Transecq ITA


The Transecq Platform is an interactive electronic security platform that runs on the user's mobile phone. The software creates a secure authentication environment that can be used in a wide variety of applications.

The Transecq Platform™ uniquely identifies a mobile phone user and thus enables a secure channel between any institution and its customers.

This technology makes it possible to transact, authenticate and send messages without perpetrators being able to intercept the communication or take action on someone else's behalf, thereby countering fraud, identity theft, phishing and even SIM cloning.


Transecq Two-Factor Authentication

The need for stronger authentication mechanisms

Establishing the true identity of an online user is often a tricky task. Traditionally, users have been identified by means of a username and password. Once these credentials are supplied, a user is usually granted unconditional access to the system. In the case of online transaction systems, it is vital that nobody gains unauthorized access that would enable them to commit fraud.

As the Internet becomes more central to everyone's day-to-day life, an increasing number of services are being made available online. This includes sensitive services such as online banking, online purchases, restricted remote system access and many more. Along with this trend, fraud is also increasing at an alarming rate, exploiting the security loopholes in the existing information infrastructure.

With the widespread use of attacks such as MITM (Man-in-the-Middle), MITB (Man-in-the-Browser), keystroke logging, phishing and various TEMPEST methods, additional means of online user identification and transaction verification have become an absolute necessity. A username and password are no longer sufficient to identify a user.

The path to a viable solution

A user validation concept that has been around for a couple of years is two-factor authentication. A simple username and password employed for remote authentication is considered a single factor of authentication. By providing an additional, different means of authentication, a second factor is introduced into the authentication process, allowing two-factor (or multi-factor) authentication.

A true second factor is usually implemented as something a user has or possesses, while the traditional username and password (first factor) are things the user knows; a perpetrator would have to gain access to both the knowledge (passwords) and the physical item to be able to authenticate as someone else.

Hardware tokens are popular second factors. The user carries a small device capable of generating a unique authentication number (token) that can be entered into the authentication platform. The system usually employs some mathematical method to determine whether this token indeed belongs to the specified user. So in addition to the facts the user should know (username and password), he also needs to be in possession of the hardware token device to successfully authenticate and gain access to the system.

Some problems do, however, exist around hardware tokens. Since the user is required to constantly carry the device, it is easily lost, and this also impacts negatively on the mobile appeal of the solution. Furthermore, scalability becomes problematic, as do the considerable expenses involved in provisioning, managing and replacing all the physical hardware devices.

Mobile one-time passwords (OTPs) go a long way towards solving the problems of token devices, although technically they are still very similar to hardware tokens. OTPs as a second factor of authentication are usually provisioned to a mobile phone via an SMS (text message) sent from the authentication system, normally a bank, and must be entered into the system to complete authentication. Users always have their phones with them, and a unique bond between a user and a phone can easily be established. However, SMS messaging does have drawbacks. Being a store-and-forward technology, delivery delays often occur, and various loopholes for interception also cloud the integrity of this technology, especially since SMS content is carried without end-to-end encryption. Another important point is the cost of sending these messages to users. Banking institutions deploy significant resources to send and manage OTPs via SMS.

Various systems in the market generate an OTP on the mobile device itself, via applications written mostly in Java, although other platform-specific applications are not uncommon. This model eliminates the costs and problems around SMS OTP delivery, since the user is now capable of generating an OTP at any time using only their mobile phone.
A novel way of authentication

Although a cost-effective and more convenient solution, this still does not address the most important shortcoming of OTPs. True two-factor authentication can only be reached when the second factor is totally out of band. Simply put, the second factor of authentication should not re-use the communication channel of the first factor (username and password). All OTP/token solutions rely on the fact that the token or number is entered into the same system the username and password were entered into. This simple fact exposes the system to a whole range of vulnerabilities for perpetrators to abuse. By successfully attacking the main communication channel (usually the Internet), perpetrators effectively compromise both authentication factors.

Gartner states in its report "Where Strong Authentication Fails and What You Can Do About It" (G00173132) that any authentication method relying on browser communications can be defeated. They further note that even techniques relying on out-of-band phone calls can be thwarted because of the simplicity of forwarding a phone call to another number. The Transecq solution described in this paper is unique in that it adheres to all of Gartner's recommendations and is designed to withstand the attacks plaguing the industry today.

A standard attack scenario can be described as follows. A user opens a phishing site masquerading as the real website and supplies his username and password. The fake site immediately enters these credentials into the real site using an automated script, causing an OTP to be sent to the user's phone (or prompting the user to generate an OTP from a token-generating device). At this stage any SiteKey or SurePhrase messages are also relayed from the real site to the fake site, further strengthening the apparent legitimacy of the fake site. The fake site now prompts the user to enter the OTP that they generated, or by now received from the real site. At this stage the fake site has enough details to log in to the user's account and transact fraudulently. Note that the OTP is only checked for equality with the value the bank issued; nothing in it is bound to the transaction the attacker then submits.

A truly secure two-factor solution can only be considered strong authentication when the second factor is completely isolated and the complete loop is totally out of band with respect to the first factor. Only a system meeting these requirements would be truly reliable in maintaining authentication integrity.

Once authenticated, a user should additionally be required to authenticate certain key procedures within the online/remote session, for example making beneficiary payments in an online banking environment. SSL/TLS, although in essence still secure, is by itself no longer sufficient to protect against interception techniques that take advantage of software implementation vulnerabilities; a man-in-the-browser operates inside the endpoint, after TLS has been terminated. Verifying each transaction out of band, in a secure and isolated authentication loop, therefore defeats MITM and MITB manipulation of the transaction's content.

Transecq's Interactive Transaction Authentication (ITA) system is a complete solution to the authentication problems plaguing the industry today. It approaches the problem holistically and enables second-factor authentication with bidirectional, encrypted, out-of-band data transmission. ITA consists of a high-performance socket server that receives authentication requests from a workflow engine (through ISO 8583, OpenID, RADIUS, LDAP or SOAP) and relays them to the corresponding user by sending the messages to an application on their mobile phone for approval.

The ITA application on the mobile phone is available for the following platforms:
• J2ME (MIDP 2.0)
• Android
• iPhone
• BlackBerry
• Windows Mobile
• As a USSD network service for phones not supporting the above applications

[Screenshot: the Transecq Mobile application prompting "Accept payment of $2495.95 from vendor GENSTORE?" with Reject and Accept buttons.]
The Transecq ITA platform can identify each mobile phone in the world uniquely by automatically issuing each client's phone with a Digital Fingerprint: an X.509 client-side certificate issued by Transecq's trusted Certificate Authority, enabling bilateral (mutual) certificate validation between phone and server. This certificate is stored on the client's phone inside DRM-protected space.

Each transaction to approve (website login, beneficiary payment, etc.) is sent to the client's phone, and a description of what the transaction entails is displayed to the user. He can choose to either Accept or Reject the transaction. The response is then cryptographically signed with the private key of the user's certificate residing on the phone and sent back to the requesting server to be verified through PKI. This signature can then be used to ensure non-repudiation and prove the intent of any user pertaining to a specific transaction.

No matter what type of attack occurs (even if a transaction is changed or manipulated by a fraudster), the actual transaction as received by the bank is sent directly to the specific user over an encrypted second band accessible only to the specific paired phone. All attacks on other channels are negated, as the user approves the actual transaction and will immediately discover any fraudulent attempt.

[Diagram: transaction approval flow between the user, the bank's secure area, Transecq, the aggregator and Transecq Mobile, in six steps: the user requests "Transfer $100 to John Smith"; the transaction request is relayed through Transecq and the aggregator to the user's mobile, which asks "Do you want to transfer $100 to John Smith?"; the yes/no response is returned; the transaction is accepted or rejected, and the user sees "Transfer successful".]
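The approval loop described above (the phone displays the transaction the bank actually holds, the user accepts or rejects, the reply is signed with the handset's private key and verified by the server) is easier to reason about in code, together with the in-band OTP weakness from the previous page. The following is an added example written for this page; it is not part of the original paper and not Transecq's code or protocol. It uses only the Go standard library. Everything specific is an assumption made for illustration: an ECDSA P-256 key stands in for the product's CA-issued X.509 certificate, the `Transaction` field layout, the `ITA-APPROVAL-v1:` domain tag, the accounts, amounts and the OTP value 482913 are constructed, and the user PIN the paper mentions is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Transaction is what the bank holds when it asks for approval; the nonce makes each request unique.
type Transaction struct {
	ID, Account, Beneficiary string
	AmountCents              int64
	Nonce                    [16]byte
}

// Digest hashes a canonical, length-prefixed encoding of exactly the fields the user is shown; bank and phone must agree on it.
func (tx Transaction) Digest() [32]byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(tx.ID), []byte(tx.Account), []byte(tx.Beneficiary), tx.Nonce[:]} {
		binary.Write(h, binary.BigEndian, uint32(len(f))) // length prefix: no delimiter ambiguity
		h.Write(f)
	}
	binary.Write(h, binary.BigEndian, tx.AmountCents)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Approval is the phone's signed answer. Sig covers approvalMessage(TxDigest, Decision), binding it
// to both the transaction and the decision, so a signed REJECT cannot be re-labelled as ACCEPT.
type Approval struct {
	TxDigest [32]byte
	Decision string // "ACCEPT" or "REJECT"
	Sig      []byte // DER-encoded ECDSA signature
}
func approvalMessage(d [32]byte, decision string) []byte {
	m := sha256.Sum256(append(append([]byte("ITA-APPROVAL-v1:"), d[:]...), decision...))
	return m[:]
}

// PhoneApprove models the handset: the user compares what is displayed with what they meant to send, and the app signs the decision.
func PhoneApprove(key *ecdsa.PrivateKey, shown, intended Transaction) (Approval, error) {
	decision := "REJECT"
	if shown.Account == intended.Account && shown.Beneficiary == intended.Beneficiary && shown.AmountCents == intended.AmountCents {
		decision = "ACCEPT"
	}
	d := shown.Digest()
	sig, err := ecdsa.SignASN1(rand.Reader, key, approvalMessage(d, decision))
	return Approval{TxDigest: d, Decision: decision, Sig: sig}, err
}

// VerifyApproval is the bank side: the answer must refer to the transaction the bank holds, verify under the enrolled key, and say ACCEPT.
func VerifyApproval(pub *ecdsa.PublicKey, tx Transaction, a Approval) bool {
	d := tx.Digest()
	if subtle.ConstantTimeCompare(d[:], a.TxDigest[:]) != 1 {
		return false
	}
	return ecdsa.VerifyASN1(pub, approvalMessage(d, a.Decision), a.Sig) && a.Decision == "ACCEPT"
}

// VerifyWithOTP models the in-band scheme the paper criticises: an equality check that knows nothing about the transaction.
func VerifyWithOTP(_ Transaction, issued, entered string) bool {
	return subtle.ConstantTimeCompare([]byte(issued), []byte(entered)) == 1
}

// Outcome records whether each scheme would execute the transfer in each scenario.
type Outcome struct{ OTPTampered, ITATampered, ITAFlipped, ITAGenuine, ITAReplay bool }
// RunScenario replays the paper's man-in-the-browser attack against both schemes on constructed sample data.
func RunScenario() (Outcome, error) {
	phoneKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment; the bank keeps the public key
	if err != nil {
		return Outcome{}, err
	}
	pub, nonce := &phoneKey.PublicKey, func() (n [16]byte) { rand.Read(n[:]); return }
	intended := Transaction{ID: "T1", Account: "ACC-001", Beneficiary: "JOHN SMITH", AmountCents: 10000, Nonce: nonce()}
	tampered := Transaction{ID: "T1", Account: "ACC-001", Beneficiary: "MULE ACCOUNT 7731", AmountCents: 249595, Nonce: intended.Nonce} // what the malware submitted; only this reaches the bank
	later := Transaction{ID: "T2", Account: "ACC-001", Beneficiary: "JOHN SMITH", AmountCents: 10000, Nonce: nonce()}                     // a later request with the same details
	rej, err1 := PhoneApprove(phoneKey, tampered, intended) // the phone shows the mule account; the user rejects
	acc, err2 := PhoneApprove(phoneKey, intended, intended) // honest transfer
	if err1 != nil || err2 != nil {
		return Outcome{}, fmt.Errorf("signing failed: %v %v", err1, err2)
	}
	return Outcome{
		OTPTampered: VerifyWithOTP(tampered, "482913", "482913"), // SMS code copied into the infected browser
		ITATampered: VerifyApproval(pub, tampered, rej),
		ITAFlipped:  VerifyApproval(pub, tampered, Approval{TxDigest: rej.TxDigest, Decision: "ACCEPT", Sig: rej.Sig}),
		ITAGenuine:  VerifyApproval(pub, intended, acc),
		ITAReplay:   VerifyApproval(pub, later, acc), // captured ACCEPT presented for the new request
	}, nil
}

func main() {
	o, err := RunScenario()
	fmt.Printf("%+v %v\n", o, err) // {OTPTampered:true ITATampered:false ITAFlipped:false ITAGenuine:true ITAReplay:false} <nil>
}
```

Two things are worth noticing when running it. The OTP check returns the same result whatever transaction the malware submitted, which is exactly the gap the relay scenario exploits. The signed approval fails on any of three grounds the text relies on: the digest the phone signed must be the digest of the transaction the bank holds (so a swapped or replayed approval is refused), the signature must cover the decision (so a REJECT cannot be relabelled), and the decision must be ACCEPT. Binding the signature to a canonical encoding of exactly what the user was shown is the step that matters; a signature over a bare "ACCEPT", or over a server-chosen opaque ID that is not displayed, would re-open the man-in-the-browser gap.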
This system can be used as a real-time, second-factor, out-of-band authentication gateway for any digital action or transaction. User input is minimal, enhancing the user experience and also eliminating human errors. This system has already been used to successfully secure the following types of transactions:
• Online web login and transactions (Internet banking, trading, etc.)
• Online credit card (card-not-present) purchases, tying into 3-D Secure
• Credit and debit card transactions at point of sale
• ATM (Automated Teller Machine) cash withdrawals

Advantages of using Transecq's ITA system as opposed to other systems:
• Phishing, MITB, MITM, keystroke logging and other forms of user impersonation are defeated, since the user approves the actual transaction out of band
• Transaction rejections can immediately be flagged and the user contacted or the account placed under review
• Non-repudiation is ensured, since each transaction is digitally signed with the user's private key
• Self-service options may also be made available inside ITA applications: checking balances, activating/de-activating cards, changing limits
• The certificate is not tied to the SIM card (or phone number), so the user is free to change SIMs (for example when travelling overseas), and no pre-arrangement with mobile operators is necessary, since everything is stored on the handset, not the SIM
• All communications are packet data (IP based), which means that institutions save millions of dollars in SMS (text) costs
• The Transecq ITA application can be remotely launched on the user's handset by binary SMS if necessary
• OTP mode (generated on the handset) when there is no GSM coverage; note that this fallback is an in-band OTP and does not have the out-of-band property described above
• Transactions can be pre-approved by a user using ITA, in cases where the user knows he will enter and transact in an area with poor GSM coverage
• ITA is completely scalable, and a single phone application grants the user access to all ITA-enabled institutions
• An online user PIN allows for additional protection and is embedded in the digital signature of approved transactions
• Bidirectional flow of transactions

In summary, Transecq provides true two-factor authentication, completely isolated and out of band, and also fulfils the requirements for user convenience and usability, ensuring a healthy adoption rate crucial for successful implementation and sustained operation.

Transecq is the leading provider of global secure transaction authentication services.

Tel. 678.466.6772