VirtualATM To Key Secure Online Banking
David Utter Staff Writer
2006-12-14
The security firm Authentium has a product nearing launch that could stop keyloggers and man-in-the-middle attacks from plaguing users of online financial services.
A few weeks ago, I'd talked with Authentium marketing VP Corey O'Donnell about some security-related topics, and financial websites came up in the conversation. I asked what might be a solution to the problem of threats to online banking, short of putting a hard-wired Bloomberg terminal equivalent in every home.
To my surprise, he had an answer, and when we spoke again this week I found it won't require getting my home rewired or finding a place for a dedicated terminal.
If E-Trade had been using a solution like VirtualATM, Authentium's product scheduled for a March 2007 launch, they never would have had to pay out $18.5 million to clients who had their account details captured by a keylogger on their compromised systems.
Criminals used those credentials to log in to a number of E-Trade accounts and pump up the price of a penny stock the criminals controlled. Then the scamsters sold their inflated shares and left E-Trade's clients to complain to E-Trade.
The online brokerage ended up having to make good on the fraudulent transactions and reimbursed their clients. That event probably got more financial institutions interested in a better way to provide secure services than any security breach did.
To take a greater role in protecting consumers and safeguarding accounts, not to mention avoiding another E-Trade-sized payout, banks have tried different solutions. These have generally involved displaying a particular image, text, or color that customers have selected to indicate they are connecting to a bank's site.
Such measures could be defeated by man-in-the-middle attacks, not to mention the ongoing threat from keyloggers. Preventing these problems requires a more robust end-to-end approach, and Authentium may have created that.
Instead of a hard-wired physical solution that establishes a secure channel from customer to bank, Authentium's VirtualATM will accomplish this through software. VirtualATM would be embedded in a security suite and would create a secure connection to the financial institution over a VPN.
That connection can either go to a VPN concentrator on a bank's network, or to a central site at the customer's ISP that in turn retrieves the bank's web page to serve it to the customer. Either way, the bank and the customer know they are each connecting to a legitimate entity.
VirtualATM goes a step further than securing the channel. When running, VirtualATM locks down the system. No other software can run while VirtualATM is in use.
It goes deep into the OS to block low-level system calls, where malware like keyloggers and other abusive programs would operate. O'Donnell demonstrated this by showing a PC running a keylogger that easily captured a username entered on a bank's web form, then running VirtualATM, pulling up the same bank's page, and entering the username.
The keylogger never saw it take place.
Authentium has been working with some banks through the development of VirtualATM. They have also been talking with Internet service providers like Cox, a long-time Authentium partner. If everyone can find common equitable ground, I won't be surprised to see the bigger banks, as well as online brokerages, make VirtualATM a customer requirement to perform transactions through the Internet.
---
Tag: VirtualATM
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.