On-line Banking - which way?

Discussion in 'other anti-malware software' started by AaLF, Sep 23, 2012.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I tried Trusteer on my XP x86 SP3 installation and it noticeably affected performance, both browser and non-browser. And I have 8 GB of memory, although XP will only use 3 GB of that. After fooling around for a while with solutions their tech support offered, I dumped it.

    If you want a lightweight solution, get Zemana AntiLogger. I picked up my copy for $17 US and there always seem to be free giveaways for it. Check out the Malware Research Group web site for their latest tests on banking security software. Less than a handful passed and Zemana was one of them.

    http://www.mrg-effitas.com/current-tests/
     

  2. No troll. Look up the Comodo & DigiNotar hacks. Trusteer cannot protect you against these types of attacks. Plus multiple router hacks that give you MiTM capabilities. Nothing can help you with those hacks.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi,

    Can you explain in detail how such a MiTM attack works to compromise a home user?

    thanks,


    ----
    rich
     
  4. https://www.owasp.org/images/2/21/Main_the_middle.JPG

    OWASP has a good explanation. I doubt Trusteer can be effective in such instances where CAs are compromised.
     
    Last edited by a moderator: Sep 28, 2012
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In keeping with the topic of on-line banking, how could I be compromised by this type of attack when going to my banking site?

    thanks,


    ----
    rich
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'll check in tomorrow for your description of being compromised when doing on-line banking.

    Meanwhile, I'll just say that speaking for myself as a home user, I've not been too concerned about such an attack. But I'm always open for further enlightenment.

    One reference:


    http://www.windowsecurity.com/articles/understanding-man-in-the-middle-attacks-arp-part3.html
    ----
    rich
     
  7. guest

    guest Guest

    Can you prove it? Or do we have to assume that everything you imagine is true?
    Trusteer says that they protect against MITM and they have proved it (see the blog); you say they don't because...?

    Do they need to hack my router, the bank's router/firewall...? It would probably be easier, cheaper, safer and faster to go to your house and put a gun to your head.

     
    Last edited by a moderator: Sep 28, 2012
  8. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    As a home user, I'm more than content with DefenseWall's banking & shopping browser. It's a bonus feature in the DefenseWall package. Besides, one look at my account balance would see a hacker move off to greener pastures.
     
  9. Because it's just common sense. I don't believe that anybody can mitigate MiTM attacks despite what the AV companies/Trusteer say. If it's a valid hacked cert you will be MiTM'd.

    Cisco/Cyberoam have come out with some huge bugs lately that gave the attacker the ability to MitM you. So if the router is compromised you won't have a chance. If you log in behind a VPN you can also get MiTM'd. PPTP has huge bugs in it and there is no easy workaround.

    You also have things like SSLstrip to sniff SSL connections; if you want proof, look at what Moxie Marlinspike did with his Tor relay. And then you have keyloggers, which I doubt Trusteer can help you with.

    Then you have things like the BEAST attack and problems with SSL's compression bug which has just been announced.
     
  10. guest

    guest Guest

    Trusteer mitigates and prevents MITM attacks, but of course nothing is 100%. For all the methods you mention you don't need malware, you need a professional hacker dedicated day and night only to you. BTW, hacking a router is not something trivial; even if it has a bug that you can't exploit, that doesn't mean that you can control it, or that you won't be blocked by some other security method in the network: NIDPS (network-based intrusion detection and prevention systems), NBA (network behavior analysis), virtualized routers, whitelisted IPs...

    Keylogging and kernel keylogging are blocked by Trusteer through encryption.

    And please stop saying what Trusteer is able to do or not and read at least the following links.
    http://www.trusteer.com/support/user-guide/3.5.1201/index.htm#375.htm
    http://www.trusteer.com/support/user-guide/3.5.1201/index.htm#305.htm
    http://www.trusteer.com/support/user-guide/3.5.1201/index.htm#786.htm
     
    Last edited by a moderator: Sep 28, 2012
  11. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,
    To answer to the original question first.
    From a statistical point of view, reliable online banking/shopping is possible without the listed products (DW, Trusteer, BD/Avast).
    Simply by using a liveCD, specialized or not, or an alternative (Linux, OpenBSD etc) or exotic (AROS, Haiku etc) operating system.

    Now with which software, and which one is better than others...well...that seriously does not matter.
    For a critical task like online banking, all the process must be secured.
    But as many factors are involved, it is virtually impossible to circumscribe all the possible threats (malware and attacks) that could occur during this critical task.

    The minimum requirement is of course to begin the banking task from a clean machine.
    For the average user, that means the need for an antivirus, even if they are far from being able to certify that a PC is 100% clean.
    DW is a modern and reliable HIPS, and Trusteer a Security as a Service solution based on a browser-focused HIPS.
    It is possible for DW users to get the same features as Trusteer by using a VPN, plus some browsers security addons against phishing, pharming etc.
    Again and again, the most important is not which software you use, especially when these softs have a good reputation, but what kind of protection your bank uses to secure the transaction/shopping/banking process.
    For more reliability, a hardware token authentication factor is a must, and is provided to financial institutions by some specialised companies.
    I can mention Vasco, Entrust, IronKey or IdenTrust for instance:
    http://www.vasco.com/verticals/banking/onlinebanking.aspx
    http://www.entrust.com/strong-authentication/identityguard/
    https://www.ironkey.com/trusted-access-banking
    https://www.identrust.com/banks/index.html
    The latest generation of SpyEye for instance includes a kind of SMS authentication spoofing.

    Now regarding Trusteer and its evangelists...well...i would not recommend it as a first line defense.
    Bypassing and defeating its protection is not a real challenge.
    A member of Kernelmodeboard has already posted a way and video
    http://www.google.com/search?q=trusteer rapport and false sence of security
    Some security blogs have reported in the past that some malware was able to bypass it or integrated an anti-Trusteer trick:
    http://securityblog.s21sec.com/2010/04/killing-enemy.html
    http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html
    Now if we are like some Trusteer evangelists and believe everything vendors say, then I am wondering why Trusteer has been released at all, considering that antivirus vendors have claimed for years and years how powerful their products are...
    It is up to Trusteer to forget marketing blah blah and become as serious as Google and MST by providing a Trusteer vulnerability prize instead...

    Regarding possible MitM attacks suggested by ComputerSaysNo, I personally say yes...discussed a few weeks ago in a Unix/Linux topic...
    More on the latest Defcon talk:
    https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
    Already known in France: http://esec-pentest.sogeti.com/challenge-vpn-network/decipher-mppe-breaking-ms-chap-v2
    CRIME attack by a Google guy: http://www.ekoparty.org//2012/thai-duong.php
    Moreover, SSLstrip, known by any BackTrack user, might be considered quite obsolete compared with the latest MitM frameworks...
    But here again, even if the threats are significant, the banking process can be reliable provided the user has seriously taken his host security into consideration by using a good AV, a HIPS, and surfing with caution (encrypted sockets, hardened browser settings, a virtual keyboard etc).
    More on this topic:
    https://www.wilderssecurity.com/showthread.php?t=323371&highlight=On-line Banking
    https://www.wilderssecurity.com/showthread.php?t=310963&highlight=On-line Banking
    https://www.wilderssecurity.com/showthread.php?t=330438&highlight=livecd paranoid

    Nice to see the teacher from California posting here again :)

    rgds
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Same here with being content with DefenseWall's banking & shopping protection.

    And one look at my balance, a hacker would probably make a donation. :D
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I installed Trusteer on my laptop. However, Avast Pro and Trusteer have a conflict using the Avast Sandbox.
    Jerry
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have attended numerous security seminars over the years and also seen multiple Internet articles that say the same thing; there is no such thing as safe Internet banking. The major banks want you to believe Internet banking is safe since they save millions of dollars by using the Internet.

    The best one can do is use a PC with a recently loaded OS and a stripped-down browser with no add-ons or anything else loaded. Set the browser home page to your bank's home page. Clear everything (browser cookies, temp files, etc.) before and after each banking session. Physically connect to the Internet prior to each Internet banking session and immediately disconnect after the session ends.

    And most important, do not install anything on this PC other than the OS and browser. Paid AV is optional since you're only connecting to one site. No free stuff; almost all of them have tracking software. Do not use the PC for anything other than Internet banking. Do not connect any external devices to the PC other than keyboard, mouse, and maybe a printer if you trust the manufacturer's drivers.

    Extreme but safe. Also a use for all those old PCs you have lying around collecting dust.:D
     
  15. guest

    guest Guest

    @kareldjag

    Talking about evangelist xD

    1) Nobody mentioned Trusteer Rapport as the only line of defense or first line of defense; if you have any other alternative, and a free one, let us know.
    2) Regarding those attacks that you mentioned about how trivial it is to bypass TR (jaja), which makes you look like a pro: one of them is 2 years old and it's already fixed (a few days after being reported), and the other is 1 year old and the only thing it was able to do is prevent Trusteer Rapport from being installed (already fixed); in any case it wasn't able to bypass Trusteer Rapport if it was already installed.

    So please at least the next time try to read what you post here, so we don't need to deal with obsolete news.

    Nobody has said that Trusteer rapport blocks the 100% of banking attacks.
    Trusteer Rapport is quite explicit about what it is able to do and what not; instead of imagining what it does, read the links that I posted previously.
     
    Last edited by a moderator: Sep 29, 2012
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Will someone explain in her/his own words, how I can be a victim of an online banking attack when I log on from my home computer to my bank's web site. Details of the attack, please.

    thanks,


    ----
    rich
     
    Last edited: Sep 29, 2012
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    The feeling I get is most people think it can't be that easy to avoid a banking attack. BTW, I suggested this valid and sensible approach in another thread, but it seems to lack the dramatic appeal necessary to warrant attention :D
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, yes, your approach is sensible.

    Perhaps the reason it doesn't warrant much attention is that many people don't really know how they can become a victim of an online banking attack, so can't refute your sensible approach.

    Perhaps that's the reason others haven't detailed attacks in their own words, as I asked above.

    And so, many will rely on security products that purport to create a safe online banking session. There is nothing wrong with that. Much of security is having a comforting peace of mind, and we like to feel that our security measures give us the necessary protection we want.

    For myself as a home user, I've simplified what I know about online banking attacks into two categories:

    1) Those where the user is already compromised with malware. I cited in an earlier post, the trusteerrapport.com summary of the various attacks in this category.

    I've noticed that some of the products that offer online banking protection have a HIPS component that would prevent such malware from infecting in the first place, which, of course, is the ideal approach.

    Such products would prevent the Zeus banking trojan in this scenario:

    Zeus (Trojan horse)
    http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)
    This article also notes that Zeus is spread via phishing schemes. Other social engineering tricks can be included in this category.

    2) Redirection to a bogus site, where the cybercriminals trick the user into thinking it's the legitimate financial site.

    A common technique used in this type of attack is DNS spoofing/poisoning, aka, Pharming:

    DNS spoofing
    http://en.wikipedia.org/wiki/DNS_spoofing#Cache_poisoning_attacks

    Most articles on prevention address the DNS problem itself:

    DNS Cache Poisoning and Prevention
    http://techtrigger.wordpress.com/2012/01/11/dns-cache-poisoning-and-prevention/
    Even Google addresses the problem at the name server level:

    Introduction: DNS security threats and mitigations
    https://developers.google.com/speed/public-dns/docs/security
    But I have no control over this, and must rely on trusting at the DNS level, whether trusting the ISP's DNS, or some other, such as Open DNS.

    A very simple preventative measure for me has been to use my firewall browser rules.

    I create two Browser rules,

    • #1, for everyday use, where the Browser can connect out unrestricted

    • #2, which uses a Custom Address Group containing the specific IP addresses for my financial sites.
    Before connecting to my Banking Site, I disable Browser Rule #1, so that any attempted redirection to an IP address not authorized by the firewall will be flagged by my Browser Rule #2.

    To demonstrate, I disable Browser Rule #1 and attempt to connect to Wilders:

    [screenshot: kerio_redirect.jpg]

    Since Wilders is not in my Custom Group of IP addresses, the firewall alerts.

    (Astute readers will note that a firewall Custom Address Group is a White List)

    By contrast:

    Poisoning “Pharming” Attack Hits Santander Bank Customers
    http://blog.ironkey.com/?p=1305
    Brazilian bank targeted by phishing site and DNS poisoning
    http://research.zscaler.com/2011/07/brazilian-bank-targeted-by-phishing.html
    Related to this is the use of rogue CA certificates, which was in the news earlier this year:

    Creating a rogue CA certificate
    http://www.win.tue.nl/hashclash/rogue-ca/
    But if such a scheme was somehow used when I connected to my banking web site, I assume the attack would stop at the redirection phase, and I wouldn't see the rogue CA certificate at all.

    I'm open to correction on that assumption.

    There is a lot of alarmist literature on the topic of online banking attacks. For better or worse, as a Home User, I've not gotten too excited about it.

    I recall one of my favorite quotes. It's from "Beyond Fear" by Bruce Schneier:


    regards,


    ----
    rich
     
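    The two-rule firewall setup described in the post above, as an added example that is not Rmus's own code or any firewall product's: a "banking mode" check that only allows a bank hostname to connect to addresses pinned in a custom address group and flags everything else, so a poisoned DNS answer for the bank's hostname, or a stray connection to a non-bank site, produces an alert. The hostnames, address ranges and resolver answers are constructed for the example (documentation ranges, not any real bank's).

```python
"""Banking-mode egress allowlist check (added example, not from the thread).

Models the two browser rules from the post above: Rule #1 is unrestricted
browsing; Rule #2 allows only destinations inside a custom address group
pinned for each financial site. With Rule #1 disabled, a redirection of the
bank hostname to an unlisted address is exactly what gets flagged.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed allowlist: hypothetical bank hostname, RFC 5737 / RFC 3849
# documentation address ranges. Not any real bank's infrastructure.
BANK_ALLOWLIST: Dict[str, List[str]] = {
    "online.bank.example": ["203.0.113.0/28", "2001:db8:10::/48"],
}


def classify(host: str, resolved_ip: str, allowlist=BANK_ALLOWLIST,
             banking_mode: bool = True) -> Tuple[str, str]:
    """Return ("allow" | "alert", reason) for one outbound browser connection.

    banking_mode=False is Rule #1 alone (everything allowed);
    banking_mode=True is Rule #2 alone (pinned address group only).
    """
    ip = ipaddress.ip_address(resolved_ip)
    if not banking_mode:
        return "allow", "rule #1: unrestricted browsing"
    if host not in allowlist:
        return "alert", f"{host} is not a whitelisted financial site"
    pinned = [ipaddress.ip_network(c) for c in allowlist[host]]
    if any(ip in net for net in pinned):
        return "allow", f"{host} -> {ip} is inside the pinned address group"
    # Right hostname, wrong address: from the firewall's point of view this is
    # what a pharming / DNS cache poisoning redirection looks like.
    return "alert", f"{host} resolved to {ip}, outside the pinned address group"


# Constructed resolver answers (hostname, answer) as seen during banking mode.
SAMPLE_RESOLUTIONS = [
    ("online.bank.example", "203.0.113.7"),          # legitimate answer
    ("online.bank.example", "198.51.100.23"),        # poisoned answer
    ("www.wilderssecurity.example", "192.0.2.10"),   # not a bank site
]


def audit(resolutions, allowlist=BANK_ALLOWLIST) -> List[Tuple[str, str, str]]:
    """Run classify() over resolver answers and return only the alerts."""
    alerts = []
    for host, ip in resolutions:
        verdict, reason = classify(host, ip, allowlist)
        if verdict == "alert":
            alerts.append((host, ip, reason))
    return alerts


if __name__ == "__main__":
    for host, ip, reason in audit(SAMPLE_RESOLUTIONS):
        print(f"ALERT {host} {ip}: {reason}")
```

    As the post notes, this is a whitelist: it catches redirection to an unlisted address but says nothing about a certificate presented by a host that is inside the pinned group.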
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Rmus

    Hi, i've posted in & started a number of threads over the years about MITM attacks, & as yet have failed to receive 100% info on how to totally prevent it :(

    A great idea IMO would be for someone, or some vendor, to provide a dedicated MITM www that we could test our comps/settings/apps etc against. I've mentioned this before but got NO response from vendors. Makes me wonder why ? :D This would be an ideal way of Proving their claims, or not :) Up to now, NO takers ! Once again, why not ?

    Certain apps like WSA check the DNS to discover whether or not it's correct, but it would be nice to confirm it with a test www.

    Certs can & have been faked, as we know :eek: Most of the time i don't expect them to be, but if one or more are, the normal indicators etc would fail. So how to detect those ?

    How about creating a new thread to explore All this further ? :thumb:
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    The bank I deal with offers 100% reimbursement for unauthorized transactions, and all I have to do is follow a few basic steps, not even including banking from home only:

    -http://www.rbcroyalbank.com/online/online-banking-security-guarantee.html

    Clearly they must not be overly concerned about rampant mitm attacks.

    Is it really necessary to boot off a specialized Linux disk or mobilize an elaborate concoction of security tools for home online banking?
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    As I understand it from trusteer.com, the tester would have to have malware already installed for MiTM and MiTB attacks to work:


    http://www.trusteer.com/Solutions/man-in-the-middle-mitm


    If I can prevent, with the firewall, redirection away from my bank's site, a DNS spoofing attack fails.

    Speaking for myself: If I have protection for the attacks in the two categories I listed in a previous post, what more is there to explore?

    (Of course, I may have missed something!)

    ----
    rich
     
    Last edited: Sep 30, 2012
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    One can answer this question academically, and prove that it is not really necessary.

    Yet, psychology is a huge factor in security of any type, and often determines the preventative measures one takes.

    Look at houses on a street: some have barred windows and metal security screen doors. Others do not.

    Same thing with computer security, and computer security vendors play the psychology game as do vendors selling home security.

    Same thing with insurance, extended warranties, and the like.

    We take the preventative measures necessary for us to feel comfortable and secure.


    ----
    rich
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I would take that guarantee with a grain of salt. The web is full of articles on how banks weaseled out of reimbursing funds. If the amount lost is substantial, the first thing they will demand is that their computer forensics expert examine your PC for malware. And guess what, they will find something. If you have the money to fight their high-priced and powerful attorneys in court, you might have a chance of getting part of the money back. But after legal fees, you will probably be out more money.
     
  24. guest

    guest Guest

  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.