NIM, which was launched at the RSA Conference in San Francisco in February, is a USB fob that carries the credentials a user needs for online authentication, together with its own web server and browser, so that sites can be accessed from a PC or laptop without relying on the machine's own web software.

The device is designed to support consumer identity-based applications from any PC or laptop, including public machines in internet cafes, by providing portable authentication credentials and creating a web session that does not depend on the local web server or browser. The plan is to move from authentication to actual transactions in the next release, according to Cedric Collomb, senior VP of identity and access management at the Paris-based company. For that to happen, however, he said technology will need to be added to secure the device against so-called man-in-the-browser attacks.

In a recent threat report, the Department of Homeland Security described man-in-the-browser attacks as a twist on the familiar man-in-the-middle attack. The idea of stealthily modifying or capturing data passing between two parties is the same, it said, but the difference is that the data is stolen or changed while a financial transaction is taking place. Man-in-the-browser attacks are more sinister than man-in-the-middle attacks because they use Trojan horses that invisibly install themselves on users' systems through a web browser. The attacks modify users' financial transactions when they visit a legitimate web site, such as their personal online banking account. The Trojan horses are disguised as browser helper objects or browser extensions and hijack data during online transactions.

Even though the NIM fob comes with its own browser, served on the local host IP address, it could still be infected with a Trojan from which man-in-the-browser attacks could then be launched. Without revealing how the company intends to address this issue, Collomb did say that there are plans to add transaction signing for purposes of non-repudiation.
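To show why transaction signing defeats the browser-side tampering described above, here is an added example in Go; it is not NIM's or the company's code, and it assumes an Ed25519 key pair provisioned on the fob, a bank-issued nonce per transaction, and a simple canonical encoding that both the fob and the bank build identically (all of these are assumptions, not details from the article).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction holds the fields a user submits through the browser; a
// man-in-the-browser Trojan rewrites them after the user has reviewed them.
type Transaction struct {
	Payee  string
	Amount uint64 // cents, so the canonical encoding has no float ambiguity
	Nonce  string // bank-issued, unique per transaction, defeats replay
}

// Canonical is the exact byte string the fob signs and the bank verifies;
// both sides must build it identically (assumed format, not NIM's).
func (t Transaction) Canonical() []byte {
	return []byte(fmt.Sprintf("payee=%s\namount=%d\nnonce=%s\n", t.Payee, t.Amount, t.Nonce))
}

// Fob models the USB device: the private key never leaves it, and it signs
// only the transaction it has displayed to the user for approval.
type Fob struct{ priv ed25519.PrivateKey }

func (f *Fob) Sign(t Transaction) []byte { return ed25519.Sign(f.priv, t.Canonical()) }

// Verify is the bank-side check: the signature must cover exactly the
// transaction received, so any field altered in the browser fails.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Canonical(), sig)
}

// Demo signs a constructed sample transaction, then simulates a Trojan
// changing payee and amount; it returns whether each version verifies.
func Demo() (legitOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // key pair provisioned on the fob
	if err != nil {
		return false, false, err
	}
	fob := &Fob{priv: priv}
	tx := Transaction{Payee: "ACME Utilities", Amount: 12050, Nonce: "n-0001"}
	sig := fob.Sign(tx)
	tampered := tx
	tampered.Payee, tampered.Amount = "mule-account", 950000
	return Verify(pub, tx, sig), Verify(pub, tampered, sig), nil
}

func main() { fmt.Println(Demo()) }
```

The signature only helps if the fob shows the payee and amount on its own trusted display before signing; if the device signs whatever the browser hands it, a Trojan can substitute the transaction before it reaches the key.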