BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS


TABLE OF CONTENTS

1  BEST SECURITY PRACTICES
   Home banking platforms have been implemented as an ever more efficient channel for banking transactions. However, these web-based applications are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals.

2  EASY SOLUTIONS FOCUS ON PROTECTION
   Easy Solutions recommends implementing robust authentication strategies to strengthen the authentication process, not only because of pressure to meet regulations, but also because of the high exposure of e-banking platforms to attacks.

3  DetectID
   DetectID is the only authentication platform that combines the potentiality of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware.

4  ABOUT EASY SOLUTIONS, INC
   Easy Solutions is the only security vendor focused exclusively on fraud prevention; providing anti-phishing services and research, multifactor authentication and anomaly transaction detection.

1  BEST SECURITY PRACTICES

For several years now, electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office.

In the end, however, these home banking platforms are web-based applications that are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. These are some reasons why e-banking platforms are such an alluring objective for criminals to attack:

- E-banking platforms are openly exposed over the Internet;
- The users are very appealing, since ultimately their intention is to carry out a financial transaction.

The history of these attacks began more than 7 years ago, initiating what quickly became known as phishing. Its sophistication has increased on par with the new security technologies adopted by the banking industry to mitigate the problem. The following graph shows the evolution of the security problem affecting e-banking platforms over the last years.

[Figure: Evolution of Threat. TREND: Shift towards blended malware attacks; Increasing Sophistication; Increasingly Personalized]

In its report of April 2, 2009, "The War on Phishing is Far From Over", Gartner shows the results of this attack methodology on the U.S. population, where 5 million consumers lost money due to phishing or its variants through the end of September 2008.

For Easy Solutions, some of the issues that make us conclude the war against phishing is far from over are the following:

- The authentication schemes currently in use base their robustness on the end user's decisions, which makes them entirely vulnerable to social engineering attacks. For example, in authentication schemes based on One Time Password (OTP), the end users must determine for themselves that they are connected to the right website and consequently log in using their OTP;
- The authentication GAP, which is the technical term commonly used to refer to the intrinsic vulnerability of the authentication process. In highly exposed environments, such as e-banking platforms, this GAP is reflected in the little or total lack of control the authenticating institution (financial institution) has over the authenticating elements (users), since no control exists over the medium (the Internet and the computer connection used to access the home banking platform).

This opened the doors to malicious people who carry out attacks against e-banking platforms, focusing their efforts on pharming attacks combined with malware that allow:

- Poisoning the hosts file to add redirecting entries, as shown in the following graph;

- More sophisticated attacks involving malware + pharming + a man-in-the-middle proxy, in which the targeted e-banking sites are redirected to the loopback address 127.0.0.1 (localhost), where a man-in-the-middle proxy is running, listening to the communications between the client and the server, which enables the attacker to modify the messages in real time.

The following graph shows a real case in Latin America of a hosts file modified by an attack of this nature.

[Figure: hosts file modified by a malware + pharming attack (real case, Latin America)]

The user enters the real home banking platform through the man-in-the-middle proxy. Once the user enters his/her credentials, the man-in-the-middle proxy captures them, as shown in the following graph. Next, a hypothetical example is presented that shows the process of stealing credentials in this type of attack.

[Figure: Credentials entered by the user in the browser]
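The hosts-file tampering described in the two passages above (static entries that send banking hostnames to the loopback address or to an attacker-controlled host) leaves a simple local artefact that an endpoint check can look for. The following Python script is an added example, not part of the white paper or of any Easy Solutions product: it parses a hosts file and reports any static entry for one of the institution's banking hostnames, calling out loopback entries as the local-proxy pattern. The hostnames, addresses and sample file are constructed placeholders.

```python
"""Flag hosts-file entries that pin banking hostnames (constructed example)."""
import ipaddress

# Constructed sample hosts file: a normal localhost line plus the kind of
# redirecting entries described in the text (loopback and a remote address).
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.examplebank.test examplebank.test
198.51.100.23   online.examplebank.test    # documentation-range address
192.168.1.10    printer.local
"""

# Placeholder list of the institution's own e-banking hostnames.
MONITORED_DOMAINS = {
    "examplebank.test", "www.examplebank.test", "online.examplebank.test",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def find_redirects(text, monitored):
    """Return (hostname, ip, reason) for monitored names pinned in the file.

    Any static entry for a banking hostname is suspicious, because banks
    publish their addresses through DNS, not through end-user hosts files.
    Entries pointing into the loopback range match the local man-in-the-middle
    proxy pattern described in the text.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name not in monitored:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if addr.is_loopback:
            findings.append((name, ip, "redirect to loopback (local MitM proxy pattern)"))
        else:
            findings.append((name, ip, "static override of banking domain"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in find_redirects(SAMPLE_HOSTS, MONITORED_DOMAINS):
        print(f"{name} -> {ip}: {reason}")
```

On a real endpoint the same check would read the platform's hosts file (for example /etc/hosts) instead of the embedded sample.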

[Figure: Credentials captured by the man-in-the-middle proxy]

The capture platform provides the attacker with all the necessary information to hijack the session, using the session cookie, and the access credentials including the OTP, which they will have 30 to 60 seconds to use before it expires.

A point worth mentioning is that this same platform allows the attacker to manipulate the data moving between client and server. That way the attacker can wait for the moment a transaction takes place in order to manipulate the data of the account receiving the funds while the transaction is on its way to the e-banking platform.

Since December 3, 2008, when the first great password-stealing malware appeared as a Mozilla plug-in that stole information sent to 100 financial sites, including anz.com, bankofamerica.com, lloydstsb.co.uk and PayPal, the evolution of these types of attacks has been unparalleled. Gartner, in its report "New Bank-Targeted Trojan via Firefox Saps Consumer Confidence", considers that these types of attacks will be copied and improved as criminals continue innovating on unauthorized access to financial accounts.

2  EASY SOLUTIONS FOCUS ON PROTECTION

Easy Solutions recommends implementing robust authentication strategies to strengthen the authentication process, not only because of pressure to meet regulations, but also because of the high exposure of e-banking platforms to phishing and pharming attacks, which can compromise the organization's image and produce financial losses.

When defining authentication strategies, it is important to keep in mind the different vectors of phishing and pharming attacks. Some are presented here:

- Social engineering attacks that mislead the end user;
- Malware attacks that poison the hosts file and/or DNS to redirect the user to counterfeit sites with the intent of stealing the end user's credentials;
- Trojan proxy that installs an HTTP redirector running on the local address 127.0.0.1, which redirects all of the browser's traffic to this proxy, making a copy of the messages and sending them to the attacker;
- Man-in-the-middle attacks that listen to the communication between client and server;
- Man-in-the-browser attacks that redirect the end user to counterfeit sites with the intention of stealing the end user's credentials.

From all of the above, it can be concluded that there is no single strategy that covers all the different dangers threatening e-banking platforms. On the contrary, a multi-layer protection approach is the best alternative for massive authentication processes of applications that are highly exposed on the Internet, including a mix of different factors that allow:

- Shielding the authentication cycle from malicious processes that can affect the end user's station;
- Providing user-to-site authentication strategies which allow the end user to verify that the connection is indeed established with the correct site;
- Implementing authentication factors that eliminate user decisions from the authentication equation;

- Implementing authentication factors based on knowledge (what the bank knows about the end user);
- Implementing authentication factors based on something that the user has (OTP, USB device, etc.);
- Offering complementary protection for the end user's station;
- Communicating the occurrence of potential transaction frauds to the end user.

Easy Solutions' Total Fraud Protection (ETFP) combines different technologies that allow it to stop a fraud attack during any phase.

[Figure: EASY SOLUTIONS TOTAL FRAUD PROTECTION. Attack phases and the service covering each: Attack Planning (Computer Exploit, Root List) - Detect Monitoring Service; Attack Setup & Launch (Attack Setup, Attack Mass Mailers) - Detect Monitoring Service; Cashing (Credential Collection, Cashing) - Risk Based Authentication, Shutdown Services]

To summarize, it is important to define an authentication strategy which grows on the foundation of a platform that can add multiple security factors and/or methods for the authentication of applications exposed on the Internet. The different products that make up the protection strategy involve a focus on multi-level protection, as described below.

3  DetectID

DetectID is the only authentication platform that combines the potentiality of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware. The following graph shows how DetectID keeps a registry of the processes running on the end device while an online banking session is taking place.

[Figure: DetectID registry of processes running on the end device during an online banking session]

DetectID allows taking the user out of the authentication equation by means of its powerful device authentication engine, which, through the use of hardware, allows truly authenticating a device. DetectID implements the user-to-site authentication concept by means of IdentiSite, which allows each user to define a secret image with the bank in order to identify when he/she is truly connected with the entity.

DetectID also includes a proprietary implementation of OTP (One Time Password) that allows out-of-band authentication schemes via email or mobile phone. Integration with leading technologies of the physical OTP industry, such as Vasco and RSA, is also possible.

The following table compares the different factors and authentication methods with the security they offer and their resistance to the different threats that affect e-banking platforms, as shown in this study. The criteria compared are: Offers Strong Authentication; Resists Man-in-the-Middle Attacks; Resists Man-in-the-Browser Attacks; Is easy to manage; Is easy to implement; Resists Social Engineering Attacks; Implements User-to-Site Authentication; Offers Multi-Layer Protection; TCO (1 = cheapest, 5 = most expensive); Total Security (1 = least secure, 5 = most secure). TCO and Total Security scores:

Protection Factor                     TCO   Total Security
Passwords                              1          1
One Time Passwords (OTPs)              5          3
Coordination Cards                     2          2
Device Authentication                  2          4
Image Authentication                   1          1
Challenge Questions                    1          1
USB Tokens                             3          3
Digital Certificates                   4          3
Authentication + Malware Detection     4          5
DetectID Authentication Framework      3          5
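The in-transit substitution of the receiving account described in section 1 works because a captured login OTP is valid for anything the session does during its 30 to 60 second window. The following Python sketch is an added example, not the white paper's or Easy Solutions' implementation: it shows one way an out-of-band code of the kind mentioned above can be bound to the transaction fields (destination account and amount), so that a code relayed for a tampered transfer, or after the window closes, fails verification. The secret, account identifiers and lifetime are constructed placeholders.

```python
"""Transaction-bound out-of-band code (constructed example)."""
import hashlib
import hmac
import time

# Constructed per-user secret shared with the out-of-band channel (placeholder).
USER_SECRET = b"constructed-demo-secret-not-for-production"
CODE_LIFETIME_S = 60    # the text cites a 30-60 second validity window
CODE_DIGITS = 6


def _code_for(secret: bytes, dest_account: str, amount_cents: int, step: int) -> str:
    # The MAC covers the transaction fields together with the time step, so a
    # code issued for one destination account is useless for any other.
    msg = f"{dest_account}|{amount_cents}|{step}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def issue_code(secret, dest_account, amount_cents, now=None):
    """Code the bank sends out of band together with a summary of the transfer
    (destination, amount), so the user sees exactly what is being approved."""
    now = time.time() if now is None else now
    return _code_for(secret, dest_account, amount_cents, int(now // CODE_LIFETIME_S))


def verify_code(secret, dest_account, amount_cents, code, now=None):
    """Server-side check, computed over the transaction fields actually received.

    The current and previous time steps are accepted to tolerate typing delay;
    an expired code, or any change to account or amount in transit, fails."""
    now = time.time() if now is None else now
    step = int(now // CODE_LIFETIME_S)
    return any(
        hmac.compare_digest(_code_for(secret, dest_account, amount_cents, s), code)
        for s in (step, step - 1)
    )


if __name__ == "__main__":
    t0 = time.time()
    # The user approves a transfer to the intended payee (placeholder account ids).
    code = issue_code(USER_SECRET, "ACCT-PAYEE-0001", 15000, now=t0)
    print("legitimate transfer:", verify_code(USER_SECRET, "ACCT-PAYEE-0001", 15000, code, now=t0))
    # A proxy in the path swaps the destination account while relaying the same code.
    print("tampered destination:", verify_code(USER_SECRET, "ACCT-OTHER-9999", 15000, code, now=t0))
    # The same code relayed after the validity window has closed.
    print("expired code:", verify_code(USER_SECRET, "ACCT-PAYEE-0001", 15000, code,
                                       now=t0 + 3 * CODE_LIFETIME_S))
```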

4  ABOUT EASY SOLUTIONS

Easy Solutions is simplifying the way businesses deal with and effectively deploy security for online transactions. We provide solutions for identifying and preventing online transaction fraud while helping institutions comply with existing US domestic and international two-factor authentication requirements. Using our advanced transaction fraud prevention solutions, we help protect online businesses and enterprise applications from phishing attacks, online credential theft and Internet fraud threats.

Our software solutions are simple to manage and easy to deploy. Our patent-pending technologies provide identification of devices with unprecedented accuracy while protecting users by monitoring transaction behavior for activity associated with fraud. By simplifying online transaction security, Easy Solutions gives consumers, online merchants and financial institutions the ability to focus on their business instead of worrying about the safety of their transactions.

Online security experts with years of extensive knowledge and experience in protecting enterprises from traditional security threats, online fraud and Internet phishing attacks developed Easy Solutions' intellectual property and technologies. Working closely with leading security companies and leading financial enterprises with large online customer communities, Easy Solutions continuously collects and understands the latest methods used by online criminals. This knowledge is combined with our patent-pending behavioral monitoring that protects users on a per-transaction basis. The transaction monitoring is backed up with continuous identification of attributes collected from end-user devices to create a unique device fingerprint that enables forensic identification.

These capabilities are delivered in a simple, effective software package, providing our customers the ability to protect sensitive customer transactions and data while meeting business and regulatory compliance requirements.

One of the most important aspects of our solution is that no change in behavior is required on behalf of the users, and the implementation is easy for both the business and its customers. Easy Solutions is the only security vendor focused exclusively on fraud prevention; providing anti-phishing services and research, multifactor authentication and anomaly transaction detection. The capacity to react to new threats in the antifraud protection field is based on our proprietary technology and on a methodology that addresses each threat in an integral way, implemented through the Easy Solutions Total Fraud Protection Strategy.

Headquarters: 1401 Sawgrass Corporate Parkway, Sunrise, FL 33323 - Phone: +1-866-524-4782
Latin America: Calle 93A No. 14 17 Of. 506 Bogota, Colombia - Phone: +57 1-2362455

Copyright 2009, Easy Solutions, Inc. All rights reserved worldwide. Easy Solutions, the Easy Solutions logo, DetectID, DetectTA, Detect Professional Service and Detect Monitoring Service are trademarks of Easy Solutions, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and are used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.