User name and password don't cut it anymore in the world of online financial transactions. New federal rules call for multi-factor authentication schemes to combat growing threats. The latest multi-factor measures focus on biometrics, advanced analytics, and out-of-band techniques that use smartphones.

PhoneFactor's out-of-band answer
Once users enter their username and password, PhoneFactor instantly places an automated phone call to the user's registered phone number. Users simply answer the call and press # (the pound sign) to complete their login.
Users can also instantly report fraudulent activity on their accounts by choosing the fraud alert option during the authentication call, which blocks access to the account and triggers an email to your security team.

Adding a PIN to the pound
PhoneFactor can also provide an additional layer of protection by requiring users to enter a PIN on the phone keypad during the call, rather than just pressing #, before the login completes.

SMS one-time passcodes
PhoneFactor also allows users to authenticate via SMS text: PhoneFactor sends users a one-time passcode in an SMS text message, and users reply to the text message with the passcode to authenticate. Using existing SMS technology for mobile devices can be a convenient and low-cost method of authentication, though a passcode sent and returned over SMS is only as strong as the SMS channel and the carrier's control of the phone number.

Three-factor voice-based authentication
Biometric voice authentication is PhoneFactor's strongest option. In a single call it verifies something users have (their telephone) and something users are (their voiceprint); together with the password (something users know), those are the second and third factors.

Confident Technologies uses the power of the grid
The first time users enroll with a website or online business, they select a few authentication categories that they can remember, such as dogs, cars, or flowers.
When two-factor authentication is needed, a randomly generated grid of images is displayed on the user's mobile phone (via MMS, WAP, or an SMS hyperlink that is opened in the mobile browser).
The specific images displayed are different every time, but the user's categories are always the same; for example, the category FOOD might show tomatoes on the first grid and strawberries on the second. This makes it difficult for others to determine users' secret categories.

Tap or type to verify
Users authenticate by correctly identifying which images fit their chosen categories. They can tap the appropriate images on a touch-screen display or, on a device without a touch screen, type the corresponding letters on the mobile keypad (letters can optionally be displayed on the images).
The screen then shows a successful-authentication message and icon (a check mark in a green circle). Even if someone gains possession of the mobile phone or intercepts the grid in transit, they cannot authenticate: the one-time password is carried in the images themselves, and only a person who knows the secret categories can read it out of them.

Entrust offers multiple factors
One method of multi-factor authentication is Transaction Verification, where Entrust performs real-time verification of the transaction on the user's mobile device.
Entrust's patented grid-based authentication is yet another variant of multi-factor authentication.
Mobile soft tokens placed on mobile devices can serve as an authenticator to enterprise networks, applications, and resources.
Entrust also delivers digital certificates deployed directly to mobile devices so organizations can authenticate the device before it connects to a network.

Man-in-the-Middle (MITM) attack
Man-in-the-middle attacks use various social engineering techniques to intercept user credentials and commit fraudulent actions completely under the radar. How MITM attacks work:
1. The user clicks a link in a phishing email, lands on the MITM site and enters credentials (including the token-generated one-time password).
2. The MITM site connects to the bank site and impersonates the legitimate user with the phished credentials.
3. The bank site grants the MITM account access.
4. The MITM displays a phony page stating that the system is unavailable, or waits until the user wants to log off and then displays a phony page confirming the log-off.
The lesson of step 1 is that a one-time password stops a captured credential from being replayed later, but not from being relayed right away: the attacker uses it before it expires.

Man-in-the-browser (MITB) attack
One serious threat on the horizon is the man-in-the-browser (MITB) attack, in which malware inside the user's own browser rewrites what is sent to the bank and what is shown to the user. In this example:
1. Alice requests a transfer of $1,000 to Bob.
2. The MITB alters the transfer request to $21,000 to Fred.
3. The MITB submits the fraudulent request to the bank.
4. The bank requests confirmation of a transfer of $21,000 to Fred.
5. The MITB alters the confirmation page to present the user with her original request.
6. Alice reviews the transaction details and confirms the request.
7. The bank transfers $21,000 to Fred.
Because the confirmation in step 4 is displayed in the same compromised browser, Alice's review in step 6 checks nothing. A confirmation delivered out of band that states the amount and payee as the bank recorded them, as in the transaction verification described above, gives her a view the malware cannot rewrite.

CA Arcot's RiskFort is built to prevent these types of attacks
CA Arcot's RiskFort provides a sophisticated risk evaluation process that assesses the risk of a specific transaction and increases the level of authentication required accordingly.

Arcot Administrative Console
The CA Arcot RiskFort administrative console is where the rules and risk scores are created, edited, and managed.

WebFort authentication server
The CA Arcot WebFort authentication server applies authentication policies, issues notifications and alerts, and creates reports.
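The image-grid scheme in the Confident Technologies slides, as an added Python example written for this page (not Confident Technologies' code or any vendor's; the image pool, the 12-cell grid size, the two-images-per-category layout and the letter labels are constructed assumptions). It covers categories chosen at enrollment, a fresh random grid for every login, verification of a tapped or typed reply, and, as a caveat the slides do not mention, what an eavesdropper who captures both a grid and its reply can learn.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    letter: str      # keypad label shown on the image ("A".."L")
    category: str    # known to the server only; never sent to the phone
    image: str       # what the user actually sees


# Constructed image pool with hypothetical names; a real deployment uses many more.
IMAGE_POOL = {
    "dogs":    ["beagle", "collie", "poodle", "husky"],
    "cars":    ["sedan", "coupe", "pickup", "roadster"],
    "flowers": ["tulip", "rose", "daisy", "orchid"],
    "food":    ["tomato", "strawberry", "bagel", "pretzel"],
    "tools":   ["hammer", "wrench", "saw", "drill"],
    "boats":   ["canoe", "yacht", "ferry", "kayak"],
}
IMAGES_PER_CATEGORY = 2                                # 6 categories x 2 = 12 cells
GRID_SIZE = len(IMAGE_POOL) * IMAGES_PER_CATEGORY
LETTERS = string.ascii_uppercase[:GRID_SIZE]


def enroll(categories):
    """Enrollment secret: the categories the user promises to remember."""
    chosen = frozenset(categories)
    unknown = chosen - set(IMAGE_POOL)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    if not 1 <= len(chosen) < len(IMAGE_POOL):
        raise ValueError("pick at least one category, but not all of them")
    return chosen


def make_grid():
    """Fresh grid for one login. Every category appears IMAGES_PER_CATEGORY times
    with randomly chosen images in random order, so the grid alone says nothing
    about which categories any particular user enrolled."""
    cells = []
    for category, images in IMAGE_POOL.items():
        picked = set()
        while len(picked) < IMAGES_PER_CATEGORY:
            picked.add(secrets.choice(images))
        cells.extend((category, img) for img in picked)
    # Fisher-Yates with secrets; random.shuffle is not backed by a CSPRNG
    for i in range(len(cells) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        cells[i], cells[j] = cells[j], cells[i]
    return [Cell(letter, cat, img) for letter, (cat, img) in zip(LETTERS, cells)]


def expected_response(grid, secret):
    """The one-time answer for this grid: letters of every cell in a secret category."""
    return frozenset(c.letter for c in grid if c.category in secret)


def verify(grid, secret, typed):
    """typed: letters typed on the keypad (a string) or tapped (any iterable), any order."""
    answer = frozenset(ch.upper() for ch in typed if ch.strip())
    return answer == expected_response(grid, secret)


def infer_categories(observations):
    """Caveat: whoever captures BOTH a grid and the reply to it learns the categories.
    observations: list of (grid, typed) pairs; returns the categories consistent with all."""
    possible = set(IMAGE_POOL)
    for grid, typed in observations:
        letters = {ch.upper() for ch in typed if ch.strip()}
        possible &= {c.category for c in grid if c.letter in letters}
    return frozenset(possible)


if __name__ == "__main__":
    secret = enroll(["dogs", "cars", "flowers"])
    grid = make_grid()
    for c in grid:
        print(f"{c.letter}: {c.image}")
    answer = "".join(sorted(expected_response(grid, secret)))
    print("user replies:", answer)
    print("verified:", verify(grid, secret, answer))
    print("eavesdropper infers:", sorted(infer_categories([(grid, answer)])))
```

Intercepting the grid alone is useless, as the slide says: the reply for the next grid is different. But the reply is a statement about which cells belong to the secret categories, so capturing one grid together with its reply (in this constructed layout, where every category is present on every grid) reveals the categories outright; larger pools that omit categories from a given grid only spread the leak over more sessions. Grid and reply therefore deserve the same confidentiality as a password.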
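The seven-step MITB sequence and the fraud-alert option above, as an added Python example written for this page (not PhoneFactor's, Entrust's or any bank's code; the transfer values come from the sequence, while the key shared with the out-of-band service, the 6-digit code derivation and the message layout are assumptions). It runs the steps twice: once with a bare "confirm" that shows Alice no details on her phone, and once with the amount and payee, as the bank recorded them, in the out-of-band message.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    amount: int          # whole dollars
    payee: str


@dataclass(frozen=True)
class OOBMessage:
    """What reaches the phone. details is None for a bare 'press # to confirm'."""
    pending_id: str
    code: str
    details: Optional[Transfer]


# Constructed from the sequence: what Alice typed, and what the malware sent instead.
ALICE_INTENT = Transfer(1000, "Bob")
MITB_REWRITE = Transfer(21000, "Fred")


def canonical(tx):
    # \x1f (unit separator) cannot appear in a payee name, so the encoding is unambiguous
    return f"{tx.amount}\x1f{tx.payee}".encode()


class Bank:
    """Server side. phone_key stands in for a secret the out-of-band service shares
    with the bank at enrollment (an assumption of this example, not a vendor design)."""

    def __init__(self):
        self.phone_key = secrets.token_bytes(32)
        self.pending = {}        # pending_id -> Transfer exactly as received
        self.ledger = []
        self.locked = False
        self.alerts = []

    def _code(self, pending_id, tx):
        """6-digit code bound to this pending transfer (amount, payee, id), so a code
        issued for one transfer is never valid for another; derived, not stored."""
        mac = hmac.new(self.phone_key, pending_id.encode() + canonical(tx),
                       hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def submit(self, tx, details_in_oob):
        """Steps 3 and 4: record the request as received and page the phone."""
        pending_id = secrets.token_hex(8)
        self.pending[pending_id] = tx
        return OOBMessage(pending_id, self._code(pending_id, tx),
                          tx if details_in_oob else None)

    def confirm(self, pending_id, code):
        """Step 7: execute only with the right code for the recorded transfer.
        One attempt per pending transfer: a wrong code voids it, which bounds guessing."""
        tx = self.pending.pop(pending_id, None)
        if tx is None or self.locked:
            return False
        if not hmac.compare_digest(code, self._code(pending_id, tx)):
            return False
        self.ledger.append(tx)
        return True

    def fraud_alert(self, pending_id):
        """The fraud-alert option: drop the transfer, block the account, notify security."""
        self.pending.pop(pending_id, None)
        self.locked = True
        self.alerts.append(f"fraud reported on pending transfer {pending_id}")


def alice_on_phone(msg, browser_page, intent=ALICE_INTENT):
    """Step 6. Alice compares the details she is shown with what she meant to send.
    Only the phone message is out of the malware's reach; the browser page is not."""
    shown = msg.details if msg.details is not None else browser_page
    return msg.code if shown == intent else "FRAUD"


def run_scenario(mitb, details_in_oob):
    """Returns (ledger, locked). mitb=True: malware rewrites the request (steps 2 and 5)."""
    bank = Bank()
    submitted = MITB_REWRITE if mitb else ALICE_INTENT
    msg = bank.submit(submitted, details_in_oob)
    browser_page = ALICE_INTENT        # step 5: the browser always shows her own request
    reply = alice_on_phone(msg, browser_page)
    if reply == "FRAUD":
        bank.fraud_alert(msg.pending_id)
    else:
        bank.confirm(msg.pending_id, reply)
    return bank.ledger, bank.locked


if __name__ == "__main__":
    print("press-# style, MITB present:", run_scenario(mitb=True, details_in_oob=False))
    print("details on phone, MITB present:", run_scenario(mitb=True, details_in_oob=True))
```

With `details_in_oob=False` the phone adds a second factor but no second view, and the rewritten transfer goes through exactly as in step 7; with the bank's own record of amount and payee in the message, Alice sees $21,000 to Fred, picks the fraud option, and the account is locked with an alert queued for the security team.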
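The rule-and-score evaluation that the RiskFort slides describe, as an added Python example written for this page rather than taken from CA Arcot (the rule names, weights, thresholds and transaction fields are all assumptions). It scores three constructed attempts: a routine transfer, a transfer made while travelling, and a session shaped like step 2 of the MITM sequence, where the attacker's own server, not the user's device, connects to the bank.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Context:
    """Facts the bank knows about one transaction attempt (constructed fields)."""
    amount: int
    typical_amount: int            # the user's usual transfer size, from history
    new_payee: bool
    device_known: bool             # browser/device fingerprint seen before
    country: str
    home_country: str
    minutes_since_last_login: int
    last_login_country: str


@dataclass(frozen=True)
class Rule:
    name: str
    score: int
    test: Callable[[Context], bool]


# A rule set an administrator would maintain in a console; weights are assumptions.
RULES: List[Rule] = [
    Rule("unknown device", 30, lambda c: not c.device_known),
    Rule("new payee", 20, lambda c: c.new_payee),
    Rule("amount > 5x typical", 35, lambda c: c.amount > 5 * c.typical_amount),
    Rule("foreign country", 25, lambda c: c.country != c.home_country),
    Rule("impossible travel", 50,
         lambda c: c.country != c.last_login_country and c.minutes_since_last_login < 120),
]
STEP_UP_AT, DENY_AT = 40, 90


def score(ctx: Context, rules=RULES) -> Tuple[int, List[str]]:
    """Total risk score and the names of the rules that fired, in rule order."""
    fired = [r for r in rules if r.test(ctx)]
    return sum(r.score for r in fired), [r.name for r in fired]


def decide(ctx: Context, rules=RULES):
    """ALLOW: password is enough. STEP_UP: require out-of-band transaction
    verification on the user's phone. DENY: refuse the transaction and alert."""
    total, reasons = score(ctx, rules)
    if total >= DENY_AT:
        action = "DENY"
    elif total >= STEP_UP_AT:
        action = "STEP_UP"
    else:
        action = "ALLOW"
    return action, total, reasons


# Constructed sample attempts.
ROUTINE = Context(amount=200, typical_amount=300, new_payee=False, device_known=True,
                  country="US", home_country="US",
                  minutes_since_last_login=600, last_login_country="US")
TRAVELLING = Context(amount=900, typical_amount=300, new_payee=True, device_known=True,
                     country="FR", home_country="US",
                     minutes_since_last_login=1440, last_login_country="US")
# MITM step 2: the phishing server logs in with the phished credentials and OTP,
# so the device, location and timing belong to the attacker, not the user.
PHISHED = Context(amount=4000, typical_amount=300, new_payee=True, device_known=False,
                  country="RO", home_country="US",
                  minutes_since_last_login=30, last_login_country="US")


if __name__ == "__main__":
    for label, ctx in [("routine", ROUTINE), ("travelling", TRAVELLING), ("phished", PHISHED)]:
        print(label, decide(ctx))
```

The scoring catches the phished session because its context is wrong, not because the credentials are; an attacker who proxies the user's own browser and device would score like the user, which is why the step-up action must be a transaction verification the attacker cannot satisfy from their side, not just another password prompt.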