Dramatic Breakthrough in Out of Band Authentication
[author:Sestus Data Corporation Public time:May 23, 2006] |
|
Authentication typically occurs on the same communication channel that is used to facilitate transactions. A bank customer is authenticated on the bank’s website and then proceeds to transact their business on that same website. This is referred to as "in band" authentication.
"Out of band" authentication refers to the use of an alternate communication channel, such as a telephone, to deliver information used in the authentication process.
In the wake of the FFIEC recent guidance urging stronger authentication, financial institutions are increasingly looking at "out of band" authentication methods. Unfortunately, most "out of band" authentication methods are as vulnerable to fraud as their "in band" cousins.
Recently, Symantec Corporation published a report on the proceedings of the AVAR 2005 Conference entitled "Phishing In The Middle Of The Stream - Today’s Threats To Online Banking". In their report, Symantec shook the banking community by confirming the vulnerabilities of in-band approaches such as Passmark Sitekey, as well as for the first time discussing the vulnerabilities of out-of-band approaches.
So, what is the problem with delivering authentication information through out-of-band communication channels? As noted by Symantec, there is nothing wrong with the delivery method. The problem lies with the nature of the information that is being delivered.
Most out-of-band approaches send some form of temporary password to a customer’s remote telephone, pager, or other SMS device.
The problem lies with the fact that a customer’s online transaction might be affected without their knowledge by malware on their computer, by a man-in-the-middle phishing website, or by a fraudster’s control of a proxy server. In such circumstances, the customer believes the authentication code they have received on their telephone is approving their intended transaction when, in fact, the code is being used to approve an altered transaction.
On May 22, 2006, Sestus Data Corporation announced the release of its long awaited PhishCops SAFE(tm) out-of-band authentication solution. PhishCops SAFE(tm) is the world’s first SMS Authentication Facilitation Engine capable of solving the problem of altered transactions. Instead of trying to prevent fraudsters from altering a customer’s transaction, PhishCops SAFE(tm) generates an approval code which will only approve an "unaltered" transaction. If any part of the transaction is altered by fraudsters, the approval code will fail to approve the altered transaction.
Since the PhishCops SAFE(tm) approval code will only approve an UNALTERED transaction, it no longer matters whether the customer supplies the approval code, or the identity thief captures and supplies the approval code for them.
PhishCops SAFE(tm) represents a drastic paradigm shift in out-of-band authentication. It is destined to radically change the dynamics of the war against online identity theft. For its ground-breaking solution to the problem of online identity theft, the U.S. government has named PhishCops(tm) a semi-finalist for the Homeland Security Award.
Printed From:http://www.free-press-release.com/news/200605/1148415673.html
Source:Free Press Release
Similar news >>
Google Launches Global Privacy Crusade [Sep 15, 2007]
ClearLogicGroup sponsors Free Lunch Seminar in Reno, Nevada on CAD Drafting Project Management for C [Jun 10, 2006]
Senforce is Key Enabling Technology in First DITSCAP Secure Wireless Network Solution
[Apr 13, 2005]
THE U.S. DEPARTMENT OF JUSTICE SELECTS SENFORCE SECURITY SOLUTIONS [Nov 22, 2004]
|
|
