Transecq
                                                                     Two-Factor Authentication
The need for stronger authentication mechanisms
Establishing the true identity of an online user is often a tricky task. Traditionally, users have been identified by means of a username and password. Once these credentials are supplied, a user is usually granted unconditional access to the system. In the case of online transaction systems, it is vital that nobody gains unauthorized access that would let them commit fraud.

As the Internet becomes more central to everyone's day-to-day life, an increasing number of services are being made available online. This includes sensitive services such as online banking, online purchases, restricted remote system access and many more. Along with this trend, fraud is also increasing at an alarming rate, exploiting the security loopholes in existing information infrastructure.

With the widespread use of attacks such as MITM (Man-in-the-Middle), MITB (Man-in-the-Browser), keystroke logging, phishing and various TEMPEST methods, additional means of online user identification and transaction verification become an absolute necessity. A username and password are no longer sufficient to identify a user.

The path to a viable solution
A user validation concept that has been around for a couple of years is two-factor authentication. A simple username and password employed for remote authentication is considered a single factor of authentication. By providing an additional, different means of authentication, a second factor is introduced into the authentication process, allowing two-factor (or multi-factor) authentication.

A true second factor is usually implemented as something the user has or possesses, while the traditional username and password (first factor) are things the user knows; a perpetrator would have to gain access to both the knowledge (passwords) and the physical item to be able to authenticate as someone else.

Hardware tokens are popular second factors. The user carries a small device capable of generating a unique authentication number (token) that can be entered into the authentication platform. The authentication server recomputes the expected value from a secret shared with that user's token and checks that the two match, which is how it determines that the token indeed belongs to the specified user. So in addition to the facts the user should know (username and password), he also needs to be in possession of the hardware token device to successfully authenticate and gain access to the system.

Some problems do, however, exist around hardware tokens. Since the user is required to constantly carry the device, it is easily lost, and it also impacts negatively on the mobile appeal of the solution. Furthermore, scalability becomes problematic, as do the considerable expenses involved in provisioning, managing and replacing all the physical hardware devices.

Mobile one-time passwords (OTPs) go a long way towards solving the problems of token devices. Technically, however, they are still very similar to hardware tokens. OTPs as a second factor of authentication are usually delivered to a mobile phone via an SMS (text message) sent from the authentication system, normally a bank, and must be entered into the system to complete authentication.

Users always have their phones with them, and a unique bond between a user and a phone can easily be established. However, SMS messaging does have drawbacks. Being a store-and-forward technology, delivery delays often occur, and several avenues for interception undermine the integrity of the channel, especially since SMS content is carried essentially in plaintext. Another important point is the cost of sending these messages to users: banking institutions deploy significant resources to send and manage OTPs via SMS.

Various systems in the market generate the OTP on the mobile device itself, via applications written mostly in Java, although other platform-specific applications are not uncommon. This model eliminates the costs and problems around SMS OTP delivery, since the user is now capable of generating an OTP at any time using only their mobile phone.




                                                  Tel. 678.466.6772 | info@transecq.com | www.transecq.com

Although a cost-effective and more convenient solution, this still does not address the most important shortcoming of OTPs. True two-factor authentication can only be reached when the second factor is totally out of band. Simply put, the second factor of authentication should not re-use the communication channel of the first factor (username and password). All OTP/token solutions rely on the token or number being entered into the same system into which the username and password were entered. This simple fact exposes the system to a whole range of vulnerabilities for perpetrators to abuse: by successfully attacking the main communication channel (usually the Internet), perpetrators effectively compromise both authentication factors.

Gartner states in its report "Where Strong Authentication Fails and What You Can Do About It" (G00173132) that any authentication method relying on browser communications can be defeated. They further note that even techniques relying on out-of-band phone calls can be thwarted, because of the simplicity of forwarding a phone call to another number. The Transecq solution described in this paper is unique in that it adheres to all of Gartner's recommendations and is impervious to the attacks plaguing the industry today.

A standard attack scenario can be described as follows. A user opens a phishing site masquerading as the real website and supplies his username and password. The fake site immediately enters these credentials into the real site using an automated script, causing an OTP to be sent to the user's phone (or prompting the user to generate an OTP from a token device). At this stage any SiteKey or SurePhrase messages are also duplicated from the real site to the fake site, further strengthening the apparent legitimacy of the fake site. The fake site now prompts the user to enter the OTP they generated, or have by now received from the real site. At this stage the fake site has everything it needs to complete the login on the real site and transact fraudulently: the OTP was entered into the same channel as the password, so the bank cannot tell that it arrived through a relay.

A novel way of authentication
Transecq's Interactive Transaction Authentication (ITA) system is a complete solution to all the authentication problems plaguing the industry today. It approaches the problem holistically and enables second-factor authentication with bidirectional, encrypted, out-of-band data transmission. ITA consists of a high-performance socket server that receives authentication requests from a workflow engine (through ISO 8583, OpenID, RADIUS, LDAP or SOAP) and relays them to the corresponding user by sending the messages to an application on their mobile phone for approval by the user.

The ITA application on the mobile phone is available for the following platforms:
•   J2ME (MIDP 2.0)
•   Android
•   iPhone
•   BlackBerry
•   Windows Mobile
•   As a USSD network service for phones not supporting the above applications
A truly secure two-factor solution can only be considered strong authentication when the second factor is completely isolated and the complete loop is totally out of band with respect to the first factor. Only a system meeting these requirements would be truly reliable in maintaining authentication integrity.

[Figure: the Transecq Mobile application on three handsets, each prompting "Accept payment of $2495.95 from vendor GENSTORE?" with Reject and Accept buttons.]

Once authenticated, a user should additionally be required to authenticate certain key procedures within the online/remote session, for example making beneficiary payments in an online banking environment. SSL/TLS, although still sound in principle, is by itself no longer sufficient to protect against interception techniques that take advantage of software implementation vulnerabilities, nor against MITB malware, which reads and alters the session inside the browser after TLS has already been removed. Out-of-band transaction verification therefore defeats MITM and MITB manipulation of a transaction: each transaction is verified in a separate, isolated authentication loop, so whatever an attacker changes in the browser channel, the details the user is asked to approve on the phone are the ones the bank actually received.





The Transecq ITA platform can identify each mobile phone in the world uniquely by automatically issuing each client's phone with a Digital Fingerprint, that is, an X.509 client-side certificate enabling bilateral (mutual) certificate validation, issued by Transecq's trusted Certificate Authority. This certificate is stored on the client's phone inside DRM-protected space.

Each transaction to approve (website login, beneficiary payment, etc.) is sent to the client's phone, and a description of what the transaction entails is displayed to the user. He can choose to either Accept or Reject the transaction. The response is then cryptographically signed with the private key corresponding to the user's certificate, which resides on the phone, and sent back to the requesting server to be verified through PKI. This signature can then be used to ensure non-repudiation and prove the intent of any user pertaining to a specific transaction.

No matter what type of attack occurs (even if a transaction is changed or manipulated by a fraudster), the actual transaction occurring at the bank is sent directly to the specific user over an encrypted second band accessible only to the specific paired phone.

All attacks on other channels are negated, as the user approves the actual transaction and will immediately discover any fraudulent attempt.
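The relay attack described earlier (a phishing site that forwards the password and the OTP in real time) and the signed Accept/Reject response described in this section, played against each other as an added example that is not Transecq's code. It assumes Ed25519 signatures in place of the X.509 certificate PKI the paper describes (the paper does not name the algorithm), a pipe-delimited canonical string as the signed message (a real deployment would use a proper encoding), and constructed transaction data; the `user` function stands in for the person reading the phone screen, which is the assumption the whole scheme rests on. The bank signs nothing here; what matters is that the phone signs the bank's copy of the details, not the attacker's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is the bank's own copy of what arrived on the web channel; this,
// not what the user believes they typed into a possibly fake page, goes to the phone.
type Transaction struct {
	ID          string // server-generated, single use
	Amount      string
	Beneficiary string
}

// canonical is the exact byte string the device signs. The decision is part of
// the message, so a signed ACCEPT answers this transaction and nothing else.
func canonical(tx Transaction, decision string) []byte {
	return []byte(fmt.Sprintf("txid=%s|amount=%s|to=%s|decision=%s",
		tx.ID, tx.Amount, tx.Beneficiary, decision))
}

// Approval is the signed answer the phone returns over the second channel.
type Approval struct {
	TxID     string
	Decision string // "ACCEPT" or "REJECT"
	Sig      []byte
}

// Device models the handset: the private key never leaves it.
type Device struct {
	priv ed25519.PrivateKey
	user func(tx Transaction) bool // the person reading the screen (constructed)
}

func (d *Device) Respond(tx Transaction) Approval {
	decision := "REJECT"
	if d.user(tx) {
		decision = "ACCEPT"
	}
	return Approval{TxID: tx.ID, Decision: decision,
		Sig: ed25519.Sign(d.priv, canonical(tx, decision))}
}

// Bank holds the public key enrolled for the phone and the pending transactions.
type Bank struct {
	pub     ed25519.PublicKey
	pending map[string]Transaction
	nextID  int
}

func (b *Bank) Submit(amount, beneficiary string) Transaction {
	b.nextID++
	tx := Transaction{ID: fmt.Sprintf("tx-%04d", b.nextID), Amount: amount, Beneficiary: beneficiary}
	b.pending[tx.ID] = tx
	return tx
}

// Settle consumes an Approval and reports whether the transfer executes. The
// pending entry is removed first (no replay), and the signature is checked over
// the bank's copy of the details (no transplanting onto another transfer).
func (b *Bank) Settle(a Approval) (bool, string) {
	tx, ok := b.pending[a.TxID]
	if !ok {
		return false, "unknown or already answered transaction"
	}
	delete(b.pending, a.TxID)
	if !ed25519.Verify(b.pub, canonical(tx, a.Decision), a.Sig) {
		return false, "signature does not match the transaction on file"
	}
	if a.Decision != "ACCEPT" {
		return false, "rejected by the user on the phone"
	}
	return true, "executed"
}

// RunScenarios plays the relay attack from the text against this scheme and
// reports, per scenario, whether money moved. The constructed user approves
// only the $100 payment to John Smith they actually intended.
func RunScenarios() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := &Bank{pub: pub, pending: map[string]Transaction{}}
	dev := &Device{priv: priv, user: func(tx Transaction) bool {
		return tx.Amount == "100.00" && tx.Beneficiary == "JOHN SMITH"
	}}
	out := map[string]bool{}
	good := bank.Submit("100.00", "JOHN SMITH") // 1. intended transfer; user accepts
	approval := dev.Respond(good)
	out["legitimate"], _ = bank.Settle(approval)
	out["replay"], _ = bank.Settle(approval) // 2. attacker re-sends the captured ACCEPT
	// 3. the phishing site, now holding the password, submits a mule payment;
	//    the phone shows the mule details, so the user rejects
	mule := bank.Submit("2495.95", "MULE ACCOUNT")
	out["manipulated"], _ = bank.Settle(dev.Respond(mule))
	// 4. the captured ACCEPT is attached to a fresh mule payment's ID
	mule2 := bank.Submit("2495.95", "MULE ACCOUNT")
	out["transplant"], _ = bank.Settle(Approval{TxID: mule2.ID, Decision: "ACCEPT", Sig: approval.Sig})
	return out
}
```

Only the legitimate scenario moves money. The two checks that matter are the ones OTP schemes lack: the signed bytes name the amount and payee the bank has on file, and every transaction can be answered exactly once. Note what the scheme does not do: if the constructed `user` returned true without reading the screen, scenario 3 would execute, which is why the phone must show the details plainly and why "user approves the actual transaction" in the text is the load-bearing step.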




[Figure: transaction flow between the user, the bank's secure area and the Transecq Mobile Aggregator. (1) The user submits "Transfer $100 to John Smith" as a transaction request to the bank's secure area. (2) The bank forwards the transaction request to the Transecq Mobile Aggregator. (3) The request is sent to the user's mobile, which displays "Do you want to transfer $100 to John Smith?". (4) The user answers Yes or No on the phone. (5) The aggregator returns the response to the bank. (6) The bank accepts or rejects the transaction and the user sees "Transfer successful".]





This system can be used as a real-time, second-factor, out-of-band authentication gateway for absolutely any digital action or transaction. User input is minimal, enhancing the user experience and also eliminating human errors. This system has already been used to successfully secure the following types of transactions:
•   Online web login and transactions (Internet Banking, Trading, etc.)
•   Online Credit Card (Card Not Present) purchases, tying into 3-D Secure
•   Credit and Debit Card Transactions at Point-of-Sale
•   ATM (Automated Teller Machine) cash withdrawals

Advantages of using Transecq's ITA system as opposed to other systems:
•   Phishing, MITB, MITM, keystroke logging and any other form of user impersonation are impossible
•   Transaction rejections can immediately be flagged and the user contacted or the account placed under review
•   Non-repudiation is ensured, since each transaction is digitally signed with the user's private key
•   Self-service options may also be made available inside ITA applications: checking balances, activating/de-activating cards, changing limits
•   The certificate is not tied to the SIM card (or phone number), so the user is free to change SIMs (for example when travelling overseas) and no pre-arrangement with mobile operators is necessary, since everything is stored on the handset, not the SIM
•   All communications are packet data (IP based), which means that institutions save millions of dollars in SMS (text) costs
•   The Transecq ITA application can be remotely launched on the user's handset by binary SMS if necessary
•   OTP mode (generated on the handset) when there is no GSM coverage
•   Transactions can be pre-approved by a user using ITA, in cases where the user knows he will enter and transact in an area with poor GSM coverage
•   ITA is completely scalable, and a single phone application grants the user access to all ITA-enabled institutions
•   An online user PIN allows for additional protection and is embedded in the digital signature of approved transactions
•   Bidirectional flow of transactions




In summary, Transecq provides true two-factor authentication that is completely isolated and out of band, and also fulfills the requirements for user convenience and usability, ensuring the healthy adoption rate crucial for successful implementation and sustained operation.
Transecq is the leading provider of global secure transaction
authentication services.



