Trusteer Fraud Detect System - IBM · 해킹과 스미싱에 의한 인터넷(모바일) 뱅킹과 전자상거래의 금융사기 방지 방안 김상환실장 [email protected]

© 2014 IBM Corporation

2014 IBM 보안 뉴패러다임 솔루션데이

2014년 7월 17일

Trusteer Fraud Detect System해킹과 스미싱에 의한 인터넷(모바일) 뱅킹과

전자상거래의 금융사기 방지 방안

김상환실장

[email protected]

보안솔루션사업부

한국IBM 소프트웨어그룹


1. Background

2. 금융사기를 막기 위한 시스템 구성 (AS-IS)

3. Trusteer’s Values In FDS

4. Trusteer Product

Contents


Security Map

��

내부 서버팜(Application)

��

인터넷

네트워크장비

방화벽

IDS/IPS

메일서버

바이러스 월안티스팸

SSL 암호화 통신

바이러스 백신개인 방화벽

VPN

SSO / EAM

PKI

PC / 문서보안 솔루션

Secure OS

웹서버 DB서버

내부사용자

외부사용자


주요 금융 해킹 사고, 개인정보(?)

일시 사고사례 개요 Trusteer 대응

2014년 5월

모바일 앱카드 첫 금융사고,

삼성카드 300건 명의도용

6천만원 피해

Trusteer의 Mobile sdk를 사용 (Persistence Device Id로 대응)

2014년 4월

단 1주일간 탈취된 PC용

공인인증서 유출

(확인된 인증서만 6,947건)

Trusteer의 ATO(Account Takeover)에 의한 방어

2013년 6월 신종금융사기 메모리 해킹Trusteer 이용 시 메모리의 비정상적인 활동 시

malware 감지 및 치료

2013년3월내부 직원 PC악성코드감염을 통한

시스템파괴Trusteer의 Apex로 금융사 내부직원 PC 보안

2012년12월이용자 PC해킹을 통한

ISP 정보유출

Trusteer 이용 시 메모리의 비정상적인 활동 시malware 감지 및 치료


지능화된 해커는 가장 약한 부문을 공격

Customer Accounts

Cyber Criminals

해커가 겹겹이 쌓인중앙시스템 뜷기가 힘듦

대신 일반 고객의 PC에 접근하여중앙시스템 공격

쉽다

Retail/BusinessCustomer


Malware and PhishingCommon threat to Customers and Employees

1JPMorgan: 2012 Online Fraud Report , 2Gartner: 2290415, 3Ponemon Institute: 2012 Cost of Cybercrime Report: US

Three Losing Battles

• Humans will always make mistakes

• System and application vulnerabilities continue to emerge

• Malware detection will always lag

Two Major Impacts

Widespread Fraud

•$3.4B est lost to online fraud in 20121

Advanced Threats and Breaches

•85% of breaches go undetected2

•$8.9M average cost of cyber-attacks3

Social Engineering (Phishing)

Vulnerability Exploit

Malware Infection

Fraud Scheme

Execution

Money Loss

Enterprise Breach

DataExfiltration


Live attack of Zeus on a major U.S. bank

Capture Token for real-time Transaction Verification금융감독원 가이드: PC포멧 후 Anti Virus설치

Before After

신종해킹: 메모리해킹2 step 인증 통과


Fraud Risk

WWW

Phishing and Malware Fraud

Advanced Threats (Employees)

Online Banking

Enterprise Apps

Account Takeover, New Account Fraud


• 금융사기를 막기 위한 시스템 구성

“FDS + PC 보안 + Mobile 보안 + 기타 보완책”


Step1: FDS (Fraud Detection System)

2013. 7. 11 금융전산 보안 강화 종합대책 발표

FDS의 핵심은?

DeviceID + Context(문맥)정보 + 이력 정보 => 사기방지 룰 설정

FDS의 핵심은?

DeviceID + Context(문맥)정보 + 이력 정보 => 사기방지 룰 설정


Step2: PC (End point) 보안

Ahnlab

(PC Firewall)

nProtect

(Phishing

Protect)

Inisafe

(Data

encryption)

K-Defense

(Secure

Keystroke)

은행 입장: 금감원 권고사항 다 수행했다

�� 그런데 메모리해킹은?


�� 그런데 메모리해킹은?


Step3: Mobile (End point) 보안

Ahnlab

(PC Firewall)

nProtect

(Phishing

Protect)

Inisafe

(Data

encryption)

K-Defense

(Secure

Keystroke)


�� 그런데 모바일 카드앱 도용과 같은 사건은?


