Winning the battle against Man-in-the-Browser
ISS SA presents Entrust IdentityGuard Mobile

The advanced mobile authentication application is one component of a layered security approach to thwarting Man-in-the-Browser malware attacks, such as the notorious Zeus Trojan, and is already available as part of the latest release, Entrust IdentityGuard 9.3.

"To effectively combat the increasingly sophisticated strains of malicious software, including Man-in-the-Browser attacks, financial institutions should use a layered approach driven by proven identity-based security solutions",

"In addition to strong authentication and fraud-detection methods, out-of-band transaction verification through a mobile application can prove effective in helping to combat Man-in-the-Browser attacks."

Published in: Technology
  1. Slide 1: Winning the battle against Man-in-the-Browser
  2. Slide 2: Let's talk about Man-in-the-Browser
  3. Slide 4: How does it work?
     - 1. User visits the bank's site and logs into the account
     - 2. Malware "wakes up" based on a URL watch list
     - 3. User initiates an ACH or wire transfer
     - 4. Malware intercepts the user's request and substitutes an alternate amount and destination
     - 5. Bank receives the malware's request, sends the transaction details for review and requests a one-time passcode (OTP)
     - 6. Malware intercepts the site's transaction-detail confirmation and modifies it to match the user's original request
     - 7. User views the transaction details (which look fine) and enters the OTP token code into the web browser
     - 8. Bank receives and validates the OTP and executes the malware-modified transaction without the user ever knowing
  4. Slide 5: Alternative approaches to capturing user information: malware modifies web pages to prompt for an OTP so it can silently execute a wire transfer, or sends the OTP to the criminal via instant message
  5. Slide 6: The alternative: out-of-band transaction verification through a mobile application (H. Chen)
  6. Slide 7: Demonstration
  7. Slide 15: User's phone automatically wakes up and notifies the user of the transaction
  8. Slide 16: Application is PIN protected to ensure security
  9. Slide 17: User reviews and confirms the transaction details, or gets instructions if the transaction is suspect
  10. Slide 18: If the transaction details are OK, the user gets a confirmation code to enter in the web browser
  11. Slide 21: Transaction history is maintained for future reference
  12. Slide 22: Entrust IdentityGuard Mobile
     - What is it? A downloaded application installed on a user's mobile device (iPhone, BlackBerry, Windows Mobile, Java-based smart phones)
     - What does it do?
       - Soft token: all the features of an Entrust Mini Token OT, but on a mobile device
       - Transaction Notification Service: confirms transaction details out of band and provides a confirmation OTP to defeat Man-in-the-Browser; same application, optional service (upsell opportunity)
  13. Slide 23: Entrust IdentityGuard Mobile (H. Chen)
  14. Slide 24: Multiple identities, one device
     - Mix of soft-token-only and Transaction Notification identities
     - Independent activation and control
     - Customizable branding per identity
  15. Slide 25: Entrust Mobile, soft token only
     - OATH compliant, time-based soft token
     - 30-second time window
     - Brandable interface
  16. Slide 26: IDG Mobile with Transaction Verification (TVS)
     - OATH time-based soft token
     - Transaction details confirmed out of band on the mobile device, with no data entry
     - OATH signature of the transaction contents
     - User confirms the transaction or acts on suspect details
  17. Slide 27: IDG Mobile, one product, two functions
     - Mobile: soft token only, and Mobile: soft token with TVS
     - Not separate products: same download; profile determined by the activation code; upsell opportunity for TVS
     - Different identities can have different options
  18. Slide 28: How Transaction Verification works (components: Customer Banking Application, Self Service Module, IdentityGuard)
     - 1. User attempts to undertake a risky transaction (e.g. a wire transfer)
     - 2. Banking application requests out-of-band (OOB) transaction verification from the on-premise IDG
     - 3. User opens the Entrust Mobile application
     - 4. IDG Mobile retrieves the transaction details from the bank's IDG and displays them to the user
     - 5. User confirms the details and enters the OTP in the web browser, or reads how to deal with a suspect transaction
  19. Slide 29: How the optional Notification Service works (components: Customer Banking Application, Self Service Module, IdentityGuard, Transaction Notification Service, Apple Notification Service; availability Q4 2010)
     - 1. User attempts to undertake a risky transaction (e.g. a wire transfer)
     - 2. Banking application requests OOB transaction verification from the on-premise IDG
     - 3. IDG sends a transaction notification request to the Entrust cloud service
     - 4. Entrust cloud service forwards the notification request to the appropriate provider (e.g. the Apple Notification Service)
     - 5. Provider sends the message to the device and wakes up IDG Mobile
     - 6. IDG Mobile retrieves the transaction details from the bank's IDG and displays them to the user
     - 7. User reads the details and enters the OTP in the web browser, or reads how to deal with a suspect transaction
  20. Slide 30: CONFIDENTIAL roadmap table for "Time-based OTP" and "Transaction Confirm & Sign"; the dates listed are August 2010, August 2010, Q4/2010, Early 2011, TBD, Early 2011, Early 2011 (the row and column labels were not recoverable)
  21. Slide 31: Thank you!
     - Information Security Services S.A.
     - Regus Citicenter
     - Av. Mariscal López Nro. 3794, Piso 4
     - CP 1.892, Asunción / Paraguay
     - Phone: 595 21 6207768
     - Fax: 595 21 6207701
     - Visit our site: www.iss.com.py
     - Find us on: http://www.facebook.com/ISS.Paraguay
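As an added illustration (not code from the deck or from Entrust), here is the flow of slides 4, 26 and 28 in Python: the bank pushes the transaction it actually received to the phone, the phone derives a confirmation code bound to those details, and the user only confirms when they match what was intended. The shared secret and the transactions are constructed, and the code derivation is a simplified OATH-style HMAC truncation (RFC 4226 style), not RFC 6287 OCRA.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret; in the product it would be provisioned at activation.
SHARED_SECRET = b"demo-shared-secret-not-a-real-key"
TIME_STEP_SECONDS = 30  # the deck's 30-second window


def oath_truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation from RFC 4226 section 5.3 (HOTP)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_code(secret: bytes, tx: dict, timestep: int) -> str:
    """Code bound to the time step AND the transaction contents (simplified, not RFC 6287)."""
    msg = struct.pack(">Q", timestep) + f"{tx['amount']}|{tx['to']}".encode()
    return oath_truncate(hmac.new(secret, msg, hashlib.sha1).digest())


def mobile_review(secret: bytes, tx_from_bank: dict, tx_user_intended: dict, timestep: int):
    """Out-of-band step on the phone: it shows what the bank actually received.
    The user compares it with what they typed; a code is issued only on a match."""
    if tx_from_bank != tx_user_intended:
        return None  # suspect transaction: user gets instructions, no code issued
    return transaction_code(secret, tx_from_bank, timestep)


def bank_verify(secret: bytes, tx_received: dict, code: str, timestep: int) -> bool:
    """Bank checks the code against the transaction IT holds, allowing +-1 step of clock drift."""
    return any(hmac.compare_digest(transaction_code(secret, tx_received, timestep + d), code)
               for d in (-1, 0, 1))


def run_flow(user_tx: dict, browser_tx: dict, timestep: int = None) -> str:
    """browser_tx is what reaches the bank; under Man-in-the-Browser it differs from user_tx."""
    if timestep is None:
        timestep = int(time.time() // TIME_STEP_SECONDS)
    code = mobile_review(SHARED_SECRET, browser_tx, user_tx, timestep)
    if code is None:
        return "rejected_by_user"
    return "approved" if bank_verify(SHARED_SECRET, browser_tx, code, timestep) else "bad_code"
```

A plain time-based OTP would still validate for the malware's substituted transaction; binding the code to the amount and destination shown out of band is what defeats the substitution in slide 4 and the OTP capture in slide 5.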