Dramatic Breakthrough in Out-of-Band Authentication
May 24, 2006 (PRLEAP.COM) Business News
In today’s internet environment, authentication typically occurs on the same communication channel that is then used to carry the subsequent transactions. For example, a bank customer is authenticated on the bank’s website and then transacts their business on that same website. This is referred to as "in band" authentication. "Out of band" authentication refers to the use of an alternate communication channel, such as a telephone, pager, or other SMS-capable device, to deliver information used in the authentication process.
In the wake of the FFIEC and FDIC’s recent regulatory guidance urging stronger multi-factor authentication, financial institutions are increasingly looking at "out of band" or other "back channel" authentication methods. Unfortunately, most "out of band" authentication methods are as vulnerable to fraud and abuse as their "in band" cousins.
SYMANTEC REPORT
Recently, Symantec Corporation published a report on the proceedings of the AVAR 2005 Conference entitled "Phishing In The Middle Of The Stream - Today’s Threats To Online Banking". In that report, Symantec shook the banking community by confirming the vulnerabilities of well-known in-band approaches such as Passmark Sitekey, and, for the first time, discussing the vulnerabilities of most out-of-band approaches. PassMark Security, the maker of Sitekey, has since been acquired by RSA Security in a move that might best be described as "getting out while they could".
THE PROBLEM IS THE INFORMATION, NOT THE DELIVERY METHOD
So, what is the problem with delivering authentication information through out-of-band communication channels? As noted by Symantec, there is nothing wrong with the delivery methods. The problem lies with the nature of the information that is being delivered.
Most out-of-band approaches send some form of temporary password to the customer’s telephone, pager, or other SMS device. Typically this password is a short numeric code that expires after a few minutes or can be used only once. Such a code proves that whoever enters it has access to the customer’s phone, but it carries no information about which transaction it is approving.
The problem is that a customer’s online transaction can be altered without their knowledge: by malware on their computer, by a man-in-the-middle phishing website, or by a proxy server under a fraudster’s control. In such circumstances the unsuspecting customer believes the authentication code received on their telephone is approving the transaction they intended, when in fact the code is being used to approve a transaction the fraudster has altered. A customer might believe they are transferring funds from their savings account to their checking account when the fraudster has changed the destination to an account of their own. The website sends the approval code to the customer’s telephone, the customer supplies the code to the fraudster’s page (believing it to be the bank’s), and the fraudster submits it together with the altered transaction, which the bank accepts because the code is equally valid for any transaction in that session.
SOLUTION ANNOUNCED
Sestus Data Corporation has announced the release of its long-awaited PhishCops SAFE(tm) out-of-band authentication solution. PhishCops SAFE(tm) is the world’s first SMS Authentication Facilitation Engine capable of solving the problem of altered transactions. Instead of trying to prevent fraudsters from altering a customer’s transaction, PhishCops SAFE(tm) generates an approval code that will only approve an "unaltered" transaction.
GOVERNMENT-APPROVED MATHEMATICAL AUTHENTICATION
PhishCops SAFE(tm) uses government-approved mathematical authentication algorithms to produce an approval code that is computed from the underlying transactional elements (for example, the source account, the destination account, and the amount). If fraudsters alter any of those elements, the code the customer received no longer matches the transaction being submitted, and the approval code fails to approve the (now altered) transaction.
A DRASTIC PARADIGM SHIFT: SECRECY IS NO LONGER A CONCERN
Most out-of-band authentication solutions depend on keeping the transmitted approval codes and other information secret from fraudsters. With PhishCops SAFE(tm), secrecy of the transmitted information is no longer the concern. Because a PhishCops SAFE(tm) approval code will only approve the unaltered transaction, it no longer matters whether the customer enters the approval code themselves or an identity thief captures it and enters it for them. Since fraudsters can no longer alter the transaction to their advantage, they are reduced to entering legitimate approval codes for legitimate transactions the account owner has already approved; essentially doing their victim's work for them. One step remains with the customer: the out-of-band message must show the transaction details the code covers, and the customer must confirm those details match what they intended before entering the code. A fraudster who alters the transaction before it reaches the bank obtains a code that is valid for the altered transaction, and only the mismatch between the message on the phone and the customer’s intent reveals the substitution.
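The two schemes contrasted on this page, as an added illustration that is not PhishCops SAFE(tm) or Sestus code: a transaction-independent one-time code (the kind criticised under "THE PROBLEM IS THE INFORMATION") next to a code computed over the transaction elements. The algorithm choice (HMAC-SHA256 with HOTP-style truncation), the field names, the demo key, the `Bank` class and the sample transactions are all assumptions of this example; the page names no specific algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. Assumptions of this illustration (not PhishCops's algorithm):
# HMAC-SHA256 over the covered fields, truncated to 8 digits HOTP-style (RFC 4226).
SERVER_KEY = b"demo-server-key-not-for-production"
COVERED_FIELDS = ("from_account", "to_account", "amount_cents", "currency", "nonce")

def canonicalize(txn):
    """Deterministic encoding of exactly the fields the approval code must cover."""
    return json.dumps({k: txn[k] for k in COVERED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()

def truncate(mac, digits):
    """HOTP dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def plain_otp(key, counter, digits=8):
    """Transaction-independent code: it says nothing about what is being approved."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return truncate(mac, digits)

def bound_code(key, txn, digits=8):
    """Transaction-bound code: changing any covered field changes the code."""
    return truncate(hmac.new(key, canonicalize(txn), hashlib.sha256).digest(), digits)

class Bank:
    def __init__(self):
        self.counter = 0
        self.issued = set()  # nonces of approvals sent out but not yet used

    # Scheme 1: plain OTP, as criticised on the page.
    def send_plain_otp(self):
        self.counter += 1
        return plain_otp(SERVER_KEY, self.counter)

    def execute_with_plain_otp(self, txn, code):
        ok = hmac.compare_digest(plain_otp(SERVER_KEY, self.counter), code)
        return "EXECUTED" if ok else "REJECTED"  # txn itself is never checked

    # Scheme 2: code computed over the transaction elements.
    def request_approval(self, txn):
        """Record the transaction as received; send its details plus the code out of band."""
        txn = dict(txn, nonce=secrets.token_hex(8))
        self.issued.add(txn["nonce"])
        sms = (f"Transfer {txn['amount_cents'] / 100:.2f} {txn['currency']} "
               f"from {txn['from_account']} to {txn['to_account']}. "
               f"Code {bound_code(SERVER_KEY, txn)}")
        return txn, sms

    def execute_with_bound_code(self, txn, code):
        """Recompute the code over the transaction that would actually be executed."""
        nonce = txn.get("nonce")
        if nonce not in self.issued:
            return "REJECTED"  # unknown or already consumed approval (replay)
        if not hmac.compare_digest(bound_code(SERVER_KEY, txn), code):
            return "REJECTED"  # a covered field differs from what the code approved
        self.issued.discard(nonce)
        return "EXECUTED"

def customer_checks_sms(sms, intended):
    """The human step the binding relies on: does the out-of-band text match the intent?"""
    amount = f"{intended['amount_cents'] / 100:.2f} {intended['currency']}"
    return amount in sms and f"to {intended['to_account']}." in sms

def run_scenarios():
    """Constructed scenarios built on the page's savings-to-checking example."""
    intended = {"from_account": "SAV-1001", "to_account": "CHK-1002",
                "amount_cents": 50_000, "currency": "USD"}
    altered = dict(intended, to_account="ATTACKER-9999")
    bank, out = Bank(), {}

    # Plain OTP: the fraudster relays the victim's code with an altered transaction.
    out["plain_otp_altered"] = bank.execute_with_plain_otp(altered, bank.send_plain_otp())

    # Bound code: malware swaps the destination after the customer has typed the code.
    txn, sms = bank.request_approval(intended)
    code = sms.rsplit("Code ", 1)[1]
    out["customer_accepts_legit"] = customer_checks_sms(sms, intended)
    out["bound_altered_after_code"] = bank.execute_with_bound_code(
        dict(txn, to_account="ATTACKER-9999"), code)
    out["bound_unaltered"] = bank.execute_with_bound_code(txn, code)
    out["bound_replay"] = bank.execute_with_bound_code(txn, code)

    # Bound code: a MITM rewrites the transaction before the bank sees it. The code is
    # valid for the altered transaction, so only the customer reading the SMS stops it.
    _, sms2 = bank.request_approval(altered)
    out["customer_spots_mitm"] = not customer_checks_sms(sms2, intended)
    return out
```

The three bound-code scenarios make the caveat concrete: a swap after the code is issued fails verification outright, a replay fails because the nonce has been consumed, but a swap before the bank sees the transaction yields a code that is valid for the altered transaction, so the out-of-band message must carry the details and the customer must read them. Note also that only the fields in `COVERED_FIELDS` are protected; anything left out of the canonical form can be altered without affecting the code.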
PhishCops SAFE(tm) is built on the patent-pending PhishCops(tm) technology and represents a drastic paradigm shift in out-of-band authentication. It is destined to radically change the dynamics of the war against online identity theft.
For its ground-breaking solution to the problem of online identity theft, the U.S. government has named PhishCops(tm) a semi-finalist for the Homeland Security Award. In 2005, PhishCops(tm) was also the only multi-factor authentication solution to receive InfoWorld’s highest honor, the InfoWorld 100 Award. PhishCops SAFE(tm) and Token by Phone(tm) are part of the PhishCops(tm) multi-factor authentication suite of products.