Welcome to Itootechnologies
Please have a look at the attached document, and I would like to invite you to share and discuss with customers and prospects what we could provide in this regard.
In the attempt to deliver a friction-free digital banking experience with the implementation of Face ID/Touch ID, some banks have implemented convenience at the cost of security. When the client presents his biometric, the username/password pair is read out of the iOS Keychain or Android Keystore, but the credential pair then travels to the server for verification, which means you are vulnerable to man-in-the-middle, man-in-the-browser, credential stuffing and account takeover attacks. With Nevis this cannot happen: we provide a truly password-less FIDO-based solution. In our case there is no username and password that would travel; we send an anonymous challenge instead, which is signed by the private key residing in the secure enclave of the device, and the signed challenge is returned to the server, where it is verified with the public key.
This is a big difference from the security perspective: in our case there is simply no password, therefore it cannot be stolen, any kind of social engineering is useless, and the client has nothing he could mistakenly share with a fraudster. This is security by design. Please have a look at the paper, and let us discuss options for how we could provide you with a FIDO-based, truly password-less login and transaction verification on all channels.
Murphy's law says that if it can happen, it will happen. You should sleep well at night, knowing that all the attack vectors listed above simply cannot happen anymore. It is an undisputed fact that the client is the weak point in every security concept, but only as long as you allow this: when the client has nothing to share, social engineering becomes useless.
The client wants two things: security and convenience. Nobody wants to fear a loss of funds because they could fall victim to a fraudster; give them better security and they will love you. No more passwords for browser login, no more security questions for CC client identification, the same good CX in the app, but with much better security.
While digital banking has improved the overall customer experience, it has also widened the attack surface for cybercriminals. Threats such as malware, man-in-the-browser and man-in-the-middle attacks, resulting in complete Account Take Over (ATO), are becoming more common and have serious consequences for customers and Financial Institutions (FIs) alike.
This paper is a brief on transaction fraud, defined as an unauthorized financial transaction conducted by an individual who is not the legitimate owner of an identity or financial account. The fraudster either creates a new account or takes over an existing digital account for the sole purpose of committing an illegal activity using stolen payment credentials or unauthorized payment information. The analysis makes the case for more robust transaction authentication in online and mobile banking. It outlines critical security issues that require improvements in authentication and transaction verification, and shows how customers and FIs are driving the expansion of the online channel to deploy better authentication in the online banking environment.
The ease with which fake apps, enabled by rapid technological development, steal user credential information for fraudulent transactions is concerning. The analysis is based on stopping the transactions of a fraudster who has all the information, including the OTP.
This section describes weaknesses within authentication and the fraud enablers that criminals use to bypass verification, gain access to accounts, and perpetrate fraud.
FRAUD ENABLERS
Cybercrime is becoming more commercialized every year, with fraud automation and phishing kits available for purchase for a monthly fee. These kits are designed to be easy to use even when the fraudster has limited technical skills. As a result, it is easier than ever before for unsophisticated actors to commit fraud at scale.
The frequency of SMS phishing attacks targeting bank customers is exploding. As email services have become more effective at detecting phishing attacks, criminals are turning to a channel with fewer spam controls: SMS. SMS messages are also many times more likely to be opened than email, making it an increasingly attractive channel for scammers.
Mobile banking malware is often disguised as legitimate software and uses overlay attacks to steal login credentials and payment card details from users of online and mobile banking applications. Once the malware detects that the banking app is running, it activates, pushes the targeted app to the background and displays its own login interface instead. When the victim authenticates, the malware collects the user's credentials. Mobile banking Trojans can remain active and modify data while the victim performs other actions within the banking session.
A data breach exposes confidential or protected information, potentially resulting in the loss or theft of an individual's SSN, bank account or credit card credentials, personal health information, usernames, passwords, email addresses or other PII. Fraudsters purchase this information on the dark web to access the payment credentials that customers hold with FIs.
Man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks are commonly used with, or initiated by, malware. MitM attacks intercept the communication between the customer and the FI and then alter, send and receive messages about the transaction without raising suspicion. They affect the mobile banking channel when customers use unsecured public hotspots to log in, authenticate and/or transfer payment data through a network controlled by the fraudster, who can capture usernames and passwords during transmission. A MitB attack is a form of session hijacking that infects a web browser or a mobile device by installing an add-on that intercepts communication or modifies transaction details.
SMS is one of the most popular and proven mobile services, with worldwide accessibility across all GSM networks. The short message service (SMS) only transports plain text between the sender and mobile users and servers, for many purposes. SMS lacks a built-in mechanism for authenticating text messages and provides no security for text messages sent as data. Multifactor authentication (MFA) is a fast-growing technology. Initially, only passwords were used to protect personal accounts (one-factor authentication); eventually two-factor authentication, which requires a one-time password (OTP) after the password has been verified, was introduced. However, fraudsters use a variety of techniques to obtain OTPs and passwords in order to take over accounts.
Transaction flow
Mobile and Internet banking mostly follow similar transaction processing. Once a user has successfully registered for mobile/internet banking and a device has been registered against their account, a username/password along with an OTP is required to log into the account. The OTP is delivered via SMS to the registered phone number and to the registered email address. To execute transactions such as funds transfers or bill payments, the user registers a beneficiary; this again generates an OTP delivered to the registered device and registered phone number.
Once a beneficiary has been successfully added, transactions to that beneficiary no longer require authentication. This means transaction authentication and authorization are completely absent.
At the time of initial login or account opening, a device is registered based on certain parameters. To register a new device, the user normally receives an OTP on the registered number.
Vulnerabilities in current mechanism
Account takeover occurs when fraudsters use card or bank account credentials, usernames, passwords and/or PII (e.g., email address, name and date of birth) to gain access to a legitimate bank account. ATO attacks can happen in a variety of ways but conclude the same way.
The techniques discussed above have repeatedly proven to be an effective bypass for both OTP and device binding, since device binding itself depends on a valid OTP. Neither OTP nor device binding validates the actual transaction, and once a fraudster has access to the device or can intercept the OTP, banks have very few controls in place to detect account takeover. Rather than relying on authentication at login alone, the system should also require biometric authentication during transactions, which, unlike an OTP, cannot be shared, to ensure that the user is legitimate.
In Europe, the Revised Payment Services Directive (PSD2) has introduced a range of security requirements designed to counter man-in-the-middle attacks and ATO.
In India, the Reserve Bank of India, under its Mobile Application Security Controls, recommends:
FIDO (Fast Identity Online) is based on binding the device to the user and consequently using the device to authenticate every user action, not just the login. It addresses a variety of use cases, including MFA. FIDO Authentication is based on free and open standards developed by the FIDO Alliance. It encompasses a set of authentication techniques other than passwords and SMS OTP, and it eliminates many of the vulnerabilities and problems that arise from password-based authentication and OTP over SMS. While OTP only covers one of the criteria, "what you know", FIDO encompasses both "who you are" and "what you know". FIDO standards solve the problem of MITM attacks by providing cryptographic proof that the user is in possession of the second factor and that they are interacting with a legitimate service. Furthermore, FIDO authenticators can digitally sign transactions.
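The challenge/response flow described in the cover note and in this section, written out as an added Go example (it is not Nevis, FIDO Alliance or Itoo code and is much simpler than the real FIDO message formats): the server sends a random challenge, the device signs it together with the origin and the transaction text using a key that never leaves it, and the server verifies with the registered public key. The relying party ID "bank.example", the user "alice", the transaction text and the choice of P-256 ECDSA are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RelyingParty is the bank's server: it holds only public keys registered at enrolment
// and the challenges it has issued but not yet consumed. No password exists anywhere.
type RelyingParty struct {
	ID      string                      // origin this server answers for
	Keys    map[string]*ecdsa.PublicKey // user -> public key registered at enrolment
	Pending map[string]bool             // outstanding challenges, each usable once
}
// Challenge issues 32 fresh random bytes (hex) and remembers them for one-time use.
func (rp *RelyingParty) Challenge() (string, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return "", err
	}
	ch := fmt.Sprintf("%x", c)
	rp.Pending[ch] = true
	return ch, nil
}
// signedData binds one signature to the relying party ID, the challenge and the
// transaction text, so none of the three can be swapped after signing.
func signedData(rpID, challenge, txn string) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s", rpID, challenge, txn)))
	return sum[:]
}
// Sign is the authenticator side: priv stands for the secure-enclave key, rpID for the origin the client sees.
func Sign(priv *ecdsa.PrivateKey, rpID, challenge, txn string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge, txn))
}
// Verify consumes the challenge (a captured response cannot be replayed), then checks the
// signature under the registered key, this server's own ID and the submitted transaction.
func (rp *RelyingParty) Verify(user, challenge string, sig []byte, txn string) error {
	if !rp.Pending[challenge] {
		return fmt.Errorf("challenge unknown or already used")
	}
	delete(rp.Pending, challenge)
	pub := rp.Keys[user]
	if pub == nil || !ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge, txn), sig) {
		return fmt.Errorf("unknown user or signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: key created on the device
	rp := &RelyingParty{ID: "bank.example", Keys: map[string]*ecdsa.PublicKey{"alice": &priv.PublicKey}, Pending: map[string]bool{}}
	ch, _ := rp.Challenge()
	sig, _ := Sign(priv, rp.ID, ch, "pay 100 EUR to ACME")
	fmt.Println(rp.Verify("alice", ch, sig, "pay 100 EUR to ACME")) // <nil>: genuine response
	fmt.Println(rp.Verify("alice", ch, sig, "pay 100 EUR to ACME")) // error: replayed response
}
```

Because the origin and the transaction text are part of the signed data, a response signed while the client talks to a phishing origin, or a payment whose amount was altered in transit by a man-in-the-browser, fails at Verify just as a replayed response does.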
While the purpose of authentication is to verify a customer when enrolling an account or making a payment, environmental vulnerabilities weaken the effectiveness of current authentication methods and create new opportunities for fraud. Authentication of the customer and payment method needs to occur at each step in the remote payment process (account creation, enrolment and especially during the transaction) to identify, prevent and mitigate fraud attacks. The current mechanism of device binding, with the ability to change devices based on an OTP, is not sufficient to contain man-in-the-middle attacks, which eventually result in account takeovers. A defense-in-depth approach is needed that authenticates users during transactions using biometrics. OTP should be regarded as a small step in the evolution of authentication mechanisms, and a more robust mechanism based on biometrics and public key cryptography is required. The technology is already available, and regulators have acknowledged the weakness and have started to advise on using mechanisms other than OTP.
From the perspective of financially motivated attackers, there are three obvious reasons why credential stuffing attacks against B2C organisations represent such a rich opportunity:
Digital account-based relationships are based on digital user credentials, and credential stuffing attacks are an effective, brute-force way for attackers to exploit weak or compromised credentials and gain unauthorised access to user accounts.
Long-term, account-based customer relationships in B2C organisations are managed in a variety of ways, but as seen in Aberdeen's recent research, virtually every organisation does so online, through both a website and a mobile app (see Figure 1).
Figure 1: Digital account-based relationships are based on digital user credentials, which are vulnerable to automated credential stuffing attacks.
Credential stuffing attacks have become significantly easier for attackers to automate, at very large speed and scale. For their collective convenience, financially motivated attackers have compiled and posted the user credentials derived from multiple mega-breaches (e.g., LinkedIn, Netflix, Gmail, Microsoft, Yahoo, Bitcoin) into a well-organised, searchable database of nearly 3.3 billion unique username/password pairs as of early 2021.
The fact that so many consumers continue to re-use the same passwords across their financial, eCommerce, social media, personal email and work email accounts, combined with the fact that software bots are so brutally efficient at performing automated, repetitive, well-defined tasks at Internet speed and scale, has elevated bot-driven credential stuffing attacks to the forefront of the attacker's arsenal.
Financially motivated attackers are making successful account takeovers pay off in several ways. Aberdeen's research found that B2C organisations in EMEA experienced several direct consequences from successful ATOs, including creation of new accounts (e.g., credit applications); fraudulent transactions, chargebacks and false declines; transfer of funds or other value (e.g., loyalty points, rewards); fraudulent purchases (e.g., physical goods, stored value cards); and theft of services (e.g., download or streaming of digital content). See Figure 2.
Figure 2: Financially motivated attackers are making successful account takeovers in the financial services industry pay off, in several ways.