NetAuthority offers solution to combat 'man-in-the-browser' attacks

Aug. 20, 2012
Company’s Transaction Verification technology pairs device authentication with hashing of account information

Following its official company launch earlier this spring, NetAuthority, a provider of device-centric authentication technology, announced last week that it is rolling out a new solution designed to prevent man-in-the-browser (MitB) attacks.

Similar to man-in-the-middle (MitM) threats, MitB attacks occur when Trojan malware compromises the user's web browser itself. Because the malware runs inside the browser, it can read what the user sees and alter what the user submits within an already authenticated session, while neither the user nor the bank's server notices. Cyber criminals typically use this foothold to watch a user's online banking activity and divert financial transactions to an account of their choosing.

"The notion that occurs in this man-in-the-browser attack is that – let’s call it a bad guy – has injected this into your browser and they are observing and monitoring the activity of a user over a continuous basis so that they can develop a profile that you have a relationship with a particular bank or brokerage (firm) and so forth," explained Chris Brennan, CEO of NetAuthority. "What they have done is recreated the entire webpage of a bank in order to affect a transaction. They would take all of that specific information and inject it into a personalized webpage that they have created so that you are looking at the webpage they have created, but it has your specific account information in it."

To prevent this, Brennan said, NetAuthority's new Transaction Verification technology extracts the values from the transaction page itself at the point where its solution would normally generate an authentication challenge to the user's device.

"Who is the payee? What is the dollar amount? We take that specific account information, we hash that and put it with the device key so that when the challenge occurs at the device and responds back to the server, it must contain the hashed information that conforms with the transaction that you are creating," Brennan said. "Here is where the difference would occur. The bad guys would create a false transaction in the background and send that back to the financial institution to potentially create a new payee, set that payee up as one of their mule accounts and attempt to authorize that transaction. What happens in our situation is that message from the bad guy goes back to the bank, the bank gets the information, but it doesn’t have the hashed information on the transaction values we extracted from the transaction page."

The bank would then see that the transaction it received did not match the hashed transaction values bound into the device's response, and would recognize it as an unauthorized transfer attempt.
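The following is an added illustration of the transaction-binding idea described above; it is not NetAuthority's code, and the message layout, the use of HMAC-SHA256, the device key, the field names and the sample transactions are all assumptions made for this example. The device computes a response over the server's challenge plus a hash of the transaction fields the user confirmed, keyed with the device key; the server recomputes that response from the transaction it actually received, so a payee or amount rewritten by MitB malware in transit produces a mismatch.

```python
import hashlib
import hmac
import json
import os

# Constructed, hypothetical device key. A real deployment would provision a
# distinct key per device; this value exists only so the example runs offline.
DEVICE_KEY = b"\x11" * 32


def canonical_transaction(payee: str, amount_cents: int, currency: str) -> bytes:
    """Serialize the transaction fields the user sees in a fixed, unambiguous order.

    A canonical encoding matters: if device and server serialized the same
    fields differently, honest transactions would fail verification.
    """
    fields = {"payee": payee, "amount_cents": amount_cents, "currency": currency}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def device_respond(device_key: bytes, challenge: bytes,
                   payee: str, amount_cents: int, currency: str) -> str:
    """Device side: answer the challenge with the transaction bound into it.

    response = HMAC-SHA256(device_key, challenge || SHA-256(canonical transaction))
    Including the challenge ties the response to this one authentication
    request; including the transaction hash ties it to these exact values.
    """
    tx_digest = hashlib.sha256(canonical_transaction(payee, amount_cents, currency)).digest()
    return hmac.new(device_key, challenge + tx_digest, hashlib.sha256).hexdigest()


def server_verify(device_key: bytes, challenge: bytes, response_hex: str,
                  received_payee: str, received_amount_cents: int,
                  received_currency: str) -> bool:
    """Server side: recompute the expected response from the transaction the
    bank actually received and compare in constant time."""
    expected = device_respond(device_key, challenge,
                              received_payee, received_amount_cents, received_currency)
    return hmac.compare_digest(expected, response_hex)


def demo() -> tuple:
    """Run the honest case and the MitB-tampered case; returns (honest_ok, tampered_ok)."""
    challenge = os.urandom(16)  # fresh per transaction, so an old response cannot be replayed

    # What the user saw and confirmed on the transaction page (constructed values).
    response = device_respond(DEVICE_KEY, challenge, "ACME Utilities", 12_050, "USD")

    # Honest submission: the bank receives exactly what the user confirmed.
    honest_ok = server_verify(DEVICE_KEY, challenge, response, "ACME Utilities", 12_050, "USD")

    # MitB submission: malware swaps the payee for a mule account before the
    # request leaves the browser, but cannot produce a matching response.
    tampered_ok = server_verify(DEVICE_KEY, challenge, response, "Mule Account 4471", 12_050, "USD")

    return honest_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Two properties a practitioner would check in any real deployment of this pattern: the challenge must be fresh for every transaction, otherwise a captured response could be replayed against a later transaction with the same values; and the values that get bound must be captured through a path the malware cannot also rewrite, since MitB code that controls what the page displays could feed the mule account to both the user and the binding step. The binding only proves that the server received what the device signed, not that the user was shown the truth.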

"This is an extremely unique approach, an extremely strong, elegant and very simple method, but it’s irrefutably strong in its ability to protect users again by validating the device that it’s coming from and specifically verifying the transaction itself," Brennan added.

Though the technology would be applicable to any organization with information or assets that are vulnerable to a data breach, Brennan said that they have specifically received a lot of interest from companies in healthcare and financial sectors. The Transaction Verification solution is currently undergoing testing with a number of the company’s technology partners, according to Brennan.