INFOTECH: Stellenbosch Company's Solution For Secure Online Transacting
A team of young technology wizards, from a software company based in Stellenbosch, has come up with an innovative solution for secure Internet banking and transacting – a first for the world and South Africa. Entersect Technologies specialises in software development for the mobile phone environment and is the first to provide true, secure two-factor authentication.
Says Schalk Nolte, CEO of Entersect: “Our two-factor authentication is completely isolated out-of-band, and also fulfils the requirements for user convenience and usability, ensuring a healthy adoption rate crucial for successful implementation and sustained operation.
“Through continuous product and platform development, we ensure that our technology provides the best security as well as user experience over and above making life easier by providing tasks that previously required either a visit to the bank/institution, or a call to the call centre.”
Nolte continues: “The fact that most users carry their phones with them at all times allows for a whole new range of interactive decisions that can be pushed to the user if done securely. With our solutions, we envisage total control and access to digital transactions and data passed to the user without fear of digital interception, fraud or identity theft.”
The Internet is becoming increasingly central to day-to-day life and an ever-increasing number of services is being made available online. Nolte adds: “This includes sensitive services such as online banking, online purchases, restricted remote system access, and more. Along with this trend, fraud is also increasing at an alarming rate, with fraudsters capitalising on security loopholes.”
Establishing the true identity of an online user is often a tricky task. Christiaan Brand, Chief Technical Officer of Entersect, explains: “Traditionally users have been identified by means of a username and password. Once these credentials are supplied, a user is usually granted unconditional access to the system e.g. the bank’s website and allowed to transfer funds, pay accounts, etc.
“Due to the fact that it’s so easy to obtain someone’s username and password, banks then introduced a One-Time-Password or OTP, which is sent via SMS to your cellular phone. The perpetrator now needs your username, password and OTP to gain access to your account. However, it didn’t take long before fraudsters figured out a way to obtain the OTP. As it’s sent via the cell phone network, anyone working at the relevant network had access to these messages.
“Another way was for the user to think he is on the bank’s website when he’s not. He is on a site which looks almost exactly like the bank’s, then enters all his details, including the OTP.
“Some thieves even manage to attack programmes on the user’s computer (Firefox, Internet Explorer, Chrome, etc). All the info entered on the computer is then changed before being sent to the bank. An example would be that the user wants to pay Mr Smith R500. The fraudster changes the amount in the user’s browser to R10 000 and Mr Smith to Mr Thompson.”
Entersect’s Interactive Transaction Authentication (ITA) system is a complete solution to all the authentication problems in the industry today. This is achieved by approaching the problem holistically and enabling second-factor authentication, with bidirectional (encrypted) out-of-band data transmission. Brand continues: “Our platform can identify each mobile phone in the world uniquely by automatically issuing each client’s phone with a Digital Fingerprint, also called an X.509 client-side certificate. This enables bilateral certificate validation, issued from Entersect’s trusted Certificate Authority. This certificate is stored on the client’s phone inside protected space.
“What this means in layman’s terms is that each transaction to approve (website login, beneficiary payment, etc) is sent to the client’s phone and a description of what the transaction entails is displayed. He or she can then choose to either accept or reject the transaction. The response is then cryptographically signed and sent down to the requesting server to be verified through PKI. This signature can then be used to secure non-repudiation and prove the intent of any user pertaining to a specific transaction.”
Nolte adds: “In other words, no matter what type of attack occurs - i.e. even if a transaction is changed or manipulated by a fraudster - the actual transaction occurring at the bank is sent directly to the specific user over an encrypted second band accessible only to the specific paired phone. All attacks on other channels are therefore negated as the user approves the actual transaction and will immediately discover any fraudulent attempt.”
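The approve-or-reject flow described above, sketched as an added example that is not Entersect's code and not part of the original article: the phone signs its decision over the exact transaction it displayed, and the server accepts only a signed approval of the transaction it actually holds. A bare Ed25519 key pair stands in for the key behind the X.509 client certificate, and all type, field and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Transaction is what the bank will execute (field names are assumptions).
type Transaction struct {
	ID, Payee   string
	AmountCents int64
}

// Response is the phone's signed answer to one specific transaction.
type Response struct {
	Approved  bool
	Signature []byte
}

// NewPhoneKey stands in for the key pair behind the phone's X.509 certificate.
func NewPhoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, key
}

// signedBytes binds the decision to every transaction field (%q is unambiguous).
func signedBytes(tx Transaction, approved bool) []byte {
	return []byte(fmt.Sprintf("%q|%q|%d|%t", tx.ID, tx.Payee, tx.AmountCents, approved))
}

// PhoneRespond signs the user's decision on the transaction shown on the phone.
func PhoneRespond(key ed25519.PrivateKey, shown Transaction, approved bool) Response {
	return Response{approved, ed25519.Sign(key, signedBytes(shown, approved))}
}

// ServerAccepts is true only for a signed approval of the exact transaction held.
func ServerAccepts(pub ed25519.PublicKey, held Transaction, r Response) bool {
	return r.Approved && ed25519.Verify(pub, signedBytes(held, r.Approved), r.Signature)
}

func main() {
	pub, key := NewPhoneKey()
	intended := Transaction{"tx-1", "Mr Smith", 50000}      // constructed sample: R500
	tampered := Transaction{"tx-1", "Mr Thompson", 1000000} // altered to R10 000
	fmt.Println(ServerAccepts(pub, intended, PhoneRespond(key, intended, true)))
	fmt.Println(ServerAccepts(pub, tampered, PhoneRespond(key, intended, true)))
}
```

Because the decision flag and every transaction field are covered by the signature, an approval of the R500 payment does not verify against the altered payment, and a signed rejection cannot be relabelled as an approval.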