NetAuthority Takes Aim Against Man-In-The-Browser Exploits Plus Other Attacks

NetAuthority, a San Francisco-based security vendor, has announced general availability of the transaction verification solution for which the company was founded nearly one year ago. The strategy involves a device-centric approach to strong authentication that can either be delivered through CPE or through service providers.

Targeted exploits and attack surfaces include key loggers, stolen cookies and user credentials, phishing attacks, man-in-the-middle attacks, and man-in-the-browser attacks.

In a man-in-the-browser attack, the information displayed on the Web page appears to be from the appropriate source, such as a financial institution. But, it's actually coming from the criminals who are using components of the bank site, combined with their own information to make the page look real. In most cases, the intention is to make it appear that nothing significant is taking place while, in reality, transactions are occurring that the bank believes to be happening at the behest of a legitimate user.

[Related: RSA Fraud Report: Security By the Numbers ]

Man-in-the-browser (MitB) malware has emerged over the past few years, and it has become a significant threat, especially in the U.K., according to NetAuthority CEO Chris Brennan, who points to estimated losses of nearly $100 million. Much of the MitB success is based on automated malware, such as Zeus and SpyEye.

"It can't be reliably detected by anti-virus solutions, it's not defeated by multifactor authentication solutions, and it's spreading," said Brennan. "This is an opportunity for the channel to get out in front of it and have a solution that provides verification and protection as opposed to a catch-up game of detection."

"Two factor authentication is typically useless against man-in-the-browser attacks because the attacks occur after authentication," explained Talbot Harty, NetAuthority's vice president of product development. "But in our case, with the combination of our Dynamic Device Key technology and the transaction verification key, we actually have the ability to use the same two-factor authentication solution to independently verify transactions."

NEXT: Effective Verification

NetAuthority’s patent pending Transaction Verification Key (TVK) technology provides device-centric transaction verification to detect and prevent MitB injected transactions. TVKs provide rapid, independent transaction verification as an extension to NetAuthority’s Dynamic Device Keys (DDK), Device Authentication Service and Device Authentication Engine.

"Any customer that is deploying our authentication can opt in for transaction verification capability," explained NetAuthority’s Brennan. "When they flip on that service capability into their existing account, they will be provided with information about the transaction so that they can verify whether or not it's been tampered with. This will protect the banks or whoever is using it, regardless of whether the client is infected with malware. We can independently capture the hashed values of what the user actually typed into the transaction form and bring those into the key before the MitB browser can change those answers and post them back to the server."

Brennan added that the product represents a solid defense against zero-day attack scenarios while at the same time providing the ease of use desired by financial institutions and their customers.

From a technical perspective, the Client Dynamic Device Key Generator executes predefined function calls in order to retrieve device attributes and generate dynamic key data. That dynamic key data is then hashed and placed in an XML device key document. A new symmetrical key is generated and used to encrypt the XML device key document. The symmetrical key is signed and encrypted with NetAuthority DAS PKI public key, and then the encrypted key and device key document are encoded and enveloped for processing.

"Authentication is becoming a real headache," said Andrew Price, director of product management at XyPro, a Simi Valley, Calif.-based security partner. "Customers want to know that their data is secure, but they also want it to be relatively painless to them. This framework gives a high level of security without the management nightmare of distributing tokens and so on. We've worked with a lot of different solutions in the past. This is secure and has a lot fewer deployment headaches."

The system supports a wide variety of platforms and devices with prices starting at $2 per device per month. Volume pricing is also available.

PUBLISHED AUG. 14, 2012