ONLINE BANKING: STILL AS UNSAFE?

Let's start this article with a quick quiz, but no prizes for the right answer. But the outcome from this right answer could be better than any prize, because after reading this article, you will feel much more secure in the online world.

Here's the quiz:

1. Do you remember the exact link of your online banking website's login page?

2. Do you remember who is the SSL Certificate Signing authority of most online services where you do your monetary transactions?

In all probability, the answer will be "No". Even if you do somehow have the answer for the first question, I'm pretty sure you won't have it for the second one! That's because there are so many websites we all visit and do monetary transactions on that it's physically impossible to remember this info. For that matter, we would hardly remember people's mobile numbers and email ids, because they're all fed into address books that make it convenient to find them by their actual names.

Now, the reason I asked these questions was to illustrate a very dangerous and most often targeted online hack-attack. This attack is actually a mix of many hacking techniques, but is one of the most successful. If you are an old PCQuest reader, then you might remember that way back in July 2005, we did a story on how someone can do a DNS poisoning attack and phish any banking website from within a LAN and steal passwords. The only way for a smart user to save himself/herself was by making sure not to proceed on a link when there is a SSL Certificate warning.

But today, things are different. Banking websites have come a long way in securing their websites from virtually any kind of attacks by using multiple levels of authentication and very secure code practices. But not all websites that do online transactions are that safe. For that matter, even today some Banking websites can be phished, so if a user accessing the bank's website is not smart enough, then there is complete possibility that a certain share of his/her financial information could be hacked or stolen.

Though it would be difficult for a hacker to actually go ahead and do transactions on the victim's behalf due multi-level authentication required by banks. So the hacker would need to copy/clone the victim's debit card, mobile number, and steal both login and transaction passwords for a successful transection. But getting into the victim's account and checking his account details would be a cake walk comparatively. And to scare you a little more, not all banks with online banking services provide multi-level authentication, and it's non-existent in third party payment processing websites and e-commerce sites where you go and disclose your credit/debit card information!

Let's now take a simple scenario and see how such things are possible. In this article we try to make sure that we do not disclose the actual steps of hacking and phishing, but for explanation purposes, we might be discussing some actual tools and techniques used by hackers. So, please "Don't Try This at Home or anywhere else", and if you do, then you are solely responsible for any legal implications that may follow.

Let's assume that one fine day you reach your office, open your laptop and remember that you need to pay your mobile phone bill. You quickly enter http://yourbank.com and proceed to the login page.

When the login page pops up, you see the exact same page which you always see. The page also shows a valid https certificate, but hey, wait a second! What's with the domain name--it says http://iamhacked.in!!!

You get the scariest of chills and kill the browser and rush to your Company's System/Network/Security Administrator.

Not such a bad end of the story. Right? But the truth is that hackers wouldn't be so blunt and forthcoming with their attacks.

So now comes the tricky part. Let's assume that the domain name was https://login-yourbank.com, instead of the real login page's FQDN, which is, say https://login.yourbank.com (the "." was replaced with "-" in the FQDN by the hacker). Would you still have noticed and rushed to your System Administrator?

Most probably you would not have even noticed, and to scare you more--while writing this article, we tried looking for similar sounding domain names of some leading banks, and guess what--we found several of them that could be purchased for a mere Rs. 199. See the screenshot for Infinity-icicibank.co.in.

Let's try to understand how exactly such a thing could have happened. Such an attack is a combination of social engineering, phishing, arp spoofing and DNS poisoning.

Social Engineering

In simpler terms, Social Engineering is nothing but ways of conning people--Online or Offline. And there are many ways to do so, and the trick is simple. Technically, you can get a valid SSL certificate for any domain that you own. So a hacker could easily go, book a similar sounding/looking domain for a website he is trying to Phish, and then get a SSL certificate generated for the same. There are many small and big SSL certificate signing authorities. For our demo, we used a signing authority called Start SSL - http://startssl.com/. Here you can actually get a SSL certificate for any domain for free, and this certificate is valid on most current web browsers.

So, we went ahead and booked a domain by the name "iamhacked.in" and got a valid SSL certificate for it in no time. We could have happily booked infinity-icicibank.co.in as well, but we didn't because we are not here to do an actual phishing attack.

