Only the Easiest Way is the Secure Way

As security professionals we often look "just" for the most secure way to implement a task, and we tend to forget the user along the way. I once visited a customer who showed me their ultimately secure solution for using the VPN and reading mail:

  • Boot the computer

  • Log on

  • Start Virtual PC

  • Start the secure OS

  • Log on

  • Within the secure OS, open VPN

  • Within the secure OS, start the mail client

Show me the average user who understands what I just described. And the next question follows immediately: how do you transfer data from the "secure" VM to your own machine? I know it can be done, but how do you explain it to the average user…

A similar problem is being discussed with the banks: the least trustworthy part of Internet banking is outside the bank's control, namely the user and the user's PC. So how do we address this? In Western Europe two-factor authentication is definitely the standard, and it addresses at least part of the phishing problem, but the attacks get more and more sophisticated: we see targeted Trojans aimed at one single bank that install a browser add-in and perform a man-in-the-middle attack inside the browser, after the user has authenticated, so the second factor does not help. How do you address that? The banks are thinking about virtualization, which brings us back to the scenario described above, and you will definitely lose my mother as a customer because she will not understand what to do. Internet banking is a huge saving for the banks, so they are really reluctant to change anything on their side that would drive customers back to traditional banking; they would rather risk losing some money.
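As an added example that is not from the original post, here is a toy Python model of the attack just described: a bank protected by a login OTP, the user's token, and a malicious browser add-in that passes the two-factor login through untouched and then rides the authenticated session to push a hidden transfer. The bank, the token secret, the password and the account numbers are all constructed for the example. The last run goes beyond the text: it shows what changes when the second factor is bound to the payee and amount instead of to the login (transaction signing), which the post itself does not propose.

```python
"""Toy model of an in-browser man-in-the-middle against two-factor banking.

Added example, not code from the original post. Everything here is constructed
in-process (no real bank protocol, keys or accounts) to show that a login OTP
proves who is logging in but says nothing about which transactions follow, and
that a code bound to the transaction details shuts the add-in out even though
it controls the session.
"""
import hashlib
import hmac
from typing import List, Optional, Set, Tuple

# Constructed fixtures: a toy token secret, password and account numbers.
TOKEN_SECRET = b"toy-secret-shared-by-bank-and-token"
PASSWORD = "correct horse"
PAYEE = "CH00-2222"          # where the user really wants to pay
MULE_ACCOUNT = "CH00-9999"   # attacker-controlled destination


def _six_digits(msg: bytes) -> str:
    """Truncate an HMAC to a six-digit code, as a hardware token would display."""
    mac = hmac.new(TOKEN_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def login_otp(counter: int) -> str:
    """Event-based login OTP: depends only on a counter, not on any transaction."""
    return _six_digits(b"login|" + str(counter).encode())


def transaction_code(dest: str, amount: int) -> str:
    """Transaction-signing code computed over the payee and amount that the
    user confirms on the token's own display."""
    return _six_digits(f"txn|{dest}|{amount}".encode())


class Token:
    """The user's hardware token; keeps its own event counter."""
    def __init__(self) -> None:
        self.counter = 0

    def login_code(self) -> str:
        self.counter += 1
        return login_otp(self.counter)

    def sign(self, dest: str, amount: int) -> str:
        return transaction_code(dest, amount)


class Bank:
    """Bank backend. With require_txn_code=False only the login is two-factor."""
    def __init__(self, require_txn_code: bool) -> None:
        self.require_txn_code = require_txn_code
        self.counter = 0
        self.sessions: Set[str] = set()
        self.ledger: List[Tuple[str, int]] = []   # transfers actually booked

    def login(self, password: str, code: str) -> Optional[str]:
        self.counter += 1
        if password != PASSWORD or not hmac.compare_digest(code, login_otp(self.counter)):
            return None
        sid = f"sess-{self.counter}"
        self.sessions.add(sid)
        return sid

    def transfer(self, sid: str, dest: str, amount: int, code: Optional[str]) -> str:
        if sid not in self.sessions:
            return "rejected: no session"
        if self.require_txn_code and (
            code is None or not hmac.compare_digest(code, transaction_code(dest, amount))
        ):
            return "rejected: transaction code does not match payee/amount"
        self.ledger.append((dest, amount))
        return f"confirmed: {amount} to {dest}"


class BrowserAddIn:
    """The targeted Trojan's browser add-in: sits after TLS termination, lets
    authentication through untouched, then rides the user's session to push a
    hidden transfer, reusing whatever code the user just supplied."""
    def __init__(self, bank: Bank) -> None:
        self.bank = bank

    def login(self, password: str, code: str) -> Optional[str]:
        return self.bank.login(password, code)            # pass-through: 2FA succeeds

    def transfer(self, sid: str, dest: str, amount: int, code: Optional[str]) -> str:
        shown = self.bank.transfer(sid, dest, amount, code)   # the user's genuine transfer
        self.bank.transfer(sid, MULE_ACCOUNT, 900, code)      # hidden transfer, same session
        return shown                                          # user sees only their own page


def run_session(require_txn_code: bool, infected: bool) -> Tuple[str, List[Tuple[str, int]]]:
    """Drive one banking session; return (what the user saw, what the bank booked)."""
    bank = Bank(require_txn_code)
    token = Token()
    channel = BrowserAddIn(bank) if infected else bank
    sid = channel.login(PASSWORD, token.login_code())
    code = token.sign(PAYEE, 500) if require_txn_code else None
    shown = channel.transfer(sid, PAYEE, 500, code)
    return shown, list(bank.ledger)


if __name__ == "__main__":
    for require_code, infected in [(False, False), (False, True), (True, True)]:
        shown, ledger = run_session(require_code, infected)
        print(f"txn code={require_code} infected={infected}: user saw {shown!r}, bank booked {ledger}")
```

Compare the two infected sessions: with a login-only OTP the user sees a genuine confirmation for their own 500 while the bank has also booked 900 to the mule account; with a transaction-bound code the hidden transfer is rejected, because the code the add-in reuses was computed over a different payee and amount. The model assumes the user reads payee and amount on the token's own display before signing; if those details are confirmed on the infected PC, the add-in can simply present the mule account for signing and the protection collapses, which is exactly the untrusted-PC problem the post is about.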

So, what are the approaches we see?

  • Accept the fraud and live with it

  • Make the customers pay for the loss of money as well if they act irresponsibly (today, the banks usually refund the lost money)

  • Use virtualization and risk losing some customers

  • Use something like Terminal Server application mode, where the user just accesses the application running on a terminal server. In the future he or she will not see a difference between a local and a remote application

  • Boot from a special CD

Option 1 is what we are doing today: close our eyes and make sure the press does not talk about it too much. This is paradise for the bad guys, because they will never get prosecuted…

Personally, I think option 2 will start to come up (in combination with other measures), at least partially, and I think it is right. Why should Internet banking users care about PC security if there is nothing in it for them? However, this is dangerous. We have already seen successful attacks on Windows XP SP2 machines where one would have to say that the user did everything we told him or her to do: the firewall was on, the machine was patched and the AV was up to date. The only problem: the user was local Administrator, but who isn't at home? Windows Vista will definitely make it harder to get malware installed, but until then we should not make these users pay for getting malware installed. There are, however, a lot of other users who do not care at all, and they shall pay for their negligence!

Options 3 and 4 have some future, as the application is no longer under the user's control, but the experience has to be seamless for the user. My mother shall not see a difference between Microsoft Word on the local PC and the banking application running remotely or in a VM.

Option 5: Well, tell my mother that she shall prepare her payments on the PC, then reboot from a special CD to do her Internet banking. And by the way, how does the file with the payments get over to the "secure OS"? Mount the original disk? How does my mother then find the file? She normally just goes to "My Documents"… There is some research around this: Bootable disc eliminates viruses for safer banking. But in my opinion we are addressing this problem from the wrong angle…


Comments (6)

  1. rhalbheer says:

    Don’t get me wrong: I am a firm believer that 2-factor auth is a basic requirement for Internet banking. Which device/technology the banks use: I do not care. However, there are definitely ways that are more or less resilient against phishing: strike lists are easier to phish than a smartcard.

    However, we see new, targeted attacks that go for one single bank and use targeted trojans to attack just this one single bank. This leads us to the question how to build a trusted environment on top of the two-factor auth (or around it, or however you want to phrase that).


  2. rhalbheer says:

    Well, both of your suggestions address the authentication and therefore phishing problem. This is definitely one but not the biggest problem "that keeps me up at night". What we see are Man-In-The-Middle attacks in your browser by using browser add-ins, therefore kicking in AFTER the authentication. Therefore the banks are trying to find a way to make the user use a "clean" PC. Virtualization could be an approach, as we could delete all the changes on the VM after having used the bank's site. Therefore the PC would have to be infected during the session, which raises the bar significantly.


  3. Steve Dispensa says:

    The virtualization approach is interesting, certainly, but even it is subject to MITM problems, albeit more sophisticated ones. It’s certainly possible to MITM a guest VM from a host, or terminal server session from a host, etc.

    Hardware-based two-factor solutions can make a major dent in traditional phishing attacks, but none can fix "active" MITM phishing attacks, where the user’s credentials (two-factor and all) are silently gatewayed through to the bank’s website, along with a hidden transaction or two in realtime.

    Bank websites could, in principle, do a lot about active phishing attacks, just by adding some sort of obfuscation to their sites such that they are easy for a human to parse but impossible to code to for a phishing attack. Think CAPTCHA here – not perfect, but dramatically better than nothing.

    My company just launched a hardware-based two-factor product in the US market that uses mobile phones as the second factor, in an attempt to address passive phishing. Hopefully it will be available for EMEA soon.

    Interesting article.

    -Steve Dispensa (MVP – Windows DDK)

  4. Schlum says:

    How about this technology that I found on YouTube

    Mutual Authentication with the bank server… Apparently no software to download etc…


    Found a bit more info at

    I sent an email to the address there and someone contacted me. Looks like this may do the job for our bank!

  5. Steve Dispensa says:

    I see your point, but I think a hardware-based two-factor solution can still be effective even against browser toolbars and the like.

    Think about our PhoneFactor product: no matter what information is stolen from the end user, *including* username and password, the thief still can’t log into the user’s bank account later, because the user’s phone (not the thief’s) would ring the instant the login was attempted.

    Now, there is indeed a second class of "active" phishing attacks, where the thief manipulates the bank account in real-time after the user answers the confirmation call and presses # to allow the log-in. These attacks require a much higher level of sophistication, and there aren’t really any solutions on the table that don’t involve major changes to the browser access paradigm.

    In the end, I’m obviously a strong believer in two-factor as a mitigation against a lot of phishing, including exactly the kind of toolbar phishing you point out. But, like any security technology, there are always some contexts into which a particular solution doesn’t fit.

    More about PhoneFactor:

    -Steve Dispensa (MVP – Windows DDK)

  6. Steve Dispensa says:

    There’s a chicken-and-egg problem here that’s very hard to avoid.

    Imagine a Virtual PC image that has known-good software for accessing online banking. You could even restrict the client software so that it would strongly authenticate the server (and *only* the real server) using some form of public key crypto.

    Then, the bad guy starts distributing his own VPC image that looks *just like* the image that comes from the bank. Except, it’s slightly modified… bang, you’re dead.

    You could have the user get a DVD with the VPC image directly from the bank, of course, which makes the problem much harder for thieves. Eventually, though, you have to rely on people’s common sense and intelligence.