OWASP NYC AppSec 2008 Conference-SPEAKER-GunterOllmann

Multidisciplinary Bank Attacks

Online Web banking applications have evolved considerably in the last decade; however the financial losses by their customers due to account compromise appear to be increasing. While the banks have invested in their application security, organized criminal teams appear to have been investing more - and are coming up with new vectors that emphasize attacks that take place on the customer’s host.

Attacking a bank and its customers is a multidisciplinary activity engaged by well organized and well funded international criminal teams. Advances in authentication processes – whether they be multi-factor, temporal-based combinations of one-time pads, or other backend validation processes – have proved ineffective since the attackers have focused upon the financial transaction itself. The combination of drive-by-download infection vectors, custom “Swiss-army knife” malware, banking application logic flaws and end-user complexity are all now leveraged to conduct a successful attack.

Security professionals need to provide a multidisciplinary understanding of the threat to their clients. The use of malware and social engineering cannot be divorced from Web application vulnerabilities any longer.

This session examines how malware is successfully leveraged within organized online banking attacks to bypass even the most sophisticated application logic. I will explain how current state-of-the-art man-in-the-browser technologies have overcome advanced authentication techniques and transaction validation processes. We will discuss how banking application complexity and ill thought-out logic changes can (and are) leveraged by criminals to socially engineer the customer in to falling for their criminal deception. And, finally, I will explain how even out-of-band multi-factor authentication systems such as SMS-based tokens are likely to be bypassed in the future.

What does Web application security look like if you cannot trust anything that goes to, or comes from, your customers host?

About the Speaker

Gunter Ollmann serves as Director of Security Strategy for IBM Internet Security Systems. With two decades of service within the information technology field, Ollmann is responsible for IBM ISS’ overall strategy for handling next generation security threats. As the former director of X-Force, Ollmann was responsible for ISS’ security research and development efforts, including all security content for ISS' products and services, zero-day vulnerability analysis, observation and analysis of global security trends, and vulnerability discovery. Ollmann was previously the former head of X-Force security assessment services for EMEA. In his role Gunter managed a distributed team of highly skilled consultants in multiple locations throughout Europe, pioneered specialist methodologies and techniques for the successful assessment of custom software solutions and increased the growth and application of the ISS global center of excellence in security assessment and penetration testing.

Prior to joining Internet Security Systems, Ollmann was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. He was responsible for the development of business relationships, including building NGS’ international clientele, and helping define the direction of research activities and development of the company’s vulnerability-based knowledge services. Ollmann grew NGS consulting service while dispensing cutting-edge security advice to product vendors to aid them in the development of commercial technology.

Ollmann has been a contributor to multiple leading international IT and security focused magazines and journals, including a dedicated monthly “Consultants Corner” column in SC Magazine. He has authored, developed and delivered a number of highly technical courses on Web Application Security. He has provided technical advice to various government agencies and is an invited to speaker at many international security conferences.