Identity theft in online financial transactions is big business, and it can cost you your business. Several e-brokerages were hard-hit by massive fraud not long ago, illustrating the problem. Different types of attacks based on stolen identity or diversion of commands do billions of dollars worth of damage each year, according to Gartner. Interception services catch hundreds of thousands of "phishing" attempts each month in the UK alone, but many more go undetected. There are numerous case of fraud that each run into millions of dollars. Enterprising hackers stole identities of online brokerages using "man in the browser malware. A different scheme intercepted utilities payments made through a bank, and increased the sum. The thieves then requested that the banks send refunds to their own bank accounts.

A system that intends to provide comprehensive protection must be prepared to meet an ever-growing variety of threats posed by ingenious schemes. It must be adaptable, and it must be able to take into account customer histories, location, the type of transaction being made and other factors.

The currently known types of attacks on customer computer security that must be met include:

Man-in-the-browser – A "Trojan horse" changes the contents of the form that the customer submits to the bank website. The change is not noticeable in the form itself. It takes place only in computer memory. It takes place before SSL encoding.  

Man in the Middle - Rogue software is put in place at some point between the customer computer and the bank web sites and intercepts all the information transmitted between the customer and the bank.

Key Logging – Software implanted in the customer's computer that records all the keystrokes of the customer, providing a complete record of user IDs, passwords, pin codes, account numbers and transactions. Sometimes this is integrated with additional rogue software, and usually it sends the information it has collected to the hacker.

Session Hijacking – The session is hijacked by unauthorized use of the cookies deposited by the banking site.

Pharming – Pharming is diversion of traffic from a legitimate site to a rogue web site.

Phishing –  Customer identity details are stolen. Typically, this is carried out in a place and context removed from the bank web site, such as a fraudulent e-mail asking for information. 

Site Cloaking – Cloaking fools search engines by disguising one web site as another.

Cross-Site Scripting – A script is injected to one web site or web log, but it is operated at a different web site.

OS command injection – Injection of operating system commands to be carried out at the web site.

SQL Injection – Injection of SQL queries to be executed at the web site.

Cookie tampering – Information in the cookie is changed to allow an attack.   

Form Tampering (read-only and hidden fields) – Changes are made in hidden or read-only fields in the HTML form.

Outbound Data Theft – Data sent from the web site are intercepted for use in attacks. For example, that may include data about the software installed at the site, version number etc.

Application Denial of Service -   Numerous types of attacks make use of the possibility of entering rogue information in input fields.

The above survey only highlights the major sources of attacks, which are constantly multiplying.

 

IDentiWall Protects against online Security Threats

Made4Biz IDentiWall provides a robust, scalable, upgradeable security solution for online financial transactions through the public Internet and virtual private networks. Its   theft-proof authorization mechanism alerts victims and security personnel to ongoing attempts to use stolen identities. It combats attacks based on phishing, man-in-the-browser software,  code injection and other hacker strategies.

The heart of the system is an innovative mechanism for dual-network authentication and verification, taking advantage of customers' wireless telephones to provide a one-time password for each entry using SMS. This innovation makes possible a system that is easy to use, requires no new hardware and no changes to banking software or customer computer software.

IDentiWall builds on this functionality to provide a complete out of the box system that is robust, scalable, maintainable, and ready to meet threats that will emerge with developing technologies as well as existing ones.

A sophisticated database and policy mechanism make it possible to use user location, past behavior and other information to optimize the response to attacks. A syndication mechanism ensures that financial institutions and their IDentiWall systems are alerted to general threats, and an investigative workbench allows tracking and surveillance.

IDentiWall is ideal for online e-banking, brokerages and e-shopping. IDentiWall supports a hacking and phishing-proof new e-shopping method.  

More about IDentiWall

IDentiWall Architecture - This schema will help you understand what IDentiWall does and how it does it

IDentiWall Technology - This table outlines the sophisticated technologies underlying IDentiWall

IDentiWall versus Smartcards and Tokens - How does IDentiWall measure up against other types of solutions?

IDentiWall versus in-house development - Read this before you try to develop your own system - don't say we didn't warn you!

IDentiWall Announcement

Made4Biz Security announces IDentiWall secure e-Banking - [June 1, 2008] IDentiWall secure e-banking is an extension of  IDentiWall VPN, providing the ultimate security solution for online financial transactions More

IDentiWall Authentication

Strong Authentication Transaction Verification

IDentiWall Solutions

Restricted web site solution Secure ebanking solution IDentiWall for Insurance Companies Firewall/VPN port management