© 2010 Tectia Corporation. All rights reserved. Tectia® and ssh® are registered trademarks of Tectia Corporation in the United States and in certain other jurisdictions. The Tectia and SSH logos are trademarks of Tectia Corporation and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.
Eliminating Man-in-the-Browser Threats in
Internet Banking
White Paper
September 2010
The “Man-in-the-Browser” is a Trojan horse that infects the user’s web browser and has the ability to
modify pages and transaction contents, unbeknownst to both the user and the web server application.
This white paper discusses the man-in-the-browser attack and introduces a Tectia solution to increase
security in Internet banking.
Eliminating Man-in-the-Browser Threats in Internet Banking 2 www.tectia.com
WHY SHOULD YOU BE CONCERNED?
The increase in the popularity of Internet banking has
seen a corresponding rise in methods for stealing
personal and banking data. Cyber criminals have
refined their techniques to match the growing
sophistication of modern security solutions.
One of the first methods of cyber crime was to use
software for logging the keystrokes made by the user.
This was followed by more elegant mechanisms, such
as phishing and pharming where users are directed to a
false web site to obtain their secure information as they
unsuspectingly provide it.
The latest critical threat is known as Man-in-the-Browser,
a completely invisible and hard to detect attack that
allows cyber criminals to hijack web browser
connections and gather and alter users’ secure
information and transaction details.
As banks have enhanced their authentication systems,
phishing attacks have become less and less effective.
Conversely Man-in-the-Browser attacks are set to
increase, heavily affecting consumers, businesses, and
financial institutions, and resulting in large financial
losses and litigation.
A recent FBI study highlighted that potential losses from
Trojans and other attacks against financial institutions
have already exceeded $100 million [1]. The Anti-
Phishing Working Group (APWG) recently reported more
than 56,000 unique phishing sites in August 2009 alone,
along with extremely rapid growth in malware variants [2].
WHAT IS A MAN-IN-THE-BROWSER ATTACK?
The “Man-in-the-Browser” is a Trojan horse that infects
the user’s web browser and has the ability to modify
pages, modify transaction content or insert additional
transactions, all in a completely covert fashion invisible
to both the user and host application.
Since the Man-in-the-Browser attack happens at the
application layer, the attack will be successful regardless
of whether security mechanisms such as SSL/PKI and/or
two or three factor authentication solutions are in place.
For example, as described in Figure 1, in online banking
transactions the customer is shown, via confirmation
screens, the correct payment information as entered into
the browser. The bank, however, will receive a
transaction with altered instructions, a different
destination account number and possibly a different
amount. The use of strong authentication or transaction
authentication numbers through the web-browser
interface simply creates a false sense of security for both
the customer and the bank that the transaction is secure.
Because of its silent and invisible nature, most traditional
defenses are rendered completely ineffective. It operates
between the web-browser security protocols and the
input of the user, which makes it very difficult to detect
through traditional virus-scanning methods. Examples of
well-known man-in-the-browser attacks include the Zeus
and Silentbanker Trojans, each of which has been
successfully installed on millions of PCs around the
world, and which have a proven record of successful
fraud. One example is an uncovered Zeus 3-driven
attack that defrauded customers of a major UK bank of
more than £600,000 [3].
HOW TO ELIMINATE THE THREAT?
What can be done if traditional virus scanners and tools,
or even the strongest authentication methods, cannot be
used effectively to eliminate this threat?
USER-BEHAVIOR-BASED FRAUD DETECTION
One approach to solving this problem is to monitor and
analyze real-time user behavior on the application
interface. These kinds of fraud detection tools analyze all
user activity, how the pages are accessed, whether or
not the user is navigating too quickly or if there are any
suspicious page navigation patterns.
Passive safeguards are attractive because they are
invisible to end users and do not require any changes in
the end user systems or user experience. However,
these solutions may not necessarily scale to large
environments because of the amount of data that must
be analyzed. In addition, they may cause false alerts and
interruptions or even worse, may not prevent fraud
attempts.
Figure 1: Man-in-the-Browser attack changing the web-site content
ISOLATING THE WEB BROWSER OR SYSTEM
One way to ensure that your web browser cannot be
infected is to install the browser executable on a USB
stick and set the stick to read-only mode. This may
protect the web browser from infection, but what
happens if the USB stick browser is run on an already
infected system? Advanced Trojans and worms may
hijack the web connection even if the browser itself is
stored on a read-only USB stick. Furthermore, applying
this model to a large environment may become a
nightmare of USB stick management and browser
upgrades. Finally, many organizations have disabled
USB ports, making the deployment of this method even
more challenging.
SIGNATURE-BASED TRANSACTION VERIFICATION
Another option is to use a one-time password (OTP)
device that can electronically sign transaction details.
When the transaction takes place, the user is prompted
to enter the transaction details and the signature code is
calculated by the device. In this model a special
hardware unit must be provided to every user. This may
be very challenging for large Internet banking
environments and the operating costs of managing,
distributing, and supporting this hardware are very high.
OUT-OF-BAND TRANSACTION VERIFICATION
One of the most effective methods in defeating a Man-in-
the-Browser attack is through an out-of-band (OOB)
transaction verification process. Out-of-band verification
overcomes the Man-in-the-Browser Trojan by verifying
the transaction details, as received by the host (bank), to
the user (customer) over a channel other than the web
browser, typically an automated telephone call, SMS text
message or a mobile application.
In the transaction verification process, the user is not
only sent a confirmation code or one-time password, but
also a summary of the transaction: "Money transfer
€1,087.00 from account 12345678 to 87654321.
Confirmation code 193713". In this way the user can
check the transaction details and continue only if the
information is correct.
To further enhance the security of this approach, out-of-
band transaction verification can also be used to accept
confirmation codes only through the out-of-band
channel, for example by replying to the SMS text
message, making any kind of transaction modification
virtually impossible.
Figure 2: Out-of-band transaction verification
Out-of-band transaction verification is ideal for large
deployments since it leverages devices already in the
public domain (e.g. landline or mobile phone) and
requires no additional hardware devices.
Some out-of-band transaction verification solutions can
also be used to provide strong two- or three-factor user
authentication and transaction signing capabilities. This
also makes them ideal for combating other Internet
banking threats such as phishing, pharming or other
types of account misuse and connection hijacking
attempts.
HOW CAN TECTIA HELP?
Tectia Security Solutions provide the fastest track to
real-time information security. We help our customers
secure, automate, manage, and share real-time
information in large enterprise environments, both in the
intranet and extranet, with little or no modification to their
existing infrastructure and no disruption to business.
PREVENTING MAN-IN-THE-BROWSER AND OTHER INTERNET BANKING THREATS
Tectia MobileID, a key product of Tectia Share
Solutions, is a strong two-factor authentication and
transaction verification solution that utilizes a wide
variety of easy and fast to deploy out-of-band
mechanisms such as SMS text messaging, mobile
phone applications and e-mail. A typical deployment of
Tectia MobileID in a banking environment is described in
the diagram below:
1. The user connects to the online banking service
using a web browser and logs in using his
credentials. The user checks his bank account
details and makes an online payment; €50 to
account 234567 of an electricity company.
The banking service sends the transaction details
to the user via the web browser.
2. Before executing the payment, the online banking
service also sends a transaction summary to
Tectia MobileID Server.
3. Tectia MobileID Server sends an SMS text
message containing the transaction summary to
the user over the mobile phone network.
4. The user receives the transaction summary on his
mobile device, checks that the summary matches
the transaction he made (€50 to account 234567)
and confirms the transaction either using the
mobile device or the web browser (using the
confirmation code given in the SMS message).
Figure 3: Deployment of Tectia MobileID
But what if the user's web browser is infected and a Man-
in-the-Browser Trojan is active? A simplified example of
a Man-in-the-Browser attack, and of how it can be detected
and eliminated using Tectia MobileID, is described below:
1. The user connects to the online banking service
using a web browser and logs in using his
credentials.
a. Because a Man-in-the-Browser Trojan has
taken over the web browser, all the
information the user types, username,
password and strong authentication
credentials, passes through the Trojan and is
completely invisible to the user or the online
banking service.
b. Because there is no indication of anything
strange, the user checks his bank account
details and makes the online payment; €50 to
account 234567 of an electricity company.
c. Before the information is submitted to the
banking service, the Man-in-the-Browser
Trojan changes the amount and bank
account, and submits the modified form; €150
to account 176671.
d. The banking service sends the transaction
details to the user via the web browser (€150
to account 176671).
e. Again, the Man-in-the-Browser Trojan
modifies the information so that it matches
the information the user entered (€50 to
account 234567). Without out-of-band
verification the user is completely unaware
that the actual transaction the bank will
execute is something completely different
from what he intended.
2. Because the bank has out-of-band transaction
verification in use, the transaction summary is also
sent to the Tectia MobileID Server.
3. Tectia MobileID Server sends an SMS text
message containing the transaction summary to
the user over the mobile phone network.
4. Before confirming the transaction the user double-
checks the summary and notices the difference
between what he entered (€50 to account 234567)
and what is displayed on the mobile phone (€150
to account 176671).
The user realizes something is wrong and cancels
the transaction.
Figure 4: Tectia MobileID prevents a man-in-the-browser attack
5. The bank is informed of the Man-in-the-Browser
attempt, either by the user calling customer service
or responding to the text message summary.
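The deployment flow (steps 1 to 4 above) and the infected-browser scenario (steps 1 to 5) as one runnable simulation; this is an added example, not Tectia's code or the MobileID product. The MobileID Server, the SMS network and the customer's check are in-process stand-ins, and the phone number, account numbers and six-digit confirmation-code format are constructed assumptions.

```python
"""Out-of-band transaction verification, modelled on the MobileID flow this
paper describes. Added example, not Tectia's code: the MobileID Server and
the SMS network are replaced by in-process stand-ins so it runs offline."""
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transaction:
    from_account: str
    to_account: str
    amount_cents: int

    def summary(self) -> str:
        # Same wording as the paper's SMS example, built without float maths.
        euros, cents = divmod(self.amount_cents, 100)
        return (f"Money transfer €{euros:,}.{cents:02d} "
                f"from account {self.from_account} to {self.to_account}")


SEPARATOR = ". Confirmation code "


class MobileIdServer:
    """Stand-in for the Tectia MobileID Server (constructed, not the product)."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # the out-of-band channel (step 3)
        self._pending = {}          # txn_id -> single-use confirmation code

    def request_verification(self, txn_id: str, received: Transaction,
                             msisdn: str) -> None:
        # The summary is built from the transaction AS THE BANK RECEIVED IT,
        # so whatever the Trojan rewrote in the browser is exactly what the
        # customer sees on the phone. The code is random and bound to txn_id.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[txn_id] = code
        self._send_sms(msisdn, received.summary() + SEPARATOR + code)

    def confirm(self, txn_id: str, code: str) -> bool:
        # Single use: the code is consumed whether or not it matches, so a
        # replayed or guessed code cannot be retried against the same txn.
        expected = self._pending.pop(txn_id, None)
        return expected is not None and hmac.compare_digest(expected, code)


class Customer:
    """The user: remembers what was typed into the browser and compares it
    with the SMS summary before confirming (step 4 of the paper's flow)."""

    def __init__(self, intended: Transaction):
        self.intended = intended
        self.inbox: List[str] = []

    def receive_sms(self, _msisdn: str, text: str) -> None:
        self.inbox.append(text)

    def decide(self) -> Optional[str]:
        """Return the confirmation code if the SMS matches what was intended,
        otherwise None, meaning the customer cancels."""
        summary, sep, code = self.inbox[-1].rpartition(SEPARATOR)
        if sep and summary == self.intended.summary():
            return code
        return None


def run_payment(intended: Transaction, received: Transaction) -> str:
    """Bank-side flow. `received` is the form as the bank got it; with a
    Man-in-the-Browser Trojan active it may differ from `intended`."""
    customer = Customer(intended)
    server = MobileIdServer(send_sms=customer.receive_sms)
    txn_id = secrets.token_hex(8)
    # Constructed MSISDN; the bank would look up the customer's enrolled number.
    server.request_verification(txn_id, received, "+358400000000")
    code = customer.decide()
    if code is None:
        return "cancelled"   # customer spotted the mismatch (step 4)
    return "executed" if server.confirm(txn_id, code) else "rejected"


if __name__ == "__main__":
    intended = Transaction("12345678", "234567", 5000)    # €50 to the electricity company
    print("clean browser:", run_payment(intended, intended))
    tampered = Transaction("12345678", "176671", 15000)   # what the Trojan submitted
    print("infected browser:", run_payment(intended, tampered))
```

The tampered case ends in "cancelled" because the SMS summary comes from the bank's copy of the transaction, which the browser-resident Trojan cannot rewrite.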
By using Tectia MobileID and out-of-band transaction
verification, Man-in-the-Browser attacks can be
recognized and eliminated, and customer transactions
safeguarded.
Furthermore, the same solution can be used to provide
strong two-factor authentication to minimize phishing
attempts, Man-in-the-Middle attacks and account
misuse.
CUT COSTS AND ACTIVATE NEW USERS QUICKLY AND EFFORTLESSLY
The Tectia solution uses the most readily available and
easy to use authentication device, the end user’s
existing mobile phone. Since there is no need for any
additional hardware, the costs related to distribution,
maintaining, and replacing security tokens or other
devices are completely eliminated. Tectia MobileID is a
tokenless solution offering the easiest and fastest route
to secure two-factor authentication and transaction
verification.
TECTIA MOBILEID FITS ALL CORPORATE NEEDS
The capabilities of Tectia MobileID and the Tectia
Solution are not limited to securing Internet banking
applications. Tectia MobileID can be used to secure all
corporate services where strong authentication is
needed, such as VPN access, partner portals, remote
system administration or web mail access.
ABOUT TECTIA
Tectia is a modern, sales-driven, customer-oriented
organization. Our core focus is on understanding
customer problems and on proposing relevant solutions
to address their information security challenges while
meeting business targets.
We help customers choose the right solutions to address
their organizational information security needs across a
variety of complex environments, in the public and
private sectors in multiple industries worldwide.
Our suite of information security solutions addresses four
main areas of business and is named accordingly:
Secure, Automate, Manage, and Share.
Our customers can be confident that our solutions
provide:
• Fast, flexible and secure real-time information
exchange and communication
• Visibility and control of vital data exchanges
• Confidence in meeting and maintaining audit
requirements and beyond
• Reduced cost and risk
• Solid customer loyalty and brand integrity
Tectia solutions ensure that our customers can create a
Circle of Trust in which all of their stakeholders can
share information and conduct business confidently and
securely. As we say: Your People. Your Secrets.
Protected.
REFERENCES
[1] Compromise of User's Online Banking Credentials Targets Commercial Bank Accounts, Internet Crime Complaint Center, Nov 3, 2009.
[2] Phishing Activity Trends Report, Anti-Phishing Working Group, Q3 2009.
[3] Major UK bank's online customers hit by £600 000-plus by Zeus 3 fraud.
 

Mehr von Hai Nguyen (20)

Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowres
 
Bi guardotp
Bi guardotpBi guardotp
Bi guardotp
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
 
Ams 2 fa april 2013
Ams 2 fa april 2013Ams 2 fa april 2013
Ams 2 fa april 2013
 
10695 sidtfa sb_0210
10695 sidtfa sb_021010695 sidtfa sb_0210
10695 sidtfa sb_0210
 
9697 aatf sb_0808
9697 aatf sb_08089697 aatf sb_0808
9697 aatf sb_0808
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Kürzlich hochgeladen (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Man in-the-browser tectia-whitepaper

• 1. © 2010 Tectia Corporation. All rights reserved. Tectia® and ssh® are registered trademarks of Tectia Corporation in the United States and in certain other jurisdictions. The Tectia and SSH logos are trademarks of Tectia Corporation and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

Eliminating Man-in-the-Browser Threats in Internet Banking
White Paper
September 2010

The “Man-in-the-Browser” is a Trojan horse that infects the user’s web browser and has the ability to modify pages and transaction contents, unbeknownst to both the user and the web server application. This white paper discusses the man-in-the-browser attack and introduces a Tectia solution to increase security in Internet banking.
• 2. Eliminating Man-in-the-Browser Threats in Internet Banking 2 www.tectia.com

WHY SHOULD YOU BE CONCERNED?

The increase in the popularity of Internet banking has seen a corresponding rise in methods for stealing personal and banking data. Cyber criminals have refined their techniques to match the growing sophistication of modern security solutions.

One of the first methods of cyber crime was to use software for logging the keystrokes made by the user. This was followed by more elegant mechanisms, such as phishing and pharming, where users are directed to a false web site that captures the secure information they unsuspectingly provide.

The latest critical threat is known as Man-in-the-Browser, a completely invisible and hard-to-detect attack that allows cyber criminals to hijack web browser connections and gather and alter users’ secure information and transaction details.

As banks have enhanced their authentication systems, phishing attacks have become less and less effective. Conversely, Man-in-the-Browser attacks are set to increase, heavily affecting consumers, businesses, and financial institutions, and resulting in large financial losses and litigation. A recent FBI study highlighted that potential losses from Trojans and other attacks against financial institutions have already exceeded $100 million [1]. The Anti-Phishing Working Group (APWG) recently reported more than 56,000 unique phishing sites in August 2009 alone, along with extremely rapid growth in malware variants [2].

WHAT IS A MAN-IN-THE-BROWSER ATTACK?

The “Man-in-the-Browser” is a Trojan horse that infects the user’s web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion, invisible to both the user and the host application.

Since the Man-in-the-Browser attack happens at the application layer, the attack will be successful regardless of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. For example, as described in Figure 1, in online banking transactions the customer is shown, via confirmation screens, the correct payment information as entered into the browser. The bank, however, will receive a transaction with altered instructions: a different destination account number and possibly a different amount. The use of strong authentication or transaction authentication numbers through the web-browser interface simply creates a false sense of security for both the customer and the bank that the transaction is secure.
• 3. Because of the attack’s silent and invisible nature, most traditional defenses are rendered completely ineffective. The Trojan operates between the web-browser security protocols and the input of the user, which makes it very difficult to detect through traditional virus-scanning methods.

Examples of well-known man-in-the-browser attacks include the Zeus and Silentbanker Trojans, each of which has been successfully installed on millions of PCs around the world and has a proven record of successful fraud. One example is an uncovered Zeus 3-driven attack that defrauded customers of a major UK bank of more than £600,000 [3].

HOW TO ELIMINATE THE THREAT?

What can be done if traditional virus scanners and tools, or even the strongest authentication methods, cannot be used effectively to eliminate this threat?

USER-BEHAVIOR-BASED FRAUD DETECTION

One approach to solving this problem is to monitor and analyze real-time user behavior on the application interface. These kinds of fraud detection tools analyze all user activity: how the pages are accessed, whether or not the user is navigating too quickly, and whether there are any suspicious page navigation patterns. Passive safeguards are attractive because they are invisible to end users and do not require any changes in the end user systems or user experience. However, these solutions may not necessarily scale to large environments because of the amount of data that must be analyzed. In addition, they may cause false alerts and interruptions or, even worse, may not prevent fraud attempts.

Figure 1: Man-in-the-Browser attack changing the web-site content
• 4. ISOLATING THE WEB BROWSER OR SYSTEM

One way to ensure that your web browser cannot be infected is to install the browser executable on a USB stick and set the stick to read-only mode. This may protect the web browser from infection, but what happens if the USB stick browser is run on an already infected system? Advanced Trojans and worms may hijack the web connection even if the browser itself is stored on a read-only USB stick. Furthermore, applying this model to a large environment may become a nightmare of USB stick management and browser upgrades. Finally, many organizations have disabled USB ports, making the deployment of this method even more challenging.

SIGNATURE-BASED TRANSACTION VERIFICATION

Another option is to use a one-time password (OTP) device that can electronically sign transaction details. When the transaction takes place, the user is prompted to enter the transaction details into the device, and the device calculates the signature code. In this model a special hardware unit must be provided to every user. This may be very challenging for large Internet banking environments, and the operating costs of managing, distributing, and supporting this hardware are very high.

OUT-OF-BAND TRANSACTION VERIFICATION

One of the most effective methods of defeating a Man-in-the-Browser attack is an out-of-band (OOB) transaction verification process. Out-of-band verification overcomes the Man-in-the-Browser Trojan by presenting the transaction details, as received by the host (bank), to the user (customer) over a channel other than the web browser, typically an automated telephone call, an SMS text message or a mobile application. In the transaction verification process, the user is sent not only a confirmation code or one-time password but also a summary of the transaction: “Money transfer €1,087.00 from account 12345678 to 87654321. Confirmation code 193713”.

In this way the user can check the transaction details and continue only if the information is correct. To further enhance the security of this approach, out-of-band transaction verification can also be configured to accept confirmation codes only through the out-of-band channel, for example by replying to the SMS text message, making any kind of transaction modification virtually impossible.

Figure 2: Out-of-band transaction verification

Out-of-band transaction verification is ideal for large deployments since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices. Some out-of-band transaction verification solutions can also be used to provide strong two- or three-factor user authentication and transaction signing capabilities. This also makes them ideal for combating other Internet banking threats such as phishing, pharming or other types of account misuse and connection hijacking attempts.
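The out-of-band verification flow described above, modelled as an added Python example (this is not Tectia's code and not the MobileID API): the bank binds the confirmation code to the details it actually received and sends the summary over a separate channel, the customer compares that summary with what they intended, and a Trojan that rewrites the submitted form is caught at that comparison. The BankServer/Payment names, the account numbers, the phone number and the server key are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Payment:
    amount_cents: int
    from_account: str
    to_account: str

def transaction_summary(p: Payment) -> str:
    """Summary text in the style of the paper's SMS message."""
    euros, cents = divmod(p.amount_cents, 100)
    return f"Money transfer €{euros:,}.{cents:02d} from account {p.from_account} to {p.to_account}."

class BankServer:
    """Bank side: records what it actually received and verifies it out of band."""

    def __init__(self, server_key: bytes, oob_only_confirmation: bool = False):
        self._key = server_key
        self.oob_only = oob_only_confirmation  # accept codes only via the OOB channel
        self.pending = {}     # txid -> (Payment as received, expected code)
        self.sms_outbox = []  # (phone, text): models the SMS channel
        self.executed = []    # payments the bank went on to execute
        self.reported = []    # txids the customer cancelled after the OOB check

    def _confirmation_code(self, txid: str, p: Payment) -> str:
        # Bind the code to the details the bank received, so it can only ever
        # confirm this exact transaction, never a substituted one.
        msg = f"{txid}|{p.amount_cents}|{p.from_account}|{p.to_account}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def receive_payment(self, txid: str, p: Payment, phone: str) -> None:
        code = self._confirmation_code(txid, p)
        self.pending[txid] = (p, code)
        # The summary describes what the bank holds, not what the browser showed.
        self.sms_outbox.append((phone, f"{transaction_summary(p)} Confirmation code {code}"))

    def confirm(self, txid: str, code: str, via_oob: bool) -> bool:
        if self.oob_only and not via_oob:
            return False  # a code typed into the (possibly infected) browser is ignored
        entry = self.pending.get(txid)
        if entry is None or not hmac.compare_digest(code, entry[1]):
            return False
        del self.pending[txid]
        self.executed.append(entry[0])
        return True

    def cancel(self, txid: str) -> None:
        self.pending.pop(txid, None)
        self.reported.append(txid)

def customer_reviews_sms(intended: Payment, sms_text: str) -> Optional[str]:
    """Customer compares the SMS with what they meant to send; code only on a full match."""
    expected_prefix = transaction_summary(intended) + " Confirmation code "
    return sms_text[len(expected_prefix):] if sms_text.startswith(expected_prefix) else None

def run_payment(bank: BankServer, txid: str, intended: Payment, phone: str,
                trojan: Optional[Callable[[Payment], Payment]] = None,
                confirm_via_oob: bool = True) -> bool:
    """One payment end to end. `trojan` models a Man-in-the-Browser rewriting the
    form between user and bank; it cannot touch the phone. True if executed."""
    submitted = trojan(intended) if trojan else intended  # what the bank receives
    bank.receive_payment(txid, submitted, phone)
    # Whatever the browser displays is ignored; the decision uses only the SMS.
    _, sms_text = bank.sms_outbox[-1]
    code = customer_reviews_sms(intended, sms_text)
    if code is None:
        bank.cancel(txid)  # mismatch: the user cancels and the bank learns of the attempt
        return False
    return bank.confirm(txid, code, via_oob=confirm_via_oob)

# Constructed sample data mirroring the paper's walkthrough (€50 to account 234567).
CUSTOMER_PHONE = "+000-00000000"  # placeholder, not a real number
INTENDED = Payment(amount_cents=5000, from_account="12345678", to_account="234567")

def trojan_rewrite(p: Payment) -> Payment:
    """Constructed stand-in for the Trojan in the walkthrough: €150 to account 176671."""
    return Payment(amount_cents=15000, from_account=p.from_account, to_account="176671")

def demo() -> tuple:
    bank = BankServer(server_key=b"constructed-demo-key-not-for-production")
    clean_ok = run_payment(bank, "tx-1", INTENDED, CUSTOMER_PHONE)
    tampered_ok = run_payment(bank, "tx-2", INTENDED, CUSTOMER_PHONE, trojan=trojan_rewrite)
    return clean_ok, tampered_ok, bank

if __name__ == "__main__":
    clean, tampered, bank = demo()
    print("clean payment executed:", clean, "| tampered payment executed:", tampered)
    print("SMS the customer saw for the tampered payment:", bank.sms_outbox[1][1])
```

The `oob_only_confirmation` flag models the stricter variant in which codes are accepted only over the out-of-band channel, so a code entered through the browser confirms nothing.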
• 5. HOW CAN TECTIA HELP?

Tectia Security Solutions provide the fastest track to real-time information security. We help our customers secure, automate, manage, and share real-time information in large enterprise environments, both in the intranet and extranet, with little or no modification to their existing infrastructure and no disruption to business.

PREVENTING MAN-IN-THE-BROWSER AND OTHER INTERNET BANKING THREATS

Tectia MobileID, a key product of Tectia Share Solutions, is a strong two-factor authentication and transaction verification solution that utilizes a wide variety of easy and fast to deploy out-of-band mechanisms such as SMS text messaging, mobile phone applications and e-mail. A typical deployment of Tectia MobileID in a banking environment is described in the diagram below:

1. The user connects to the online banking service using a web browser and logs in using his credentials. The user checks his bank account details and makes an online payment; €50 to account 234567 of an electricity company. The banking service sends the transaction details to the user via the web browser.
2. Before executing the payment, the online banking service also sends a transaction summary to Tectia MobileID Server.
3. Tectia MobileID Server sends an SMS text message containing the transaction summary to the user over the mobile phone network.
4. The user receives the transaction summary on his mobile device, checks that the summary matches the transaction he made (€50 to account 234567) and confirms the transaction either using the mobile device or the web browser (using the confirmation code given in the SMS message).

Figure 3: Deployment of Tectia MobileID
• 6. But what if the user’s web browser is infected and a Man-in-the-Browser Trojan is active? A simplified example of a Man-in-the-Browser attack and how it can be detected and eliminated using Tectia MobileID is described below:

1. The user connects to the online banking service using a web browser and logs in using his credentials.
   a. Because a Man-in-the-Browser Trojan has taken over the web browser, all the information the user types, username, password and strong authentication credentials, passes through the Trojan and is completely invisible to the user or the online banking service.
   b. Because there is no indication of anything strange, the user checks his bank account details and makes the online payment; €50 to account 234567 of an electricity company.
   c. Before the information is submitted to the banking service, the Man-in-the-Browser Trojan changes the amount and bank account, and submits the modified form; €150 to account 176671.
   d. The banking service sends the transaction details to the user via the web browser (€150 to account 176671).
   e. Again, the Man-in-the-Browser Trojan modifies the information so that it matches the information the user entered (€50 to account 234567). Without out-of-band verification the user is completely unaware that the actual transaction the bank will execute is something completely different from what he intended.
2. Because the bank has out-of-band transaction verification in use, the transaction summary is also sent to the Tectia MobileID Server.
3. Tectia MobileID Server sends an SMS text message containing the transaction summary to the user over the mobile phone network.
4. Before confirming the transaction the user double-checks the summary and notices the difference between what he entered (€50 to account 234567) and what is displayed on the mobile phone (€150 to account 176671). The user realizes something is wrong and cancels the transaction.
5. The bank is informed of the Man-in-the-Browser attempt, either by the user calling customer service or responding to the text message summary.

Figure 4: Tectia MobileID prevents a man-in-the-browser attack

• 7. By using Tectia MobileID and out-of-band transaction verification, Man-in-the-Browser attacks can be recognized and eliminated, and customer transactions safeguarded. Furthermore, the same solution can be used to provide strong two-factor authentication to minimize phishing attempts, Man-in-the-Middle attacks and account misuse.

CUT COSTS AND ACTIVATE NEW USERS QUICKLY AND EFFORTLESSLY

The Tectia solution uses the most readily available and easy to use authentication device, the end user’s existing mobile phone. Since there is no need for any additional hardware, the costs related to distributing, maintaining, and replacing security tokens or other devices are completely eliminated. Tectia MobileID is a tokenless solution offering the easiest and fastest route to secure two-factor authentication and transaction verification.

TECTIA MOBILEID FITS ALL CORPORATE NEEDS

The capabilities of Tectia MobileID and the Tectia Solution are not limited to securing Internet banking applications. Tectia MobileID can be used to secure all corporate services where strong authentication is needed, such as VPN access, partner portals, remote system administration or web mail access.

ABOUT TECTIA

Tectia is a modern, sales-driven, customer-oriented organization. Our core focus is on understanding customer problems and on proposing relevant solutions to address their information security challenges while meeting business targets.
We help customers choose the right solutions to address their organizational information security needs across a variety of complex environments, in the public and private sectors in multiple industries worldwide. Our suite of information security solutions addresses four main areas of business and is named accordingly: Secure, Automate, Manage, and Share. Our customers can be confident that our solutions provide:

• Fast, flexible and secure real-time information exchange and communication
• Visibility and control of vital data exchanges
• Confidence in meeting and maintaining audit requirements and beyond
• Reduced cost and risk
• Solid customer loyalty and brand integrity

Tectia solutions ensure that our customers can create a Circle of Trust in which all of their stakeholders can share information and conduct business confidently and securely. As we say: Your People. Your Secrets. Protected.

REFERENCES

[1] Compromise of User’s Online Banking Credentials Targets Commercial Bank Accounts, Internet Crime Complaint Center, Nov 3, 2009.
[2] Phishing Activity Trends Report, Anti-Phishing Working Group, Q3 2009.
[3] Major UK bank’s online customers hit by £600 000-plus Zeus 3 fraud.