Versafe offers a server-side-only approach to fraud detection and prevention

Already a success in its native Israel, Versafe is bringing its TotALL Online Fraud Protection Suite to North America. With solutions for web-based and native mobile applications, Versafe protects banking (and other) applications from fraud and other attacks at the application layer, protecting users without requiring them to download software.

According to an August 2013 Pew Research Center study, 51% of U.S. adults now bank online, a modest increase from 46% in 2010. What’s growing more rapidly is the number of mobile banking users. In 2011, 18% of mobile phone users reported they use mobile applications to conduct banking. In the latest study, that figure has nearly doubled to 35%.

This increase in online and mobile banking plays to the strength of Israeli company Versafe. In mid-September, Versafe announced general availability of its TotALL Online Fraud Protection Suite in North America. Versafe touts the suite as the only solution able to both detect and protect against fraud, malware and other online threats without any user involvement. (See “50 million users strong, Versafe brings online fraud protection to North America.”)

(As I researched and wrote this article, it was announced that Versafe is being acquired by another industry stalwart in online security, F5.)

As online and mobile banking grow more popular with consumers, they invariably will draw more attention from cyber criminals who see them as poorly secured channels—and for good reason. Criminals have become adept at executing bank fraud through online and mobile attack vectors such as man-in-the-browser and session hijacking. This makes financial institutions very nervous. According to a recent survey by Aite Group, 88% of global risk executives at financial institutions believe mobile is the next big point of exposure.

Versafe has two offerings that cover the two digital banking channels: WebSafe is for web-based applications, and MobileSafe takes care of mobile apps. I’ve put these solutions in the context of banking because Versafe is concentrating on this industry at this time, but the tools can work for any web-based or mobile apps. Once F5’s acquisition is complete, Versafe may expand into other industries.

When compared to competitive solutions that protect banking applications, Versafe’s big differentiator is that no software program or agent needs to be downloaded to end users’ devices. Instead, the solutions work at the application layer so anyone who uses the applications is protected. This ensures universal coverage of a particular banking application without any effort from end users.

WebSafe can be deployed using an SDK directly on a web application. If the bank prefers, an integrated technology partner can do the deployment, which involves putting a small bit of code – Versafe calls it “obfuscated polymorphic” code – into the application to be protected. This code does several things that directly combat the way cyber criminals abuse web applications.

One of the main ways criminals trick application users is to spoof a legitimate website in order to gather sensitive information like account numbers, user names and passwords. The criminal sends out a phish message, the target victim is drawn to the spoofed site and gives his credentials, and – wham! – the criminal has all he needs to go empty out the account.

To prevent this from happening, WebSafe code is embedded and hidden within the legitimate application. So, if a criminal copies that application to create a spoofed site, the WebSafe code goes with it. This code detects what has happened and alerts the application owner, who can redirect traffic away from the spoofed site and do a takedown of that site. If end users enter their credentials to the phishing site, because the WebSafe code is also in the spoofed site, it can detect them and identify the specific customers for the application owner so that holds can be placed on their accounts to prevent theft.
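The idea described above, as an added example that is not Versafe's code: script shipped inside the page checks where it is being served from and flags copies hosted elsewhere. The host names, the `/clone-report` endpoint and the function names are assumptions for illustration.

```javascript
// Added illustration; not Versafe's code. Host names are constructed placeholders.
const LEGITIMATE_HOSTS = ["bank.example", "online.bank.example"];

// True only for an exact match or a genuine subdomain of an allowed host,
// so lookalikes such as "bank.example.login-check.test" do not pass.
function isAllowedHost(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// Classify where the page is being served from and build an alert record.
function assessPageOrigin(pageUrl, referrer, allowed = LEGITIMATE_HOSTS) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { verdict: "unparseable", alert: true, host: null, referrer: null };
  }
  let verdict;
  if (url.protocol === "file:") {
    verdict = "local-copy"; // page saved to disk, as happens when a site is copied
  } else if (url.protocol !== "https:") {
    verdict = "insecure-scheme";
  } else if (!isAllowedHost(url.hostname, allowed)) {
    verdict = "foreign-host"; // the page is running on a site the owner does not control
  } else {
    verdict = "ok";
  }
  return {
    verdict,
    alert: verdict !== "ok",
    host: url.hostname || null,
    referrer: referrer || null,
  };
}

// In a browser, report non-ok verdicts to the application owner.
// The collector URL is hypothetical.
if (typeof window !== "undefined") {
  const report = assessPageOrigin(window.location.href, document.referrer);
  if (report.alert) {
    navigator.sendBeacon("https://online.bank.example/clone-report", JSON.stringify(report));
  }
}
```

A check like this only helps if it survives copying, which is why the article stresses that the embedded code is hidden and obfuscated.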

When customers access the legitimate web application, the WebSafe code encrypts the communications via public key encryption. The hash is sent back to the application and is decrypted by a private key residing behind the bank’s firewall. The transactions between the user’s device and the application are decrypted on the user’s side using the one-time public key. Versafe obfuscates its encryption keys and techniques to make them harder to crack. If a cyber thief steals the customer or transaction data, it is encrypted and useless to him.

What if an end user’s PC or mobile device is already infected with malware, say a keystroke logger that is going to capture sensitive credentials? WebSafe detects the presence of malware based on what it is trying to do and is able to track down the IP of the command and control server, alert the application owner and prevent the data theft.

Another common attack vector for web applications is criminals modifying the original code with web injections or starting up background sessions. The WebSafe code detects these attempts at modification and prevents them from happening.

MobileSafe offers some of these same capabilities for mobile apps. Once again, the deployment of this solution is through an SDK that modifies the native app with the obfuscated polymorphic code. With the ability to encrypt information at the application layer, MobileSafe offers protection against advanced threats that now target the mobile user.

In addition to protecting the specific applications, Versafe operates a managed security operations center to help minimize risks from the latest cyber attacks. Versafe has been credited with discovering several notable vulnerabilities and attacks, including a Joomla CMS vulnerability that allowed a spike in phishing and malware attacks, as well as the Eurograbber attack and a variety of zero-day attacks. The Versafe SOC provides global intelligence and works closely with security organizations and law enforcement agencies.

Web and mobile applications and the end users of these applications are prime targets for cyber criminals. Businesses with a genuine interest in protecting their customers need to build protection into the application layer to ensure that every user has a safe and positive experience without asking the users to download anything to their devices.

Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
