SOURCE: IronKey

March 30, 2011 07:00 ET

Illegally Obtained Website Certificates Remind Banks of Security Weaknesses in Internet Architecture

IronKey Trusted Network Keeps Banking Customers Safe From Network Hacks

SUNNYVALE, CA--(Marketwire - March 30, 2011) - The public disclosure of a successful breach of a certificate authority that resulted in falsely obtained website digital certificates is reminding banks, governments and corporations of the security weaknesses inherent in the Internet architecture. These attacks can lead to falsified websites, stolen identities, and massive online banking heists. IronKey announced its Trusted Network service is available with Trusted Access for Banking to keep banks and their clients safe from these types of attacks.

This attack on a certificate authority illustrates that hackers and criminals are going to extremely sophisticated lengths to create fake websites that impersonate those of major companies. Last week's attack could allow hackers to intercept encrypted Web communications at fake websites by fooling browsers into thinking they are communicating securely with legitimate websites operated by companies such as Google, Yahoo and Microsoft. Similarly, attackers could create digital certificates of banks or government agencies, allowing them to create fake websites that intercept encrypted transactions and communications, without a user being able to detect it.

This recent certificate authority attack means that a criminal site could have a valid website certificate for a bank that would make the criminal site seem legitimate to software protections in browsers and anti-virus programs. IronKey today announced that their IronKey Trusted Network, operated for use by its Trusted Access for Banking customers, protects banks and their clients from such attacks. 

"Our advice is that banks should provide the highest common denominator for security, one that ensures their online banking clients all arrive safely at the right place, in spite of phony certificates, DNS tampering, ISP attacks, and similar hacks that occur every day," said Dave Jevans, IronKey's founder and chairman. "Trusted Access provides banks and their clients with the most secure online banking experience. Instead of trying to keep up with criminals and detect known attacks, Trusted Access isolates online banking sessions to keep them safe, from the user's browser all the way to the bank site. Trusted Access can be put to work immediately, because it does not require modification to banking websites or require users to download software over the Internet."

With the IronKey Trusted Network, Trusted Access keeps banking customers safe from these attacks:

  • DNS tampering: Provides authoritative DNS lookups that are not dependent on local network or ISP settings and are delivered through an encrypted tunnel
  • Phony websites: Prevents loading of unauthorized content and websites using automatic whitelist protection
  • Network monitoring: Encrypts all network access through a secure tunnel so Trojans are unable to monitor DNS lookups and website access to identify online banking activity
  • Unauthorized and revoked certificates: Checks certificate status in real time using the industry-standard Online Certificate Status Protocol (OCSP) so that certificates revoked by the certificate authority are not accepted

Trusted Access also allows banks to address current and draft industry guidelines. Trusted Access allows banks to provide a dedicated online banking experience as recommended by NACHA and the FBI.[1] In addition, draft FFIEC guidance that updates 2005 online banking authentication guidelines recognizes that a USB device that securely connects users to online banking is a relevant multi-layer security control to prevent fraud.[2]

IronKey Trusted Access for Banking, including the IronKey Trusted Network service, is available immediately worldwide. With Trusted Access for Banking, users simply connect their Trusted Access security device to the USB port on their PC to automatically launch a protected, virtualized online banking environment. The Trusted Access Web Browser starts at the bank's home page and restricts users to navigating only to bank-authorized websites. To protect users from ever-changing malware, Trusted Access for Banking does not rely on potentially compromised and vulnerable applications on the user's host computer. Instead, a secure, encrypted connection to online banking is made through the IronKey Trusted Network to lock out man-in-the-middle and DNS attacks. Advanced encrypted keyboard input protects users from keyloggers that can steal user names and passwords.

Resources

"Protecting Online Banking Customers from Evolving Cyber Crime Threats," a 20-minute online webcast from IronKey, can help you understand the risks facing anyone using a PC for online banking and why anti-virus software and firewalls and other conventional safeguards are not able to stop these attacks. The webcast explains the latest bank phishing attacks, the ZeuS Trojan and SpyEye, the "mule" economy and dozens of other topics relevant to understanding and fighting this serious crime wave.

"Trusted Access Guided Demonstration" provides a complete product demonstration and example attacks. Presented by Kapil Raina, senior product manager at IronKey, the demonstration also shows how banks can easily issue and manage Trusted Access.

About IronKey

Ranked as the 14th best venture-funded company in The Wall Street Journal's "Next Big Thing 2011" survey, IronKey secures data and online access for individuals, enterprises, and governments. IronKey solutions protect remote workers from the threats of data loss, compromised passwords, and computers infected by malicious software and crimeware. IronKey multi-function devices connect to a computer's USB port and are easy to manage with the IronKey management service. This allows users to securely carry sensitive corporate data, strongly authenticate to VPNs and corporate networks and isolate online banking customers from Advanced Persistent Threat attacks. IronKey customers include Fortune 500 companies, healthcare providers, financial institutions and government agencies around the world. Trusted Access for Banking has also won numerous awards such as 'FutureNow 2010 Top 5' from Bank Technology News. Visit www.IronKey.com for more information.

[1] National Automated Clearinghouse Association (NACHA)
[2] Federal Financial Institutions Examination Council (FFIEC)