Protecting Retail Internet Banking

Online banking today faces two foremost threats: the man-in-the-middle (MITM) attack, in which the attacker sits on the network path between the user and the bank (for example on a compromised or rogue Wi-Fi network; physical proximity to the target is common but not required), and the man-in-the-browser (MITB) attack, which needs only malware on the user's own device.

In MITM, an attacker gains access to the user's network, inserts their tools between the user's computer and the websites the user visits, and captures the login credentials. Fraudsters use Man-in-the-Browser (MITB) malware to capture data or to socially engineer users into surrendering login credentials and other sensitive information. MITB malware infects the end user's device, injects new HTML into the pages delivered by the web server, and reads information directly from browser memory. Because it operates inside the browser, it sees the page after decryption and can alter a transaction (for example the payee or the amount) before it leaves the browser, while the user still sees the details they typed.

Real-time transaction verification can be said to be the most convenient yet resilient defence against MITB and MITM. EZMCOM's out-of-band (OOB) transaction verification has the business application use a second channel (the user's mobile phone) to validate a transaction, or the addition of a new payee, on an electronic-funds-transfer-enabled account. Because the verification channel is separate from the browser session the attacker controls, and the transaction details are presented to the user on that second channel, a tampered or fraudulent transaction is exposed before the bank executes it; the protection holds as long as the phone itself is not compromised. OOB transaction verification strengthens security while increasing user convenience.

In the simplest scenario, an account is in use and a transaction is being authorised for payment: the user clicks to proceed with the transaction.

While the transaction is in progress, the fraudster (MITM/MITB) has only the card details, obtained through a compromised website or an infected computer, and attempts to use them for an online transaction of their own.

1. For an online user, the bank sends a transaction request (PUSH) notification, carrying the details of the transaction it received, to the user's mobile for approval in real time.

2. The genuine user receives the notification in the mobile app, realises that this is not a transaction they initiated, and denies it.

3. The bank receives the deny response and rejects the transaction request.


Alternatively, a user whose mobile is offline receives a prompt on the website to scan a QR code.

1. The user selects offline OTP generation in the mobile app and scans the QR code shown on the website.

2. Once the QR code is scanned, the mobile app generates an offline OTP.

3. As soon as the OTP is submitted on the bank's website, the bank verifies the OTP and authorises the transaction request.
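The following is an added worked example of the offline QR/OTP flow above, written for this page; it is not EZMCOM's product code, and the push flow differs only in that the bank sends the same transaction details to the app and receives an approve/deny answer instead of an OTP. It assumes what makes such a scheme resist MITB: the QR code carries the transaction details plus a one-time challenge, the app shows those details to the user and computes the OTP over exactly them with a per-device secret, and the bank recomputes the OTP over its own copy of the transaction. The accounts, amounts, the 120-second challenge lifetime and the 8-digit OTP length are assumptions, and the transactions are constructed sample data. Four scenarios are worked through: a genuine transaction, MITB altering the payee (the user sees the altered payee in the app and should deny), MITB also forging the QR so the app shows the genuine payee (the OTP then fails to verify), and a replay of a used OTP.

```python
import hashlib
import hmac
import json
import secrets
import time

OTP_DIGITS = 8
CHALLENGE_TTL = 120  # seconds a QR challenge stays valid (assumed value)


def canonical(payload: dict) -> bytes:
    """Stable serialisation so the app and the bank MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def compute_otp(device_secret: bytes, payload: dict) -> str:
    """HMAC-SHA256 over the transaction payload, truncated in the style of RFC 4226."""
    mac = hmac.new(device_secret, canonical(payload), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class BankServer:
    """Bank side: issues QR challenges and verifies the OTP typed into the website."""

    def __init__(self):
        self.devices = {}   # account -> secret shared with the enrolled mobile app
        self.pending = {}   # nonce -> challenge payload the bank is waiting on

    def enroll_device(self, account: str, device_secret: bytes) -> None:
        self.devices[account] = device_secret

    def create_challenge(self, account: str, tx: dict) -> str:
        """QR content shown on the website for the transaction the bank received."""
        payload = {"account": account, "nonce": secrets.token_hex(8),
                   "issued": int(time.time()), **tx}
        self.pending[payload["nonce"]] = payload
        return json.dumps(payload)

    def verify(self, nonce: str, otp: str) -> bool:
        """Accept only an OTP computed over the bank's own copy of the transaction."""
        payload = self.pending.get(nonce)
        if payload is None:                        # unknown, expired or already used
            return False
        if time.time() - payload["issued"] > CHALLENGE_TTL:
            del self.pending[nonce]
            return False
        expected = compute_otp(self.devices[payload["account"]], payload)
        if not hmac.compare_digest(expected, otp):
            return False
        del self.pending[nonce]                    # one-shot challenge: blocks replay
        return True


class MobileApp:
    """User side: decodes the QR, shows the details, generates the offline OTP."""

    def __init__(self, device_secret: bytes):
        self.secret = device_secret

    def scan(self, qr_content: str) -> dict:
        return json.loads(qr_content)              # these are the details the user reviews

    def generate_otp(self, payload: dict) -> str:
        return compute_otp(self.secret, payload)


def setup():
    secret = secrets.token_bytes(32)               # provisioned at enrolment (assumed)
    bank, app = BankServer(), MobileApp(secret)
    bank.enroll_device("acct-1001", secret)
    return bank, app


# Constructed sample transactions: the genuine payee and a fraudster's mule account
GENUINE_TX = {"amount": "250.00", "payee": "GB29NWBK60161331926819"}
ALTERED_TX = {"amount": "250.00", "payee": "GB94BARC10201530093459"}


def legitimate_flow() -> bool:
    bank, app = setup()
    shown = app.scan(bank.create_challenge("acct-1001", GENUINE_TX))
    return bank.verify(shown["nonce"], app.generate_otp(shown))   # user saw genuine payee


def mitb_alters_transaction() -> str:
    """MITB rewrote the payee before submission; returns the payee the user sees in the app."""
    bank, app = setup()
    qr = bank.create_challenge("acct-1001", ALTERED_TX)    # the bank only ever saw this
    return app.scan(qr)["payee"]                           # mismatch: user should deny


def mitb_forges_qr() -> bool:
    """MITB also swaps the QR so the app displays the genuine payee; the OTP cannot verify."""
    bank, app = setup()
    real = json.loads(bank.create_challenge("acct-1001", ALTERED_TX))
    forged = {**real, **GENUINE_TX}                        # same nonce, cosmetic details
    return bank.verify(real["nonce"], app.generate_otp(forged))


def replay_attempt() -> tuple:
    bank, app = setup()
    shown = app.scan(bank.create_challenge("acct-1001", GENUINE_TX))
    otp = app.generate_otp(shown)
    return bank.verify(shown["nonce"], otp), bank.verify(shown["nonce"], otp)
```

The point of binding the OTP to the transaction is visible in `mitb_forges_qr`: the fraudster can make the browser show anything, but an OTP generated over what the user saw only verifies if the bank holds the same transaction, so either the user sees the fraud in the app or the bank rejects the code. The nonce and lifetime stop a captured OTP from being reused for a second transaction.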