Indian bank customers,
especially internet banking customers, are being made aware of the
need for sound security practices.
As the number of
internet banking users rises, the threats to internet banking
rise with it.
It is a cat-and-mouse
game between Indian banks and internet fraudsters in the
cyberworld.
Two of the most common terms in
internet banking security are MITM (Man in the Middle) and MITB (Man in the
Browser).
SafeNet, whose tagline is 'The Data
Protection Company', announced the launch of a
comprehensive solution for addressing all risk levels in online
banking.
The Solution is 'SafeNet
eToken 3500'.
The main differentiator
between
'SafeNet eToken 3500' and its competitors is the ability of the
eToken 3500 to read the transaction data from the web browser and then
generate a unique electronic signature that is used to validate that
specific transaction, so a signature obtained for one transfer cannot be reused for another.
Yes,
'SafeNet eToken 3500'
really does read the transaction data from the web browser; check out the
demo.
The following are the
steps by which 'SafeNet eToken 3500' secures a financial transaction:
- The user logs into the bank's internet banking site with his/her login ID and an OTP (One-Time Password) generated by 'SafeNet eToken 3500'.
- The user enters the amount to be transferred along with the beneficiary account number.
- 'SafeNet eToken 3500' is held up to the computer screen and reads the amount and the account number from it.
- Based on those values, 'SafeNet eToken 3500' generates an electronic signature.
- The electronic signature, i.e. a number, is keyed into the bank's internet banking site.
- If the details tally, the transaction is approved.
The
'SafeNet eToken 3500' adds an additional security layer to the transaction. The
advantage of logging into the bank's website with the
'SafeNet eToken 3500' OTP is that the user need not remember a static password. This
frees the bank from the cost of password generation, storage and reset
handling, and it means that a login credential captured by a keylogger or
phishing page is of no further use to the attacker once it has been used.
Hm, not sure when this
will be introduced in India.
What is the MITM (Man in the Middle attack) scenario?
MITM (Man in the Middle attack) is an attack in the
cyberworld which involves intercepting a communication between two
systems.
The motive is to
intercept the exchanged data and inject false data. The false data in
internet banking can be a change in the intended beneficiary or the
amount of the respective transaction.
The man in the middle
attack is one in which the attacker intercepts messages in a public
key exchange and then retransmits them, substituting his own public
key for the requested one, so that the two original parties still
appear to be communicating with each other while every message actually
passes through the attacker.
How did the MITM (Man in the Middle attack) get
its name?
The attack gets its name
from the ball game where two people try to throw a ball directly to
each other while one person in between them attempts to catch it. In
a man in the middle attack, the intruder uses a program that appears
to be the server to the client and appears to be the client to the
server.
What are the various
techniques to thwart MITM (Man in the Middle attack)?
Popular protection
techniques against MITM attacks use authentication tools that are
based on:
- Public key infrastructures
- Mutual authentication based on a shared secret, such as:
  - Secret keys (which are usually high-entropy secrets, and thus more secure), or
  - Passwords (which are usually low-entropy secrets, and thus less secure)
- Latency examination, e.g. with deliberately long cryptographic hash calculations that take tens of seconds; if an exchange normally takes 20 seconds and one suddenly takes 60 seconds to reach each party, the extra delay can indicate a third party relaying the messages
- Second (secure) channel verification
- One-time pads, which prevent a man in the middle from reading the traffic, assuming the pad itself was exchanged securely; note that a pad alone does not authenticate a message, so it must be paired with an integrity check to stop undetected tampering
- Carry-forward verification
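As an added illustration of the key-substitution attack described above and of the first two countermeasures in the list (this is example code, not from the original post or from SafeNet), the Python below runs a toy Diffie-Hellman exchange twice: once unauthenticated, where Mallory's substituted public value gives her a separate key with each side, and once with every public value authenticated by an HMAC under a pre-shared key that stands in for a PKI certificate signature. The group parameters, party names and pre-shared key are assumptions for the demo only.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration only): 2**127 - 1 is a
# Mersenne prime, but a real deployment uses a 2048-bit+ MODP group or a curve.
P = 2**127 - 1
G = 3


def dh_public(private: int) -> int:
    """Public value g^x mod p."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> bytes:
    """Session key derived from the peer's public value and our private exponent."""
    s = pow(peer_public, private, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def new_private() -> int:
    """Random private exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def unauthenticated_mitm():
    """Mallory substitutes her own public value in both directions.

    Returns (alice_key, bob_key, mallory_key_with_alice, mallory_key_with_bob):
    Alice and Bob each end up sharing a key with Mallory, not with each other,
    so Mallory can decrypt, alter and re-encrypt everything in between.
    """
    a, b, m = new_private(), new_private(), new_private()
    pub_a, pub_b, pub_m = dh_public(a), dh_public(b), dh_public(m)
    # Alice receives pub_m believing it is Bob's; Bob receives pub_m believing it is Alice's.
    alice_key = dh_shared(pub_m, a)
    bob_key = dh_shared(pub_m, b)
    mallory_with_alice = dh_shared(pub_a, m)
    mallory_with_bob = dh_shared(pub_b, m)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


# Authenticated variant. A pre-shared key plus HMAC stands in for a certificate
# signature here (assumption: the standard library has no asymmetric signing);
# the point is that Mallory cannot produce a valid tag for her own public value.
def sign_public(public: int, auth_key: bytes) -> bytes:
    return hmac.new(auth_key, public.to_bytes(16, "big"), hashlib.sha256).digest()


def verify_public(public: int, tag: bytes, auth_key: bytes) -> bool:
    return hmac.compare_digest(tag, sign_public(public, auth_key))


def authenticated_exchange(auth_key: bytes, attacker_substitutes: bool):
    """Returns (bob_accepted, alice_accepted, keys_match) for one exchange."""
    a, b, m = new_private(), new_private(), new_private()
    pub_a, pub_b, pub_m = dh_public(a), dh_public(b), dh_public(m)
    tag_a, tag_b = sign_public(pub_a, auth_key), sign_public(pub_b, auth_key)
    # What each side actually receives over the wire: Mallory can swap the
    # public value but must forward the original tag, which no longer matches.
    recv_by_bob = (pub_m if attacker_substitutes else pub_a, tag_a)
    recv_by_alice = (pub_m if attacker_substitutes else pub_b, tag_b)
    bob_accepted = verify_public(*recv_by_bob, auth_key)
    alice_accepted = verify_public(*recv_by_alice, auth_key)
    if not (bob_accepted and alice_accepted):
        return bob_accepted, alice_accepted, False   # abort before deriving any key
    return True, True, dh_shared(recv_by_alice[0], a) == dh_shared(recv_by_bob[0], b)


if __name__ == "__main__":
    ak, bk, mak, mbk = unauthenticated_mitm()
    print("unauthenticated: alice==mallory", ak == mak, "bob==mallory", bk == mbk, "alice==bob", ak == bk)
    print("authenticated, honest:", authenticated_exchange(b"demo-psk", False))
    print("authenticated, attacked:", authenticated_exchange(b"demo-psk", True))
```

The unauthenticated run shows why a bare key exchange is not enough: both sides derive a key, the exchange "works", and nothing tells them the key is shared with Mallory. The authenticated run rejects the substituted value before any session key exists, which is the property a PKI certificate or a pre-shared secret provides.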
What is the MITB (Man in the Browser) scenario?
In MITB (Man in the Browser), a trojan
infects the web browser and has the ability to modify pages, modify
transaction content or insert additional transactions, all in a
completely covert fashion invisible to both the user and the host
application.
Security mechanisms such
as SSL/PKI and/or two- or three-factor authentication solutions will
not thwart MITB attacks, because the trojan acts inside the browser
after the user has authenticated and before the request is encrypted,
so the bank receives a properly authenticated, properly encrypted but
altered transaction.
The reliable way to repulse
a MITB attack is transaction verification over a channel the infected browser does not control.
As the MITB trojan works
by utilising common facilities provided to extend browser
capabilities, such as Browser Helper Objects, extensions and user
scripts, it frequently goes undetected by signature-based virus
scanning software.
In an example exchange
between user and host, e.g. an internet banking transaction such as a
funds transfer, the customer will always be shown, via confirmation
screens, the exact payment information as keyed into the browser. The
bank, however, will receive a transaction with materially altered
instructions, i.e. a different destination account number and
possibly a different amount.
Authentication, by
definition, is concerned with the validation of identity credentials.
This should not be confused with transaction verification.
Transaction verification has to be done by an out-of-band (OOB)
mechanism to counter MITB attacks: the customer confirms what the bank
actually received, not what the browser displayed, using a device or
channel the browser cannot tamper with.
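The eToken procedure listed earlier and this MITB discussion come down to the same check: the bank verifies a short code computed over the exact beneficiary and amount the customer saw, on a device that reads the screen and that the browser cannot influence. The following Python model is added here as an illustration and is not SafeNet's, nor any bank's, code; it assumes a keyed HMAC over the transaction fields with HOTP-style truncation to an 8-digit code, and the seed, account numbers, amounts and counter values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo seed. In a real deployment the seed is provisioned into the
# token at enrollment and held by the bank's verification server.
TOKEN_SEED = b"constructed-demo-seed-for-customer-0001"


def canonical(account: str, amount_paise: int, counter: int) -> bytes:
    """Canonical encoding of exactly what the token read from the screen plus a
    per-transaction counter, so a code cannot be replayed for a later transfer."""
    return f"{account}|{amount_paise}|{counter}".encode()


def token_sign(seed: bytes, account: str, amount_paise: int, counter: int, digits: int = 8) -> str:
    """What the token computes after reading account and amount off the screen."""
    mac = hmac.new(seed, canonical(account, amount_paise, counter), hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226) so the user gets a
    # short numeric code to type into the banking site.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def bank_verify(seed: bytes, account: str, amount_paise: int, counter: int, submitted_code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = token_sign(seed, account, amount_paise, counter)
    return hmac.compare_digest(expected, submitted_code)


def transfer_scenario(tamper: bool) -> bool:
    """One transfer as seen by the customer, optionally altered by a MITB trojan
    on its way to the bank. Returns True if the bank approves it."""
    seen_account, seen_amount = "1234567890", 50_000_00   # Rs 50,000.00 in paise (constructed)
    counter = 17
    # The token reads the screen, which shows what the customer intended.
    code = token_sign(TOKEN_SEED, seen_account, seen_amount, counter)
    # The browser submits the form; a MITB trojan rewrites the beneficiary in
    # the POST body while the confirmation screen still showed seen_account.
    sent_account = "9876543210" if tamper else seen_account
    return bank_verify(TOKEN_SEED, sent_account, seen_amount, counter, code)


def replay_scenario() -> bool:
    """An attacker who captured a valid code tries to reuse it for the next
    transaction; the counter makes the bank's expected code differ."""
    captured = token_sign(TOKEN_SEED, "1234567890", 50_000_00, 17)
    return bank_verify(TOKEN_SEED, "1234567890", 50_000_00, 18, captured)


if __name__ == "__main__":
    print("honest transfer approved:", transfer_scenario(tamper=False))
    print("MITB-altered transfer approved:", transfer_scenario(tamper=True))
    print("replayed code approved:", replay_scenario())
```

The tampered transfer fails not because the bank detected the trojan but because the code binds the customer's intent to the exact account and amount; whatever the browser changes afterwards no longer matches. Binding the code to the transaction content is what separates transaction verification from the login OTP, which only proves who is at the keyboard.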