Phishing

Phishing involes cloning a website and making sure that it looks identical to the original one. Just that, when someone puts his credentials, its actually sent to the hacker and the user is either shown a genuine looking error message or he is actually forwarded to the original website, to make sure that the user never realizes he was hacked.

And one more thing--it's fairly easy to clone a website. There are freely downloadable tools that can create a website's clone and even insert a script that harvests user credentials--all this, in just a few clicks. There are data centers that provide free website hosting, which can be used by hackers to host the cloned website, and you just saw how easy it is to get a similar looking domain name for a website. The rest as they say, is history!

ARP Spoofing

First, here's a quick refresher about ARP Spoofing. In such an attack, the attacker can change the ARP-IP table in an Ethernet switches' cache and make sure the data intended for the victim's machine reaches the hacker's machine. Once the data is captured by the hacker, it's forwarded to the victim, to make sure the intended data flow is not hindered. This is also known as Man in the Middle attack. So, in our scenario, what we did was, we spoofed the IP address of the Internet gateway and made sure any that data sent to the Internet was first logged to the hacker's machine and then forwarded out.

As you can see, it's one of the weirdest hacks, not because it's dangerous, but because it uses one of the oldest vulnerabilities in Ethernet switches, which is still widespread on a lot of corporate networks. In most of cases, it goes undetected. Recently we saw this attack going undetected on a network where a Cyberoam UTM was used for security. On raising the issue, Cyberoam informed us that such attacks are not handled or detected by its IDS, and the only way of securing your network against this is by setting up MAC address restrictions, which for a large network might not be feasible. It's not just Cyberoam. Most SMB class UTMs are incapable of handling such attacks.

DNS Poisoning

This technique essentially relies on ARP Spoofing and when all outbound data is intercepted by a hacking machine, it can manipulate the UDP requests generated for DNS querying and change the destination IP of any Domain name. So, it's more like the Hosts file, but acts for the entire network without specifically hacking a client machine. And exactly like the Hosts file, it lets you override the actual Domain name resolution and force the DNS request to return a fake value.

So for instance, with the help of DNS Poisoning, you can return "127.0.0.1" as the IP address for google.com. So a hacker could therefore do the same for any banking website and lead the unsuspecting user to his own site.

How to save yourself

It wouldn't be fair to just scare you and not tell you how to safeguard yourself from such attacks. Basically, there is no technical way of doing it in most cases, so it's mostly about following the best practices. Here is a quick list you can follow:

1. Never ever do online transactions from an unknown or public network--Coffee Shops and Cyber Cafés are a strict No No. Even avoid your office network. Your home would be the safest bet because ARP and DNS poisoning is mostly not possible on Wi-Fi connections. Plus, there are a limited number of users on your home Wi-Fi making it much safer.

2. Always. Yes, always try to remember the actual links of your banking website. If it's not easy to remember, then just note it down and make sure it's the same whenever you access it. In case you see even a minor change, then call you bank or financial institution to verify.

3. Check the SSL Certificate. If you see an error like one below, then you know it's a fake site.

4. It may sound going a bit too far and getting totally paranoid, but as they say--Only Paranoid's survive. You should also note down the SSL Certificate signing authority for all your financial websites. And tally it whenever you are revisiting the website. If it's a decently secure website, it must have the SSL Certificate signed by the top few signing authorities such as VeriSign, Thawte and Geotrust. But if you see an SSL Certificate signed by some other very smaller certificate signatories like the one we used in our test, Star SSL, then it's better to be more cautions and call up the website's call center to verify.

5. A website with Vetted Certificates is more trusted. When you see the green bar on the address bar while accessing an HTTPS page, it means the site uses a validated certificate. This means that the certificate signing authority has vetted the existence and validity of the organization and chances of it being fake is next to zero.

6. This one is for SysAdmins. You might be using an UTM or an IDS/IPS system. Please check with the vendor if the system blocks or at least detects and alerts ARP Spoofing attacks. If they do, great!! Else just use a tool called arpwatch. This will keep sending you alert mails in case your network is attacked by ARP Spoofing. You can read how to setup arpwatch at https://www.pcquest.com/pcquest/news/176927/tools-counter-hack-attack

*We used ICICI Bank's slightly modifed domain name only to explain how easy it is to get similar sounding domain names. We are in no way trying to demonstrate any weakness or vulnerability in the bank's website. Rather, we believe that ICICI Bank provides one of the most secure online banking experiences in the country.