NetAuthority, the device security company, is releasing new tools for an essential slice of the electronic communications security pie: knowing who you are talking to. The company’s new Transaction Verification Key is intended to make identity-stealing “Man in the Browser” attacks virtually impossible.
Here’s how Man in the Browser (MitB) works:
Imagine this: You phone your bank, asking a service rep to pay a phone bill and transfer money from savings to checking. Only, instead of talking to the bank, you’re speaking to a crook who is talking to you on one phone … and your bank on the other. And when you provide him with all the authentication details your bank requires, he loots your account and transfers your funds into accounts he controls.
Substitute a browser for the phone, and you’ve got a MitB attack.
You’re using your own browser, and you’re seeing what you think is your bank’s site, or your online email, or your corporate account … but actually you’re seeing only what a hacker wants you to see, while she does whatever she wants with your personal information.
And, unfortunately, most antivirus solutions can’t do a thing about it — according to NetAuthority, about 85 percent of MitB infections cannot be detected by current antivirus software.
NetAuthority thinks it has a solution, and I talked to chief executive Chris Brennan about it yesterday.
“There’s an absence of strong authentication services that are easy to deploy,” Brennan says. “We realized the device itself can be the key … it has enough unique attributes to create a key that could not be cracked.”
In other words, your computer or your smartphone is unique in terms of software, components, log entries, defects, and any of 19 different variables. If your bank’s server knows your device and authenticates it, and all communication between device and server contains an encrypted key based on those unique attributes, the server can be assured it is talking to your actual device, and your software can be certain it is talking to the server.
So you know the bank rep is on the line, not a crook. And the bank knows that you are you.
How does it work?
“We have a dynamic device key that has to be on the device,” Brennan says. “The user downloads a small application when at the web page trying to authenticate.”
From a user perspective, this could be a browser plugin, or just part of a mobile app installed for online banking. From a company perspective, it’s a few lines of code that integrate the verification engine into their server-side application. Then the browser and the server can communicate securely, says NetAuthority.
“It’s impossible to put something in the middle of this and breach its security,” says Brennan.
Any attempted MitB attack, or any attempted re-routing through a proxy server, would immediately trigger an alarm. And the solution uses multi-factor authentication, meaning that a lucky guess on one or two factors cannot spoof the system.
Supported devices include just about any smartphone: Android, iOS, Windows Phone, or BlackBerry. Any Windows, Mac, or Linux PC will work as well. Server-side, NetAuthority supports Linux, Solaris, and Windows Server.
Pricing has not yet been released.