Identity theft in online financial transactions is big business, and it can cost you your
business. Several e-brokerages were hard hit by massive fraud not long ago, illustrating the problem. According to
Gartner, different types of attacks based on stolen identities or diverted commands do billions of dollars' worth
of damage each year. Interception services catch hundreds of thousands of "phishing" attempts each month in the UK
alone, but many more go undetected. There are numerous cases of fraud that each run into millions of dollars.
Enterprising hackers stole customer identities at online brokerages using "man-in-the-browser" malware. A
different scheme intercepted utility payments made through a bank and increased the sums; the thieves then
requested that the banks send the refunds to their own bank accounts.
A system that intends to provide comprehensive protection must be prepared to meet an
ever-growing variety of threats posed by ingenious schemes. It must be adaptable, and it must be able to take
into account customer histories, location, the type of transaction being made and other factors.
The currently known types of attacks on customer computer security that must be met
include:
Man-in-the-browser – A "Trojan horse" running inside the customer's browser changes the contents of the form
the customer submits to the bank website. The change is not visible in the form itself: it takes place only in
the browser's memory, after the customer has approved the transaction and before SSL/TLS encryption, so neither
the customer nor network-level protections see it.
Man in the Middle – Rogue software or a rogue host is placed somewhere between the customer's computer and the
bank's web site and intercepts, and can alter, all the information transmitted between the customer and the bank.
Key Logging – Software implanted in the customer's computer records every keystroke the customer types,
providing a complete record of user IDs, passwords, PIN codes, account numbers and transactions. It is often
bundled with other rogue software, and it usually sends the information it has collected to the hacker.
Session Hijacking – An attacker who obtains the session cookies set by the banking site uses them to take over
the customer's authenticated session without knowing the password.
Pharming – Traffic is diverted from a legitimate site to a rogue web site, typically by corrupting DNS answers
or the customer's hosts file, so that even a correctly typed address reaches the attacker.
Phishing – Customer identity details are stolen. Typically this is carried out in a place and context removed
from the bank web site, such as a fraudulent e-mail asking for the information.
Site Cloaking – Cloaking deceives search engines by serving them different content from what human visitors
see, so that a rogue site is indexed and ranked as though it were the legitimate one.
Cross-Site Scripting – A script is injected into one web site or web log (for instance through a comment or
profile field) and then runs in the browsers of other visitors to that site, with access to their session with it.
OS command injection – Injection of operating system commands that the web site's server then executes.
SQL Injection – Injection of SQL fragments that the web site's database then executes as part of its own queries.
Cookie tampering – Values stored in a cookie, such as a user identifier or role, are altered to enable an attack.
Form Tampering (read-only and hidden fields) – Values in hidden or read-only fields of an HTML form are
changed before submission. The browser enforces neither attribute, so the server must not trust such fields.
Outbound Data Theft – Data the web site sends out is collected for use in later attacks; for example, details of
the software installed at the site, version numbers and the like.
Application Denial of Service – Numerous attacks exploit the possibility of entering crafted input in form
fields that makes the application consume disproportionate resources or fail.
The above survey only highlights the major sources of attacks, which are constantly
multiplying.
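The form-tampering and cookie-tampering entries above share one root cause: the server trusts values that
passed through the customer's browser. The following added example (not code from this page or from Made4Biz)
contrasts a handler that trusts a hidden amount field with one that binds every form field to the session with
an HMAC, so that editing a hidden field, dropping a field, or replaying a signed form into another session is
rejected. The key, session ids and payee names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Assumed server-side key: in production load it from a secrets store, never embed it.
SERVER_KEY = secrets.token_bytes(32)


def render_vulnerable_form(payee: str, amount_cents: int) -> dict:
    """Vulnerable pattern: the amount goes to the browser as a hidden field."""
    return {"payee": payee, "amount_cents": str(amount_cents)}


def process_vulnerable(form: dict) -> tuple:
    """Vulnerable pattern: trusts whatever came back, hidden or not."""
    return form["payee"], int(form["amount_cents"])


def _mac(session_id: str, fields: dict) -> str:
    # Canonical JSON (sorted keys) avoids delimiter ambiguity in field values;
    # mixing in the session id means a signed form cannot be replayed in another session.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    msg = f"{session_id}\n{canonical}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hardened_form(session_id: str, payee: str, amount_cents: int) -> dict:
    """Hardened pattern: the same hidden fields, plus a MAC over all of them."""
    fields = {"payee": payee, "amount_cents": str(amount_cents)}
    fields["sig"] = _mac(session_id, fields)
    return fields


def process_hardened(session_id: str, form: dict) -> tuple:
    """Recompute the MAC over every protected field; any edit, addition or
    removal, including to 'hidden' or 'read-only' fields, is rejected."""
    supplied = form.get("sig", "")
    protected = {k: v for k, v in form.items() if k != "sig"}
    if not hmac.compare_digest(supplied, _mac(session_id, protected)):
        raise ValueError("form tampering detected")
    return protected["payee"], int(protected["amount_cents"])


if __name__ == "__main__":
    # Constructed scenario: the customer pays 125.00; malware rewrites the hidden amount.
    form = render_hardened_form("sess-1", "ACME Utilities", 12500)
    tampered = dict(form, amount_cents="1250000")
    print("vulnerable handler accepts:", process_vulnerable(tampered))
    try:
        process_hardened("sess-1", tampered)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Signing only gives integrity: the customer can still read the fields, and a signed form remains valid for its
session until the key rotates, so amounts that must stay private or single-use belong in server-side state keyed
by an unguessable token rather than in the form at all.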
IDentiWall Protects against Online Security Threats
Made4Biz IDentiWall provides a robust, scalable, upgradeable security solution for online financial transactions
through the public Internet and virtual private networks. Its authorization mechanism is designed to resist
identity theft and alerts victims and security personnel to ongoing attempts to use stolen identities. It combats
attacks based on phishing, man-in-the-browser software, code injection and other hacker strategies.
The heart of the system is an innovative mechanism for dual-network authentication and verification, which uses
the customer's mobile telephone as a second channel: a one-time password is delivered by SMS for each login or
transaction. This makes possible a system that is easy to use and requires no new hardware and no changes to
banking software or customer computer software.
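To make the dual-network idea concrete, here is an added example of a bank-side transaction verifier built on
the same principle (this is illustrative code, not IDentiWall's implementation, and the protocol details are
assumptions). The code sent by SMS is an HMAC over the transaction as the bank received it, the SMS text repeats
the payee and amount so the customer can spot a man-in-the-browser rewrite before typing the code, and the code is
time-limited, single-use and attempt-limited. The key, reference numbers and payee names are constructed.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed code lifetime; tune to observed SMS delivery latency
MAX_ATTEMPTS = 3        # assumed guess limit; a 6-digit code is weak against unlimited tries


class TransactionVerifier:
    """Bank-side state for out-of-band (SMS) transaction verification."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._pending = {}       # txn_id -> details recorded when the code was issued

    def _code(self, txn_id: str, payee: str, amount_cents: int, nonce: str) -> str:
        # The code is bound to the exact transaction; lengths are fixed by the
        # nonce and amount, and txn_id is bank-generated, so '|' is a safe separator.
        msg = f"{txn_id}|{payee}|{amount_cents}|{nonce}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn_id: str, payee: str, amount_cents: int) -> str:
        """Record the transaction as received and return the SMS text to send."""
        nonce = secrets.token_hex(8)    # fresh per issue, so a re-issued code differs
        self._pending[txn_id] = {
            "payee": payee, "amount_cents": amount_cents, "nonce": nonce,
            "issued_at": self._clock(), "attempts": 0, "done": False,
        }
        code = self._code(txn_id, payee, amount_cents, nonce)
        return (f"Confirm transfer of {amount_cents / 100:.2f} to {payee} "
                f"(ref {txn_id}). Code: {code}. Not you? Call the bank.")

    def confirm(self, txn_id: str, payee: str, amount_cents: int, code: str) -> bool:
        """Accept the code only for the transaction it was issued for. The details
        are taken from the confirmation request, so malware that rewrites payee or
        amount in that request produces a mismatch even with the right code."""
        entry = self._pending.get(txn_id)
        if entry is None or entry["done"]:
            return False
        if self._clock() - entry["issued_at"] > OTP_TTL_SECONDS:
            del self._pending[txn_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]
            return False
        expected = self._code(txn_id, payee, amount_cents, entry["nonce"])
        if not hmac.compare_digest(expected, code):
            return False
        entry["done"] = True
        return True


def code_from_sms(sms: str) -> str:
    """What the customer reads off the phone (demo helper)."""
    return sms.split("Code: ")[1][:6]


if __name__ == "__main__":
    bank = TransactionVerifier(secrets.token_bytes(32))
    sms = bank.issue("T1", "ACME Utilities", 12500)
    print("SMS:", sms)
    code = code_from_sms(sms)
    print("rewritten payee:", bank.confirm("T1", "Mule Account", 12500, code))   # False
    print("genuine confirm:", bank.confirm("T1", "ACME Utilities", 12500, code))  # True
    print("replayed code:  ", bank.confirm("T1", "ACME Utilities", 12500, code))  # False
```

The SMS channel only helps if the customer actually reads the payee and amount in the message; a verifier
that sends a bare code without the details verifies possession of the phone but not the transaction, and leaves
the man-in-the-browser case unaddressed.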
IDentiWall builds on this functionality to provide a complete out-of-the-box system that is robust, scalable,
maintainable, and ready to meet threats that will emerge with developing technologies as well as existing ones.
A sophisticated database and policy mechanism makes it possible to use user location, past behavior and other
information to optimize the response to attacks. A syndication mechanism ensures that financial institutions and
their IDentiWall systems are alerted to general threats, and an investigative workbench allows tracking and
surveillance.
IDentiWall is ideal for online e-banking, brokerages and e-shopping. IDentiWall also supports a new e-shopping
method designed to be hacking- and phishing-proof.
More about IDentiWall
IDentiWall Architecture - This schema will help you understand what IDentiWall does and how it does it
IDentiWall Technology - This table outlines the sophisticated technologies underlying IDentiWall
IDentiWall versus Smartcards and Tokens - How does IDentiWall measure up against other types of solutions?
IDentiWall versus in-house development - Read this before you try to develop your own system - don't say we
didn't warn you!
IDentiWall Announcement
Made4Biz Security announces IDentiWall secure e-Banking - [June 1, 2008] IDentiWall secure e-banking is an
extension of IDentiWall VPN, providing the ultimate security solution for online financial transactions