�� 그런데 모바일 카드앱 도용과 같은 사건은?


Step4: 기타 보완책과 이에 대한 공격

Device Identification Challenge Questions Malware

OTP DevicesMan in the Browser,Real Time Phishing

Out of bandVerification

Man in the Mobile

LoginSigning

Social Engineering

Malware

Virtual Browser on Stick

Memory Injection Malware

ClickstreamDetection

Malware Adopts

Human-like behavior

x

Bypass

가능가능가능가능

여전히 취약??여전히 취약??


ID Protection & ID Fraud Detection

WWW



Online Banking

Enterprise Apps


ID Protection On PC

ID Protection On PC

ID Protection On Mobile

ID Protection On Mobile Device IDDevice ID

FDS: 1)Device ID, 2) Acct History, 3)Session ID, 4) End Point Risk FactorFDS: 1)Device ID, 2) Acct History, 3)Session ID, 4) End Point Risk Factor

End Point Security On Employee PC

End Point Security On Employee PC


Trusteer’s Values In FDS

1. End point 보안에서메모리해킹문제(PC)

� Algorithm Inspection + Application Protection

2. End point에서의하드웨어기반의 device id 확인방법의취약점

(PC & Mobile)� Persistent Device ID

3. FDS risk scoring factor로서의악성코드감염여부(PC & Mobile)

� Risk scores from Pinpoint ATO(or Rapport TMA)

for PC and Mobile Risk Engine for Mobile

4. 2nd channel 인증방법인 SMS의취약점 (PC)

� Secure Dual Authorization


메모리해킹 - 방어책1: Algorithm Inspection

Legacy: What it is?

Files and Signatures (1000000s)

? ?

Anti-Virus

Exploit Infect Hook Inject Access Theft

Trusteer: What it does?

Crime Logic (100s)

1. 높은 오탐율과 이로 인한 피해2. MITB 전문 방어 경험이 적음

기존

메모리해킹

문제점


Device ID for PC

�Trusteer’s Strong Device ID on PC

Hardware(CPU type, IP, Screen, Font, etc.)

+ Software(Browser, language, Character Set, etc) + Session(Browser history, Cookies, Http headers)

+ Random numbers

Hardware 기반의 보호 방법은 취약함 (appendix 참조)

1)Hardware 정보를 변형하는 hacker tool이 존재

2)Hardware 정보를 bypass하는 방법이 존재 (메모리해킹)

Hardware 기반의 보호 방법은 취약함 (appendix 참조)

1)Hardware 정보를 변형하는 hacker tool이 존재

2)Hardware 정보를 bypass하는 방법이 존재 (메모리해킹)


� 현재서버에기기id 정보를저장하는방식은안전하지않음

� 모바일기기는많은유사한정보를가지고있어서범죄자들은기기id정보를쉽게속일수있음

� 기기자체의정보(H/W, OS, browser, etc)를신뢰하면안됨

• “Persistent Device ID”(SW+HW결합 방식의 ID)

� 앱이나 OS*가재설치시에도 Persistent Device ID는유지

� 범죄자의 Device 사용시바로탐지가능

MACMAC

CPUCPU

IMEIIMEI

Battery IDBattery ID

Chip IDChip ID

Traditional Device ID

Unique and Persistent Device ID

* Some limitation with iOS7

Persistent Device ID for Mobile

[Mobile]모바일 기기 인증의 문제점


Trusteer's Risk Score on PC

Bank FDS


Trusteer's Risk Score on Mobile

Backend Website

Your Mobile Banking App

Trusteer Mobile SDK

TR

X

API

API

Trusteer Mobile Risk EngineTrusteer Mobile Risk Engine

TR

X

Cross Channel Risk Factors

Cross Channel Risk Factors

TrusteerSecure Mobile

Browser

Trusteer Mobile SDK

Customer Risk

Engine

Customer Risk

Engine

•Suspicious Geo-location

•IP geo velocity

•Cross channel event correlation

•Compromised credentials

•Fraudster database

Bank FDS


Non-SMS based OOB (Out of Band) 시스템

SubmitSubmit

Payee Account: 12345-67890

Payee Bank: Ourbank

Amount: $5743.22

Den

ied

Mobile Banking backendDenied

Trusteer MobileRisk Engine

Trusteer MobileRisk Engine

TRX

TRX?

