Tools against man-in-the-middle attacks
As the techniques of online fraud continually morph and evolve, banks are coming to realize that fraud is not a problem that can easily be contained; it’s an ongoing threat that requires strong and constant surveillance. Fraudsters are relentlessly inventing and reinventing tools to conduct sophisticated real-time attacks, such as man-in-the-middle, man-in-the-browser, and Rock Phish attacks. These kinds of attacks are becoming more frequent in the online banking arena, resulting in a crisis of customer confidence and significant financial losses reaching into the millions.
Man-in-the-middle attacks prey on the difficulty of verifying both the authenticity of a transaction and the authenticity of the customer who initiates it. VASCO addresses this security gap with our e-Signature solution, which conveniently operates on the same back-end platform as other VASCO strong authentication solutions and products.
VASCO’s unique visual transaction signing and e-signature solutions are designed specifically to help financial institutions combat man-in-the-middle attacks and secure financial transactions. VASCO makes this possible by using data such as account numbers, transaction amounts and timestamps in order to generate an Electronic Signature unique to each particular transaction.
A man-in-the-middle attack is an insidious form of eavesdropping in which the attacker is able to read, insert and modify messages between two parties at will, without either party becoming aware that the link between them has been compromised. With a man-in-the-middle attack, user authentication alone is not enough to verify transaction authenticity, since all communications would be conducted via a spoofed website managed by the hacker (the “man-in-the-middle”).
Best Practices recommended by VASCO in order to combat man-in-the-middle attacks:
- Use of one-time passwords for user authentication
- Use of electronic signatures for transaction authentication
- Use of host authentication
- Use of multiple channels
- User education
What is an e-Signature?
VASCO’s e-Signature is a short piece of information used to authenticate a message and is based on a Message Authentication Code (MAC) algorithm.
The benefits include:
- VASCO’s e-Signature solution creates an electronic signature unique to each particular transaction. Should any elements of a transaction be changed or tampered with after it has been signed (as they are with man-in-the-middle attacks), the electronic signature becomes invalid.
- VASCO’s e-Signature solution is capable of providing complete non-repudiation of a transaction, verifying that a specific user was present and initiated the transaction.
Single Back-end Platform
Because all VASCO strong authentication solutions operate on the same back-end platform, the e-Signature solution can be combined with any of them, such as one-time passwords and host authentication. Banks can simply leverage their existing investment since no infrastructure changes are required.
Software and Hardware Platforms
VASCO’s e-Signature solution can be implemented in software-only form or as a combination of hardware and software factors, depending on the end-user’s needs and risk profiles.
Components of this solution
- DIGIPASS for APPS
- DIGIPASS 760
- DIGIPASS for Web
- DIGIPASS for Mobile
- DIGIPASS e-Signature
- VACMAN Controller