How to do online banking safely

From CastleCopsWiki


Dangers

1. Keylogging

1.1 Browser based keylogger.

1.2 System keylogger.

Defenses: virtual (on-screen) web keyboards; anti-keylogging techniques that block capture of keystrokes typed into web pages.

2. Basic Phishing

2.1 Social engineering

Defenses: education (enter the URL directly and check it for typos, or use bookmarks, but make sure the bookmarks themselves have not been altered); anti-phishing tools based on blacklists of known sites and heuristic checks of sites.

2.2 Using IDN character collisions

3. Advanced methods

3.1 XSS attacks

Insert basic idea/concept of what this is.

Simplest defense is to clear the browser cache, restart the browser or even the machine, and go straight (and only) to the bank site. NoScript might help as well.

3.2 Pharming

  • 3.21 DNS cache poisoning

Simple layman explanation.

Defenses: flush the DNS cache; cross-check the resolved address with an independent DNS server; use cryptographically secured IPs and go directly to the IP, bypassing DNS; or, similarly, secure the hosts file with the correct IP.

  • 3.22 Drive-by pharming (exploitation of the router's configuration or firmware)

Defenses: use a password for the router (a non-default one!).

  • 3.3 Hosts file manipulation.

Defenses: hosts file guard.

  • 3.4 Advanced system manipulation. Supplements the above methods by making man-in-the-middle attacks more effective: a rogue root certificate is installed, or a false certificate is displayed with correct-looking information. This will trip up even alert users who read SSL certificates.

Defenses: check the installed root certificates. Not much can be done if the system is so compromised (rootkits) that you no longer control it and the malware can overlay certificates with fake details.
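A small hosts-file guard covering 3.3 above and the "secure the hosts file with the correct IP" defense under 3.21, as an added example that is not part of the original wiki page: it parses the hosts file and flags any line that points a pinned bank domain (or a subdomain of it) at an address other than the one the user verified out of band. The domain names, addresses and sample hosts content are constructed placeholders.

```python
import ipaddress

# Constructed: the bank's real address(es), pinned by the user after verifying
# them out of band. Any hosts entry for these names with a different address is
# a red flag. Placeholder names and addresses, not real bank infrastructure.
EXPECTED = {"bank.example": {"192.0.2.10"}}


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in a hosts file.
    Comments and blank lines are skipped; one IP may carry several names."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # resolvers ignore malformed lines, so do we
        for name in names:
            yield n, addr, name.lower().rstrip(".")


def monitored_root(name, expected=EXPECTED):
    """Return the pinned domain that `name` equals or is a subdomain of, else None."""
    for root in expected:
        if name == root or name.endswith("." + root):
            return root
    return None


def suspicious_entries(text, expected=EXPECTED):
    """Return hosts-file lines that point a monitored bank domain (or any of its
    subdomains) at an address other than the pinned one, regardless of where
    in the file they sit: the signature of hosts-file pharming."""
    hits = []
    for n, addr, name in parse_hosts(text):
        root = monitored_root(name, expected)
        if root is not None and str(addr) not in expected[root]:
            hits.append({"line": n, "host": name, "ip": str(addr)})
    return hits


SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
192.0.2.10  bank.example            # user-pinned correct address
203.0.113.7 bank.example www.bank.example   # tampered: overrides the bank
198.51.100.9 secure.bank.example    # tampered: subdomain redirected
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

To guard a live system, read the real hosts file (/etc/hosts, or %SystemRoot%\System32\drivers\etc\hosts on Windows) into `suspicious_entries` instead of the sample text.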

Defenses/solutions

Separation of activities - ensure a clean state when doing online banking (various methods, from weak to strong)

  • Resetting the browser - clearing the browser and Java caches. Mainly stops 3.1. Might stop 3.21 and 3.22 if the user also flushes the DNS cache and checks the DNS settings and the hosts file. For further paranoia, check the installed root certificates and the browser plugins/add-ons for rogues; this defends against more.
  • Using a separate browser for online banking (maybe even a different user account). Much easier than the above (no need to do so much checking). Joanna's method.
  • Using a different (virtual) machine for online banking, or for everything else, or vice versa. If a keylogger exists on the host machine, this might not help much.
  • Using a LiveCD for online banking - will stop almost everything, including 1.1 and 1.2. The same notes about 3.21 and 3.22 apply if it is on the same network.
  • Using a separate physical machine for online banking - same as a LiveCD.
  • Using a separate physical machine for online banking on a different network! - Most secure.

Other defenses

  • Independent DNS lookup with another DNS server (OpenDNS etc.).
  • Programs for monitoring changes in the DNS cache.
  • "Secure network mode" - only allows network connections to hardcoded/heavily protected IP addresses

of bank addresses during banking session (Online armor)

  • Various anti-phishing methods such as "SMS challenge code", "image verification", "Dynamic Security Skins", "domain-hashed passwords", "cryptographically signed database of IP addresses", and "PKI-based software/hardware solution".
  • Limited-use accounts.

Watch out for man-in-the-middle attacks!!! - a trojan can install rogue root certificates, or display a false certificate with correct information assuming it is already in...