Hey TPM, SignMyTransaction

  • Ijlal Loutfi University of Oslo
  • Audun Jøsang University of Oslo


Online banking services have been fighting malware for the last 10 years. However, the emergence of targeted Man-in-the-Browser (MitB) banking malware has given attackers the upper hand in this fight. MitB Trojans hook themselves into end users' browsers, intercept their banking credentials, alter their transaction details, and then transparently alter the HTML of the bank web pages they are viewing. The end user then unsuspectingly approves the transaction. MitB is able to evade traditional defense mechanisms such as intrusion detection systems and anti-fraud policies, as well as strong authentication mechanisms. In this paper, we present a solution aimed at detecting and preventing MitB attacks. The solution relies on concepts related to the trusted computing paradigm. It defines a trusted path in the end user platform, which allows it to take a screen-capture of the transaction details displayed on the end user's screen, and forward it to the bank in the same TLS session as the transaction details. The trusted path is hardware-protected by the TPM, and ensures that the screen-capture has not been altered by any malware. The solution also relies on the TPM PKI in order to give assurance to the bank that the screen-capture originates from a genuine user. The solution is aimed at corporate end users and industries.


Norsk Informasjonssikkerhetskonferanse 2016