Dual

Authorization

Dual

Authorization

Approved

Approved

Secure Dual Authorization:

http://news.techworld.com/security/3415014/eurograbb

er-sms-trojan-steals-36-million-from-online-banks/

[Mobile] SMS를 통한 2 채널 인증방식의 문제점


Trusteer Deployment within FDS


Trusteer Product

WWW



Online Banking

Enterprise Apps


Mobile Fraud Risk

TrusteerRapportTrusteerRapport

Trusteer PinpointMalware Detection

Trusteer PinpointMalware Detection

Trusteer ApexTrusteer Apex

Trusteer PinpointAccount Takeover (ATO) Detection

Trusteer PinpointAccount Takeover (ATO) Detection

TrusteerMobile

SDK/APP

TrusteerMobile

SDK/APP

TrusteerMobile Risk

Engine

TrusteerMobile Risk

Engine


Trusteer 제품 분류

Financial Malware(일반 고객용)

Enterprise Malware(내부 직원용)

SW

(에이전트설치)

핸드폰

모바일용

Trusteer MobileSDK

일반 PC용 Rapport(APT) Apex(APT)

SaaS Cloud

Pinpoint ATO,Pinpoint MD,

Mobile Risk engine


Trusteer Delivers Hard Results

Reduction in

Cross Channel

Fraud in 6 months

30%Top 5

US Bank

Before After

Reduction in

Phone Channel

Fraud in 2 weeks

80%Top 10

UK Bank

Reduction in

Risk Engine False

Positives

50%Top 5

UK Bank

Reduction in

Online Fraud100%

Many Custome

rs


Quotes from the Magic Quadrant Report

Web Fraud Detect 솔루션 업계 리더

“고객들은 Trusteer Rapport와Trusteer Pinpoint Malware Detection를 사용함으로써

확실한 성공을 보고”

“제품 설치가 매우 쉽다”

Trusteer 는 웹 사기 탐지 분야에서

연속 2년간 리더로 평가 - 2013 Magic

Quadrant for Web Fraud Detection

매직 쿼드런트

보고서로부터 인용

“제품이 악성코드 기반의 사기손실을 성공적으로

감소시키는데 사용된다.”


Fraud 제품 비교표

Trusteer RSA SilverTail 41stGuardian

AnalyticsVersafe ThreatMetrix

Real-time Malware

PreventionYes No No No No Limited No

Automated Malware

RemovalYes No No No No No No

Real-time Phishing

DetectionYes No No No No Limited No

Real-time MitB

DetectionYes Limited Limited Limited No Limited Limited

Conclusive ATO

Detection

Yes,

Device ID+

Malware +

Phishing

Device ID

Only

Device ID

Only

Device ID

OnlyNo

Device ID

OnlyDevice ID Only


About Trusteer

Global

전세계금융고객만 450

전세계1억대에 Trusteer설치되어 있음.

Solutions

고객과 내부 직원용금융사기방지보안솔루션

Leader

보안 전문가에

의하여

20분마다 update

Leading Global Organizations Put Their TRUST In Us

7/10Top US Banks

9/10Top UK Banks

4/5Top Canadian

Banks

MajorEuropean Banks


1. Bank of the Ryukyus

2. Bank of Tokyo Mitsubishi UFJ

3. Chugoku Bank

4. Hachijuni Bank

5. Hokkoku Bank

6. Hyakujyushi Bank

7. Japan Net Bank

8. Juroku Bank

9. Mitsubish UFJ Trust

10. Miyazaki Bank

11. Mizuho Bank

12. MUFG Trust and Banking

13. Musashino bank

14. Seven bank

15. Shinsei Bank

16. The Joyo Bank, Ltd.

17. Yamaguchi Financial.

18. Hachijuni Bank(June 2014)

일본 고객: 17 은행

2012년 11월 진출, 2013년 12월 첫 고객

미즈호 은행(20억/년사용료)외 20곳

© 2014 IBM Corporation

IBM Security Systems

30

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes

only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use

of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement

governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in

all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole

discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any

way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United

States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response

to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated

or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure

and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to

be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,

products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE

MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes

only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use

of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement

governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in

all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole

discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any

way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United

States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response

to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated

or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure

and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to

be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,

products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE

MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Documents

Trusteer Fraud Detect System - IBM · 해킹과 스미싱에 의한 인터넷(모바일) 뱅킹과 전자상거래의 금융사기 방지 방안 김상환실장 [email protected]