© 2014 IBM Corporation
2014 IBM Security New Paradigm Solution Day
July 17, 2014
Trusteer Fraud Detection System: preventing financial fraud in Internet (mobile) banking and e-commerce caused by hacking and smishing
Kim Sang-hwan (김상환), Director
Security Solutions Division
IBM Korea, Software Group
Contents
1. Background
2. System configuration for preventing financial fraud (AS-IS)
3. Trusteer’s Values In FDS
4. Trusteer Product
Security Map (diagram): external users reach the Internet through network devices, a firewall and IDS/IPS; a mail server sits behind a virus wall / anti-spam; SSL encrypted communication protects traffic; internal users run antivirus and a personal firewall, VPN, SSO / EAM, PKI, PC / document security solutions and Secure OS; the internal server farm (application) comprises the web server and DB server.
Major financial hacking incidents, personal information (?)
Date | Incident summary | Trusteer response
May 2014 | First financial incident involving a mobile app card: 300 cases of identity theft at Samsung Card, KRW 60 million in damages | Use Trusteer’s Mobile SDK (countered with the Persistent Device ID)
April 2014 | PC accredited certificates stolen in just one week (6,947 confirmed certificates leaked) | Defense by Trusteer’s ATO (Account Takeover) detection
June 2013 | New type of financial fraud: memory hacking | With Trusteer, malware is detected and removed upon abnormal memory activity
March 2013 | System destruction through malware infection of internal employees’ PCs | Financial-institution employee PCs secured with Trusteer’s Apex
December 2012 | ISP information leak through hacking of users’ PCs | With Trusteer, malware is detected and removed upon abnormal memory activity
Sophisticated hackers attack the weakest point
Cyber Criminals -> Customer Accounts (Retail / Business Customer)
It is hard for a hacker to break through the layered central systems; instead, gaining access to an ordinary customer’s PC and attacking the central system from there is easy.
Malware and Phishing: Common threat to Customers and Employees
Three Losing Battles
• Humans will always make mistakes
• System and application vulnerabilities continue to emerge
• Malware detection will always lag
Two Major Impacts
Widespread Fraud
• $3.4B est. lost to online fraud in 2012 [1]
Advanced Threats and Breaches
• 85% of breaches go undetected [2]
• $8.9M average cost of cyber-attacks [3]
Attack chain (diagram): Social Engineering (Phishing) or Vulnerability Exploit -> Malware Infection -> Fraud Scheme Execution -> Money Loss, or -> Enterprise Breach -> Data Exfiltration
[1] JPMorgan: 2012 Online Fraud Report; [2] Gartner: 2290415; [3] Ponemon Institute: 2012 Cost of Cybercrime Report: US
Live attack of Zeus on a major U.S. bank
Capture Token for real-time Transaction Verification (screenshots: Before / After)
Financial Supervisory Service guidance: format the PC, then install antivirus
New attack, memory hacking: passes 2-step authentication
Fraud Risk (diagram): WWW -> Online Banking: Phishing and Malware Fraud, Account Takeover, New Account Fraud; WWW -> Enterprise Apps: Advanced Threats (Employees)
• System configuration for preventing financial fraud:
“FDS + PC security + Mobile security + other complementary measures”
Step 1: FDS (Fraud Detection System)
July 11, 2013: comprehensive measures for strengthening financial IT security announced
What is the core of FDS?
Device ID + context information + history information => configuring fraud-prevention rules
Step 2: PC (endpoint) security
Ahnlab (PC Firewall)
nProtect (Phishing Protect)
Inisafe (Data encryption)
K-Defense (Secure Keystroke)
The bank’s position: we have carried out all of the FSS (Financial Supervisory Service) recommendations
=> But what about memory hacking?
Step 3: Mobile (endpoint) security
Ahnlab (PC Firewall)
nProtect (Phishing Protect)
Inisafe (Data encryption)
K-Defense (Secure Keystroke)
The bank’s position: we have carried out all of the FSS recommendations
=> But what about incidents such as mobile card app identity theft?
Step 4: Other complementary measures and the attacks against them
Countermeasure => Attack that bypasses it (for both Login and Signing: bypass possible)
Device Identification => Malware
Challenge Questions => Social Engineering, Malware
OTP Devices => Man in the Browser, Real Time Phishing
Out of band Verification => Man in the Mobile
Virtual Browser on Stick => Memory Injection Malware
Clickstream Detection => Malware adopts human-like behavior
Still vulnerable??
ID Protection & ID Fraud Detection (diagram)
WWW -> Online Banking: Phishing and Malware Fraud, Account Takeover, New Account Fraud; WWW -> Enterprise Apps: Advanced Threats (Employees)
ID Protection On PC (Device ID)
ID Protection On Mobile (Device ID)
FDS: 1) Device ID, 2) Acct History, 3) Session ID, 4) End Point Risk Factor
End Point Security On Employee PC
Trusteer’s Values In FDS
1. The memory-hacking problem in endpoint security (PC)
=> Algorithm Inspection + Application Protection
2. Weakness of hardware-based device-ID verification at the endpoint (PC & Mobile)
=> Persistent Device ID
3. Malware infection status as an FDS risk-scoring factor (PC & Mobile)
=> Risk scores from Pinpoint ATO (or Rapport TMA) for PC, and from the Mobile Risk Engine for Mobile
4. Weakness of SMS as the second-channel authentication method (PC)
=> Secure Dual Authorization
Memory hacking - Defense 1: Algorithm Inspection
Legacy: What it is? Anti-Virus matches Files and Signatures (1,000,000s)
Attack chain: Exploit -> Infect -> Hook -> Inject -> Access -> Theft
Trusteer: What it does? Detects Crime Logic (100s)
Problems with existing memory-hacking defenses:
1. High false-positive rate and the damage it causes
2. Little experience in dedicated MITB (man-in-the-browser) defense
Device ID for PC
Trusteer’s Strong Device ID on PC:
Hardware (CPU type, IP, screen, font, etc.)
+ Software (browser, language, character set, etc.) + Session (browser history, cookies, HTTP headers)
+ Random numbers
Hardware-based protection methods are weak (see appendix):
1) Hacker tools exist that alter hardware information
2) Methods exist to bypass hardware information (memory hacking)
Persistent Device ID for Mobile
[Mobile] Problems with mobile device authentication
• The current approach of storing device-ID information on the server is not secure
• Mobile devices carry a lot of similar information, so criminals can easily spoof device-ID information
• Information reported by the device itself (H/W, OS, browser, etc.) must not be trusted
• “Persistent Device ID” (an ID combining SW + HW)
  - The Persistent Device ID is retained even when the app or the OS* is reinstalled
  - A criminal’s device is detected immediately when it is used
Traditional Device ID: MAC, CPU, IMEI, Battery ID, Chip ID -> Unique and Persistent Device ID
* Some limitation with iOS 7
Trusteer's Risk Score on PC (diagram: risk score delivered to the Bank FDS)
Trusteer's Risk Score on Mobile (diagram)
Your Mobile Banking App (with the Trusteer Mobile SDK) or the Trusteer Secure Mobile Browser sends the transaction (TRX) to the Backend Website; the backend queries the Trusteer Mobile Risk Engine via API, which returns the risk verdict (TRX ok / X) to the Customer Risk Engine and the Bank FDS.
Cross Channel Risk Factors:
• Suspicious Geo-location
• IP geo velocity
• Cross channel event correlation
• Compromised credentials
• Fraudster database
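The deck describes the FDS as "Device ID + context + history => fraud-prevention rules" and lists the cross-channel factors the mobile risk engine feeds into it, but shows no rule logic. The following is an added example, not code from the deck and not Trusteer's scoring logic: a minimal rule engine that scores a session from those inputs and maps the score to approve / step-up (dual authorization) / deny. The weights, thresholds, the "fraudster database", the impossible-travel speed and all sample sessions are constructed for illustration.

```python
"""Added example (not from the original deck, not Trusteer's code): a minimal
FDS rule engine combining device ID, account history, session context and the
endpoint risk factor with the cross-channel factors named on the slide
(geo-location, IP geo velocity, cross-channel events, compromised credentials,
fraudster database). Weights, thresholds and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class Session:
    account: str
    device_id: str
    ip_lat: float                 # geo-location of the client IP
    ip_lon: float
    time: datetime
    amount: float
    channel: str = "web"
    endpoint_malware: bool = False        # endpoint agent reports an infection
    credential_compromised: bool = False  # credential seen in a leak/phishing feed


@dataclass
class AccountHistory:
    known_devices: Set[str]
    last_session: Optional[Session] = None   # previous session, for IP geo velocity
    recent_channel_events: List[str] = field(default_factory=list)  # e.g. "phone:password_reset"
    typical_max_amount: float = 1000.0


FRAUDSTER_DEVICES = {"dev-blacklisted-001"}  # constructed "fraudster database"
IMPOSSIBLE_TRAVEL_KMH = 900.0                # constructed threshold (about airliner speed)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def geo_velocity_kmh(prev: Session, cur: Session) -> float:
    """Speed the user would have needed to move between the two sessions' IP locations."""
    km = haversine_km(prev.ip_lat, prev.ip_lon, cur.ip_lat, cur.ip_lon)
    hours = (cur.time - prev.time).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if km > 0 else 0.0   # same instant, different place: impossible
    return km / hours


def score_session(s: Session, hist: AccountHistory) -> Tuple[int, List[str]]:
    """Apply the fraud-prevention rules; returns (risk score, triggered rules)."""
    score, reasons = 0, []
    if s.device_id in FRAUDSTER_DEVICES:
        score += 100
        reasons.append("device in fraudster database")
    if s.device_id not in hist.known_devices:
        score += 30
        reasons.append("unknown device for this account")
    if s.endpoint_malware:
        score += 50
        reasons.append("endpoint reports malware")
    if s.credential_compromised:
        score += 40
        reasons.append("compromised credential")
    if hist.last_session and geo_velocity_kmh(hist.last_session, s) > IMPOSSIBLE_TRAVEL_KMH:
        score += 40
        reasons.append("impossible travel (IP geo velocity)")
    if any(e.startswith("phone:") for e in hist.recent_channel_events):
        score += 30
        reasons.append("recent phone-channel change (cross-channel correlation)")
    if s.amount > 3 * hist.typical_max_amount:
        score += 20
        reasons.append("amount far above account history")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action; 'step-up' means route to dual authorization."""
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step-up"
    return "approve"


# Constructed sample data: a baseline session from Seoul, then candidate sessions.
T0 = datetime(2014, 7, 17, 10, 0, tzinfo=timezone.utc)
BASELINE = Session("acct-1", "dev-home-pc", 37.57, 126.98, T0, 200.0)
HISTORY = AccountHistory(known_devices={"dev-home-pc"}, last_session=BASELINE)
HISTORY_AFTER_PHONE_RESET = AccountHistory({"dev-home-pc"}, BASELINE, ["phone:password_reset"])
BENIGN = Session("acct-1", "dev-home-pc", 37.57, 126.98, T0 + timedelta(hours=2), 150.0)
NEW_DEVICE = Session("acct-1", "dev-new-phone", 37.57, 126.98, T0 + timedelta(hours=2), 150.0, "mobile")
FRAUD = Session("acct-1", "dev-unknown", 51.51, -0.13, T0 + timedelta(hours=1), 5743.22,
                endpoint_malware=True)   # London one hour after Seoul, from an infected endpoint

if __name__ == "__main__":
    for name, s, h in [("benign", BENIGN, HISTORY), ("new device", NEW_DEVICE, HISTORY),
                       ("after phone reset", BENIGN, HISTORY_AFTER_PHONE_RESET), ("fraud", FRAUD, HISTORY)]:
        score, reasons = score_session(s, h)
        print(f"{name:18s} score={score:3d} action={decide(score):8s} {reasons}")
```

The three-way decision matters more than the exact weights: a score that is suspicious but not conclusive goes to the out-of-band dual authorization the deck describes later, while a device already seen in fraud or an infected endpoint is refused outright; in a real FDS the weights would be tuned against the bank's own fraud history.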
Non-SMS-based OOB (Out of Band) system
[Mobile] Problems with 2-channel authentication via SMS
Flow (diagram): the user submits a transaction (Payee Account: 12345-67890, Payee Bank: Ourbank, Amount: $5743.22) -> Mobile Banking backend -> Trusteer Mobile Risk Engine checks the TRX -> Dual Authorization on the enrolled device -> Approved or Denied
Secure Dual Authorization: http://news.techworld.com/security/3415014/eurograbber-sms-trojan-steals-36-million-from-online-banks/
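The slide contrasts SMS-based second-channel authentication with a dual authorization carried out on the enrolled mobile device, and points to the Eurograbber case as the reason. The following added example, which is not from the deck and not Trusteer's protocol, shows the property that makes the difference: the approval computed on the second device is bound to the transaction the bank actually holds, so an approval the user gave for one transaction cannot authorize a different one, whereas a plain SMS OTP carries no information about payee or amount. The device key, nonces and transactions are constructed.

```python
"""Added example (not from the original deck, not Trusteer's protocol): a
generic transaction-bound out-of-band approval versus a plain SMS OTP.
Keys, nonces and transactions are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple


def canonical(tx: Dict[str, str]) -> bytes:
    """Stable byte encoding so bank and device hash exactly the same transaction."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def bank_issue_challenge(tx_held: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Bank creates a fresh nonce and pushes nonce + the transaction it holds to the device."""
    return secrets.token_hex(16), tx_held


def device_approve(device_key: bytes, nonce: str, tx_shown: Dict[str, str]) -> str:
    """Enrolled device displays tx_shown; on the user's approval it returns HMAC(nonce || tx)."""
    return hmac.new(device_key, nonce.encode() + canonical(tx_shown), hashlib.sha256).hexdigest()


def bank_verify(device_key: bytes, nonce: str, tx_held: Dict[str, str], approval: str) -> bool:
    """Bank recomputes the HMAC over the transaction it will execute; any mismatch is rejected."""
    expected = hmac.new(device_key, nonce.encode() + canonical(tx_held), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)


def sms_otp_verify(otp_sent: str, otp_entered: str) -> bool:
    """Plain SMS OTP: the code is independent of payee and amount."""
    return hmac.compare_digest(otp_sent, otp_entered)


# Constructed data: a per-device secret, the transaction the user meant, and an altered one.
DEVICE_KEY = b"constructed-per-device-secret-key"
INTENDED = {"payee_account": "12345-67890", "payee_bank": "Ourbank", "amount": "50.00"}
ALTERED = {"payee_account": "99999-00000", "payee_bank": "Otherbank", "amount": "5743.22"}


def scenario_sms_otp(tx_submitted: Dict[str, str]) -> bool:
    """The user types the code they received; the OTP check cannot tell which tx it covers."""
    otp = "482913"  # constructed code "sent" by SMS
    return sms_otp_verify(otp, otp)


def scenario_bound_approval(tx_user_approves: Dict[str, str], tx_bank_holds: Dict[str, str]) -> bool:
    """Approval produced over tx_user_approves is checked against tx_bank_holds."""
    nonce, _ = bank_issue_challenge(tx_bank_holds)
    approval = device_approve(DEVICE_KEY, nonce, tx_user_approves)
    return bank_verify(DEVICE_KEY, nonce, tx_bank_holds, approval)


if __name__ == "__main__":
    print("SMS OTP accepts altered transaction:", scenario_sms_otp(ALTERED))
    print("bound approval, same transaction:   ", scenario_bound_approval(INTENDED, INTENDED))
    print("bound approval, altered transaction:", scenario_bound_approval(INTENDED, ALTERED))
```

Because the device displays the transaction the bank holds, the user sees any altered payee or amount before approving, and the HMAC ties the approval to exactly those details and to a single nonce, so neither an OTP relayed by malware nor a replayed approval can authorize a different transfer.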
Trusteer Deployment within FDS (diagram)
Trusteer Product (diagram)
WWW -> Online Banking: Phishing and Malware Fraud, Account Takeover, New Account Fraud, Mobile Fraud Risk; WWW -> Enterprise Apps: Advanced Threats (Employees)
Trusteer Rapport
Trusteer Pinpoint Malware Detection
Trusteer Apex
Trusteer Pinpoint Account Takeover (ATO) Detection
Trusteer Mobile SDK/APP
Trusteer Mobile Risk Engine
Trusteer product classification
Delivery | Target | Financial Malware (for general customers) | Enterprise Malware (for internal employees)
SW (agent installed) | Mobile phone (for mobile) | Trusteer Mobile SDK | -
SW (agent installed) | General PC | Rapport (APT) | Apex (APT)
SaaS Cloud | - | Pinpoint ATO, Pinpoint MD, Mobile Risk Engine | -
Trusteer Delivers Hard Results
30% reduction in Cross Channel Fraud in 6 months (Top 5 US Bank; chart: Before / After)
80% reduction in Phone Channel Fraud in 2 weeks (Top 10 UK Bank)
50% reduction in Risk Engine False Positives (Top 5 UK Bank)
100% reduction in Online Fraud (Many Customers)
Quotes from the Magic Quadrant Report
Industry leader in Web Fraud Detection solutions
“Customers report clear success from using Trusteer Rapport and Trusteer Pinpoint Malware Detection”
“The product is very easy to install”
Trusteer has been rated a leader in web fraud detection for two consecutive years - 2013 Magic Quadrant for Web Fraud Detection
Quoted from the Magic Quadrant report:
“The product is being used to successfully reduce malware-based fraud losses.”
Fraud product comparison table
Capability | Trusteer | RSA | SilverTail | 41st | Guardian Analytics | Versafe | ThreatMetrix
Real-time Malware Prevention | Yes | No | No | No | No | Limited | No
Automated Malware Removal | Yes | No | No | No | No | No | No
Real-time Phishing Detection | Yes | No | No | No | No | Limited | No
Real-time MitB Detection | Yes | Limited | Limited | Limited | No | Limited | Limited
Conclusive ATO Detection | Yes, Device ID + Malware + Phishing | Device ID Only | Device ID Only | Device ID Only | No | Device ID Only | Device ID Only
About Trusteer
Global: 450 financial customers worldwide; Trusteer is installed on 100 million devices worldwide.
Solutions: financial fraud prevention security solutions for customers and internal employees.
Leader: updated every 20 minutes by security experts.
Leading Global Organizations Put Their TRUST In Us
7/10 Top US Banks
9/10 Top UK Banks
4/5 Top Canadian Banks
Major European Banks
Japanese customers: 17 banks
1. Bank of the Ryukyus
2. Bank of Tokyo Mitsubishi UFJ
3. Chugoku Bank
4. Hachijuni Bank
5. Hokkoku Bank
6. Hyakujyushi Bank
7. Japan Net Bank
8. Juroku Bank
9. Mitsubishi UFJ Trust
10. Miyazaki Bank
11. Mizuho Bank
12. MUFG Trust and Banking
13. Musashino Bank
14. Seven Bank
15. Shinsei Bank
16. The Joyo Bank, Ltd.
17. Yamaguchi Financial
18. Hachijuni Bank (June 2014)
Entered the market in November 2012; first customer in December 2013
Mizuho Bank (KRW 2 billion/year license fee) and 20 others
IBM Security Systems
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.