NetAuthority Takes Aim Against Man-In-The-Browser Exploits Plus Other Attacks


NetAuthority, a San Francisco-based security vendor, has announced general availability of the transaction verification solution for which the company was founded nearly one year ago. The strategy involves a device-centric approach to strong authentication that can either be delivered through CPE or through service providers.

Targeted exploits and attack surfaces include key loggers, stolen cookies and user credentials, phishing attacks, man-in-the-middle attacks, and man-in-the-browser attacks.

In a man-in-the-browser attack, the information displayed on the Web page appears to come from the appropriate source, such as a financial institution. But it is actually coming from criminals who use components of the bank site, combined with their own information, to make the page look real. In most cases, the intention is to make it appear that nothing significant is taking place while, in reality, transactions are occurring that the bank believes are happening at the behest of a legitimate user.


Man-in-the-browser (MitB) malware has emerged over the past few years, and it has become a significant threat, especially in the U.K., according to NetAuthority CEO Chris Brennan, who points to estimated losses of nearly $100 million. Much of the MitB success is based on automated malware, such as Zeus and SpyEye.

"It can't be reliably detected by anti-virus solutions, it's not defeated by multifactor authentication solutions, and it's spreading," said Brennan. "This is an opportunity for the channel to get out in front of it and have a solution that provides verification and protection as opposed to a catch-up game of detection."

"Two factor authentication is typically useless against man-in-the-browser attacks because the attacks occur after authentication," explained Talbot Harty, NetAuthority's vice president of product development. "But in our case, with the combination of our Dynamic Device Key technology and the transaction verification key, we actually have the ability to use the same two-factor authentication solution to independently verify transactions."
