TriCipher Secures Online Financial Transactions


Strong Credentials Thwart Emerging Man in the Middle and Man in the Browser Threats Facing Financial Institutions

LOS GATOS, Calif., June 26 - Today TriCipher extended its strong credential management platform from user and portal identity protection to business process protection with Armored Transactions(TM), the most powerful and user-friendly solution to verify online transactions. As businesses implement strong online user authentication to comply with domestic and international regulatory guidelines, attacks are evolving from phishing for users' login credentials to stealth man in the browser (MITB) attacks that intercept and modify transactions.

Integrated into TriCipher Armored Credential System (TACS) 4.0, Armored Transactions prevents hackers' MITB attacks from manipulating activities such as electronic funds transfers, bill pay and stock purchases to perpetrate fraud, identity theft, and pump-and-dump attacks.

"Financial institutions and their customers are completely unprotected against attacks that target transactions," said John De Santis, TriCipher's CEO. "Even if financial institutions provide multifactor user authentication such as tokens or smart cards, attackers can initiate or modify any unprotected transaction they want using man in the browser attacks."

TriCipher's recently announced ID Tool ToGo(TM), a portable, affordable strong credential, puts Armored Transactions' protection on a U3 USB smart drive, protecting transactions wherever users do business.

Man in the Browser: The Next Generation of Fraud

Also known as transaction generators, man in the browser (MITB) attacks are a newly discovered type of man in the middle (MITM) attack that waits until users log in to strike, defeating all previous types of user authentication. Hackers modify data sent during a legitimate session, without the user knowing until it's too late; for example, users could unknowingly purchase the wrong stock or transfer a large sum of money directly into a hacker's account.

Authentication Method | Phishing | Pharming | MITM | MITB
 | 2004 | 2005 | 2006 | 2007
Transaction Authentication | Yes | Yes | Yes | Yes
Smart Card + PKI | Yes | Yes | Yes | No
Tokens, Grid/Scratch Cards | Yes | Yes | No | No
Cookie, Text, Picture | Yes | Maybe | No | No
IP Geolocation, Device Fingerprint | Yes | Maybe | No | No
Password | No | No | No | No

Yes - Prevents the Attack
No - Does Not Prevent the Attack
Maybe - Targeted Attack Required

Gartner Research VPs Avivah Litan and Ant Allan said in Gartner's September 2006 report Transaction Verification Complements Fraud Detection and Stronger Authentication, "MITM attacks can modify customer-generated transactions or generate new transactions; phishing/pharming directs a customer to a bogus server that completes the connection to the bank's server. The man 'in the middle' might actually be in the customer's PC: Trojan software can create a hidden browser session and generate transactions on the back of a legitimate strongly authenticated session - a 'man in the browser' attack."(1)

For more information on man in the middle (MITM) and MITB attacks and TriCipher's solutions, visit the following links:

The Perfect Storm: Man in the Middle Phishing Kits, Weak Authentication and Organized Criminals (http://tricipher.com/landing_pages/spotlight_offer_pr.html)

Protecting Online Transactions: Enabling Faster Payments - Featuring Gartner Research (http://www.tricipher.com/registration/online_transactions_pr.html)

TriCipher Armored Credential System (http://www.tricipher.com/product/index.html)

Armored Transactions (http://tricipher.com/product/armored_transactions.html)

ID Tool ToGo (http://www.tricipher.com/product/id_tool_togo.html)

TriCipher Armored Transactions: Strong User and Transaction Authentication

Existing options for authenticating transactions, such as manual phone calls, out-of-band one-time passwords (SMS or e-mail) or dedicated hardware input devices, have failed to be adopted widely because they are difficult to use and deploy, require single-use devices, or simply cost too much.

TriCipher Armored Transactions is the first transaction authentication solution that is low-cost and user-friendly enough to be widely adopted for consumer and business transactions, while at the same time preventing MITB attacks. It works by displaying details of each transaction, which users then verify. While users' experience is as simple as entering passwords and clicking a mouse, behind the scenes TriCipher's patented PKI-based technology digitally signs the transaction through a separate secure connection, legally proving that the user authorized the transaction.

Global Business Benefits and Compliance Needs: Faster and More Secure Payments

Customers and government regulators are demanding that financial institutions deliver faster and more secure payments. The U.S. Federal Financial Institutions Examination Council (FFIEC) mandates multifactor authentication for high-risk applications to counter fraud and identity theft. Also, the E.U. and European Central Bank have issued guidance for the Single Euro Payments Area (SEPA), which requires straight through processing (STP) with same-day or next-day payment clearing, giving customers more time to accrue interest and have funds available.

Financial institutions currently rely on longer payment clearance windows to catch fraudulent activities. With less time to detect fraud after the fact, financial institutions will need fraud prevention measures in the form of strong user and transaction authentication to make payments faster and more secure.

TriCipher Armored Transactions is available immediately as a new product module for TACS 4.0.

About TriCipher

TriCipher, Inc. provides a unified authentication infrastructure to protect the B2B and B2C online channel against fraud and identity theft. The TriCipher Armored Credential System(TM) (TACS) is the first authentication system that enables companies to deploy and manage multiple types of credentials from a single infrastructure. Through this flexible "Authentication Ladder," TriCipher protects customer investment by adjusting authentication strength to defeat new threats and to meet regulatory changes without the need to implement a new infrastructure. Founded in 2000, TriCipher is headquartered in Los Gatos, Calif. The company is funded by ArrowPath Venture Capital, Intel Capital, RBC Technology Ventures, Trident Capital, and Wasatch Venture Fund. For more information, visit TriCipher on the web at http://www.tricipher.com/.

(1) Gartner, Inc., Transaction Verification Complements Fraud Detection and Stronger Authentication, by Avivah Litan and Ant Allan, 12 September 2006

Source: TriCipher, Inc.

CONTACT: Adam Parken, aparken@corporateink.com, or Dan Brennan, dbrennan@corporateink.com, both of Corporate Ink, +1-617-969-9192, for TriCipher, Inc.

Web site: http://www.tricipher.com/
