User name and password doesn't cut it anymore in the world of online financial transactions. New federal rules call for multi-factor authentication schemes to combat growing threats. The latest multi-factor measures focus on biometrics, advanced analytics, and out-of-band techniques utilising smartphones.
One serious threat on the horizon is the man-in-the-browser (MITB) attack. In this example:
1. Alice requests transfer of $1,000 to Bob.
2. MITB alters transfer request to transfer $21,000 to Fred.
3. MITB submits fraudulent request to bank.
4. Bank requests confirmation of transfer of $21,000 to Fred.
5. MITB alters confirmation page to present user with original request.
6. Alice reviews the transaction details and confirms request.
7. Bank transfers $21,000 to Fred.
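One countermeasure to the MITB flow above is to confirm on a separate device and bind the confirmation code to the payee and amount the bank actually received, so a rewritten browser page cannot hide the change. The following Python is an added example, not code from the article or from any vendor it mentions; the HMAC construction, the function names and the demo key are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret: stands in for a key provisioned to the user's phone at enrolment.
DEVICE_KEY = secrets.token_bytes(32)


def confirmation_code(key, payee, amount_cents, nonce):
    """6-digit code bound to one exact payee, amount and bank-issued nonce."""
    msg = json.dumps([payee, amount_cents, nonce]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_challenge(received):
    """Bank: send the details it actually received to the phone, not to the browser."""
    return {**received, "nonce": secrets.token_hex(8)}


def phone_respond(key, challenge, intended):
    """Phone: display the bank's view; the user releases a code only if it matches intent."""
    shown = (challenge["payee"], challenge["amount_cents"])
    if shown != (intended["payee"], intended["amount_cents"]):
        return None  # user sees "Fred, $21,000" on the phone and declines
    return confirmation_code(key, *shown, challenge["nonce"])


def bank_verify(key, received, challenge, code):
    """Bank: recompute over the request it is about to execute; constant-time compare."""
    if code is None:
        return False
    expected = confirmation_code(key, received["payee"], received["amount_cents"],
                                 challenge["nonce"])
    return hmac.compare_digest(expected, code)


def run(intended, received):
    """True if the bank would execute `received`, given what the user intended."""
    challenge = bank_challenge(received)
    code = phone_respond(DEVICE_KEY, challenge, intended)
    return bank_verify(DEVICE_KEY, received, challenge, code)


alice = {"payee": "Bob", "amount_cents": 100_000}          # what Alice typed
tampered = {"payee": "Fred", "amount_cents": 2_100_000}    # what reached the bank
print("untampered executes:", run(alice, alice), "| tampered executes:", run(alice, tampered))
```

The check only helps if the phone channel is independent of the compromised browser and the user actually reads the details shown there.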
Man-in-the-Middle (MITM) attack
Man-in-the-middle attacks use various social engineering techniques to intercept user credentials and commit fraudulent actions completely under the radar. How MITM attacks work:
1. User clicks on link in a phishing email, goes to MITM site and enters credentials (including token-generated one-time password).
2. MITM site connects with bank site and impersonates legitimate user using phished credentials.
3. Bank site grants MITM account access.
4. MITM displays phony page stating system is unavailable, or waits until user wants to log off, then displays phony page confirming log-off.
CA Arcot's RiskFort
CA Arcot's RiskFort provides a sophisticated risk evaluation process that assesses the risk of a specific transaction and increases the level of authentication required.
Arcot Administrative Console
CA Arcot RiskFort administrator console is where the rules and risk-scores are created, edited, and managed.
WebFort authentication server
The CA Arcot WebFort authentication server applies authentication policies, issues notifications and alerts and creates reports.
From the user perspective
With the CA ArcotID secure software credentials, users gain the improved security of multi-factor authentication without changing their familiar user name and password log-in experience. Unlike other multi-factor authentication methods that often require extra steps such as obtaining and typing in a one-time password, CA ArcotID strengthens the user name and password authentication process by transparently providing software-only, public key infrastructure-based, multi-factor authentication.
Confident Technologies uses the power of the grid
The first time users enroll with a website or online business, they select a few authentication categories that they can remember such as dogs, cars, flowers, etc.
When two-factor authentication is needed, a randomly-generated grid of images displays on the user's mobile phone (using MMS, WAP, or an SMS hyperlink that is opened within the mobile browser).
The specific images displayed are different every time, but the users' categories are always the same; for example, the category FOOD shows tomatoes on the first grid and strawberries on the second grid. This makes it difficult for others to determine users' secret categories.
Tap or type to verify
Users authenticate by correctly identifying which images fit their chosen categories. They can tap the appropriate images on the touch screen display or, if users don't have a touch screen device, they can type the corresponding letters using their mobile keypad (optionally, letters can be displayed).
Screen displays successful authentication text and icon (check mark in green circle). Even if others gain possession of the mobile phone or intercept the communication, they cannot authenticate because the one-time password is encrypted within the images.
Entrust offers multiple factors
One method of multi-factor authentication is Transaction Verification, where Entrust does real-time transaction verification on users' mobile devices.
Mobile soft tokens placed on mobile devices can serve as an authenticator to enterprise networks, applications, and resources.
Entrust also delivers digital certificates deployed directly to mobile devices so organisations can authenticate the device before it connects to a network.
SMS one-time passcodes
Using existing SMS technology for mobile devices can be a convenient and low-cost method of authentication.
Entrust's patented grid-based authentication is yet another wrinkle of multi-factor authentication.
PhoneFactor's out-of-band answer
Once users enter their username and password, PhoneFactor instantly places an automated phone call to the users' registered phone number. Users simply answer the call and press # (the pound sign) to complete their login.
Adding a PIN to the pound
PhoneFactor can also provide an additional layer of protection by requiring users to enter a PIN to authenticate.
PhoneFactor also allows users to authenticate via SMS text; that is, PhoneFactor sends users a one-time passcode in an SMS text message, then users simply reply to the text message with the pass code to authenticate.
Three-factor voice-based authentication
Biometric voice authentication delivers the strongest level of authentication. PhoneFactor simultaneously verifies something users have (their telephone) and something users are (their voiceprint) for the second and third factors of authentication.
Users can instantly report fraudulent activity on their accounts by choosing the fraud alert option during the authentication call, which blocks access to their account and triggers an email to your security team.