TECHNICAL PAPERS PRESENTED/PUBLISHED

International Journal:

  • Published a technical paper titled “Practical approach to of Network security A down to earth approach” in an international journal [The Journal of American Science 2007; 3(1): 10-12]. http://www.sciencepub.org/American
  • Published a technical paper titled “Wireless Security, Myth or Reality” in an international journal [The Journal of American Science 2007; 3(2): 1-6] (ISSN: 1545-1003)
    http://www.sciencepub.org/American/0302/01-0244-jaya-prasad-am.doc

International Conference:

  • Presented a technical paper titled “Sliding mode control of a thin walled composite structure” during the 6th ISSS International Conference on Smart
    Materials Structures & Systems (ISSS-2012), sponsored by ADA, KS
    IT-BT, Dept. of IT-Govt. of India, ISRO, CMTI, Bharat Electronics,
    paper id no. 1569515303, organized by Indian Institute of Science, Bangalore, Karnataka, India, parallel session 6M, 4-7 Jan. 2012.
  • Presented a technical paper titled “Attack Prevention for multi owner data sharing for dynamic groups in the cloud” at the international conference on Electrical, Electronics and Computer Engineering, IRAJ Research Foundation, Puducherry, on 5th April 2014.
  • Presented a technical paper titled “Achieving Revocation for group based data sharing in cloud” at the international Conference on Engineering and Applied Sciences held at Vandavasi, Chennai, on 5th to 7th March 2014, organized by SRJ College of Engineering and Technology.

National Level Technical Presentation:

  • Presented a technical paper titled “Protocols for Secure Quantum key distribution, A review on recent Developments” for the 5th National level workshop on cryptology on August 12th 2005 at JNN College of Engineering, Shimoga, Karnataka, India (conference proceedings, vol. 1, page no. 284-293).

  • Presented a technical paper titled “Network Security in Embedded devices” for the National conference on “HIGH SPEED NETWORKS” (NHCSN-2007) on March 1st 2007 at New Horizon College of Engineering, Bangalore (conference proceedings, vol. 1, page no. 72-75).

  • Presented a technical paper titled “Number Systems and its Application to crypto systems” for the National technical conference conducted on 29th Nov 2007 at Dayananda Sagar College of Engineering, Bangalore (conference proceedings, page no. 40).

  • Presented a technical paper titled “Revolution in Cryptography” for the National Conference on Information and Communication Technology conducted on 28th March 2008 at New Horizon College of Engineering, Bangalore [conference proceedings in CD form].

  • Presented a technical paper titled “New insights into insider threats of Network security” for the National journal Scientech, a peer reviewed journal on Science and Technology (KARENGO4374), pages 09-14.

Technicality and security in E-Commerce Transaction

Introduction:

Securing e-commerce transactions is constantly being challenged by attacks such as man-in-the-middle (MITM) attacks, while new security threats such as man-in-the-browser (MITB) attacks are on the rise. A MITM attack involves a hacker eavesdropping on an internet session and connection, intruding into that connection, intercepting messages, and selectively modifying data. A MITB attack, by contrast, infects a web browser and can modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application. The only way to defeat MITM and/or MITB attacks is by utilizing an out-of-band transaction verification and authentication solution that is consumer friendly, cost-effective, and easy to manage and deploy.

Deploying secure authentication:

Over the years, we’ve struggled with how to secure clients conducting sensitive financial transactions via online banking from insecure locations, using malware-infected equipment, and sometimes running antivirus/antispyware, sometimes not. While education of clients is key, along with providing multifactor authentication for ACH/wire clients, we want to provide effective controls to layer onto all browser sessions to harden them from keyloggers, MITM attacks, etc. What would you say are the best technological tools for the job? Are there other controls/tools financial institutions could utilize to harden these sessions remotely?

Unless there is a major cultural and architectural shift toward using trusted platforms, you may want to assume your customers’ systems are insecure or infected. Customers are unaware of the risks they face while using insecure systems, especially when it comes to the security of financial transactions online. This doesn’t mean you should do nothing to help protect customers, but you may want to implement the protections for the financial transactions on the parts of the system under your direct control. The National Automated Clearing House Association (NACHA) is an organization that establishes the standards and rules followed by financial institutions for transferring payments. It gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions.

Protecting your account

5 Ways to Protect Your Small Business from Account Fraud

Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable. The Georgia Bankers Association and American Bankers Association recommend following these tips to keep your small business safe.
1. Educate your employees. You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.
2. Protect your online environment. It is important to protect your cyber environment just as you would your cash and physical location. Do not use unprotected internet connections. Encrypt sensitive data and keep updated virus protections on your computer. Use complex passwords and change them periodically.
3. Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that safeguard you from unauthorized transactions. Positive Pay and other services that offer call backs, device authentication, multi-person approval processes and batch limits help protect you from fraud.
4. Pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. Keep records of what happened.
5. Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. It is critical that you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities. For additional information, you can also visit the following websites to learn more about how to protect
1. Choose a secure ecommerce platform. “Put your ecommerce site on a platform that uses a sophisticated object-orientated programming language,” says Shawn Hess, software development manager, VoIP Supply. “We’ve used plenty of different open source ecommerce platforms in the past and the one we’re using now is by far the most secure,” Hess says. “Our administration panel is inaccessible to attackers because it’s only available on our internal network and completely removed from our public facing servers. Additionally, it has a secondary authentication that authenticates users with our internal Windows network.”
2. Use a secure connection for online checkout–and make sure you are PCI compliant. “Use strong SSL [Secure Sockets Layer] authentication for Web and data protection,” says Rick Andrews, technical director, Trust Services, Symantec. “It can be a leap of faith for customers to trust that your ecommerce site is safe, particularly when Web-based attacks increased 30 percent last year.” So it’s important to use SSL certificates “to authenticate the identity of your business and encrypt the data in transit,” Andrews says. “This protects your company and your customers from getting their financial or important information stolen.” Even better: “Integrate the stronger EV SSL [Extended Validation Secure Sockets Layer], URL green bar and SSL security seal so customers know that your website is safe.” “SSL certificates are a must for transactions,” Hess agrees. “To validate our credit cards we use a payment gateway that uses live address verification services right on our checkout,” he says. “This prevents fraudulent purchases by comparing the address entered online to the address they have on file with their credit card company.”
3. Don’t store sensitive data. “There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes,” says Chris Pogue, director of Digital Forensics and Incident Response at Trustwave. “In fact, it is strictly forbidden by the PCI Standards,” Pogue says. He recommends purging old records from your database and keeping a minimal amount of data, just enough for charge-backs and refunds. “The risk of a breach outweighs the convenience for your customers at checkout,” he says. “If you have nothing to steal, you won’t be robbed.”
4. Employ an address and card verification system. “Enable an address verification system (AVS) and require the card verification value (CVV) for credit card transactions to reduce fraudulent charges,” says Colin O’Dell, lead Magento developer for Unleashed Technologies.
5. Require strong passwords. “While it is the responsibility of the retailer to keep customer information safe on the back-end, you can help customers help themselves by requiring a minimum number of characters and the use of symbols or numbers,” says Sarah Grayson, senior marketing manager for the Web Security Group at McAfee. “Longer, more complex logins will make it harder for criminals to breach your site from the front-end,” she says.
6. Set up system alerts for suspicious activity. “Set an alert notice for multiple and suspicious transactions coming through from the same IP address,” advises Deric Loh, managing director at digital agency Vault Labs. Similarly, set up system alerts for “multiple orders placed by the same person using different credit cards, phone numbers that are from markedly different areas than the billing address and orders where the recipient name is different than the card holder name.”
7. Layer your security. “One of the best ways to keep your business safe from cybercriminals is layering your security,” says Grayson. “Start with firewalls, an essential aspect in stopping attackers before they can breach your network and gain access to your critical information.” Next, she says, “add extra layers of security to the website and applications such as contact forms, login boxes and search queries.” These measures “will ensure that your ecommerce environment is protected from application-level attacks like SQL (Structured Query Language) injections and cross-site scripting (XSS).”
8. Provide security training to employees. Employees “need to know they should never email or text sensitive data or reveal private customer information in chat sessions as none of these communication methods is secure,” says Jayne Friedland Holland, chief security officer and associate general counsel at technology firm NIC Inc. “Employees also need to be educated on the laws and policies that affect customer data and be trained on the actions required to keep it safe,” Holland says. Finally, “use strict written protocols and policies to reinforce and encourage employees to adhere to mandated security practices.”
9. Use tracking numbers for all orders. “To combat chargeback fraud, have tracking numbers for every order you send out,” advises Jon West, CEO, AddShoppers, a social commerce platform for retailers. “This is especially important for retailers who drop ship.”
10. Monitor your site regularly–and make sure whoever is hosting it is, too. “Always have a real-time analytics tool,” says Punit Shah, director of Marketing at online jeweler My Trio Rings. “It’s the real-world equivalent of installing security cameras in your shop. Tools like Woopra or Clicky allow you to observe how visitors are navigating and interacting with your website in real time, allowing you to detect fraudulent or suspicious behavior,” he says. “With tools like these we even receive alerts on our phones when there is suspicious activity, allowing us to act quickly and prevent suspicious behavior from causing harm.” Also, make sure whoever is hosting your ecommerce site “regularly monitors their servers for malware, viruses and other harmful software,” says Ian Rogers, SEO and Web developer, Mvestor Media, an SEO and website design company. “Ask your current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website.”
11. Perform regular PCI scans. “Perform regular quarterly PCI scans through services like Trustwave to lessen the risk that your ecommerce platform is vulnerable to hacking attempts,” advises West. “If you’re using third-party downloaded software like Magento or PrestaShop, stay on top of new versions with security enhancements,” he says. “A few hours of development time today can potentially save your entire business in the future.”
12. Patch your systems. “Patch everything immediately–literally the day they release a new version,” says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks. “That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers.” “Breached sites are constantly found running a three-year-old version of PHP or ColdFusion from 2007,” says Pogue. So it’s critical you install patches on all software: “Your Web apps, Xcart, OSCommerce, ZenCart and any of the others all need to be patched regularly.”
13. Make sure you have a DDoS protection and mitigation service. “With DDoS [Distributed Denial of Service] attacks increasing in frequency, sophistication and range of targets, ecommerce sites should turn to cloud-based DDoS protection and managed DNS services to provide transactional capacity to handle proactive mitigation and eliminate the need for significant investments in equipment, infrastructure and expertise,” says Sean Leach, vice president of Technology, Verisign. “The cloud approach will help [ecommerce businesses] trim operational costs while hardening their defenses to thwart even the largest and most complex attacks,” he argues. “In addition, a managed, cloud-based DNS hosting service can help deliver 100 percent DNS resolution, improving the availability of Internet-based systems that support online transactions and communications.”
14. Consider a fraud management service. “Fraud does happen. And for merchants, the best resolution is to make sure you are not holding the bag when it does,” says Bob Egner, vice president of Product Management at EPiServer, a .NET content management and ecommerce product company. “Most credit card companies offer fraud management and chargeback management services. This is a practical approach to take because most security experts know there is no such thing as 100 percent safe.”
15. Make sure you or whoever is hosting your site is backing it up–and has a disaster recovery plan. “Results from a recent study by Carbonite revealed businesses have big gaps in their data backup plans–putting them at risk for losing valuable information in the instance of power outage, hard drive failure or even a virus,” says David Friend, CEO of Carbonite. So to make sure your site is properly protected, back it up regularly–or make sure your hosting service is doing so.
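
The alert rules listed in tip 6 above can be expressed as a small rule engine over order records. This is an added example, not code from any of the vendors quoted; the field names, the threshold of three orders per IP in ten minutes, and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("id", "ts", "ip", "customer", "card_token", "cardholder",
          "recipient", "phone_region", "billing_region")

# Constructed sample orders, not real data. Cards appear only as an opaque
# token, never as a card number, in line with tip 3 (don't store card data).
SAMPLE_ORDERS = [
    ("o1", "2024-05-01T10:00:00", "203.0.113.7", "cust-1", "tok-a", "Ann Lee", "Ann Lee", "GA", "GA"),
    ("o2", "2024-05-01T10:02:00", "203.0.113.7", "cust-2", "tok-b", "Bo Kim", "Bo Kim", "TX", "TX"),
    ("o3", "2024-05-01T10:04:00", "203.0.113.7", "cust-3", "tok-c", "Cy Roe", "Cy Roe", "NY", "NY"),
    ("o4", "2024-05-01T11:00:00", "198.51.100.9", "cust-4", "tok-d", "Di Fox", "Di Fox", "CA", "CA"),
    ("o5", "2024-05-01T11:30:00", "198.51.100.20", "cust-4", "tok-e", "Di Fox", "Di Fox", "CA", "CA"),
    ("o6", "2024-05-01T12:00:00", "192.0.2.44", "cust-5", "tok-f", "Ed Poe", "Max Orr", "FL", "WA"),
]


def load(rows):
    """Turn raw tuples into dicts with parsed timestamps, oldest first."""
    orders = [dict(zip(FIELDS, row)) for row in rows]
    for order in orders:
        order["ts"] = datetime.fromisoformat(order["ts"])
    return sorted(orders, key=lambda o: o["ts"])


def same_name(a, b):
    """Compare two names ignoring case and extra whitespace."""
    return " ".join(a.lower().split()) == " ".join(b.lower().split())


def find_alerts(orders, ip_limit=3, window_minutes=10):
    """Return (rule, subject, order_id) tuples for orders that need review."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent_by_ip = defaultdict(list)
    cards_by_customer = defaultdict(set)
    for o in orders:
        # Rule 1: ip_limit or more orders from one IP inside the time window.
        recent = [p for p in recent_by_ip[o["ip"]] if o["ts"] - p["ts"] <= window]
        recent.append(o)
        recent_by_ip[o["ip"]] = recent
        if len(recent) >= ip_limit:
            alerts.append(("many_orders_same_ip", o["ip"], o["id"]))
        # Rule 2: the same customer paying with a second, different card.
        cards = cards_by_customer[o["customer"]]
        cards.add(o["card_token"])
        if len(cards) > 1:
            alerts.append(("multiple_cards_same_customer", o["customer"], o["id"]))
        # Rule 3: phone number region does not match the billing address region.
        if o["phone_region"] != o["billing_region"]:
            alerts.append(("phone_region_differs_from_billing", o["customer"], o["id"]))
        # Rule 4: goods are shipped to someone other than the cardholder.
        if not same_name(o["recipient"], o["cardholder"]):
            alerts.append(("recipient_differs_from_cardholder", o["customer"], o["id"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(load(SAMPLE_ORDERS)):
        print(alert)
```

An alert here means "route to manual review", not "reject": gift orders and shared office networks trigger rules 1 and 4 legitimately, so thresholds need tuning against real order history.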

SSL architecture:

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.

SSL 1.0, 2.0 and 3.0: Netscape developed the original SSL protocols. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws which ultimately led to the design of SSL version 3.0”.

The browser/server requests that the Web server identify itself. The Web server sends the browser/server a copy of its SSL certificate. The browser/server checks to see whether or not it trusts the SSL certificate. … The Web server sends back a digitally signed acknowledgement to start an SSL encrypted session.

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the https protocol and allows secure connections from a web server to a browser. … A domain name, server name or hostname.

SSL deployment

  • Patented technology U.S. Patent #6,993,658
  • Efficient out-of-band transaction verification utilizing ubiquitous text messaging
  • Zero-footprint technology requiring nothing to install on mobile devices
  • Increased protection against advanced threats such as man-in-the-browser and man-in-the-middle attacks
  • Reduce online fraudulent transaction activity and account takeovers
  • Increases reliability of security for online debit card transactions without PIN exposure
  • Ability to access lower processing fees associated with “secure” debit cards
  • Bolster consumer confidence and loyalty towards e-commerce merchants
Electronic payments association NACHA gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions. You may want to implement all of these for transactions and for logging into your Web portal. You could also delay transactions for 24 hours or until approved, or require ACH/wire transfer recipients to be registered by the customer seven days in advance of the transaction’s occurrence.
You could ban insecure older browsers like IE6 and others and recommend alternative Web browsers, technical tools like Trusteer’s Rapport to protect the browser, sandboxing Web browsers as with Invincea Inc.’s virtual browser, or application virtualization like Microsoft’s for the Web browser to help reduce risks. You could also use health checks of client systems to determine whether their machines are infected and if they should be allowed to conduct online financial transactions with your organization without first undergoing remediation of some kind. When recommending any products, however, or requiring any health check, you should be clear these controls will not necessarily protect your customers from all attacks, and still should be implemented with other basic security controls, such as anti-malware. This was last published in August 2011.
DynaPay™ Transaction Verification Process

1. Customer logs in to store website.
2. Customer orders store items.
3. Customer goes to check out and enters payment and shipping information.
4. Customer clicks ‘Place Order’ button.
5. A ‘one-time-pin’ will be sent via SMS to the customer’s mobile phone.
6. Customer enters PIN into OTP prompt within the allowed time frame.
7. Once OTP is verified, the transaction will be complete and the order placed.
8. Customer receives order confirmation.
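
Steps 5 to 7 of the process above, sketched from the merchant server's side. This is an added example and not DynaPay's implementation: the class name, the 120-second time frame, the three-attempt limit, and the choice to put the order amount and payee into the SMS text and into the PIN check are all assumptions made here, so that a PIN issued for one order cannot approve a different one.

```python
import hashlib
import hmac
import json
import secrets
import time


class OtpVerifier:
    """Issues and checks one-time PINs that are bound to one specific order."""

    def __init__(self, ttl_seconds=120, max_attempts=3, clock=time.time):
        self._key = secrets.token_bytes(32)  # per-process MAC key
        self._ttl = ttl_seconds              # the "allowed time frame" of step 6
        self._max_attempts = max_attempts
        self._clock = clock                  # injectable so expiry can be tested
        self._pending = {}                   # order_id -> state; the PIN is not stored

    def _mac(self, order_id, amount_cents, payee, pin):
        # JSON encoding keeps field boundaries unambiguous inside the MAC input.
        msg = json.dumps([order_id, amount_cents, payee, pin]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, order_id, amount_cents, payee):
        """Step 5: create the PIN and the SMS text for the out-of-band channel."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[order_id] = {
            "mac": self._mac(order_id, amount_cents, payee, pin),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        # Showing amount and payee on the phone lets the customer spot an
        # order that was altered in the browser before approving it.
        sms = (f"PIN {pin} approves order {order_id}: "
               f"{amount_cents / 100:.2f} to {payee}. Do not share it.")
        return pin, sms  # in production the PIN goes only to the SMS gateway

    def verify(self, order_id, amount_cents, payee, pin):
        """Steps 6-7: check the PIN against the order about to be executed."""
        state = self._pending.get(order_id)
        if state is None:
            return "unknown"
        if self._clock() > state["expires"]:
            del self._pending[order_id]
            return "expired"
        state["attempts"] += 1
        expected = self._mac(order_id, amount_cents, payee, pin)
        if hmac.compare_digest(state["mac"], expected):
            del self._pending[order_id]      # single use: a replay finds nothing
            return "ok"
        if state["attempts"] >= self._max_attempts:
            del self._pending[order_id]      # stop guessing of the 6-digit PIN
            return "locked"
        return "rejected"


if __name__ == "__main__":
    verifier = OtpVerifier()
    pin, sms = verifier.issue("ord-1", 4999, "Example Store")  # constructed order
    print(sms)
    print(verifier.verify("ord-1", 999900, "Example Store", pin))  # altered amount
    print(verifier.verify("ord-1", 4999, "Example Store", pin))    # genuine order
```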