How to keep your online business secure

Doing business has always necessitated guarding against crime and fraud, and online business is no exception. In the recent decades, the internet has become a veritable goldmine for cybercriminals, whose level of sophistication is constantly evolving. Large amounts of money and information are changing hands over the internet, and skilled cybercriminals have both the know-how and the technical means to gain illicit access to them. We need to decide which battles we absolutely cannot afford to lose.

A significant difference between the real world and the internet is that real-world fraud does not scale well. At the same time, the infinite scalability of the internet is one of its most attractive features, especially for fraudsters, and especially in combination with the ever-increasing share of the world’s GDP, in the form of both money and information, that one can access through computer networks.

Scalable online fraud is a complex matter, but a lot of it boils down to signature fraud, or, simply put, producing false documents. In the physical world, documents can be secured with a combination of a signature, watermarked paper and ID control. Online, things are not as easy. In fact, developing and implementing trusted signatures has been one of the most important challenges for online business. You can never be sure that the device in the hands of the end user is not infected by malware that has given attackers total control while being hard to detect. This is something to keep in mind even when relying on biometric solutions, as the input / output from the phone’s fingerprint reader or the voice input / output of voice authentication software are as secure – or insecure – as the device and the communication channels they are using.

Under these considerations, what we need to do is find a way to sign transactions and documents that bypasses malware and relies on the real, trusted signature, preferably without having to use any extra hardware. At the same time, we must keep in mind who the real enemy is: the infinitely scalable attacks that could put us out of business with one blow.

Here are some things we know: the internet is open to malware, the devices we use are open to malware, and all applications currently on the market are open to malware. Out of these three, the one that can realistically be tamper-proofed are the applications. What we need are applications that implement trusted signatures in the insecure, malware-riddled ecosystem of internet-connected devices.

This is quite a challenging task in a world where leading researchers claim that no application is secure and that the internet is fundamentally broken. By the way, they are right: all evidence supports that the infrastructure is broken. This is why in our research we always expect all devices, be it desktop computers or mobile phones, to be taken over by malware.

We know that there is malware out there that can steal your text messages, modify what you see on the screen and get access to all of your credentials and sensitive data, including your passwords and credit card numbers. How does our solution deal with this threat?

The way our software works is by modifying the code blocks of the secure application for every new transaction or important action – on an individual basis for each device. This stops the malware from tampering with the application as it is given practically no time to respond to the changes. We also watermark the screen, so that we can be certain that the user sees what we actually meant for them to see. With these measures in place, we can offer a solution that produces qualified, secure electronic signatures that are fully compliant with the PSD2 requirements on Strong Customer Authentication.

An independent security evaluator, the German SRC, has verified the underlying technology. Their conclusion is that we achieve Strong Authentication on a single device with no extra hardware – quite a feat in today’s insecure digital landscape.

For similar stories, please check out our Web Fraud Prevention and Online Authentication Market Guide 2016/2017 here to get access to an insightful outline of the global digital identity and web fraud ecosystem.

About Trond Lemberg

Trond has 30 years of experience in banking (Nordea), banking technology and information security technology, including being the project manager of the first VISA SET certified trust centre (Evry) of Norway. He is currently CEO at Protectoria and also the inventor of 5 patent pending security mechanisms of Protectoria.

About Protectoria

Protectoria is a digital security company from Oslo, Norway. Protectoria is strategically aiming at the high-end software security market derived from the compliant security market of EU/EEA. Our focus lies on Internet communication. Being able to protect your identity and trust others is the cornerstone of our online lives.