Tools against man-in-the-middle attacks
Overview:
As the techniques of online fraud continually morph and evolve, banks are coming to realize that fraud is not a problem that can easily be contained; it’s an ongoing threat that requires strong and constant surveillance. Fraudsters are relentlessly inventing and reinventing tools to conduct sophisticated real-time attacks, such as man-in-the-middle, man-in-the-browser, and Rock Phish attacks. These kinds of attacks are becoming more frequent in the online banking arena, resulting in a crisis of customer confidence and significant financial losses reaching into the millions.
Man-in-the-middle attacks prey on the difficulty of verifying both the authenticity of a transaction as well as the authenticity of the customer who initiates it. VASCO addresses this security gap with our e-Signature solution, which conveniently operates on the same back-end platform as other VASCO strong authentication solutions and products.
Goal:
VASCO’s unique visual transaction signing and e-signature solutions are designed specifically to help financial institutions combat man-in-the-middle attacks and secure financial transactions. VASCO makes this possible by using data such as account numbers, transaction amounts and timestamps in order to generate an Electronic Signature unique to each particular transaction.
Threats:
A man-in-the-middle attack is an insidious form of eavesdropping in which the attacker is able to read, insert and modify messages between two parties at will, without either party becoming aware that the link between them has been compromised. With a man-in-the-middle attack, user authentication alone is not enough to verify transaction authenticity, since all communications would be conducted via a spoofed website managed by the hacker (the “man-in-the-middle”).
Approach:
Best Practices recommended by VASCO in order to combat man-in-the-middle attacks:
- Use of one-time passwords for user authentication
- Use of electronic signatures for transaction authentication
- Use of host authentication
- Use of multiple channels
- User education
Benefits
What is an e-Signature?
VASCO’s e-Signature is a short piece of information used to authenticate a message and is based on a MAC algorithm (Message Authentication Code).
The benefits include:
Transaction Validation
VASCO’s e-Signature solution creates an electronic signature unique to each particular transaction. Should any elements of a transaction be changed or tampered with after it has been signed (as they are with man-in-the-middle attacks), the electronic signature becomes invalid.
Non-Repudiation
VASCO’s e-Signature solution is capable of providing complete non-repudiation of a transaction, verifying that a specific user was present and initiated the transaction.
Single Back-end Platform
Because they operate on the same back-end platform, the e-Signature solution can be combined with any other VASCO Strong Authentication solution such as one-time passwords and host authentication. Banks can simply leverage their existing investment since no infrastructure changes are required.
Software and Hardware Platforms
VASCO’s e-Signature solution can be implemented in software-only form or as a combination of hardware and software factors, depending on the end-user’s needs and risk profiles.
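The MAC-based transaction signature described under "What is an e-Signature?" and "Transaction Validation" above, as an added illustration that is not VASCO's code and not the proprietary DIGIPASS algorithm: the device computes an HMAC-SHA256 over the transaction fields the user sees (beneficiary account, amount, currency, timestamp), truncates it to an 8-digit code the way HOTP does, and the server recomputes it over the transaction it actually received. A man-in-the-middle that changes the beneficiary after the code was generated makes verification fail. The shared secret, the field set, the JSON canonicalization and the 8-digit truncation are assumptions chosen for the example.

```python
import hmac
import hashlib
import json

# Constructed per-device secret shared between the signing device and the
# bank's verification server (assumption: provisioned out of band, never sent
# over the web channel). The value below exists only for this illustration.
DEVICE_SECRET = bytes.fromhex(
    "6b2f9c3b1e8a4d7f5a0c2e9d4b6f8a1c3e5d7b9f1a3c5e7d9b0f2a4c6e8d0b2f"
)

# The transaction elements the signature binds. The timestamp ties the code
# to one transaction so a captured code cannot be replayed later.
SIGNED_FIELDS = ("beneficiary_account", "amount", "currency", "timestamp")


def canonicalize(transaction: dict) -> bytes:
    """Serialize the signed fields in a fixed order so client and server
    MAC exactly the same bytes. A missing field raises KeyError on purpose:
    an unbound field is a signing error, not something to sign around."""
    ordered = {name: str(transaction[name]) for name in SIGNED_FIELDS}
    return json.dumps(ordered, sort_keys=True, separators=(",", ":")).encode()


def e_signature(transaction: dict, secret: bytes, digits: int = 8) -> str:
    """Short numeric transaction signature: HMAC-SHA256 over the canonical
    transaction, truncated to a decimal code the user can read off a device
    and type into the web form."""
    mac = hmac.new(secret, canonicalize(transaction), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226: pick 4 bytes at an offset given by
    # the low nibble of the last byte, clear the top bit, reduce to `digits`.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(transaction: dict, code: str, secret: bytes) -> bool:
    """Server side: recompute the code over the transaction actually received
    (not the one the user believes they sent) and compare in constant time."""
    return hmac.compare_digest(e_signature(transaction, secret), code)


# Constructed sample: what the customer sees and signs on the device.
ORIGINAL = {
    "beneficiary_account": "BE71096123456769",
    "amount": "250.00",
    "currency": "EUR",
    "timestamp": "2024-05-01T10:15:00Z",
}

# Constructed sample: the same transaction after a man-in-the-middle
# rewrote the beneficiary on its way to the bank. The amount is unchanged,
# so a customer checking only the amount would not notice.
TAMPERED = dict(ORIGINAL, beneficiary_account="BE02000000001234")


def tamper_demo() -> dict:
    """Sign the original transaction, then verify the code against both the
    original and the tampered version. Returns both outcomes."""
    code = e_signature(ORIGINAL, DEVICE_SECRET)
    return {
        "code": code,
        "original_accepted": verify(ORIGINAL, code, DEVICE_SECRET),
        "tampered_accepted": verify(TAMPERED, code, DEVICE_SECRET),
    }


if __name__ == "__main__":
    result = tamper_demo()
    print("e-Signature:", result["code"])
    print("original accepted:", result["original_accepted"])
    print("tampered accepted:", result["tampered_accepted"])
```

The point to notice is where the server takes its input from: it must recompute the MAC over the fields it is about to execute, and the device must display those same fields to the user before producing the code. If either side signs a different view of the transaction than the one being executed, the MAC no longer detects the substitution.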
Components of this solution
Client products:
- DIGIPASS for APPS
- DIGIPASS 760
- DIGIPASS for Web
- DIGIPASS for Mobile
- DIGIPASS e-Signature
Server products:
- VACMAN Controller
- IDENTIKEY