ISS SA presents Entrust IdentityGuard Mobile

© Copyright Entrust, Inc. 2010
Winning the battle against the Man-in-the-Browser

Description

The advanced mobile authentication application is a component of a layered security approach to thwart malicious Man-in-the-Browser software attacks, such as the notorious Zeus Trojan, and is already available as part of the latest release, Entrust IdentityGuard 9.3. "To combat increasingly sophisticated strains of malicious software effectively, including Man-in-the-Browser attacks, financial institutions should use a layered approach led by proven identity-based security solutions." "In addition to strong authentication and anti-fraud methods, out-of-band transaction verification through a mobile application can prove effective in helping to combat Man-in-the-Browser attacks."

Transcript of ISS SA presents Entrust IdentityGuard Mobile

Page 1: ISS SA presents Entrust IdentityGuard Mobile. Winning the battle against the Man-in-the-Browser

Page 2: Let's talk about Man-in-the-Browser

Page 3: no text

Page 4: How does it work?

1. User visits bank and logs into account
2. Malware 'wakes up' based on URL watch list
3. User initiates ACH or Wire Transfer
4. Malware intercepts user's request, substitutes alternate amount and destination
5. Bank receives malware's request, sends transaction details for review and requests one-time-passcode (OTP)
6. Malware intercepts site's transaction detail confirmation, modifies it to correspond to user's initial request
7. User views transaction details (which look fine) then enters OTP token code into Web browser
8. Bank receives and validates OTP, transacting the malware-modified transaction without the user ever knowing
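The eight steps above as a runnable model, added here as an example: it is not Entrust's code and not real malware, and the bank URL, session format, amounts and account names are constructed for illustration. The bank checks a one-time passcode that proves possession of the token but is not bound to the transfer's amount or payee, which is exactly the gap the malware exploits.

```python
"""Toy model of the Man-in-the-Browser flow on slide 4 (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    amount: int
    destination: str


class Bank:
    """Bank whose wire transfers are protected only by a possession OTP."""

    WATCHED_URL = "https://bank.example/transfer"   # assumed URL

    def __init__(self):
        self.pending = {}      # session -> (transfer as received, expected OTP)
        self.executed = []     # transfers actually carried out

    def login(self, user: str) -> str:
        return f"{user}:{secrets.token_hex(8)}"      # step 1

    def request_transfer(self, session: str, transfer: Transfer) -> dict:
        # Step 5: store what was received, echo it for review, expect an OTP.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = (transfer, otp)
        return {"review": transfer, "prompt": "enter OTP"}

    def token_display(self, session: str) -> str:
        """Stand-in for the user's OTP token: the bank can validate what it
        shows, and the browser (hence the malware) never sees the display."""
        return self.pending[session][1]

    def confirm(self, session: str, otp: str) -> bool:
        # Step 8: the OTP proves possession of the token and says nothing
        # about amount or destination, so the stored (substituted) transfer runs.
        transfer, expected = self.pending.pop(session)
        if secrets.compare_digest(otp, expected):
            self.executed.append(transfer)
            return True
        return False


class MitB:
    """Browser hook that rewrites traffic for URLs on its watch list."""

    def __init__(self, watch_list, mule: Transfer):
        self.watch_list = watch_list
        self.mule = mule
        self.original = None

    def on_request(self, url: str, transfer: Transfer) -> Transfer:
        if url in self.watch_list:          # step 2: wakes up on a watched URL
            self.original = transfer        # step 4: remember, then substitute
            return self.mule
        return transfer

    def on_response(self, url: str, page: dict) -> dict:
        if url in self.watch_list and self.original is not None:
            return {**page, "review": self.original}   # step 6: hide the swap
        return page


class Browser:
    def __init__(self, bank: Bank, hook: Optional[MitB] = None):
        self.bank, self.hook = bank, hook

    def post_transfer(self, session: str, transfer: Transfer) -> dict:
        url = Bank.WATCHED_URL
        if self.hook:
            transfer = self.hook.on_request(url, transfer)
        page = self.bank.request_transfer(session, transfer)
        if self.hook:
            page = self.hook.on_response(url, page)
        return page


def run_scenario(infected: bool) -> dict:
    """Run the flow with or without the hook; returns what the user saw
    versus what the bank executed (constructed amounts and accounts)."""
    bank = Bank()
    hook = MitB({Bank.WATCHED_URL}, Transfer(9500, "ACCT-MULE")) if infected else None
    browser = Browser(bank, hook)
    session = bank.login("alice")
    intended = Transfer(500, "ACCT-USER")
    page = browser.post_transfer(session, intended)   # steps 3 to 6
    otp = bank.token_display(session)                  # user reads the token
    accepted = bank.confirm(session, otp)              # steps 7 and 8
    return {"user_saw": page["review"], "accepted": accepted,
            "executed": bank.executed[0] if bank.executed else None}


if __name__ == "__main__":
    print(run_scenario(True))
```

run_scenario(True) reports the 500 transfer on the user's page while the bank executes the 9500 transfer to ACCT-MULE; run_scenario(False) executes what the user asked for. The OTP check passes in both cases, so a stronger OTP changes nothing; only a confirmation bound to the details the bank actually holds, shown to the user over a channel the browser cannot rewrite, closes the gap.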

Page 5: Alternative approaches to capturing user information…

Malware modifies web pages to prompt for OTP so it can silently execute a wire transfer or send OTP to criminal via Instant Message

Page 6: H. Chen

The alternative: out-of-band transaction verification through a mobile application

Page 7: Demonstration

Pages 8 to 14: no text (demonstration slides)

Page 15: User phone automatically wakes up and notifies user of transaction

Page 16: Application is PIN protected to ensure security

Page 17: User reviews and confirms transaction details…

…or gets instructions if transaction is suspect

Page 18: If transaction details OK, user gets confirmation code to enter on web browser

Pages 19 to 20: no text

Page 21: Transaction history maintained for future reference

Page 22: Entrust IdentityGuard Mobile

What is it?
• Downloaded application installed on a user's mobile device
– iPhone, BlackBerry, Windows Mobile, Java-based smart phones

What does it do?
1. Soft token
– All the features of an Entrust Mini Token OT but on a mobile device
2. Transaction Notification Service
– Confirms transaction details out-of-band and provides a confirmation OTP to defeat Man-in-the-Browser
– Same application, optional service (upsell opportunity)

Page 23: H. Chen

Entrust IdentityGuard Mobile

Page 24: Multiple Identities

Multiple identities, one device
Mix of Soft token only and Transaction Notification
Independent activation and control
Customizable branding per identity

Page 25: Entrust Mobile - Soft Token only

OATH compliant
Time-based soft token
30 second time window
Brandable interface

Page 26: IDG Mobile - with Transaction Verification (TVS)

OATH Time-based Soft Token
Transaction details confirmed out of band on mobile device
No data entry
OATH signature of transaction contents
User confirms transaction or acts on suspect details

Page 27: IDG Mobile – 1 product, 2 functions

Mobile – Soft Token only and
Mobile – Soft Token with TVS

Not separate products
Same download
Profile determined by activation code
Upsell opportunity for TVS
Different identities can have different options

Page 28: How Transaction Verification Works

1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. User opens Entrust Mobile Application
4. IDG Mobile retrieves transaction details from bank's IDG & displays to user
5. User confirms details and enters OTP in web browser OR reads how to deal with a suspect transaction

Diagram components: Customer, Banking Application, Self Service Module, IdentityGuard

Page 29: How the Optional Notification Service Works

1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. IDG sends notification message to Entrust cloud service
4. Entrust cloud service sends notification to appropriate provider
5. Provider sends message to device & wakes up IDG Mobile
6. IDG Mobile retrieves transaction details from bank's IDG & displays to user
7. User reads details and enters OTP in web browser OR reads how to deal with a suspect transaction

Diagram components: Customer, Banking Application, Self Service Module, IdentityGuard, Transaction Notification Service (Entrust cloud service), Apple Notification Service; messages: Transaction Notification Request, Transaction Notification

Q4, 2010

Page 30 (CONFIDENTIAL): availability roadmap

Columns: Time-based OTP, Transaction Confirm & Sign
Dates appearing in the table (row labels not recoverable): August 2010, August 2010, Q4/2010, Early 2011, TBD, Early 2011, Early 2011

Page 31: Thank you!

Information Security Services S.A.
Regus Citicenter
Av. Mariscal López Nro. 3794 – Piso 4
CP 1.892 – Asunción / Paraguay
Phone: 595 21 6207768 Fax: 595 21 6207701

Visit our site -> www.iss.com.py
Find us on -> http://www.facebook.com/ISS.Paraguay