Gone Phishing...

Author: Paul McGowan
Draft for comment - 5/5/2005
Comments to

Epimetheus - a system for reducing the risk of phishing attacks.

So, what's this all about? It seems to me that many phishing attacks can be prevented from doing any damage, with some fairly straightforward measures.

Epimetheus was the Greek Titan whose name means hindsight, or afterthought. It seems to me that too many banks fall into the trap of trying to prevent fraudulent access rather than simply mitigating its risk. It's very easy to see what the right thing to do was in hindsight, so let's use it. Intrigued? Read on...

What this document is
This is a set of ideas, intended to provoke thought in the right direction. It should be used to get you into the frame of mind that will allow you to see what it is about fraudulent transactions that makes them different, and hence detectable. Every system is unique, though they all have some common characteristics. The way to get the answer you need for your particular system is to learn how to ask the right questions. Hopefully, the techniques discussed here can assist in that direction.

What this document is not
This is not intended as a simple how-to document, i.e. follow steps 1 to 10 and all your phishing worries are over. Sorry, it doesn't work that way. The bad guys are in this for money, and they are thinking very hard about ways to get it. Until you are willing to invest at least as much thought into ways of preventing them, they will continue to successfully steal from you (or more precisely, from your customers, through you).

Basic requirements
Stop the "bad guys" from stealing money, without making it harder for customers to use the system.

So, say your bank uses a username and password to log in to your account. Conventional wisdom (?) says that you need to prevent the bad guys from stealing your username and password, right? WRONG! What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 in it, which you never use, what does it matter if someone knows the access details? Your username and password are only valuable insofar as the bank allows anyone who knows them to take your money. And therein lies the REAL problem. The bad guys will get valid usernames and passwords somehow (and you won't know when they do). You cannot prevent this happening, so stop wasting your energy trying. Concentrate on fighting the battle where you have complete control: inside your own system. Do what world-renowned security expert Bruce Schneier describes as "authenticate the transaction, not the person". While it is incredibly difficult to prevent the bad guys from stealing access credentials (especially with browsers like Internet Explorer around), it is actually much simpler to prevent your money disappearing off to some foreign country.

It's all about choosing the battleground, and shifting the balance away from the protection only happening at the user's PC. The user's PC is possibly the worst place of all to try to secure the banking system, as the bank has no say whatsoever about what software is installed, who uses it, what other things are done with the machine and so on. It's a lost cause. I will say now that there is no way you can prevent access credentials being stolen. There are as many points of failure as you have customers. So, some banks are adopting what is known as two-factor authentication, but this isn't really much better: a phishing site that relays the one-time code to the bank while it is still valid, or malware on the PC that rides the customer's own logged-in session, gets in just the same. It still leaves 100% of the security for the system in the hands of the users. This is wrong in so many ways.

When something goes wrong, the bank will tell you that you "authorised" the transaction, where in fact the party who ultimately "authorised" it is the bank, based on the information they chose to take as evidence that this transaction is the genuine desire of a legitimate customer. The problem is, right now the only information they are basing this decision on is a username and password. What they apparently don't realise is that they have access to a huge amount of other information that can help to determine whether this is _really_ what the customer wants. Some of this information is immediately available with each transaction, and some can be readily inferred from historical context. The bank has access to all of it, and the more you use the system, the _harder_ it should be for a thief to take your money.

Consider the following:
There exist today (and have for several years) publicly available databases (albeit for a modest fee) of IP address blocks matched to country and even city. That is, for not very much effort at all, it is possible to determine the approximate location (country reliably, city less so) of anyone accessing the bank, via their IP address. Now consider *most* internet banking customers. Where do they do their online banking? Two places. At home, and at work. Further, in *most* cases, these two places are in the same geographic region. So, when I access my account, it is done (pretty much without exception) from Melbourne, Australia. Now, consider where the phishing fraud comes from. I am led to believe that for the most part it comes from places other than Melbourne, Australia. Why then, I ask you, should my bank (which knows where I live) accept, without question, a request for a transfer of funds out of my account from anywhere else, especially somewhere not in Australia? "Oh, but you might be travelling", I hear you say. Yes, I _might_ be, but then again, I am probably not travelling in Eastern Europe, and wanting to transfer several thousand dollars to an account in the Cayman Islands, am I? How *likely* is that to be a legitimate request? Yes, it is *possible*, but not *probable*. So we file that likelihood away and go on to the next piece of unused information. (One caveat worth filing with it: a thief can route the connection through a proxy in the customer's own country, so a familiar location is only weak evidence that all is well, whereas an unfamiliar one is a good reason to look harder.)

Most people who use internet banking do it during their waking hours. And most people are awake during the day and asleep at night; that's why the roads are so quiet then, and so horrible in peak hour. So, it is more likely that I will be doing my internet banking during the normal waking hours for Australians. That is, between about 8am and 10pm. Moreover, if I am doing it at work, it is more likely to be during a break of some sort, lest the boss get shirty with me for wasting company time. However, what is probably more important than me trying to speculate about when you will do your banking is the fact that the bank should know when they are usually busy, and when they are not. They have all the data they need to say "Gosh, 4am is certainly an odd time of day to be doing your banking Mr McGowan. Oh, and look, you seem to be in Nigeria, that must be interesting for you... Yes, no problem we'll send your funds to that account in Nigeria immediately, as you've proven to us by entering your password that you _really_ want us to." And on we go to the next exciting piece of the puzzle.

Most people don't have access to a large and ever changing group of computers. They have access to one or two. Typically, one at home, and one at (you guessed it) work. By and large these are the same PCs every day. Many years ago, a technology known as cookies was introduced to the world by Netscape Communications (bless them). Using this simple, ubiquitous technology, it is trivial to place an identifying mark on a computer for the purpose of knowing when the same computer accesses your web site again. Please don't confuse this with identifying people, as that is an entirely different use of technology, which I don't want to go into here. Routinely, cookies keep records of sessions, track multiple visits across days or months, and are even used to store login information (somewhat foolishly, IMHO). What I would propose is that a cookie used by a bank (and accessible only to the bank) can be used to identify a computer, or at least a particular browser on that computer (and as most people don't routinely swap browsers, it effectively identifies a computer). Bear in mind that malware which steals the password can steal the cookie too, so the cookie's presence proves little; it is the _absence_ of any cookie the bank has seen before on this account that is the useful signal. Then, if the bank were to notice (which would first require they open their eyes) that a large number of hitherto unrelated accounts are all being accessed from the same computer, I would have thought that might be a little suspicious. Wouldn't you? Moreover, if the computer in question appears to be somewhere outside of Australia, then it might not be the best idea to let said PC keep logging in to more and more accounts... Is it just me who sees this? Further, as the bank should be able to tell if this is one of the handful of computers you usually use to access your account, even other machines in Australia (or apparently in Australia, but that's another thing) should cause a raising of alertness in the bank's systems to the possibility of fraudulent activity.

So far, and as we continue, the legitimate users of internet banking have not had to see _any_ change in the way they interact, or been forced to jump through pointless hoops to "make the system more secure" for them... read on.

Going back a step or two to IP addresses, and following on from the point about the PCs usually used: the IP addresses _usually_ used don't change much either. Even on dialup lines, the address usually comes from the same netblock, as it is drawn from a pool owned by the ISP. So, when, for the last 12 months my account has been accessed from the same IP address (assigned to my cable modem by Optus), I would think that the bank should regard as suspicious any login attempt coming from anywhere else. Simply by using the system, I have demonstrated a clear pattern that ought to be noticed by an observant service provider and taken into consideration when a large withdrawal request is made.

Similarly, if, for the last 12 months, my internet banking has (90% or more of the time) been done between 8pm and 10pm on a weekday, a sudden shift to 3am Sunday morning really ought to ring alarm bells (figuratively speaking). Now I'm not saying that there is no chance this is a legitimate login, but taken in conjunction with all the other factors discussed above and below, even a computer should be able to figure out if something phishy(!) is going on.
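To show how the four signals above (country, hour of day, IP block, device cookie) combine against a single customer's own history, here is an added example in Python. It is an illustration written for this draft, not code from any bank or from the original document. The geo-IP table is a constructed stand-in for a commercial database (the RFC 5737 documentation prefixes are assigned countries arbitrarily), the login history is constructed, the /24 netblock key and the score weights are assumptions, and timestamps are taken to be in the customer's local time.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for a commercial geo-IP database. The prefixes are the
# RFC 5737 documentation ranges; their mapping to countries is invented here.
GEOIP = {
    ip_network("203.0.113.0/24"): "AU",
    ip_network("198.51.100.0/24"): "AU",
    ip_network("192.0.2.0/24"): "NG",
}


def lookup_country(ip):
    """Country code for an address, or '??' if the database has no entry."""
    addr = ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return "??"


def netblock(ip):
    """Coarse 'which ISP pool' key. A /24 is an assumption for the example;
    a real system would use the allocation size from routing or WHOIS data."""
    return str(ip_network(ip + "/24", strict=False))


# Constructed login history for one customer (local time, source IP, device
# cookie): evenings from home on a cable modem, lunchtimes from work.
HISTORY = [
    ("2005-03-01 20:15", "203.0.113.45", "cookie-home"),
    ("2005-03-03 21:05", "203.0.113.45", "cookie-home"),
    ("2005-03-08 12:30", "198.51.100.7", "cookie-work"),
    ("2005-03-10 20:40", "203.0.113.45", "cookie-home"),
    ("2005-03-15 12:45", "198.51.100.7", "cookie-work"),
    ("2005-03-17 21:10", "203.0.113.45", "cookie-home"),
    ("2005-03-22 20:05", "203.0.113.45", "cookie-home"),
    ("2005-03-29 13:00", "198.51.100.7", "cookie-work"),
    ("2005-04-05 20:55", "203.0.113.45", "cookie-home"),
    ("2005-04-12 21:30", "203.0.113.45", "cookie-home"),
]


@dataclass
class Profile:
    """What is 'normal' for one customer, tallied from past logins."""
    logins: int = 0
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    netblocks: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)


def build_profile(history):
    p = Profile()
    for ts, ip, device in history:
        p.logins += 1
        p.countries[lookup_country(ip)] += 1
        p.hours[datetime.strptime(ts, "%Y-%m-%d %H:%M").hour] += 1
        p.netblocks[netblock(ip)] += 1
        p.devices[device] += 1
    return p


def login_risk(profile, ts, ip, device):
    """Score a new login 0..100 against this customer's baseline and say why.
    Weights are illustrative; tune them against labelled fraud data."""
    score, reasons = 0, []
    country = lookup_country(ip)
    if profile.countries[country] == 0:
        score += 40
        reasons.append("never seen from country " + country)
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    # An hour within one of a familiar hour counts as familiar.
    near = sum(profile.hours[(hour + d) % 24] for d in (-1, 0, 1))
    if near / profile.logins < 0.05:
        score += 20
        reasons.append("unusual hour %02d:00" % hour)
    if profile.netblocks[netblock(ip)] == 0:
        score += 20
        reasons.append("unfamiliar IP block " + netblock(ip))
    if profile.devices[device] == 0:
        score += 20
        reasons.append("unfamiliar device cookie")
    return score, reasons
```

A login from the usual home address, at the usual hour, with the usual cookie scores 0; the 3am login from a Nigerian address on an unknown machine trips all four checks and scores 100; a new browser on the home connection at lunchtime scores only 20, which is the "raise alertness, don't block" case the text describes for unfamiliar machines that are otherwise in the right place.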

What's more, if there is nothing at all wrong with a login from Nigeria, at 3am, on a Sunday, requesting a transfer of 100% of my money to an account in Lagos, then it can still go ahead, but given the reservations the bank _really_ ought to have about such a request, they could easily send me an email (at the address they have on file for me) letting me know about the request and asking me to contact the bank by some other means (other than a login) to confirm it. I could phone, reply to the email, fax with a signature. The contact details used must be the ones on file _before_ the suspicious session, not any that session has just changed, otherwise the thief simply confirms his own request. Given the likelihood of the transaction being fraudulent, this would make the bank look really good, no matter whether it was genuine or not. It's basically just good service. And it doesn't have to be done every time, just when there is good reason to be suspicious.

Further, for the ultra paranoid internet banking customer, it ought to be possible to introduce a delay on outbound transfers. While this delay is in progress, notification of the pending transfer can be sent to the customer by email giving them time to contact the bank if they did not authorise it. The bank would love this as it means they get to hold the money longer. Provided the customer has sufficient time to contact the bank, the transfer can be cancelled without any harm. It also gives the bank and the customer immediate evidence that the account login details have been compromised so appropriate steps can be taken to fix it. I would certainly like to have the option, but it has never been offered to me. It doesn't even have to be all transfers either. It would certainly be a pain if I had an urgent bill to pay and I couldn't do it for 24 hours. But if it is someone I have never paid before, an amount which seems quite high, or just odd for any of the reasons listed above, send it through the tarpit. If it is a payee on my payee list to whom I regularly make payments (like the phone or gas company) and it's about the same order of magnitude as usual, it's most probably fine and doesn't need the same checks applied.

In short, behavioural analysis can yield a great deal more information about what is normal, and what is not. By behavioural, I mean, when you bank, where you bank, where your money comes from, where it goes to, and in what sort of amounts it usually moves. These factors will be different for everyone, but far from making the system harder to build, it actually makes it easier. Think about it. Your behaviour is unique (though seen on a larger scale, it could be classified into a number of categories). It is this very uniqueness that should alert the bank to strange goings on. While behaviour x may be quite normal for ABC corporation, it is most certainly not normal for Mrs Jones, of Smithtown. So find out what normal is, and look for it! Don't just try the one size fits all approach, and wonder why it doesn't suit anyone. Just because you have to wait until after something has happened to determine whether it looks normal, doesn't mean it's too late to stop it.

The days of random hackers poking around for fun are gone. The big threat these days is the organised criminals. So, make it hard for them, not the genuine customer. As described above, a computer or IP which appears to be accessing a large number of accounts really ought not be given access to any more. Having determined that the computer is doing something dodgy, restricting access to the system for just that machine should be really simple. Even better, the machine should not have its access restricted, but any transactions it performs should be treated with the highest level of caution. Using this technique, the hackers themselves will tell the bank exactly which accounts they have compromised, allowing the bank to fix the problem without any money changing hands. Let the bad guys do you a service. Basic self defense: turn the attacker against himself, little effort required. Many years ago I worked as a sysadmin at a girls' school. I oversaw the administration of school policy with regard to internet surfing. It was easy: watch the proxy logs to see where the students were actually surfing, and block those sites which violated policy. Rather than attempting to create a universal block list all on my own (an impossible task) I simply let the girls show me what I should block. I had 800 willing and very helpful assistants and I didn't have to pay them a cent. Simple, effective, fast. Pretty much all of the block lists available for download were for porn sites, but that was not the problem. I never had to block a single porn site, the girls simply weren't interested. I did, however, have to block several thousand chat sites. All these girls wanted to do when they got internet access was talk to each other...
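The cross-account correlation this section and the cookie section call for, as an added example in Python (written for this draft, not code from the original or from any bank): group successful logins by device cookie and by source address, flag any key that has touched more accounts than one household or one office plausibly owns, and hand back the union of accounts those keys touched. The log lines, the account and cookie names and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed login log: (device cookie, source IP, account id), one row per
# successful login. Four ordinary customers, plus one machine that has been
# walking through a list of phished accounts; its last login has no cookie
# (cookies cleared) but comes from the same address.
LOG = [
    ("cookie-a1", "203.0.113.45", "acct-1001"),
    ("cookie-a1", "203.0.113.45", "acct-1002"),  # joint account, same household
    ("cookie-b2", "198.51.100.7", "acct-2001"),
    ("cookie-b2", "198.51.100.7", "acct-2001"),
    ("cookie-c3", "203.0.113.80", "acct-3001"),
    ("cookie-d4", "198.51.100.7", "acct-4001"),  # colleague behind the same office NAT
    ("cookie-zz", "192.0.2.99", "acct-1003"),
    ("cookie-zz", "192.0.2.99", "acct-5002"),
    ("cookie-zz", "192.0.2.99", "acct-6010"),
    ("cookie-zz", "192.0.2.99", "acct-7007"),
    ("", "192.0.2.99", "acct-8008"),
]

# Thresholds are assumptions. A household may hold a few accounts, and an
# office NAT hides several customers behind one address, so the IP threshold
# is looser than the per-device one.
MAX_ACCOUNTS_PER_DEVICE = 3
MAX_ACCOUNTS_PER_IP = 4


def accounts_by(log, index):
    """Map each device cookie (index 0) or source IP (index 1) to the set of
    accounts it has logged into."""
    seen = defaultdict(set)
    for rec in log:
        key = rec[index]
        if key:  # an empty cookie gives nothing to correlate on
            seen[key].add(rec[2])
    return seen


def find_harvesters(log):
    """Devices and IPs that have logged into more accounts than any one
    customer plausibly owns, with the accounts each one touched."""
    flagged = {}
    for dev, accts in accounts_by(log, 0).items():
        if len(accts) > MAX_ACCOUNTS_PER_DEVICE:
            flagged[("device", dev)] = accts
    for ip, accts in accounts_by(log, 1).items():
        if len(accts) > MAX_ACCOUNTS_PER_IP:
            flagged[("ip", ip)] = accts
    return flagged


def accounts_to_protect(log):
    """Every account a flagged device or IP has touched: the attacker's own
    list of what he holds, ready for a credential reset and a transfer hold."""
    out = set()
    for accts in find_harvesters(log).values():
        out |= accts
    return sorted(out)
```

Note that clearing the cookie does not help the attacker here: the last login has no cookie, but the address correlation still catches it, which is why both keys are kept. The office address (198.51.100.7) serves two genuine customers and stays under its threshold.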

Next thing. Risk is relative. What do I mean by that? I mean Q: Is $1000 a lot of money? A: It depends who you ask. To me, a $1000 transfer out of my account is a big deal. To BHP Billiton, it probably isn't. Ergo, risk is relative. There are many ways to determine whether $1000 is a lot of money from the customer's perspective, but perhaps the simplest one is to look at the individual account for the average balance, credits and debits and how often money goes in and out of the account. If my average outbound transfer is around $150, and a $1000 transaction is (literally) 1 in 100, then there is a high risk (but not a certainty) that this transaction will be a big deal to me. In that case, I would like to think that the bank would be paying close attention to it. So, if, after years of slowly building up my balance to the princely sum of $10,000, the whole lot gets transferred in suspicious circumstances, I'd like the bank to tell me about it _before_ sending the funds off to some foreign bank. It _may_ be legitimate, but then again, it may not; the likelihood _can_ be quantified, so it really should be.
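Putting the last three sections together (the out-of-band confirmation, the tarpit for odd transfers, and "risk is relative"), here is an added example in Python of how a transfer could be routed. It is an illustration written for this draft, not the original document's code or any bank's. The transfer history, balance and payee names are constructed, the 90th-percentile and "twice the usual" tests and the score thresholds are assumptions, and the login_score parameter stands for whatever the login check produced for the session making the request.

```python
import statistics
from enum import Enum


class Route(Enum):
    APPROVE = "send now"
    DELAY = "hold 24h, email the customer, cancel if they object"
    CONFIRM = "hold until confirmed by phone or signed fax"


# Constructed year of outbound transfers for one customer: (payee, AUD).
# Regular phone and gas bills, rent, and one payment to a friend.
OUTBOUND = [
    ("payee-telco", 85.0), ("payee-gas", 120.0), ("payee-telco", 90.0),
    ("payee-gas", 115.0), ("payee-rent", 950.0), ("payee-telco", 88.0),
    ("payee-rent", 950.0), ("payee-friend", 200.0), ("payee-gas", 130.0),
    ("payee-rent", 950.0), ("payee-telco", 92.0), ("payee-gas", 118.0),
]
BALANCE = 10_000.0


def by_payee(history):
    per = {}
    for payee, amount in history:
        per.setdefault(payee, []).append(amount)
    return per


def transfer_reasons(history, balance, payee, amount):
    """Why this transfer is unusual *for this customer*; empty if it is not."""
    reasons = []
    per = by_payee(history)
    if payee not in per:
        reasons.append("payee never paid before")
    else:
        usual = statistics.median(per[payee])
        if amount > 2 * usual:
            reasons.append("more than twice the usual %.0f to this payee" % usual)
    # "A lot of money" is relative: compare with this customer's own 90th
    # percentile of past debits, not a bank-wide figure.
    amounts = sorted(a for _, a in history)
    if amounts:
        p90 = amounts[int(0.9 * (len(amounts) - 1))]
        if amount > p90:
            reasons.append("above this account's usual transfer size (%.0f)" % p90)
    else:
        reasons.append("no transfer history to compare against")
    if amount > 0.5 * balance:
        reasons.append("more than half the balance")
    return reasons


def route_transfer(history, balance, payee, amount, login_score=0):
    """Combine the transfer's oddities with the risk of the session that
    requested it (login_score 0..100). Thresholds are illustrative."""
    reasons = transfer_reasons(history, balance, payee, amount)
    score = login_score + 25 * len(reasons)
    if score >= 60:
        return Route.CONFIRM, reasons
    if score >= 25:
        return Route.DELAY, reasons
    return Route.APPROVE, reasons
```

The routine phone bill from a normal session goes straight through; a $1000 payment to a payee never seen before lands in the tarpit with an email; the whole balance to a new payee from a high-risk login waits for a phone call or signed fax; and a normal gas bill from a merely odd session (score 40) is delayed rather than refused, so the genuine traveller is inconvenienced by an email, not a lockout.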

If it suddenly became harder and took longer the more money you tried to steal, the number of professional criminals doing it might drop a little, but the fact is, at the moment, it's really easy to take the entire contents of an account without question. All you need is the username and password. Adding a token to that list won't slow the thieves much, as once they have a live session (phished or hijacked) they still get to do anything they like inside it. The inside of your account is like the inside of the bank, and the bank really ought to be paying more attention to what goes on inside their own systems. There need to be rules for what you can do inside the account, and those rules need to take into account the likely behaviour of normal legitimate account holders, and the likely behaviour of thieves. Once they look, the bank will find the two behave in very different ways. It is hard to steal $1,000,000 simply by doing what you and I do every day with our accounts.

Summary - what to do

Summary - lessons