Fire ID Transaction Verification: Out-of-Band Verification Guards Online Transactions

Fire ID today announced Fire ID Transaction Verification, a new application that ensures only legitimate online transactions and payments are made. Providing a solution to the much-publicized man-in-the-browser (MITB) and man-in-the-middle (MITM) attacks that banks are experiencing, Fire ID’s out-of-band Transaction Verification application is intended to generate a unique code on the end user’s mobile phone to verify the transaction details for online purchases and transactions before they are authorized.

The MITB attack has received significant attention recently, based on its ability to circumvent strong security measures, including many two-factor authentication methods. In such attacks the hacker infects an end-user’s PC with a trojan, or similar piece of malware, which is capable of covertly faking Internet financial transactions in the end-user’s Web browser. The end-user could log in securely by using one-time passwords; however, because the attack modifies the secure session, the end-user is still vulnerable.

A Gartner report (Where Strong Authentication Fails and What You Can Do About It, Avivah Litan, December 3 2009) addresses the growing dangers of MITB attacks: “These attacks were successfully and repeatedly executed against many banks and their customers across the globe in 2009. While bank accounts are the main immediate targets, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data within the next three years.”

Fire ID’s Transaction Verification application ought to thwart these hackers and MITB attacks. The application uses the customer’s mobile phone to generate a unique code for each online transaction, out-of-band from the Web browser. This code is dependent upon the full details of the transaction and is verified by the Fire ID server for authenticity. According to Fire ID, if an attacker attempts to change any of the defined transaction details, the code will become invalid and the server will detect the tampering. Since Fire ID leverages the customer’s mobile phone for transaction verification, expensive and inconvenient hardware tokens are not needed.
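The transaction-bound code described above can be illustrated with the following added example, which is not Fire ID's code (the announcement does not disclose its algorithm). It assumes a per-customer secret shared by the phone and the server, HMAC-SHA256 with HOTP-style truncation, and a server-issued `tx_id`; the key, field names and values are all constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample data (assumptions, not values from the announcement).
KEY = b"constructed-demo-key-not-a-real-secret"
INTENDED = {"tx_id": "demo-0001", "payee_account": "ACCT-111",
            "amount": "250.00", "currency": "EUR"}
# What the bank receives if malware in the browser rewrites the payee.
TAMPERED = dict(INTENDED, payee_account="ACCT-999")


def canonical(tx: dict) -> bytes:
    """Serialize fields in sorted order, length-prefixing each name and value
    so that bytes cannot be shifted between adjacent fields unnoticed."""
    out = b""
    for name in sorted(tx):
        for item in (name, str(tx[name])):
            raw = item.encode("utf-8")
            out += struct.pack(">I", len(raw)) + raw
    return out


def transaction_code(key: bytes, tx: dict, digits: int = 8) -> str:
    """Phone side: derive a short decimal code from the full transaction."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in HOTP (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(key: bytes, received_tx: dict, code: str) -> bool:
    """Server side: recompute over the details it actually received and
    compare in constant time."""
    expected = transaction_code(key, received_tx, 8)
    return hmac.compare_digest(expected.encode(), code.encode("utf-8"))


if __name__ == "__main__":
    code = transaction_code(KEY, INTENDED)  # shown on the customer's phone
    print("untampered request accepted:", server_verify(KEY, INTENDED, code))
    print("tampered request accepted:  ", server_verify(KEY, TAMPERED, code))
```

Because the server recomputes the code over the request it received, a payee or amount changed in the browser no longer matches the code the customer approved on the phone.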

“In the high-stakes world of online banking fraud, hackers have developed sophisticated methods for getting inside the user’s browser and falsifying transactions. Fire ID’s Transaction Verification application provides a powerful out-of-band authentication solution to secure payments and transactions, entirely thwarting MITM and MITB attacks,” said Jenny Dugmore, CEO, Fire ID. (Source: Fire ID Ltd./GST)
