
Welcome to Itootechnologies

Nevis Security for Customer Identity and Access Management (CIAM)

Banking Expert Paper from an independent Auditor

Please have a look at the attached document; I would like to invite you to share it and to discuss with customers and prospects what we can provide in this regard.
In the attempt to deliver a friction-free digital banking experience with Face ID/Touch ID, some banks have implemented convenience at the cost of security. When the client presents a biometric, the username/password pair is read out of the iOS Keychain or Android Keystore, but the credential pair then travels to the server for verification, which leaves it exposed to man-in-the-middle, man-in-the-browser, credential stuffing and account takeover attacks. With Nevis this cannot happen: we provide a truly password-less, FIDO-based solution. In our case there is no username and password that would travel. The server sends an anonymous challenge instead, which is signed by the private key residing in the secure enclave (hardware key store) of the device; the biometric only unlocks that key locally and is never transmitted. The signed challenge is returned to the server, where it is verified with the public key registered for that device.
This is a big difference from the security perspective: in our case there is simply no password, therefore it cannot be stolen, and social engineering for credentials is useless, because the client has nothing he could mistakenly share with a fraudster. This is security by design. Please have a look at the paper, and let us discuss options for how we could provide you with a FIDO-based, truly password-less login and transaction verification on all channels.
Murphy's law says that if it can happen, it will happen; you should sleep well at night knowing that the attack vectors listed above can no longer succeed. It is an undisputed fact that the client is the weak point in every security concept, but only as long as you allow it to be: when the client has nothing to share, social engineering becomes useless.
The client wants two things: security and convenience. Nobody wants to fear a loss of funds because they could fall victim to a fraudster; give them better security and they will love you. No more passwords for browser login, no more security questions for CC client identification, the same good CX in the app, but with much better security.
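The challenge-response flow described above, as an added example in Go (not Nevis's or Itootechnologies' code), using the standard library's ECDSA over P-256. The relying-party name "bank.example", the user "alice", the look-alike origin "phish.example" and all type and function names are assumptions made for illustration. It shows the property the text relies on plus the two checks a practitioner will want to see: each challenge is single-use, so a captured assertion cannot be replayed, and the device signs over the origin it actually observed, so a challenge relayed through a phishing page fails at the real bank. The server stores only public keys, so there is nothing to stuff and nothing for the client to hand over.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// signedMessage is what the device actually signs: the relying-party ID the
// client observed, a separator, and the server's nonce. Binding the RP ID in
// is what makes a relayed (phishing) challenge fail at the real bank.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Device (hypothetical) stands in for the banking app plus the phone's hardware
// key store. The private key is generated here and never leaves it.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only thing the device hands over at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign produces the assertion. rpID is the origin the client observed, so a
// look-alike site cannot obtain a signature for the bank's ID.
func (d *Device) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, signedMessage(rpID, challenge))
}

// RelyingParty (hypothetical) is the bank's side: registered public keys and
// the challenges issued but not yet consumed. No password or shared secret is
// stored, so there is nothing to stuff or to phish.
type RelyingParty struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]string // hex(challenge) -> user
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce; it carries nothing
// user-specific that an interceptor could reuse against another login.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = user
	return c, nil
}

// Verify accepts an assertion only if the challenge is still outstanding for
// that user (no replay) and the signature verifies over the bank's own rpID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if owner, ok := rp.pending[key]; !ok || owner != user {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, key) // single use: consumed even if the signature fails
	if !ecdsa.VerifyASN1(rp.pubKeys[user], signedMessage(rp.rpID, challenge), sig) {
		return errors.New("signature does not verify for " + rp.rpID)
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	rp.Register("alice", dev.PublicKey())
	c, _ := rp.Challenge("alice")
	sig, _ := dev.Sign("bank.example", c)
	fmt.Println("legitimate login:", rp.Verify("alice", c, sig))   // <nil>
	fmt.Println("replayed assertion:", rp.Verify("alice", c, sig)) // non-nil error
	c2, _ := rp.Challenge("alice")
	sig2, _ := dev.Sign("phish.example", c2) // victim signs on a look-alike origin
	fmt.Println("relayed via phishing page:", rp.Verify("alice", c2, sig2)) // non-nil error
}
```

The challenge is consumed before the signature check so that a failed attempt cannot be retried with the same nonce; in a real deployment the pending set would also expire entries after a short timeout and be keyed to the session that requested them.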


Introduction

While digital banking has improved the overall customer experience, it has also widened the attack surface for cybercriminals. Threats such as malware, man-in-the-browser and man-in-the-middle attacks, which can result in complete Account Take Over (ATO), are becoming more common and have serious consequences for customers and Financial Institutions (FIs) alike.
This paper is a brief on transaction fraud, defined as an unauthorized financial transaction conducted by an individual who is not the legitimate owner of an identity or financial account. The fraudster either creates a new account or takes over an existing digital account for the sole purpose of committing an illegal activity using stolen payment credentials or unauthorized payment information. The analysis makes the case for more robust transaction authentication for online and mobile banking. It outlines critical security issues that require improvements in authentication and transaction verification, and shows how customers and FIs are driving the expansion of the online channel to deploy better authentication in the online banking environment.
Rapid technological developments have made it easy for fake apps to steal user credentials for fraudulent transactions, which is concerning. The analysis is based on stopping the transactions of a fraudster who has all the information, including the OTP.


The Threat Landscape

This section describes weaknesses within authentication and the available fraud enablers that criminals use to bypass verification, gain access to accounts, and perpetrate fraud.
FRAUD ENABLERS

Fraud Techniques

Account takeover occurs when fraudsters use card or bank account credentials, usernames, passwords and/or PII (e.g., email address, name, and date of birth) to gain access to a legitimate bank account. ATO attacks can start in a variety of ways but end the same way.

Credential Stuffing and ATOs: Background and Perspective

From the perspective of financially motivated attackers, there are three obvious reasons why credential stuffing attacks against B2C organisations represent such a rich opportunity:

Digital account-based relationships are based on digital user credentials, and credential stuffing attacks are an effective, brute-force way for attackers to exploit weak or compromised credentials and gain unauthorised access to user accounts.
Long-term, account-based customer relationships in B2C organisations are managed in a variety of ways, but as seen in Aberdeen's recent research, virtually every organisation does so online, through both a website and a mobile app (see Figure 1).
Figure 1: Digital account-based relationships are based on digital user credentials, which are vulnerable to automated credential stuffing attacks.

Credential stuffing attacks have become significantly easier for attackers to automate, at very high speed and scale. For their collective convenience, financially motivated attackers have compiled and posted the user credentials derived from multiple mega-breaches (e.g., LinkedIn, Netflix, Gmail, Microsoft, Yahoo, Bitcoin) into a well-organised, searchable database of nearly 3.3 billion unique username/password pairs as of early 2021.

The fact that so many consumers continue to re-use the same passwords across their financial, eCommerce, social media, personal email, and work email accounts, combined with the fact that software bots are so brutally efficient at performing automated, repetitive, well-defined tasks at Internet speed and scale, has elevated bot-driven credential stuffing attacks to the forefront of the attacker's arsenal.

Financially motivated attackers are making successful account takeovers pay off in several ways. Aberdeen's research found that B2C organisations in EMEA experienced several direct consequences from successful ATOs, including creation of new accounts (e.g., credit applications); fraudulent transactions, chargebacks and false declines; transfer of funds or other value (e.g., loyalty points, rewards); fraudulent purchases (e.g., physical goods, stored value cards); and theft of services (e.g., download or streaming of digital content). See Figure 2.

Figure 2: Financially motivated attackers are making successful account takeovers in the financial services industry pay off, in several ways.