nternet protocol- (IP) enabled transactions entered through a Secure Sockets Layer (SSL) session are the gold standard for online security. The sessions pass through an encrypted "tunnel" providing safe passage across the Internet for financial transactions. But can SSL be subverted by clever criminals?

"If you're talking about a scenario where they spoof a Web site, the answer is yes," said Tim Callan, Group Product Marketing Manager for VeriSign. Cyber criminals create spoofs, or copies, of real sites.

Beware geeks bearing gifts

Hackers use Trojan horses to empty bank accounts. They are so sophisticated, they can evade SSL precautions. Acquired when a user visits a specious Web site or clicks a link in a corrupt e-mail message, they quietly install themselves, rifle through the cache looking for bank Web pages, which they spoof, and wait for the user to visit the bank site again.

After the user has logged in, initiating an SSL session, the Trojan can capture the data through keyloggers, or it can substitute a spoofed page, becoming a "man in the middle." The user unknowingly sends data to the hacker's server - often in another country - which forwards different transaction instructions to the bank, all within an SSL session.

"Consumers conducting online transactions cannot be confident what they see onscreen is what is really happening," said Ted Crooks, Vice President of Global Fraud Solutions at Fair Isaac Corp. "An IP-enabled merchant system dedicated to card transactions is probably more secure than a consumer PC."

Yet, no device is entirely secure. Merchants can minimize threats by keeping systems behind firewalls with up-to-date antivirus software. ISOs and merchant level salespeople can educate merchants about fraud techniques and alert them when new methods pop up.

Software to the rescue

In April, The 41st Parameter Inc. announced that its FraudNet software features SafeSession, which covertly analyzes sessions in progress for signs that a second computer is involved in the transaction.

"Detecting the smoking gun lets you know that it's happening," said 41st Parameter Chief Executive Officer Ori Eisen, former Worldwide Fraud Director for American Express Co. One way SafeSession does this is by calculating the time return differential between the computer that logged on and the one that is attempting to execute the transaction to see, down to the millisecond, if they match.

Banks, large online merchants, online payment systems and automated clearing house processors can all use the software. The 41st Parameter counts large merchants and payment processors, such as Neiman Marcus and 2Checkout.com, among its clients. "We fingerprint the victim's [PC] and the perpetrator's device. We do that with 41 parameters when you log in, such as what time zone you're in, IP address, browser settings and versions of software, without the user having to do anything," Eisen said.

Certification authorities and VeriSign are creating the High-Assurance (HA) SSL certificate, which requires a rigorous authentication procedure. Internet Explorer 7 browsers have a spoof-proof field in the address bar, making phony pages easier to recognize. The field "will toggle back and forth between the name of the [HA] site and the name of the authenticator," said Callan.