How Two Factor Authentication protects against hacking attacks - ArrayShield
This white paper explains how Arrayshield’s IDAS two-factor authentication product protects from several hacking attacks.
How ArrayShield IDAS Protects Against Hacking Attacks - Whitepaper

Highlights of ArrayShield IDAS:
√ Protects organizations from multiple hacking attacks that can defeat traditional authentication methods.
√ Login process uses intuitive, easy-to-remember patterns instead of passwords.
√ Provides one secure credential for multiple applications.
√ Can be integrated and deployed in any environment.

Introduction:
Many organizations protect their infrastructure with a simple username and password. Entering this information grants access to the organization's sensitive data held in servers, databases, applications, email accounts and other places. But it is widely acknowledged by information security experts that passwords are notoriously insecure. Many users choose weak passwords which can be easily guessed or cracked. When password policies are enforced, users end up writing their passwords on Post-It notes, mobiles, email or on their laptops, which is a serious security vulnerability. Phishing attacks trick users into revealing their passwords. Viruses and spyware can capture passwords and send them over the network to attackers.

All the above scenarios make it very difficult for organizations to keep their sensitive data out of the hands of hackers and competitors. Organizations of all sizes, from Fortune 500 companies to SMEs and government, have recently witnessed multiple hacking attacks that succeeded because the attacker learned a user's password. The cause for concern is only magnified as the estimated cost of a data breach has reached $6.6 million. Additionally, regulations such as Sarbanes-Oxley, the PCI Data Security Standard, US data breach notification laws and others have been put in place to protect access to corporate networks. Failure to meet requirements that call for two-factor authentication could result in regulatory fines and irreversible damage to a brand's reputation.

Security experts worldwide recommend strong two-factor authentication to protect an organization's assets. The same is recommended by compliance regimes and certifications such as PCI-DSS, HIPAA, SAS 70, ISO 27001 and others.

Clearly passwords are not sufficient for protecting an organization's data:
√ Easy passwords can be cracked.
√ Random passwords can't be remembered.
√ The same passwords are used in multiple places.
√ Passwords that must be changed continuously are not user-friendly.

This white paper describes how the ArrayShield IDAS authentication system prevents various kinds of hacking attacks that compromise traditional authentication mechanisms.

ArrayShield IDAS Technology:
ArrayShield IDAS is a challenge/response two-factor authentication scheme. At each login a dynamically generated CharacterArray is displayed as a grid on the computer screen, and the user superimposes on it an ArrayCard of the same grid structure that has opaque and transparent cells.

ArrayShield IDAS builds on the widely accepted observation that humans are better at recognizing, remembering and recalling graphical patterns than text. Instead of remembering a sequence of characters (a password) as the secret, ArrayShield IDAS users remember a shape or pattern.

At authentication time the user overlays the ArrayCard provided to them on the displayed CharacterArray and types the characters that appear in the cells of their chosen pattern. The contents of the CharacterArray change at every authentication, so the user types a different One-Time SecretCode each time. This makes the system a dynamic-password user authentication system built on two factors: the pattern (something the user knows) and the ArrayCard (something the user has). The verifier holds the user's card structure and pattern, so it can compute the expected code for the CharacterArray it issued and compare it with what was typed.

While highly secure, ArrayShield IDAS features an easy-to-use interface and integrates quickly with existing authentication infrastructure, supporting standards such as RADIUS-based OTP, SAML and others. This makes deployments fast for an organization to implement and easy for its customers to use.

ArrayShield IDAS provides protection against common hacking attacks and several newer attacks that are becoming popular among fraudsters. Other solutions, including one-time-password (OTP) generator tokens, do not offer the same level of protection against attacks such as real-time replay. The following section lists known hacking attacks and shows how ArrayShield IDAS defeats them.

Hacking Attacks and How ArrayShield IDAS Protects Against Them:

Keyloggers
Attack vector: Keyloggers are applications or hardware devices that monitor a user's keystrokes and send the captured information back to the attacker over the internet. Hardware keyloggers are small inline devices placed between the keyboard and the computer. Software keyloggers are also referred to as spyware; spyware usually gets onto the computer bundled with ad-supported software that the user is enticed to install for free.
Protection offered by ArrayShield IDAS: Because ArrayShield IDAS is a dynamic-password system, a captured keystroke sequence is of little use. Even if the attacker obtains a user's One-Time SecretCode, that code cannot be reused to log in (the CharacterArray is different for the next login), and the attacker cannot recover the user's pattern from the typed code alone, since the code is meaningful only together with the CharacterArray it was derived from. Hence ArrayShield IDAS protects against both software and hardware keyloggers.

Real-time Replay Attack
Attack vector: Malware sits inside a user's browser and waits for the user to log into a bank. During login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank's website, telling the user that the service is "temporarily unavailable". The fraudster immediately uses the user ID, password and OTP to log in and drain the user's accounts.
Protection offered by ArrayShield IDAS: Since ArrayShield IDAS is a challenge/response system, the CharacterArray shown for each transaction is unique and the One-Time SecretCode derived by the user is valid only for that transaction. Even if an attacker captures the One-Time SecretCode in real time and replays it from his own machine, his login session is issued a different CharacterArray, so the replayed code will not match the code expected for that array. This protection rests on the verifier binding each code to the specific CharacterArray it issued for that session and discarding the challenge after one use.
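The challenge/response login described in the ArrayShield IDAS Technology section, together with the keylogger and replay reasoning just above, as a runnable simulation. This is an added example, not ArrayShield's own code. The 6x6 grid, the cell alphabet, the number of transparent cells per card, modelling the ArrayCard as a set of transparent cells and the pattern as an ordered sequence of those cells, the lockout threshold, and the names IDASServer, derive_secret_code and demo are all assumptions made here, not details from the whitepaper.

```python
import hmac
import random
import string
import uuid

# Assumed parameters (not taken from the whitepaper).
GRID = 6                                            # 6x6 CharacterArray
ALPHABET = string.ascii_uppercase + string.digits   # characters shown in cells
TRANSPARENT_CELLS = 12                              # transparent cells per ArrayCard
PATTERN_LEN = 6                                     # cells in the user's pattern
MAX_FAILURES = 3                                    # lockout threshold


def new_character_array(rng):
    """Server side: a fresh random grid (the challenge) for every login attempt."""
    return [[rng.choice(ALPHABET) for _ in range(GRID)] for _ in range(GRID)]


def issue_array_card(rng):
    """Enrolment: the card the user has, modelled as its set of transparent cells."""
    cells = [(r, c) for r in range(GRID) for c in range(GRID)]
    return frozenset(rng.sample(cells, TRANSPARENT_CELLS))


def choose_pattern(card, rng):
    """Enrolment: the pattern the user knows, an ordered walk over transparent cells."""
    return tuple(rng.sample(sorted(card), PATTERN_LEN))


def derive_secret_code(array, card, pattern):
    """What the user does at login: overlay the card on the array and type the
    characters under the pattern cells, in order. The verifier, holding the same
    card and pattern, runs this on the array it issued to get the expected code."""
    if not set(pattern) <= card:
        raise ValueError("pattern must lie within the card's transparent cells")
    return "".join(array[r][c] for r, c in pattern)


class IDASServer:
    """Minimal verifier: single-use challenges bound to a session, lockout on failures."""

    def __init__(self, rng):
        self.rng = rng
        self.users = {}        # user -> (card, pattern)
        self.challenges = {}   # session_id -> (user, CharacterArray)
        self.failures = {}     # user -> consecutive failed attempts

    def enrol(self, user):
        card = issue_array_card(self.rng)
        pattern = choose_pattern(card, self.rng)
        self.users[user] = (card, pattern)
        self.failures[user] = 0
        return card, pattern   # handed to the user out of band

    def begin_login(self, user):
        array = new_character_array(self.rng)
        session_id = uuid.UUID(int=self.rng.getrandbits(128)).hex
        self.challenges[session_id] = (user, array)
        return session_id, array

    def finish_login(self, session_id, response):
        # The challenge is consumed whether or not the response is right.
        user, array = self.challenges.pop(session_id, (None, None))
        if user is None or self.failures[user] >= MAX_FAILURES:
            return False
        card, pattern = self.users[user]
        expected = derive_secret_code(array, card, pattern)
        ok = hmac.compare_digest(expected, response)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok


def demo(seed=None):
    """Genuine login, then a keylogger/replay attempt, then blind guessing to lockout.
    Returns (genuine_ok, replay_ok, locked_out)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    server = IDASServer(rng)
    card, pattern = server.enrol("alice")

    # Alice logs in; a keylogger on her machine records the code she typed.
    sid1, array1 = server.begin_login("alice")
    code1 = derive_secret_code(array1, card, pattern)
    genuine_ok = server.finish_login(sid1, code1)

    # The attacker opens his own session: it gets a different CharacterArray,
    # so the recorded code is the answer to the wrong challenge.
    sid2, _ = server.begin_login("alice")
    replay_ok = server.finish_login(sid2, code1)

    # String-based brute force: random strings against fresh arrays hit the lockout,
    # after which even the correct code for the current array is rejected.
    for _ in range(MAX_FAILURES):
        sid, _ = server.begin_login("alice")
        guess = "".join(rng.choice(ALPHABET) for _ in range(PATTERN_LEN))
        server.finish_login(sid, guess)
    sid3, array3 = server.begin_login("alice")
    locked_out = not server.finish_login(sid3, derive_secret_code(array3, card, pattern))
    return genuine_ok, replay_ok, locked_out


if __name__ == "__main__":
    print(demo())
```

Replaying code1 fails because finish_login only ever compares a response against the CharacterArray issued for that session, and drops the challenge after one use; the replay and keylogger protection claimed above rests on that binding. A captured code is also useless for recovering the pattern on its own, since without the matching array the attacker does not know which cells the characters came from.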
Man in the Browser Attack
Attack vector: Malware overwrites transactions sent by a user to the online banking website with the criminal's own transactions. The overwrite happens behind the scenes so the user does not see the revised transaction values. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
Protection offered by ArrayShield IDAS: The hardened ArrayShield IDAS client has a Transaction Verification module through which the transaction details, as received by the host (bank), are sent back to the user (customer) over an SSL channel and verified. Only after the user confirms the transaction details in the client application is the transaction processed, which prevents the MITB attack from substituting transaction values unnoticed.

Phishing
Attack vector: The attacker targets users and fools them into entering their credentials into a fake website. This usually occurs when a criminal sends an email impersonating a customer service organization and asks recipients to click on a URL to perform account maintenance or verification. The link takes them to a fraudulent site, which prompts them for their valid credentials.
Protection offered by ArrayShield IDAS: In ArrayShield IDAS, the One-Time SecretCode the user derives and enters on the phishing site is not valid for the next transaction; it answers a CharacterArray that the genuine server did not issue for the attacker's session. Additionally, since the ArrayCard structure and its details are not available to the phishing site, the attacker cannot deduce the user's identity information (pattern and card details) from the phished response.

Pharming
Attack vector: The attacker poisons the DNS server and redirects users to the fraudulent website. Users do not suspect anything because the redirect happens even when the user selects the website from a saved favorite or actually types in the correct URL.
Protection offered by ArrayShield IDAS: The same protection applies as for phishing. The One-Time SecretCode entered on the pharming site is not valid for the next transaction, and since the ArrayCard structure and its details are not available to the pharming site, the attacker cannot deduce the user's identity information (pattern and card details) from the captured response.

Shoulder Surfing
Attack vector: Shoulder surfing is looking over someone's shoulder to get information about their identity. It is an effective way to get information in crowded places, because it is easy to stand next to someone and watch as they fill out a form. Shoulder surfing is a serious problem both when the user types a password directly and when the user enters it through a virtual keyboard; with a virtual keyboard it is relatively easy for the attacker to see the mouse clicks on the screen.
Protection offered by ArrayShield IDAS: An attacker who shoulder-surfs an ArrayShield IDAS user has to observe both the typed key sequence and the CharacterArray, and map one to the other before the user submits the page, in order to derive the user's pattern. Suppose the attacker observes that the user typed the character R: he has to locate R in the CharacterArray, scanning cell by cell across the grid. By the time he has located R, the user has typed the remaining characters of the One-Time SecretCode. Hence shoulder surfing is not an effective attack against the IDAS system.

Guessing
Attack vector: Guessing is the simplest attack on a user authentication system. One of the main problems with the username/password system is the selection of the password itself. Studies show that users pick passwords which are short and easy to remember. Often it is easy to break a user's password if personal information about them is known, and more often than not that information is widely known.
Protection offered by ArrayShield IDAS: In the ArrayShield IDAS pattern-based system, users choose patterns independently of their personal information. An attacker can still guess by trying the most frequently used patterns, such as corner cells, diagonals and knight moves, which are easy to adopt as patterns. But even if the attacker tries the easy patterns, he cannot get through authentication, because of the system's two-factor nature: he also has to guess the user's ArrayCard structure, and as the card structure is unique and randomly generated it cannot be guessed. Hence ArrayShield IDAS is resistant to guessing attacks.

Social Engineering
Attack vector: Social engineering is the act of manipulating people into revealing their private details, rather than breaking in or using technical cracking techniques. Examples are accessing the user's social media accounts, or calling the user on the phone to learn personal details and possibly authentication credentials.
Protection offered by ArrayShield IDAS: In the ArrayShield IDAS pattern-based system, users choose patterns independently of their personal information. Getting a user to describe a pattern over the phone is far harder than getting them to read out a password, which uninformed users do routinely. Additionally, the attacker would have to extract several identity details from the end user, the pattern as well as the card structure, which conventional social engineering attacks do not achieve.

Brute Force Attack
Attack vector: In a brute force attack an intruder tries all possible combinations to crack the user's secret, performing an exhaustive search of the complete space.
Protection offered by ArrayShield IDAS: The first variant of brute force is a string-based attack, in which the attacker ignores the CharacterArray and tries random strings as the One-Time SecretCode. Because the CharacterArray changes on every attempt, each try is a blind guess against a fresh array, so failed attempts do not accumulate into a converging search the way they do against a static password with a finite, fixed search space. Additionally, the IDAS system has built-in controls that restrict access to the account after a finite number of failed attempts.

Dictionary Attack
Attack vector: A dictionary attack is an improved version of brute force: instead of searching all possible combinations, the attacker searches only the possibilities the user is most likely to have selected.
Protection offered by ArrayShield IDAS: To mount a dictionary attack on the IDAS system the attacker has to construct dictionaries of patterns and of ArrayCard structures. Since the ArrayCard structure and values are pseudo-random, no useful dictionary of card structures can be built, making this attack ineffective against ArrayShield IDAS.

Comparison between ArrayShield IDAS and other authentication technologies in their capability to defend against various hacking attacks:

Column key: KL = Key logger; RR = Real-time Replay attack; MITB = Man in the Browser; PH = Phishing/Pharming; SS = Shoulder Surfing; GU = Guessing; SE = Social Engineering; DB = Dictionary/Brute Force attack

Technology                     KL   RR   MITB  PH   SS   GU   SE   DB
ArrayShield IDAS               Yes  Yes  Yes   Yes  Yes  Yes  Yes  Yes
Question & Answer based        No   No   No    No   No   No   No   No
Virtual Keyboard               Yes  No   No    No   No   No   No   No
Password                       No   No   No    No   No   No   No   No
Use of two passwords           No   No   No    No   No   No   No   No
Hardware Token                 Yes  No   No    Yes  Yes  Yes  Yes  Yes
Software Token                 Yes  No   No    Yes  Yes  Yes  Yes  Yes
Out of Band (SMS based OTP)    Yes  No   No    Yes  Yes  Yes  No   Yes

Yes – provides protection; No – doesn't provide complete protection

ABOUT ARRAYSHIELD
Array Shield Technologies makes software security products in the area of multi-factor authentication. The company's mission is to provide highly secure, cost-effective and easy-to-use software security solutions globally. For more information, visit www.arrayshield.com