The advanced mobile authentication application is one component of a layered security approach for thwarting malicious Man-in-the-Browser malware attacks, such as the notorious Zeus Trojan, and is already available as part of the latest release, Entrust IdentityGuard 9.3.
"To effectively combat increasingly sophisticated strains of malware, including Man-in-the-Browser attacks, financial institutions should use a layered approach led by proven identity-based security solutions,"
"In addition to strong authentication and fraud methods, out-of-band transaction verification via a mobile application can prove effective in helping to combat Man-in-the-Browser attacks."
4. How does it work?
1. User visits bank and logs into account
2. Malware 'wakes up' based on URL watch list
3. User initiates ACH or Wire Transfer
4. Malware intercepts user's request, substitutes alternate amount and destination
5. Bank receives malware's request, sends transaction details for review and requests one-time-passcode (OTP)
6. Malware intercepts site's transaction detail confirmation, modifies them to correspond to user's initial request
7. User views transaction details (which look fine) then enters OTP token code into Web browser
8. Bank receives and validates OTP, transacting the malware-modified transaction without the user ever knowing
5. Alternative approaches to capturing user information… Malware modifies web pages to prompt for OTP so it can silently execute a wire transfer or send OTP to criminal via Instant Message
6. The Alternative: out-of-band transaction verification via a mobile application (H. Chen)
24. Multiple Identities, one device
- Mix of Soft token only and Transaction Notification
- Independent activation and control
- Customizable branding per identity
(Figure: Multiple Identities)
25. Entrust Mobile - Soft Token only
- OATH compliant
- Time-based soft token
- 30 second time window
- Brandable interface
26. IDG Mobile - with Transaction Verification (TVS)
- OATH Time-based Soft Token
- Transaction details confirmed out of band on mobile device
- No data entry
- OATH signature of transaction contents
- User confirms transaction or acts on suspect details
28. How Transaction Verification Works
1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. User opens Entrust Mobile Application
4. IDG Mobile retrieves transaction details from bank's IDG & displays to user
5. User confirms details and enters OTP in web browser OR reads how to deal with a suspect transaction
(Diagram components: Customer Banking Application, Self Service Module, IdentityGuard)
29. How the Optional Notification Service Works (Q4, 2010)
1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. IDG sends notification message to Entrust cloud service
4. Entrust cloud service sends notification to appropriate provider
5. Provider sends message to device & wakes up IDG Mobile
6. IDG Mobile retrieves transaction details from bank's IDG & displays to user
7. User reads details and enters OTP in web browser OR reads how to deal with a suspect transaction
(Diagram components: Customer Banking Application, Self Service Module, IdentityGuard, Transaction Notification Service, Transaction Notification Request, Apple Notification Service)
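The two flows above (slides 28 and 29) rely on the "OATH signature of transaction contents" from slide 26, which is what breaks the slide 4 attack: a code bound to the transaction the bank actually holds cannot be reused for a malware-substituted transfer. The following is an added illustration written for this page, not Entrust's code; the key, transactions and canonical field format are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment provisions a per-identity secret at activation.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP_SECONDS = 30  # the 30 second time window from the soft-token slide

def _truncate(digest: bytes, digits: int = 6) -> str:
    # RFC 4226 dynamic truncation: 31 bits taken at an offset given by the last nibble.
    off = digest[-1] & 0x0F
    code = int.from_bytes(digest[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, now: int) -> str:
    """Plain time-based OTP: depends only on key and time window, never on the transaction."""
    msg = struct.pack(">Q", now // STEP_SECONDS)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())

def canonical(tx: dict) -> bytes:
    # Fixed field order so the mobile app and the server hash exactly the same bytes.
    return f"{tx['amount']}|{tx['currency']}|{tx['destination']}".encode()

def transaction_code(secret: bytes, tx: dict, now: int) -> str:
    """Transaction-bound OTP: HMAC over the canonical transaction details plus the time window."""
    msg = hashlib.sha256(canonical(tx)).digest() + struct.pack(">Q", now // STEP_SECONDS)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())

def bank_verifies_plain(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Server check for plain TOTP: it has no way to tie the code to a transaction."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP_SECONDS), code)
               for d in range(-skew, skew + 1))

def bank_verifies_bound(secret: bytes, held_tx: dict, code: str, now: int, skew: int = 1) -> bool:
    """Server check for transaction signing: only a code over the bank-held details passes."""
    return any(hmac.compare_digest(transaction_code(secret, held_tx, now + d * STEP_SECONDS), code)
               for d in range(-skew, skew + 1))

def simulate_mitb(now: int = 1_300_000_000) -> dict:
    """Replays the slide 4 scenario: the user intends tx A, the malware submits tx B."""
    intended = {"amount": "1000.00", "currency": "USD", "destination": "ACCT-USER-PAYEE"}
    modified = {"amount": "9500.00", "currency": "USD", "destination": "ACCT-MULE"}
    # Plain TOTP: whatever the user types validates the transaction the bank holds (tx B).
    plain_ok = bank_verifies_plain(DEMO_SECRET, totp(DEMO_SECRET, now), now)
    # Transaction signing: a code computed over A is rejected against B.
    bound_ok = bank_verifies_bound(DEMO_SECRET, modified, transaction_code(DEMO_SECRET, intended, now), now)
    # OOB display: the app shows the bank-held details (B), so the substitution is visible.
    return {"plain_totp_accepts_tampered": plain_ok, "bound_code_accepts_tampered": bound_ok,
            "user_sees_mismatch": canonical(modified) != canonical(intended)}
```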
30. CONFIDENTIAL (roadmap table; row labels not recoverable from the extraction)
Features: Time-based OTP; Transaction Confirm & Sign
Dates as listed: August 2010, August 2010, Q4/2010, Early 2011, TBD, Early 2011, Early 2011