adsense

Sunday, January 22, 2012

'SafeNet eToken 3500' – New Tool to combat Online Banking fraud. Which Bank will introduce this in India?




Indian bank customers especially internet banking customers are being made aware of the need for efficient security practices.

As the number of internet banking users is on the use, the threats t internet banking too is in on the increase.
It is a cat and mouse game between Indian Banks and the internet fraudsters in the cyberworld.

The most common terms in internet security is the MITM(Man-in the Middle) or MITB (Man in the Browser) scenario.

Safenet, the 'Data Protection Company', as it's punchline, announced the launch of a Comprehensive Solution for Addressing all Risk Levels in Online Banking.
The Solution is 'SafeNet eToken 3500'.

The main differentiator between 'SafeNet eToken 3500'  and its competitors is the ability of eToken 3500 to read transaction data from the web browser and than generates a unique electronic signature that is used to validate the transaction.
Yes,  'SafeNet eToken 3500' , reads the transaction data from the web browser. Well, check out the demo @ Demo



The following are the steps to secure the financial transaction by 'SafeNet eToken 3500'
  1. User logs into the Bank's internet banking site by signing with his/her login id and OTP(One time Password) generated by  'SafeNet eToken 3500' .
  2. User inputs the Sum of amount tobe transferred along with the Account number.
  3. The  'SafeNet eToken 3500'  is to be held to the computer screen and 'SafeNet eToken 3500', reads the amount and the account number.
  4. Basing on the same, an Electronic Signature is generated by 'SafeNet eToken 3500'.
  5. The Electronic Signature I.e an number is keyed into the Banks internet banking site.
  6. If the details tally, the transaction is approved.

The  'SafeNet eToken 3500'  adds an additional security layer to the transaction. The advantage of logging into the banks website with  'SafeNet eToken 3500' , OTP is that the user need not remember his/her password. This frees the banks from investing in Password generation, storing etc job and also ensures that the log-in is safe 100% every time.

Hm, not sure, when this will be introduced in India?


What is (Man in the Middle attack) MITM scenario? 
(Man in the Middle attack) MITM is an attack in the cyberworld, which involves intercepting a communication between two systems.
The motive is to intercept the exchanged data and inject false data. The false data in internet banking can be a change in the intended beneficiary or the amount of the respective transaction.

The man in the middle attack is one in which the attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other.

How did the (Man in the Middle attack) MITM gets its name?
The attack gets its name from the ball game where two people try to throw a ball directly to each other while one person in between them attempts to catch it. In a man in the middle attack, the intruder uses a program that appears to be the server to the client and appears to be the client to the server.

What are the various techniques to thwart (Man in the Middle attack) MITM?
Popular protection techniques against MITM attacks use authentication tools that are based on:
Public key infrastructures : -
such as:

  1. Secret keys (which are usually high information entropy secrets, and thus more secure), or
  1. Passwords (which are usually low information entropy secrets, and thus less secure)
  1. Latency examination, such as with long Cryptographic hash function calculations that lead into tens of seconds; if both parties take 20 seconds normally, and the calculation takes 60 seconds to reach each party, this can indicate a third party
  1. Second (secure) channel verification
  1. One-time pads are immune to MITM attacks, assuming the security and trust of the one-time pad.
  1. Carry-forward verification

What is (Man in the Browser) MITB  scenario?
In (Man in the Middle attack) MITB, a trojan infects the web browser, and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application.

Security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions, will not thwart (Man in the Middle attack)  MITB attacks.

The only way to repulse a (Man in the Middle attack)  MitB attack is by utilising transaction verification.
As the (Man in the Middle attack) MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., it is therefore virtually undetectable to virus scanning software.

In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. T

Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. Transaction Verification has to be done by an Out of Band (OOB) mechanism to counter (Man in the Middle attack) MITB attacks.


No comments:

LinkWithin

Related Posts with Thumbnails

Disclaimer

The thoughts in this BLOG are personal, and reflect only my view on the subject.
This are not the views of my Employers.
All images, logos rights rest with the Original TitleHolders

All efforts have been made to make this information as accurate as possible, N Prashant will not be responsible for any loss to any person caused by inaccuracy in the information available on this Website. Relevent Official Gazettes Communications may be consulted for an accurate information. Any discrepancy found may be brought to the notice of N Prashant