SecurEnvoy has developed a security technology that solves the problem of session cookie hijacking, a technique cybercriminals use to take over a user's online session and to which any browser can innocently be subjected.
The Oddjob technique, says Phil Underwood, Chief Security Officer, has already been used against customers of banks in Poland and the US, indicating that cybercriminals are already aware of the fraud technology's potential.
"The technique involves infecting a user's computer with a trojan, and then intercepting relevant Web-based commands - plus cookie transmissions - in order to prevent the web site noting that the legitimate user has terminated their online session," he said.
"By using a trojan to log the relevant GET and POST commands, as well as injecting data into an active Web session, cybercriminals can allow a legitimate user to log off their online web service, but keep the session alive on another Internet connection," he added.
This is achieved, says the SecurEnvoy CSO, by lifting the relevant cookie from the user's machine and injecting it into a second, and quite separate, Web browser session.
Since cookies are used by a large number of Web sites to identify a user for the length of the online session, injecting the same cookie into a second, temporarily parallel, Internet session means that the second session piggybacks on the first, explained Underwood.
"Then, when the first session logs out, provided the cybercriminal intercepts the log-off command, they can maintain the piggyback session, which then becomes the main session. They then assume full control over the user's online web facilities, typically banking," he added.
"SecurEnvoy's authentication technology," says Underwood, "strengthens the ability to prove the identity of the user via Two-Factor authentication, whilst also protecting the cookie from impersonation by locking it to the original browser session."
SecurEnvoy believes that authentication should also encompass the entire web session. Most Two-Factor authentication solutions do not include protection beyond initial authentication. SecurEnvoy has built in significant steps to protect the integrity of the session and its associated cookie.
Even if someone intercepts the session cookie and other relevant data through nefarious means, the missing authentication, in combination with the fingerprinted session cookie, will cause the unauthorised session to be dropped.
"Our unique technology is transparent to the user. It works in the background to develop a layer of authentication security that cybercriminals cannot beat," says Underwood.
"The SecurEnvoy authentication system logs the legitimate user's IP address and several other session parameters that identify the online user, their computer and Internet connection. Then, by selectively interrogating the connection on a rotational basis, it continues to authenticate the user in the background for the entire length of the session," he adds.
Using this approach means that, even if the third-party hacker has succeeded in infecting the legitimate user with a trojan that forwards cookies and other parameters to their own system, that data is still not sufficient to beat the SecurEnvoy authentication technology.
"Furthermore," he says, "because SecurEnvoy's authentication technology is constantly rotating its verification sequences between, for example, three of the available ten authentication parameters of a user's online session, unless the cybercriminal can impersonate all of the parameters, their session will terminate."
"SecurEnvoy's authentication technology means that financial institutions and corporates can use multiple identification parameters to identify, beyond all doubt, that a user is who they claim they are, and continue to authenticate that user, continuously, throughout their entire online session, quietly and in the background," said Underwood.
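The session binding and rotating re-verification described in the two passages above, as an added illustration that is not SecurEnvoy's own code: a server-side session store records client connection parameters at login and re-checks a sliding window of them on every request, dropping the session on any mismatch. The parameter names, the client dictionaries and the window size are constructed assumptions; the page does not list the parameters the product actually inspects.

```python
import secrets

# Connection parameters recorded at login and re-checked during the session.
# These names are constructed for this example; the page does not list the
# parameters the product actually inspects.
FINGERPRINT_KEYS = ("ip", "user_agent", "accept_language", "tls_version")

class SessionStore:
    """Server-side session table binding each cookie value to a client
    fingerprint and re-verifying a rotating subset of it on every request."""

    def __init__(self, checks_per_request=2):
        self.sessions = {}
        self.checks_per_request = checks_per_request

    def login(self, user, client):
        sid = secrets.token_urlsafe(32)  # the session cookie value
        self.sessions[sid] = {"user": user, "n": 0,  # n drives the rotation
                              "fp": {k: client.get(k) for k in FINGERPRINT_KEYS}}
        return sid

    def verify(self, sid, client):
        """Return the user if the cookie is live and the presenting client matches
        the recorded fingerprint on this request's window of parameters;
        otherwise drop the session and return None."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        start, sess["n"] = sess["n"], sess["n"] + 1
        # Slide the window one parameter per request so that every recorded
        # parameter is re-verified within a few consecutive requests.
        for i in range(self.checks_per_request):
            key = FINGERPRINT_KEYS[(start + i) % len(FINGERPRINT_KEYS)]
            if sess["fp"][key] != client.get(key):
                del self.sessions[sid]  # unauthorised session is dropped
                return None
        return sess["user"]

    def logout(self, sid):
        # Server-side invalidation: a cookie replayed after this is useless.
        self.sessions.pop(sid, None)

def requests_until_dropped(store, sid, client, limit=10):
    """Number of requests a client completes before the store drops the
    session; returns limit if the session survives them all."""
    for n in range(limit):
        if store.verify(sid, client) is None:
            return n
    return limit
```

Because only a window of parameters is checked per request, a replayed cookie that differs in a single parameter may survive a request or two before the rotation reaches that parameter; a full mismatch is caught immediately.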
"Using this approach means that both ends of the online session can proceed with their transactions without any worry that their session can be intercepted or similarly hijacked," he added.