web sites or launching denial-of-service attacks) but these have eventually moved on to more insidious theft-based eavesdropping attacks that cause financial damage. While virus-based Trojans are usually generic and widespread with the intention of spreading to as many systems as possible, eavesdropping Trojans are usually more specific. In a recent case in Israel, a married couple was arrested for corporate espionage using Trojans[2]. Such Trojans are harder to detect as they are geared towards a specific environment and cannot be normally detected by anti-virus or anti-spyware applications.

Eavesdropping Trojans are usually offline attacks – the Trojan captures information on the computer and stores or sends it for later use by the hacker. For Internet banking systems, eavesdropping Trojans are an obvious threat to the bank customer’s personal computer as they compromise the integrity of the communications between the Internet banking system and the bank customer. According to the Anti-Phishing Working Group (APWG), there were 180 unique phishing-based Trojans (keyloggers) and 1912 websites spreading password-stealing Trojans detected and recorded by APWG researchers in December 2005 alone[3]. A report released by Counterpane Internet Security and MessageLabs in March 2006 found that financial services and banking industry organizations suffered the largest percentage of Trojan attacks in 2005 with close to 40 percent of all Trojans focussed on them[4].

Keyloggers are a common payload in Trojans. Keyloggers monitor the keys that are pressed at the breached computer. They are typically used to trap data that is keyed in at the computer and to relay the information to the hacker. Many keyloggers use a feature in Microsoft’s Internet Explorer called Browser Helper Object (BHO) to detect the sites that are visited in order to collect the needed set of data. Keyloggers, like remote monitoring software, are not inherently malicious. In fact, many keyloggers are sold as commercial software for legitimate purposes such as monitoring and controlling a network of personal computers within a corporate environment. For example, it is ironic that the software ‘Perfect Keylogger’ used by the teenage hacker in Singapore described below is software that is sold commercially for security purposes[5]. Screenloggers are a variant of keyloggers that capture the screen as well as the keystrokes, and are basically used to overcome counter-keylogging measures that display on-screen security features.

A rootkit is a set of software tools used by intruders to conceal their activities after the computer has been compromised. Rootkits help the intruders to maintain their access to the system without the owner’s knowledge. Trojans that install rootkits often install other payloads and use the rootkits to prevent detection. Rootkits are also often used in the creation of botnets or zombie networks of computers captured by hackers. Such botnets are often used in launching other attacks such as phishing or sending out spam mails.

A recent infamous Trojan is the Sony rootkit controversy[6]. A piece of software called Extended Copy Protection (XCP) used for copyright protection and digital rights management in audio CDs was used on some audio CDs that were distributed by Sony BMG. In this case, if a user attempts to play the music on a Windows system, XCP will be installed in the computer without knowledge or permission from the user. It will then remain resident in the user’s system, intercepting all accesses of the CD drive to prevent any media player or ripper software other than the one included with the CD from accessing the music tracks of the Sony CD. More ominously, it also alters the operating system registry settings, which renders the CD drive inoperable if any attempts are made to remove the software. While the controversy drags into messy legal disputes, it is worth noting that Trojans do not necessarily come from hackers across the Internet. If instead of DRM software an audio (or video) CD or DVD installs other malicious software such as keyloggers or screenloggers, the entire system can be compromised. It does not take large leaps of creativity to imagine some teenager or child popping a nice looking CD he gets from a schoolmate into the family personal computer, leading to identity theft and security breaches.

Another trick used by Trojans works more insidiously. When a user clicks on a hyperlink to an Internet website or types in the URL of the site, the web browser asks the operating system to translate the host name in the URL into a set of numeric IP addresses that are the ‘real’ addresses used by the network to find the correct server. The operating system first checks a local hosts file to see if a local translation is available. If it is not (and that is usually the case unless the website is part of the Intranet), it asks the nearest Domain Name Server for a translation. Some Trojans modify the local hosts file to add a redirection to a phishing site. For example, if the bank customer types the bank’s address and the hosts file has been ‘poisoned’ to redirect to a phishing site, the bank customer will not be able to tell that it is not the correct web site. With a simple command to remove itself after the attack, this attack is almost invisible. When paired with an efficient phishing site, these hosts file poisoning attacks are extremely dangerous.
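A defender's check for the hosts file poisoning described above, as an added example that is not part of the original post: it parses hosts-file text and reports every entry that overrides DNS for a watched banking domain. The watch list, the `bank.example` names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed sample: a hosts file in which line 5 has been injected.
SAMPLE_HOSTS = """\
# local name overrides
127.0.0.1       localhost
::1             localhost
10.0.0.15       intranet.corp.example   # legitimate intranet mapping
203.0.113.77    www.bank.example login.bank.example
0.0.0.0         ads.tracker.example
"""

# Hypothetical watch list: domains that should only ever be resolved via DNS.
WATCHED = {"bank.example"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each mapping line in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank line or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a valid mapping line
        # Host names are case-insensitive and may carry a trailing dot.
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]


def is_watched(name, watched):
    """True if name is a watched domain or any sub-domain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_overrides(text, watched=WATCHED):
    """Return one finding per watched name that the hosts file overrides."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if is_watched(name, watched):
                findings.append({
                    "line": line_no,
                    "host": name,
                    "ip": str(ip),
                    # A routable address silently redirects the customer;
                    # loopback or 0.0.0.0 only blocks access to the site.
                    "redirect": not (ip.is_loopback or ip.is_unspecified),
                })
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS):
        kind = "REDIRECT" if f["redirect"] else "blocked"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({kind})")
```

Because the entry can be removed again after the attack, a single scan can miss it; running the check whenever the file changes, and keeping a record of the file's contents over time, narrows that window.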

Trojans are so common that they have even been offered as packaged software. Researchers from PandaLabs found a system that offers a custom-made Trojan for sale[7]. For only US$990, the system offers a personalized Trojan, complete with tech support. If the file is discovered, the designer provides a guarantee to alter it so that it may continue to avoid detection from updated antivirus software.

Another sobering fact is that Trojans are not only installed from malicious websites but are often injected by friends or someone the user knows and normally trusts. In a recent case in Singapore[8], a teenager invited some friends via email to play some computer games that embedded a keylogger. Using this Trojan the teenager managed to acquire the Internet banking user names and passwords from his friends and successfully paid his phone bills using his friend’s account.

[1] See Declan McCullagh, Robert Lemos, Trojan horse exploits image flaw (September 2004) at


[3] See Phishing Attack Trends Report – December 2005 at



[6] See Mark Russinovich, Sony, Rootkits and Digital Rights Management Gone Too Far (October 2005) at

[7] See Peter Pollack, Malware moves up, goes commercial, Arstechnica (Feb 2006) at


[Securing Internet Banking] Part 4 – Phishing

Phishing is probably the most well-known and familiar method used to compromise Internet banking sites. The Gartner Group estimated the direct phishing-related loss to US banks in 2003 to be $1.2 billion, though indirect losses are much higher. The word ‘phishing’ comes from the analogy that Internet scammers are using email lures to ‘fish’ for passwords and financial data from the sea of Internet users[1]. The term was coined around 1996 by crackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users[2].

There are various phishing methods but at a basic level phishing tries to get the Internet user to reveal personal, financial or password information by pretending to be something else. The phisher will usually pretend to be the official website of the bank or organization and try to persuade the Internet user, by fear, by threat or by working on his greed, to reveal his personal details.

A typical trick is to send an official looking email or instant message to a bank customer that links to a website that looks like the actual Internet banking application, but is in fact, a replica of it. The replica is designed to steal passwords when the bank customer tries to log into the Internet banking application. The replica can be exactly the same as the original website down to the images that are linked directly from the original website. The only difference could be that any forms submitted from that website would be posted to a different application than expected, which will harvest the personal and confidential information of the bank customer.

Figure 1 – Typical phishing attack

If done well, the bank customer will not even realise that he has been ‘phished’ as the fake application will redirect him to the real application. Phishing is not unique to Internet banking – it is widespread in many Internet-based applications including PayPal and eBay and the information that is phished varies from credit card numbers to bank account numbers to identification numbers such as social security or passport numbers.

Most methods of phishing use some form of diversionary deception that tricks the user to believe that the email or website belongs to the actual organization. Phishers often use misspelled URLs such as or sub-domains. Another common trick uses the @ symbol. In the URL syntax the @ divides the actual URL from a username and password. A casual observer might assume that this is the bank’s website whereas it is actually the scam website, which replicates the bank’s website. A variant of this trick inserts a null or other unprintable character before the @ symbol, which prevents the host information from being displayed at the address bar. These methods have since been closed off in the new browsers. In a simpler trick, some phishers do not even put in a URL, instead they use an IP address, which normal Internet users will not check for its validity.

Type of deception Example
Misspelled URL
Using @
Using @ with null (will be shown as
Using IP address http://

Table 1 – Common URL deceptions

These methods work on some users because links are usually (and are designed to be) clicked rather than typed, and there is no necessary correlation between the text shown on the website and the actual link that it will go to when clicked, other than a small status bar display at the bottom of the browser.

Slightly more sophisticated tricks use JavaScript, the client-side scripting language used by many web applications, for various kinds of deceptive hiding or camouflage. For example, the phisher might use the onMouseOver event handler to show a fake URL in the status bar. Other tricks with JavaScript include closing the address bar while the fake site contains a very similar looking ‘address bar’ that is in fact part of the web page, or even opening another smaller browser window that completely covers the address bar.

Another related phishing attack is IDN spoofing or a homograph attack[3]. IDN stands for internationalized domain name and is a method that allows characters other than English ones to be displayed as the domain name of the website. However, in some languages the characters look the same as an English character but in fact represent a different character. For example, газета.ру is the Cyrillic equivalent of The Russian letters а,е,р,у are indistinguishable in writing from their English counterparts. Some of the letters (such as a) are close etymologically, while others look similar by sheer coincidence. For instance, Russian letter р is actually pronounced like English r, but the glyphs of the two letters are identical. This leads to situations where the URL might look the same on the browser but in fact are completely different websites!
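The URL deceptions listed in Table 1 and the homograph attack described above can each be detected mechanically from the link target alone. The following checker is an added example, not code from the original paper; the allowlist, the `bank.example` host and the flag names are assumptions made for illustration.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allowlist of the bank's genuine hostnames (assumption).
KNOWN_HOSTS = {"www.bank.example"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss (misspelled) hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_unicode(label):
    """Decode an xn-- (punycode) label so it is judged by what the user sees."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def scripts(label):
    """Scripts used by the letters of a label, taken from their Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def check_url(url, known=KNOWN_HOSTS):
    """Return the list of deception indicators found in one link target."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.username is not None:
        flags.append("userinfo")        # text before '@' is not the host
    if re.search(r"[\x00-\x1f]|%[01][0-9a-fA-F]", parts.netloc):
        flags.append("control-char")    # null or unprintable character near '@'
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal")      # raw IP address instead of a name
        return flags
    except ValueError:
        pass
    labels = [to_unicode(label) for label in host.split(".")]
    if any(not label.isascii() for label in labels):
        flags.append("idn")             # internationalized domain name
    if any(len(scripts(label)) > 1 for label in labels):
        flags.append("mixed-script")    # e.g. Latin and Cyrillic in one label
    shown = ".".join(labels)
    if shown not in known and any(0 < edit_distance(shown, k) <= 2 for k in known):
        flags.append("lookalike")       # within two edits of a genuine host
    return flags


if __name__ == "__main__":
    # Constructed sample links; \u0430 is CYRILLIC SMALL LETTER A.
    for link in ["https://www.bank.example/login",
                 "http://www.bank.example@203.0.113.9/login",
                 "http://www.bamk.example/",
                 "http://www.b\u0430nk.example/"]:
        print(link.encode("unicode_escape").decode(), check_url(link))
```

A mail gateway or web proxy can apply the same checks to the `href` of each link, which is the value that matters, rather than to the text the message displays for it.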

Many people make the mistake of assuming that phishing attacks on Internet banking services do not cause harm if no unauthorized transactions or funds transfers occur. Funds transfers are probably the lesser harm because generally if money is taken from an account, the account owner will likely know relatively quickly and act to stop the transfer or prevent further harm. Also, funds transfers will normally go to another bank account and are often traceable and recoverable.

The greater harm comes in the form of identity theft activities. The phished account might be used for money laundering or other illegal activities. Other information might also be extracted such as credit card information, account and personal information. There is also evidence that ATM cards are falsely reproduced from information ‘phished’ from the unsuspecting victim[4]. The kind of damage and the extent of the damage are not immediately evident and can be dormant for a long period of time, which makes it very difficult to trace and stop these illegal activities. For example, money can be transferred from a larger corporate account that is compromised to more than one phished account, after which ATM card transactions and withdrawals can be made throughout the country or even outside of the country using cross-border electronic funds transfer facilities such as PLUS or Maestro.

Phishers usually actively target multiple systems and organizations at the same time, and are well organized[5]. There is also evidence that organized crime is getting increasingly active in phishing and a thriving market for phished data trading exists[6]. Amateur phishers who were previously balked by their inability to convert the data to monetary benefits are now able to Phishing was originally predominantly by amateurs and adolescents, but this activity has ‘grown up’ and is considered one of the more dangerous online security threats[7].

[1] From Word Spy at

[2] From the Anti-Phishing Working Group at

[3] See Evgeniy Gabrilovich and Alex Gontmakher (February 2002). The Homograph Attack. Communications of the ACM 45(2): 128 and Johanson, Eric. The State of Homograph Attacks Rev1.1. The Shmoo Group. URL accessed on August 11, 2005.

[4] See Christopher Abad, The Economy of Phishing : A survey of the operations of the phishing market (2005) at

[5] See The Honeypot Project & Research Alliance, Know Your Enemy: Phishing (2005) at

[6] Id.

[7] See the Anti-Phishing Working Group at

[Securing Internet Banking] Part 3 – Rationale and Risks

The banking industry could be seen as an odd bedfellow when read together with the Internet. Banks are generally known to be conservative, highly sensitive to security and risk-averse, and to value stability and reliability. The Internet on the other hand moves at such a high speed that it prompted the term ‘Internet time’ to be coined. The Internet is usually unsecured, mostly uncontrolled by any single authority, often unreliable and generally seems to be the antithesis of everything banks symbolise.

So it is surprising to note that Internet banking services today form a large bulk of the activities on the Internet. In a survey done by Eurostat in 2003[1], about 40% of all Internet users in Europe use Internet banking. This is in comparison with email, which leads at 80%.

There could be a number of reasons why Internet banking became successful. Firstly, for the customer Internet banking is an incredible innovation that simplifies the process of transacting with the bank. Previously, a bank customer needed to physically appear before a bank teller in a branch during his office working hours (meaning he would either need to sneak out or take some time off). Internet banking on the other hand can be done anytime, anywhere. Convenience is probably the most compelling reason for bank customers, driving them to adopt this new technology with relish.

For the bank, there are a few evident reasons. As their customers increasingly demand convenience, it is inevitable that the banks need to bow to their wishes and move into this direction or be edged out by their competition. The fear of being left behind alone is a main driver behind many banks’ move to the Internet banking services.

At the same time, Internet banking allows the banks to extend their current market and to reach out to more customers where previously it would not have been possible without incurring high costs. Traditionally banks are limited by their geographical coverage and their operations increase exponentially as their branches are located further and further away. Internet banking on the other hand is without any real boundaries other than the legal and regulatory restrictions that prevent banks from operating in multiple countries without the approval of each country.

However, the most compelling reason for banks to move into Internet banking is probably the allure of a significant cost reduction in providing the banking services. In 1996 Booz-Allen and Hamilton conducted a survey in the US and found that the cost of a full banking transaction over the counter was $1.07 while it was 54 cents via the telephone, 27 cents for an ATM but only 1 cent for Internet banking[2]!

However, as with most things, the benefits of Internet banking are a two-edged sword and come with a different set of risks that were previously not significant to the banks. As the geographical reach of the bank increases through Internet banking, it becomes more challenging to verify their customers and make good credit decisions. The business case for Internet banking services, especially for Internet-only banks, remains unproven[3] as banks struggle with unforeseen operational costs and issues that they were familiar with.

Regulatory issues on Internet banking are mostly unclear at this point in time, which increases the overall risk of doing business on the Internet. For example, much of the existing legislation around the world still treats Internet banking alongside ATM or phone banking. The bank’s liabilities concerning Internet banking are still unclear today as well. In cases of fraud and security breaches, the liabilities of the bank customer and the bank are still a matter of contention. To protect the consumer, most governments tend to shield the bank customers from any negative effects even though bank-customer contracts usually disclaim liability. In any case, any negative issues with a reputed bank’s Internet banking services will usually drag its name and its brand through the mud. For the bigger and more prestigious traditional banks, this poses a tremendous risk of damage to their brand assets.

Most banks do not have significant expertise on Internet technologies or in implementing and maintaining an Internet banking application. Unfortunately it is also true for most organizations – enterprise-level Internet applications are relatively new and sophisticated. One of the most serious risks faced by the banks however is the issue of securing access to the Internet banking services.

The tremendous number of banking transactions that occur daily over a medium that is basically unregulated is an open invitation for criminal and fraudulent activities. In a 2003 survey of financial institutions around the world, 39 percent of respondents said their computer systems had been ‘compromised’ in some way the previous year.[4]

[1] See Christopher Demunter, Internet use in Europe: security and trust (2005)

[2] Booz-Allen & Hamilton, “Consumer Demand for Internet Banking” (1996)

[3] Robert DeYoung, “The Performance of Internet-Based Business Models: Evidence from the Banking Industry,” Journal of Business, University of Chicago Press, vol. 78(3), pages 893-948. (2005)

[4] See Laura Bruce, Online banking security: Who’s minding the vault?,

[Securing Internet Banking] Part 2 – Internet banking

This paper defines Internet banking as systems that enable bank customers to access banking products and services over an Internet enabled terminal[1]. Internet banking is also known as online banking, e-banking, web-based banking and electronic banking. While some literature has differentiated banks that operate primarily or mostly over the Internet (Internet banks) from traditional banks that offer Internet banking services as part of its overall set of services, Internet banking services in this paper refers to the services themselves and therefore covers both.

Internet banking is a relatively recent phenomenon and has had uneven growth throughout the world. Different countries and regions have reacted differently to the onset of Internet banking, according to their infrastructure capabilities and their existing banking environment. Before Internet banking was prevalent, home banking using the PC was a service provided by some banks. In PC banking, the bank customer performs his banking transactions using proprietary software that dials into the bank’s private network via a modem. Data is exchanged by the client software on the PC and the server at the bank. In comparison, Internet banking services use web browsers to access the bank’s servers which are on the Internet, a public network.

During the Internet boom years, Wells Fargo became the first bank to offer Internet-based banking services in 1995 and Security First Network Bank became the first Internet-only bank in October 1995. Today, most conventional banks of a reasonable size offer some form of Internet banking service.

Typical banking services provided by an Internet banking service provider are:

· Balance enquiry – information on the current account balances

· Funds transfer – transferring money from one account to another, which can possibly include accounts in another bank

· Bill presentment – viewing bank-related billing information (typically credit card)

· Bill payment – paying bills (typically recurrent bills e.g. utilities such as mobile phone or cable)

· Loans/accounts application – initiating the application process for banking products

· Investment activity – investment related banking services such as paying for shares

[1] See US Comptroller of Currency, Administrator of National Banks, Internet Banking – Comptroller’s Handbook (1999), Jaqueline Marcucci, “The Brave New World of Banking on the Internet: The Revolution of Our Banking Practices”, Nova Law Review, (1999), Monetary Authority of Singapore, Internet Banking Technology Risk Management Guidelines (2003) for alternate definitions.

[Securing Internet Banking] Part 1 – Introduction

Not long ago, the commonplace banking experience for the man-in-the-street consisted entirely of walking to the nearest branch of the bank, queuing up with other bank customers and, when it was your turn, giving instructions to the clerk behind the counter. Your instructions were verbal and direct to the clerk, and any unclear instructions were clarified on the spot and performed immediately. The clerk knew who you were because you held your bank account book, and your requests were confirmed by your signature, which was compared to one that was available to the bank. Bank branches were the one stop shop for all banking services.

Although this has not changed, development of technology has moved retail banking services beyond the physical branch into phone banking, 24-hour ATM banking, Internet banking and mobile banking through the mobile phone. The bank branch is no longer the only means of interacting with the bank, although for many banks it is still the primary means. In particular, Internet banking has extended the reach of the bank users tremendously, pushing away borders and limitations of location. For example in 2001, only 4% out of all banking transactions in Europe were conducted on the Internet compared with 79% with a visit to the bank branch[1]. In 2003, this has risen to 20% compared with 30%[2]. In another study by Ipsos-Reid[3] — compiled from more than 6,600 interviews across 12 countries — usage of Internet banking nearly doubled from 20 percent in 2000 to 37 percent in 2002. In the same study it was observed that Internet banking is most prevalent in Canada, the U.K., Germany and the U.S., where more than 40% of Internet users had banked online.

As a result of these changes, the banking services have been transformed and the established procedures that the banks used to manage the services in the bank branches can no longer apply to these newly transformed services. One such process that has changed drastically is how the bank authenticates an account holder, that is, how a bank knows if the person who requests a banking service is who he says he is. Although the goal of authenticating the account holder is similar, the process by which a bank recognizes a valid account holder is completely different. For example, the account holder is no longer physically present at all, yet can be at any place around the world as long as he is connected. Also, as the Internet never closes, the service request can occur at any time of the day. At the same time, the regulatory and legal framework under which these new services are offered is relatively new and not well explored. The risks and liabilities faced by the banks and the account holders are still not fully established.

This paper examines the authentication process with Internet banking, focussing on retail Internet banking, that is, banking for mass consumers as opposed to banking for companies and corporations. The topics discussed and explored in this paper range from the possible security risks faced by the banks, to current implementations of the authentication process, to various strategies that can be used and their strengths and weaknesses. The regulatory and legal issues are also explored in brief to describe a more complete picture of this aspect of Internet banking. The liabilities of the bank and the account holder are discussed and analysed.

[1] Datamonitor, eBanking Strategies in Europe 2002 (2001)

[2] Forrester 2003, also see Deutsche Bank Research, E-Banking Snapshot (2003) at

[3] See Ipsos-Reid, Beyond Surfing: E-commerce and Banking Surge (2003) at