multi-factor authentication



TriCipher Solutions: Transaction Verification

When you conduct an online transaction such as a funds transfer or stock purchase, the details of that transaction are verified with both parties before it is executed. The higher the value of the online transaction, the higher the risk that a hacker or thief will try to compromise it. Typically, transactions are verified through a web page that displays the details of the transaction and asks the user to click confirm or verify.

Unfortunately, hackers using Man in the Browser (MITB) attacks can easily modify transactions that are verified through a web browser, even if the user is prompted to enter their password or one-time passcode for each transaction. Also known as transaction generators, Man in the Browser attacks are a newly discovered type of man in the middle (MITM) attack that waits until users log in to strike, defeating all previous types of user authentication. Hackers modify data sent during a legitimate session, without the user knowing until it’s too late. In order to prevent Man in the Browser attacks, online businesses must authenticate each high-value transaction as it is submitted to ensure the transaction information isn’t modified in transit.


"Man in the Middle attacks can modify customer-generated transactions or generate new transactions; Phishing/Pharming directs a customer to a bogus server that completes the connection to the bank's server. The man 'in the middle' might actually be in the customer's PC: Trojan software can create a hidden browser session and generate transactions on the back of a legitimate strongly authenticated session - a 'Man in the Browser' attack."

Avivah Litan and Ant Allan
Transaction Verification Complements Fraud Detection and Stronger Authentication
September 2006


The existing options for transaction verification, such as manual phone calls, out-of-band one-time passwords (SMS or email) or dedicated hardware input devices, have failed to be adopted widely because they are difficult to use and deploy, require dedicated hardware devices, or simply cost too much to make business sense.

TriCipher Armored Transactions is the first transaction authentication solution that is low-cost and user-friendly enough to be widely adopted for consumer and business transactions, while at the same time preventing Man in the Browser attacks. It works by displaying details of each transaction, which users then verify. While users’ experience is as simple as entering passwords and clicking a mouse, behind the scenes TriCipher’s patented PKI-based technology digitally signs the transaction through a separate secure connection, legally proving that the user authorized the transaction.


Copyright © 2008, TriCipher, Inc.