Online credit card fraud is a growing problem for finance houses, card holders and retailers alike. Armed with only a few personal details, a fraudster can run up huge debts in someone else’s name. Thankfully, the IT security software developers are fighting back.
Every day, billions of pounds are being lost by financial institutions and corporate enterprises. The cause? Numerous (and ingenious) acts of Internet fraud. This global problem is now reaching truly epidemic proportions, and is the major challenge facing the IT industry.
In recent years, significant progress has been made in firewall, Virtual Private Network (VPN) and anti-virus technologies to protect the central server and corporate networks. Similarly, improved encryption protocols have largely secured data in transit from the end-point device to the server.
However, where many networks are still vulnerable is at that end-point itself – which is the ‘front door’ to any back end system.
Trojan keystroke ‘sniffers’
Enterprises still reliant on inherently weak password systems for protection against unauthorised access are simply not taking security seriously. The reason so many continue to use what is widely regarded as the weakest form of authentication is that the alternatives have proved either too expensive or too inconvenient for legitimate users, while remaining vulnerable to a range of ‘sniffer’ devices and Trojan spyware.
One of the major contributory factors in the growth of Internet fraud lies with the vulnerability of an individual’s identity credentials to capture by Trojan keystroke ‘sniffers’, optical character recognition spyware or simple, casual observation by a co-worker. Once these credentials have been compromised, it is relatively simple not only to gain access to useful, detailed personal information but to use that information to obtain bank credit or conduct credit card transactions online – leaving the victim to pick up the pieces… and, very often, the bill!
Today, authentication software is being developed to ensure that each element of the authentication credential transmitted over a remote network connection (or entered at an end-point keyboard) has no validity beyond the active authentication event if it happens to be intercepted at some point.
Take PINSafe M2F authentication software, for example. This is a strong, two-factor authentication system deploying a wireless mobile device (such as a cell phone or PDA) to generate a one-time access PIN for each authentication event, replacing the need for any dedicated token device or client-side software typically offered as part of the older generation two-factor data security solutions.
As is the case with many technologies in its class, users are issued with a user ID and a PIN – which can be anything from four to ten digits long – at registration. For each authentication event, the user is also sent an SMS to their mobile device containing a randomly-generated, ten-digit security string. To authenticate themselves to a web service or corporate Intranet, the user initiates the session by entering their unique ID in the web browser, together with their one-time code.
The one-time code is obtained either by extracting it from the security string in the text message using the PIN, or by entering the PIN into a J2ME applet running on a Java-enabled device.
The code is then entered via the browser and delivered over a Secure Sockets Layer (SSL) tunnel to the server. From there, it is a relatively simple process to compare the returned code with the one anticipated and, if they match, pass the end user through for system use.
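The flow above (registered PIN, per-event random security string, one-time code extracted from it, server-side comparison, code retired after use) as an added illustration; this is constructed example code, not Swivel's PINSafe implementation. It assumes an extraction rule the article does not spell out: each PIN digit selects the digit at that 1-based position in the ten-digit string, with a PIN digit of 0 selecting the tenth position. The same extraction applies however the string reaches the user, by SMS or by the image-based fallback described later.

```python
import hmac
import secrets

# ASSUMPTION (not stated on the page): PIN digit d picks position d of the
# 10-digit security string, and digit 0 picks position 10.
def extract_otc(pin: str, security_string: str) -> str:
    """Derive the one-time code (OTC) from the registered PIN and the security string."""
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 10 digits")
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    # (d - 1) % 10 maps '1'..'9' to indexes 0..8 and '0' to index 9.
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


class PinSafeServer:
    """Server side of the exchange: one random security string per
    authentication event, accepted exactly once."""

    def __init__(self, pins: dict[str, str]):
        self._pins = pins                    # user ID -> registered PIN (constructed data)
        self._pending: dict[str, str] = {}   # user ID -> outstanding security string

    def issue_security_string(self, user_id: str) -> str:
        """Generate the ten-digit string that would be delivered by SMS (or as an image)."""
        s = "".join(str(secrets.randbelow(10)) for _ in range(10))
        self._pending[user_id] = s
        return s

    def verify(self, user_id: str, submitted_otc: str) -> bool:
        """Compare the submitted code with the anticipated one, then retire the string."""
        # pop(): the string has no validity beyond this one authentication event,
        # so an intercepted code cannot be replayed later.
        s = self._pending.pop(user_id, None)
        if s is None or user_id not in self._pins:
            return False
        expected = extract_otc(self._pins[user_id], s)
        return hmac.compare_digest(expected, submitted_otc)


if __name__ == "__main__":
    server = PinSafeServer({"alice": "2580"})       # constructed user and PIN
    string = server.issue_security_string("alice")  # would be sent by SMS
    otc = extract_otc("2580", string)                # done by the user or the J2ME applet
    print("first use accepted:", server.verify("alice", otc))
    print("replay accepted:   ", server.verify("alice", otc))
```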
Benefits to be realised
For the enterprise, the system engenders a high degree of confidence that only authorised users are accessing their systems, as well as providing a cost-effective solution that is simple to administer and does not require the distribution of costly tokens to the user base.
For the user, the fact that the different parts of the process are transmitted and received via two completely different technologies and networks means that individuals can also be confident their digital identities are safe from being compromised while they are online. This is widely regarded as the most important deciding factor for people, particularly when conducting online purchases and credit card transactions.
Although the user is required to execute an additional process beyond just entering a PIN or password, using a mobile device to generate the one-time code has not proven to be an unacceptable inconvenience in practice.
A major criticism by users of token-based authentication technologies is the inconvenience of having something else they need to remember to take with them (particularly if they need to work from different locations). Leveraging the full functionality of a mobile device such that it also provides a strong authentication tool is obviously a more acceptable solution.
Deploying a fail-safe option
In today’s business environment, the mobile phone has now become an essential tool, and one most people are unlikely to leave behind. However, it’s sometimes the case that a phone will not be available or otherwise functioning at the time access is required. That is precisely why a fail-safe option must be built in.
In such circumstances, the user can opt to deploy the PINSafe TURing interface (which displays the security string as a special GIF on the web page). The GIF is generated using a random combination of irregular fonts and patterned backgrounds – rendering it unreadable by optical character recognition spyware but legible to the human eye.
Although slightly less resistant to attack than the SMS version, the interface can be used with confidence provided sensible precautions are followed to avoid the string being captured by a surveillance camera or casual observer. Even then it would be difficult to compromise the system, as the PIN is never typed into the keyboard (and, therefore, cannot be electronically captured).
PINSafe technology represents a perfect upgrade path for existing token-based system users, and is an easy entry point for those companies wishing to integrate strong authentication into their enterprise networks.
A rapidly growing market sector in the enterprise world is SSL VPN technology, such as the EX 1500 system developed by The Aventail Corporation. This enables users to securely access their corporate Intranets from anywhere in the world (including Internet cafés).
Source: SMT
Postscript
Stephen Meredith is vice-president of Swivel Secure (www.swivelsecure.com)