Source: Digital Resolve
Digital Resolve, the leading provider of transparent, risk-based authentication solutions, has introduced a new approach to mutual authentication with the addition of a Website Authentication Module to its Fraud Analyst product for online fraud and identity theft prevention for the financial services industry.
With Digital Resolve's Fraud Analyst Website Authentication Module, financial institutions can now provide their customers with the ability to seamlessly determine whether or not they are communicating with their banks' Web servers. This Module is aimed at the detection of fake websites and the prevention of Website spoofing, more specifically Man-in-the-Middle attacks that involve a cyber criminal redirecting the consumer from a bank's Website to the criminal's server. That server then acts as a proxy for communication between the consumer's personal computer and the bank's Website, allowing the attacker to observe all the data passed in between.
"There has been an enormous focus recently on one-way security strategies that authenticate customers to financial institutions," Dennis Maicon, executive vice president, Financial Services Solutions, said. "However, most financial institutions are not authenticating their websites to customers and prospects before collecting sensitive information. This is the very reason that phishing, pharming, and now Man-in-the-Middle attacks are successful. Until now, unsuspecting consumers just cannot tell they are being redirected to a spoofed Website during an attack or that a man in the middle has hijacked their session."
Unlike current technologies in the marketplace that incorporate cookies and shared images or watermarks and require active user participation, Digital Resolve's Website Authentication Module is very difficult to defeat and provides protection against phishing, pharming and Man-in-the-Middle attacks without intervention by end users. Furthermore, other approaches to mutual authentication provide no protection beyond login authentication, for example when non-bank customers wish to apply for a bank's services online and must therefore provide personally identifiable information.
This fool-proof solution utilizes patented techniques to create a "trusted" server list that legitimizes Websites and verifies that there is no man in the middle for both banking customers and non-customers alike. In addition, the Website Authentication Module's back-end processes use patented methods to build the trusted server list in a secure environment, with constant quality checks to identify any potential list contamination.
"Allowing the customer's computer to determine who it is communicating with is crucial to any mutual authentication strategy. Current approaches using secure cookies and shared images are still extremely vulnerable to these types of insidious attacks. They simply do not provide the necessary – and expected – protection when a man in the middle is involved and do not even address a bank’s prospects," Maicon added.
Now in beta, the Website Authentication Module will be generally available in the fourth quarter of 2005.