New approach to online banking takes authentication out of the browser

“In the midst of an international epidemic of phishing attacks on banks, every time a consumer logs information into their bank’s website, they are potentially exposing sensitive and valuable information to any and every watching cybercriminal,” said Francois van Schoor, president of Entersekt.

Much of the financial industry's approach to thwarting criminals has been driven by the principle that if you simply build your defensive wall higher than your neighbors', security holes matter less, according to Christiaan Brand, CTO of Entersekt. Even if there are holes in a given one-time password system or in a hardware token scheme, the chances are that if the other defenses look strong, the criminals will attack a different organization with lower walls or fewer defenses, he explained in an interview with Infosecurity.

Eventually, however, higher walls won’t be enough. “Man in the middle phishing, trojans on PCs and trojans on phones are all getting more sophisticated,” Brand noted. “The purpose of a lot of Android malware is to intercept one-time passwords, so there’s definitely been an advance in the complexity and inventiveness of the fraudster. The idea is that we’ll stay ahead of the curve and continue to innovate.”

To that end, Entersekt is taking a different approach with the use of electronic certificate technology; certificates are deployed using Entersekt’s mobile application, Transakt, which is available for Apple iOS, BlackBerry, Android, Windows Phone and any Java platforms.

Transakt then verifies both the bank and the mobile device, eliminating the need for hardware tokens or one-time passwords. The bank retains full control over registering users, and all communication is encrypted end-to-end and cannot be intercepted by outside parties. The strategy is already deployed in the company’s home market of South Africa.

“With existing [browser-based] systems, multiple parties know your access credentials, but with Entersekt’s Transakt the bank can validate the user, but not replicate the user identity,” Brand explained.
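The mechanism the article describes, device and bank each verifying the other with public-key material while the bank holds nothing it could use to impersonate the device, can be sketched in a few dozen lines. The following is an added illustration, not Entersekt's or Transakt's code, and it assumes a simplified design: ECDSA P-256 keys, a bank that enrolls a raw device public key rather than issuing a certificate, and a JSON-encoded transaction challenge as the message format. The bank signs each challenge so the app can refuse requests that do not come from the enrolled bank, and the app signs the transaction digest so the bank can validate the approval without ever holding the device's private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Challenge is the approval request the bank pushes to the enrolled device.
// The field layout is a constructed example, not Transakt's wire format.
type Challenge struct {
	Nonce   []byte `json:"nonce"` // fresh per request; makes every approval one-shot
	Account string `json:"account"`
	Amount  int64  `json:"amount"`
}

// digest is what both sides sign: a hash over the JSON encoding, so the
// signature covers the transaction details and not just the nonce.
func (c Challenge) digest() []byte {
	b, _ := json.Marshal(c) // fixed struct with fixed field order: deterministic
	h := sha256.Sum256(b)
	return h[:]
}

// Bank stores only device public keys: it can validate an approval but has
// nothing it could use to forge one, unlike a server that holds OTP seeds.
type Bank struct {
	signKey *ecdsa.PrivateKey           // bank's own identity key
	devices map[string]*ecdsa.PublicKey // user id -> enrolled device public key
	pending map[string]Challenge        // outstanding challenges, keyed by nonce
}

func NewBank() (*Bank, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Bank{signKey: k, devices: map[string]*ecdsa.PublicKey{}, pending: map[string]Challenge{}}, nil
}

// Public is the key the device pins at enrollment.
func (b *Bank) Public() *ecdsa.PublicKey { return &b.signKey.PublicKey }

// Enroll registers a device public key for a user; the bank controls this step.
func (b *Bank) Enroll(user string, devPub *ecdsa.PublicKey) { b.devices[user] = devPub }

// IssueChallenge builds and signs an approval request for one transaction.
func (b *Bank) IssueChallenge(account string, amount int64) (Challenge, []byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, nil, err
	}
	c := Challenge{Nonce: nonce, Account: account, Amount: amount}
	sig, err := ecdsa.SignASN1(rand.Reader, b.signKey, c.digest())
	if err != nil {
		return Challenge{}, nil, err
	}
	b.pending[string(nonce)] = c
	return c, sig, nil
}

// VerifyApproval accepts a device signature over a still-pending, unmodified challenge.
func (b *Bank) VerifyApproval(user string, c Challenge, devSig []byte) error {
	pub, ok := b.devices[user]
	if !ok {
		return errors.New("unknown user")
	}
	stored, ok := b.pending[string(c.Nonce)]
	if !ok {
		return errors.New("unknown or already used challenge (replay?)")
	}
	if stored.Account != c.Account || stored.Amount != c.Amount {
		return errors.New("transaction details do not match the issued challenge")
	}
	if !ecdsa.VerifyASN1(pub, c.digest(), devSig) {
		return errors.New("device signature invalid")
	}
	delete(b.pending, string(c.Nonce)) // consume it: the same approval cannot be reused
	return nil
}

// Device keeps its private key on the handset and pins the bank's public key.
type Device struct {
	key     *ecdsa.PrivateKey
	bankPub *ecdsa.PublicKey
}

func NewDevice(bankPub *ecdsa.PublicKey) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: k, bankPub: bankPub}, nil
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.key.PublicKey }

// Approve verifies the bank first, so a challenge relayed by a site that lacks
// the bank's key is refused, and only then signs the transaction digest.
func (d *Device) Approve(c Challenge, bankSig []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(d.bankPub, c.digest(), bankSig) {
		return nil, errors.New("challenge was not signed by the enrolled bank")
	}
	return ecdsa.SignASN1(rand.Reader, d.key, c.digest())
}

func main() {
	bank, _ := NewBank()
	dev, _ := NewDevice(bank.Public())
	bank.Enroll("alice", dev.Public())
	c, bankSig, _ := bank.IssueChallenge("ZA-0001", 250)
	devSig, err := dev.Approve(c, bankSig)
	fmt.Println("device approved:", err == nil)
	fmt.Println("bank accepted:", bank.VerifyApproval("alice", c, devSig) == nil)
	fmt.Println("replay accepted:", bank.VerifyApproval("alice", c, devSig) == nil)
}
```

The point to notice is the asymmetry: a compromise of the bank's database yields device public keys and nothing else, whereas a compromise of an SMS or OTP-seed store yields everything needed to pass as the user. The nonce map and the delete on success are what make an intercepted approval worthless a second time.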

The problem is a growing one, across verticals. “We’ve started with financial institutions because we can influence direct financial losses, but in small and medium businesses and for enterprises moving to the cloud, this is a big issue as well,” Brand said. “Suddenly, all of your data is up on the internet – and much of it is being protected by best-of-breed mechanisms like sending SMS passwords to a user’s phone, which is a very easy approach to break.”

The need for better authentication is also not specific to any geography, according to van Schoor; while every market has its own differences in terms of regulatory mandates and guidelines, there is also notable commonality. “The main thing to point out is that while we obviously cover the market in South Africa, phishing fraud is carried out by the same fraudsters and organizations globally. And we are starting to see traction in the UK and in Western Europe because of that.” The company is also looking to expand in North America, he added.
