Transecq ITA

Jun 19, 2015
The Transecq Platform is an interactive electronic security platform on your mobile phone. The software creates a secure authentication environment that can be used in a wide variety of applications.

The Transecq Platform™ uniquely identifies a mobile phone user and thus enables a secure channel between any institution and their customers.

This innovative technology makes it possible to transact, authenticate and send messages without the possibility of perpetrators intercepting the communication or taking action on someone else’s behalf, therefore eliminating fraud, identity theft, phishing and even SIM-cloning.
Tel. 678.466.6772 | [email protected] | www.transecq.com

Transecq

Two-Factor Authentication

The need for stronger authentication mechanisms

Establishing the true identity of an online user is often a tricky task. Traditionally, users have been identified by means of a username and password. Once these credentials are supplied, a user is usually granted unconditional access to the system. In the case of online transaction systems, it is vital that someone does not gain unauthorized access enabling them to commit some level of fraud.

As the Internet is becoming more central to everyone’s day-to-day life, an increasing number of services are being made available online. This includes sensitive services such as online banking, online purchases, restricted remote system access and many more. Along with this trend, fraud is also increasing at an alarming rate, exploiting the security loopholes in existing information infrastructure.

With the widespread use of exploits such as MITM (Man-In-The-Middle), MITB (Man-In-The-Browser), keystroke logging, phishing and various TEMPEST methods, additional means of online user identification and transaction verification become an absolute necessity. A username and password are no longer sufficient to identify a user.

The path to a viable solution

A user validation concept that has been around for a couple of years is two-factor authentication. A simple username and password employed for remote authentication are considered a single factor of authentication. By providing an additional, different means of authentication, a second factor is introduced into the authentication process, allowing two-factor (or multi-factor) authentication.

A true second factor is usually implemented as something a user has or possesses, while the traditional username and password (first factor) are things the user knows; a perpetrator would have to gain access to both the knowledge (passwords) and the physical item to be able to authenticate as someone else.

Hardware tokens are popular second factors. The user carries a small device capable of generating a unique authentication number (token) that is entered into the authentication platform. The system usually employs some mathematical method to determine whether this token indeed belongs to the specified user. So in addition to the facts the user should know (username and password), he also needs to be in possession of the hardware token device to successfully authenticate and gain access to the system.

Some problems do, however, exist around hardware tokens. Since the user is required to constantly carry the device, it is easily lost, which also impacts negatively on the mobile appeal of the solution. Furthermore, scalability becomes problematic, as do the considerable expenses involved in provisioning, managing and replacing all the physical hardware devices.

Mobile one-time passwords (OTPs) go a long way towards solving the problems of token devices. Technically, however, they are still very similar to hardware tokens. OTPs as a second factor of authentication are usually provisioned to a mobile phone via an SMS (text message) sent from the authentication system, normally a bank, and must be entered into the system to complete authentication.

Users always have their phones with them, and a unique bond between a user and a phone can easily be established. However, SMS messaging does have drawbacks. Being a store-and-forward technology, delivery delays often occur, and various loopholes for interception also cloud the integrity of this technology, especially since SMS content is sent in plaintext. Another important point is the cost of sending these messages to users. Banking institutions deploy significant resources to send and manage OTPs via SMS.

Various systems on the market generate an OTP on the mobile device itself, via applications written mostly in Java, although other platform-specific applications are not uncommon. This model eliminates the costs and problems around SMS OTP delivery, since the user is now capable of generating an OTP at any time, using only their mobile phone.
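The paper does not say which "mathematical method" a token or handset uses to produce an OTP that the server can tie to a specific user. As an added example (not Transecq's code, and not necessarily the scheme their products use), the block below implements the widely used HOTP algorithm from RFC 4226: the handset and the server share a secret at provisioning time, each OTP is an HMAC over a moving counter, and the server searches a small look-ahead window and then advances its counter so that a code entered once cannot be replayed. The secret and codes are the RFC's own test vectors; the look-ahead window size is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password from a shared secret and a
// counter: HMAC-SHA-1 over the 8-byte big-endian counter, dynamically
// truncated to a 31-bit integer, then reduced to the requested number of
// decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks the window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server-side record for one user's token or handset: the
// secret shared at provisioning time and the next counter value expected.
type Verifier struct {
	Secret  []byte
	Counter uint64
	// Window is how many counters ahead to search, because the user may have
	// generated codes on the device without submitting them (assumed value).
	Window int
}

// Verify checks a submitted OTP against the look-ahead window. On success the
// counter moves past the matching value, so the same OTP is rejected if
// replayed, and any older code below the new counter is rejected as well.
func (v *Verifier) Verify(otp string) bool {
	for i := 0; i <= v.Window; i++ {
		c := v.Counter + uint64(i)
		// constant-time comparison avoids leaking how many digits matched
		if hmac.Equal([]byte(HOTP(v.Secret, c, 6)), []byte(otp)) {
			v.Counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector secret
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d -> %s\n", c, HOTP(secret, c, 6))
	}
	v := &Verifier{Secret: secret, Window: 5}
	fmt.Println("first submission accepted:", v.Verify("755224"))
	fmt.Println("replay accepted:", v.Verify("755224"))
}
```

Note that this shows exactly the limitation the paper goes on to discuss: the server can tell that the code came from the right secret, but it cannot tell whether the user typed it into the real site or into a phishing page that relays it, because the code travels over the same channel as the password.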

Although a cost-effective and more convenient solution, this still does not address the most important shortcoming of OTPs. True two-factor authentication can only be reached when the second factor is totally out of band. Simply put, the second factor of authentication should not re-use the communication channel of the first factor (username and password). All OTP/token solutions rely on the token or number being entered into the same system the username and password were entered into. This simple fact exposes the system to a whole range of vulnerabilities for perpetrators to abuse. By successfully attacking the main communication channel (usually the Internet), perpetrators effectively compromise both authentication factors.

Gartner states in its report “Where Strong Authentication Fails and What You Can Do About It” (G00173132) that any authentication method relying on browser communications can be defeated. They further go on to note that even techniques relying on out-of-band phone calls can be thwarted because of the simplicity of forwarding a phone call to another number. The Transecq solution described in this paper is unique in that it adheres to all of Gartner’s recommendations and is impervious to the attacks plaguing the industry today.

A standard attack scenario can be described as follows: A user opens a phishing site masquerading as the real website. He supplies his username and password. The fake site immediately enters these credentials into the real site using an automated script, causing an OTP to be sent to the user’s phone (or prompting the user to generate an OTP from a token-generating device). At this stage any SiteKey or SurePhrase messages are also duplicated from the real site to the fake site, further strengthening the apparent legitimacy of the system. The fake site now prompts the user to enter the OTP they generated or have by now received from the real site. At this stage, the fake site has enough details to log in to the user’s account and transact fraudulently.

A two-factor solution can only be considered to employ strong authentication when the second factor is completely isolated and the complete loop is totally out of band with respect to the first factor. Only a system meeting these requirements would be truly reliable in maintaining authentication integrity.

Once authenticated, a user should additionally be required to authenticate certain key procedures within the online/remote session, for example making beneficiary payments in an online banking environment. SSL/TLS, although in essence still secure, is by itself no longer sufficient to protect against interception techniques that take advantage of software implementation vulnerabilities. Transaction verification therefore totally eliminates any kind of MITM and MITB attack, since each transaction is verified out of band in a secure and isolated authentication loop.

A novel way of authentication

Transecq’s Interactive Transaction Authentication (ITA) system is a complete solution to all the authentication problems plaguing the industry today, by approaching the problem holistically and enabling second-factor authentication with bidirectional (encrypted) out-of-band data transmission. ITA consists of a high-performance socket server receiving authentication requests from a workflow engine (through ISO 8583, OpenID, RADIUS, LDAP or SOAP) and relaying the messages to the corresponding user by sending them to an application on their mobile phone for approval by the user.

The ITA application on the mobile phone is available for the following platforms:

• J2ME (MIDP 2.0)

• Android

• iPhone

• BlackBerry

• Windows Mobile

• As a USSD network service for phones not supporting the above applications

[Figure: screenshots of the Transecq Mobile application on three handsets, each showing the prompt “Accept payment of $2495.95 from vendor GENSTORE?” with Accept and Reject buttons.]


[Figure: six-step transaction flow between the user, the bank secure area and the Transecq mobile aggregator. (1) The user submits a transaction request, “Transfer $100 to John Smith”. The bank secure area passes it to the Transecq mobile aggregator, which sends the transaction request to the user’s mobile: “Do you want to transfer $100 to John Smith?” The user responds Yes/No, and (6) the transaction is accepted or rejected; on Yes the user sees “Transfer successful”.]

The Transecq ITA platform can identify each mobile phone in the world uniquely by automatically issuing each client’s phone with a Digital Fingerprint, also called an X.509 client-side certificate enabling bilateral certificate validation, issued from Transecq’s trusted Certificate Authority. This certificate is stored on the client’s phone inside DRM-protected space.

Each transaction to approve (website login, beneficiary payment, etc.) is sent to the client’s phone, and a description of what the transaction entails is displayed to the user. He can choose to either Accept or Reject the transaction. The response is then cryptographically signed with the private key of the user’s certificate residing on the phone and sent down to the requesting server to be verified through PKI. This signature can then be used to ensure non-repudiation and prove the intent of any user pertaining to a specific transaction.

No matter what type of attack occurs (i.e. even if a transaction is changed or manipulated by a fraudster), the actual transaction occurring at the bank is sent directly to the specific user over an encrypted second band accessible only to the specific paired phone.

All attacks on other channels are negated as the user approves the actual transaction and will immediately discover any fraudulent attempt.
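The approval loop just described, as an added example that is not Transecq’s code and does not reproduce ITA’s wire format: the server pushes the transaction it is actually about to execute to the phone, the phone signs the user’s decision together with that transaction, and the server accepts only if the signed transaction equals the real one and the signature verifies under the enrolled key. The example assumes an ECDSA P-256 key pair standing in for the X.509 client certificate, a JSON-encoded transaction record, and that the online user PIN the paper mentions on page 4 is folded into the signed digest rather than transmitted; the field names, the sample transaction and the PIN are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// TransactionRequest is what the bank's workflow engine pushes to the phone.
// The field set is a constructed stand-in, not ITA's actual message format.
type TransactionRequest struct {
	ID          string `json:"id"`
	Amount      string `json:"amount"`
	Currency    string `json:"currency"`
	Beneficiary string `json:"beneficiary"`
}

// Approval is the phone's answer: the request exactly as shown to the user,
// the decision, and an ECDSA signature over both (with the PIN mixed in).
type Approval struct {
	Request   TransactionRequest `json:"request"`
	Decision  string             `json:"decision"` // "Accept" or "Reject"
	Signature []byte             `json:"signature"`
}

// Enrolment is what the server keeps per phone: the public key (the paper
// issues this inside an X.509 certificate; a bare key is used here as a
// simplification) and a hash of the user's online PIN.
type Enrolment struct {
	PublicKey *ecdsa.PublicKey
	PINHash   [32]byte
}

// Enrol generates the phone's key pair and the matching server-side record.
func Enrol(pin string) (*ecdsa.PrivateKey, Enrolment, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Enrolment{}, err
	}
	return priv, Enrolment{PublicKey: &priv.PublicKey, PINHash: sha256.Sum256([]byte(pin))}, nil
}

// digest binds request, decision and PIN hash into the value that is signed.
// Feeding the PIN hash into the digest (an assumed design) means the PIN never
// travels in the message, yet a wrong PIN yields an unverifiable signature.
func digest(req TransactionRequest, decision string, pinHash [32]byte) ([]byte, error) {
	body, err := json.Marshal(struct {
		Request  TransactionRequest `json:"request"`
		Decision string             `json:"decision"`
	}{req, decision})
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(body)
	h.Write(pinHash[:])
	return h.Sum(nil), nil
}

// SignDecision runs on the phone after the user has read req, chosen
// Accept/Reject and entered the PIN.
func SignDecision(priv *ecdsa.PrivateKey, req TransactionRequest, decision, pin string) (Approval, error) {
	d, err := digest(req, decision, sha256.Sum256([]byte(pin)))
	if err != nil {
		return Approval{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d)
	if err != nil {
		return Approval{}, err
	}
	return Approval{Request: req, Decision: decision, Signature: sig}, nil
}

// VerifyApproval runs at the bank. The transaction proceeds only if the signed
// request equals the one the bank is actually executing (so an approval cannot
// be reused for a transaction altered in the browser), the decision is Accept,
// and the signature verifies under the enrolled key and PIN hash.
func VerifyApproval(enr Enrolment, actual TransactionRequest, app Approval) bool {
	if app.Request != actual || app.Decision != "Accept" {
		return false
	}
	d, err := digest(app.Request, app.Decision, enr.PINHash)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(enr.PublicKey, d, app.Signature)
}

func main() {
	priv, enr, err := Enrol("4711") // constructed PIN
	if err != nil {
		panic(err)
	}
	actual := TransactionRequest{ID: "tx-1001", Amount: "100.00", Currency: "USD", Beneficiary: "John Smith"}
	app, err := SignDecision(priv, actual, "Accept", "4711")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine approval verifies:", VerifyApproval(enr, actual, app))
	altered := actual
	altered.Beneficiary = "Someone Else"
	fmt.Println("approval reused for an altered transaction verifies:", VerifyApproval(enr, altered, app))
}
```

The signature also gives the bank the non-repudiation evidence the paper refers to: the stored Approval, the enrolled public key and the transaction record are enough to show later that this phone, unlocked with this PIN, approved exactly this transaction.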


This system can be used as a real-time, second-factor, out-of-band authentication gateway for absolutely any digital action or transaction. User input is minimal, enhancing user experience and also eliminating human errors. This system has already been used to successfully secure the following types of transactions:

• Online web login and transactions (Internet Banking, Trading, etc.)

• Online Credit Card (Card Not Present) purchases tying into 3-D Secure

• Credit and Debit Card transactions at Point-of-Sale

• ATM (Automated Teller Machine) cash withdrawals

Advantages in using Transecq’s ITA system as opposed to other systems:

• Phishing, MITB, MITM, keystroke logging and any other forms of user impersonation are impossible

• Transaction rejections can immediately be flagged and the user contacted or the account placed under review

• Non-repudiation is ensured since each transaction is digitally signed by the user’s private key

• Self-service options may also be made available inside ITA applications: checking balances, activating/de-activating cards, changing limits

• The certificate is not tied to the SIM card (or phone number), so the user is free to change SIMs (for example when travelling overseas), and no pre-arrangement with mobile operators is necessary when using this system, since everything is stored on the handset, not the SIM

• All communications are packet data (IP based), which means that institutions save millions of dollars in SMS (text) costs

• The Transecq ITA application can be remotely launched on the user’s handset by binary SMS if necessary

• OTP mode (generated on the handset) when there is no GSM coverage

• Transactions can be pre-approved by a user using ITA, in cases where the user knows he will enter and transact in an area with poor GSM coverage

• ITA is completely scalable, and a single phone application grants the user access to all ITA-enabled institutions

• An online user PIN allows for additional protection and is embedded in the digital signature of approved transactions

• Bidirectional flow of transactions

In summary, Transecq provides true two-factor authentication, completely isolated out of band, and also fulfills the requirements for user convenience and usability, ensuring a healthy adoption rate crucial for successful implementation and sustained operation.

Transecq is the leading provider of global secure transaction authentication services.