First in NZ to protect against MITM Attacks
Wednesday, 20 September 2006
RaboPlus first retail banking service in NZ able to protect against “Man-in-the-Middle” attacks
RaboPlus is the first banking service in New Zealand able to protect its retail customers against a “Man-in-the-Middle” (MITM) attack using a digital signature in addition to two-factor authentication security measures.
Maarten Kleinjtes, NZ Police Electronic Crime Laboratory Manager, says: “The future will see criminals changing their current methods of attacking internet banking customers and MITM attacks will be the most likely scenario.
“RaboPlus’ digital signature technology will provide a robust protection mechanism against any such attacks,” he says.
A man-in-the-middle attack (MITM) can occur when criminals position themselves between the customer and the bank and are able to read, insert and modify the communication at will without either party knowing that the security between them has been compromised.
RaboPlus General Manager Mike Heath says RaboPlus’ security is one step above that provided by other banks.
“We are using the most advanced systems available so we can assure our customers that their money and their private information is safe,” he says.
RaboPlus’ defense against MITM attacks is to use a host authentication mechanism, using digital signatures, that ensures the customer knows she/he is visiting the real bank site. It means the user’s password cannot be misused by a fraudster hiding behind a fake copy of the bank’s web site. No other bank in New Zealand has the digital signature step in place for its retail customers.
Mr Heath says RaboPlus’ parent company Rabobank invests heavily in internet security which benefits all divisions of the bank globally.
“Rabobank is Europe's largest internet bank and continually invests in state-of-the-art internet security from which RaboPlus customers in New Zealand benefit,” he says.
RaboPlus customers must use two-factor authentication (their PIN together with a randomly generated number from their DigiPass) to log in, and thereafter each transaction is signed with a digital signature. The digital signature (also generated by their DigiPass) is used by the bank to verify the transaction, ensuring that it has not been modified (by criminals) and that it comes from the customer and not from a fraudster in the middle.
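The transaction-signing check described above, shown as an added example that is not RaboPlus or VASCO code: the release does not say which algorithm the DigiPass uses, so this assumes a secret shared between token and bank, HMAC-SHA256 truncated to eight digits, and a per-transaction counter. The secret, account numbers and all function and class names are constructed for illustration.

```python
import hashlib
import hmac


def sign_transaction(secret: bytes, payee: str, amount_cents: int, counter: int) -> str:
    """Token side (assumed scheme): bind payee, amount and counter into an 8-digit code."""
    msg = f"{payee}|{amount_cents}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank side: recompute the code over the transaction it actually received."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0  # highest counter already accepted

    def accept(self, payee: str, amount_cents: int, counter: int, code: str) -> bool:
        if counter <= self.last_counter:
            return False  # a captured transaction/code pair cannot be replayed
        expected = sign_transaction(self.secret, payee, amount_cents, counter)
        if not hmac.compare_digest(expected, code):
            return False  # details differ from what the customer signed
        self.last_counter = counter
        return True


def demo():
    secret = b"constructed-demo-secret"  # constructed; provisioned in the token and at the bank
    bank = Bank(secret)
    # The customer keys the intended payee and amount into the token.
    code = sign_transaction(secret, "12-3456-0000001-00", 25000, 1)
    # An intermediary swaps the payee in transit but can only forward the same code.
    tampered = bank.accept("12-3456-9999999-00", 25000, 1, code)
    # The unmodified transaction verifies.
    genuine = bank.accept("12-3456-0000001-00", 25000, 1, code)
    # Resubmitting the same signed transaction is refused.
    replayed = bank.accept("12-3456-0000001-00", 25000, 1, code)
    return tampered, genuine, replayed


if __name__ == "__main__":
    print(demo())
```

The protection holds only for the fields covered by the signature and only if the customer enters or confirms those fields on the token itself rather than trusting what the web page displays.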
All RaboPlus customers are issued with a DigiPass – an internet security token developed by security partner VASCO, which must be used in conjunction with a personal identification number (PIN) to access their account. The token generates a new one-time pass code every 36 seconds and, when combined with the user’s PIN, creates a log-in combination that is valid only for that particular user at that moment in time.
Unlike some banks, RaboPlus does not charge customers for the DigiPass because it considers this part of the customer service model, in the same way that a customer would not expect to pay a fee for a security guard to stand outside a bank branch.
VASCO’s systems are used by 500 international financial institutions and over 3,000 blue-chip corporations and governments located in more than 100 countries.
The Rabobank Group is the only banking group in New Zealand to have a AAA credit rating from Standard & Poor’s and Moody’s, the highest available - a reflection of the bank’s financial security.
The Rabobank Group has been rated twice (in 2004 and 2005) by Global Finance Magazine as one of the world’s safest banks.