Transaction Verification

The Man-In-The-Browser Threat

The MITB attack has received significant attention recently because it can circumvent strong security measures, including many two-factor authentication methods. In such attacks the attacker infects an end-user's PC with a trojan, or a similar piece of malware, that can covertly alter or fake Internet financial transactions inside the end-user's web browser. The end-user may log in securely using one-time passwords; however, because the attack modifies the already-authenticated session itself, the end-user remains vulnerable.

A Simple, Effective Solution

Offline Transaction Verification

With FireID Transaction Verification, payments and transactions are protected with an added level of security that prevents man-in-the-browser attacks. Using something the end-user already has, a mobile phone, FireID provides a secure and easy way to ensure that only legitimate payments are made. FireID allows end-users to carry any number of Transaction Verification and OTP tokens on their phone.

Transaction Verification requires the user to enter enough information to characterise the transaction into their mobile device. The device uses this information to create a signature unique to that transaction, which the user then enters into the banking web application to verify the transaction. The banking application passes the code to the FireID Authentication Server for verification. If an attacker has changed any of the details, the code no longer matches and the server detects the tampering.

Online Transaction Verification

The above system is highly robust, but in some situations it may be cumbersome for the user if the information to be typed in amounts to more than an account number and an amount. To address this, FireID has developed a system referred to as Online Transaction Verification. In Online Transaction Verification the user is not required to enter transaction details; instead, the mobile application downloads them automatically and they are displayed to the user via the browser. When the user confirms the transaction, the mobile application signs it and automatically uploads the transaction signature to confirm it, removing the need for the user to key in transaction information. This solution requires the user to be online.
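As an added illustration of both the offline and the online flow described above (example code written for this page, not FireID's own implementation): the phone token and the authentication server share a secret provisioned at enrolment, the token computes a short code over the account number and amount, and the server recomputes that code over the transaction it actually received, so any detail altered by a man-in-the-browser after the user signed fails verification. The HMAC-SHA256 construction, the HOTP-style truncation, the counter window, the class and function names, and the sample secret and account numbers are all assumptions of this example; the page does not describe FireID's actual algorithm or transport.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

CODE_DIGITS = 8   # length of the code the user types back into the browser
LOOKAHEAD = 5     # counter window tolerated for codes generated but never submitted


def canonical(account: str, amount_cents: int) -> bytes:
    """Byte form of the details both sides sign over: destination account and
    amount, the minimum the page says the user keys in (assumed encoding)."""
    return f"{account.strip()}|{amount_cents:d}".encode()


def transaction_code(secret: bytes, counter: int, account: str, amount_cents: int) -> str:
    """HMAC-SHA256 over (counter, account, amount), truncated to a short numeric
    code. Truncation follows the HOTP dynamic-truncation scheme (RFC 4226)."""
    msg = counter.to_bytes(8, "big") + canonical(account, amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    dbc = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(dbc % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


@dataclass
class MobileToken:
    """Token on the phone. The secret is shared with the server at enrolment and
    never passes through the browser, so a MITB trojan cannot forge codes."""
    secret: bytes
    counter: int = 0

    def sign(self, account: str, amount_cents: int) -> str:
        code = transaction_code(self.secret, self.counter, account, amount_cents)
        self.counter += 1          # each code is single-use
        return code


@dataclass
class AuthServer:
    secret: bytes
    counter: int = 0               # next counter value not yet consumed

    def verify(self, account: str, amount_cents: int, submitted: str) -> bool:
        """Recompute the code over the transaction the bank actually received.
        A code signed over different details, or a replayed code, never matches."""
        for c in range(self.counter, self.counter + LOOKAHEAD):
            expected = transaction_code(self.secret, c, account, amount_cents)
            if hmac.compare_digest(expected, submitted):
                self.counter = c + 1   # consume this counter and any skipped ones
                return True
        return False


Edit = Optional[Callable[[str, int], Tuple[str, int]]]


def offline_flow(token: MobileToken, server: AuthServer, account: str,
                 amount_cents: int, browser_edit: Edit = None) -> bool:
    """Offline verification: the user keys the details into the phone and the code
    into the web form. `browser_edit` models a MITB trojan rewriting the form after
    the user has signed (constructed scenario)."""
    code = token.sign(account, amount_cents)
    sent_account, sent_amount = account, amount_cents
    if browser_edit is not None:
        sent_account, sent_amount = browser_edit(account, amount_cents)
    return server.verify(sent_account, sent_amount, code)


def online_flow(token: MobileToken, server: AuthServer, pending: Tuple[str, int],
                user_intends: Tuple[str, int]) -> bool:
    """Online verification: the server pushes the pending details to the phone, the
    user compares them with what they meant to pay, and the phone signs and uploads
    the code only on approval. Push and upload are plain function calls here
    (assumption: the real transport is FireID's and is not shown on the page)."""
    if pending != user_intends:
        return False               # user declines: the phone shows altered details
    code = token.sign(*pending)
    return server.verify(pending[0], pending[1], code)


# Constructed demonstration values; a real secret would come from enrolment.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    token, server = MobileToken(SECRET), AuthServer(SECRET)
    swap = lambda acct, amt: ("9999999999", amt)   # trojan redirects the payment
    return {
        "honest": offline_flow(token, server, "1234567890", 15000),
        "tampered": offline_flow(token, server, "1234567890", 15000, swap),
        "online_ok": online_flow(token, server, ("1234567890", 15000), ("1234567890", 15000)),
        "online_swapped": online_flow(token, server, ("9999999999", 15000), ("1234567890", 15000)),
    }


if __name__ == "__main__":
    print(demo())
```

The server only ever verifies against the details it is about to execute, which is the whole point: the code binds the user's approval to those exact fields, so the attacker has to either know the token secret or get the user to approve the altered details on the phone. The counter makes every code single-use, so a captured code cannot be replayed against a later transaction with the same account and amount.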

© FireID SOUTH AFRICA 2010. ALL RIGHTS RESERVED.