Financial houses are losing far too much money to Internet fraud, which has now reached epidemic proportions. Is there any way to stop the cyber thieves? Stephen Meredith examines a new technology for ensuring that each element of the authentication credential transmitted over a remote network connection (or entered at an end-point keyboard) has no validity beyond the active authentication event should it be intercepted.
Every day billions are being lost by financial institutions and corporate enterprises through a range of ingenious acts of Internet fraud. This global problem is now reaching epidemic proportions, and is the major security challenge facing IT security professionals.
In recent years significant progress has been made in firewall, Virtual Private Network (VPN) and anti-virus technology to protect the central server and corporate networks. Improved encryption protocols have also pretty much secured data in transmission from the end-point device to the server.
Where many networks are still vulnerable, though, is at the end-point itself – effectively the front door to any back end system.
Enterprises still reliant on inherently weak password systems for protection against unauthorised access are simply not taking security seriously. Even so, many continue to use what is widely regarded as the weakest form of authentication, because the alternatives have proved either too expensive or too inconvenient for legitimate users.
Vulnerable to keystrokers
One of the major contributing factors in the growth of Internet fraud is the vulnerability of an individual’s identity credentials to capture by Trojan keystroke sniffers, optical character recognition spyware or simple casual observation by a co-worker. Once these credentials have been compromised it is pretty simple to not only gain access to useful detailed personal information, but use that detail for obtaining bank credit or conducting credit card transactions online – leaving the victim to pick up the pieces... and the bill!
Now there is a different approach to authentication designed not only to ensure that there is a very high level of probability that the person trying to access a private network is the person they say they are, but also that their identity is being protected during the authentication process.
PINsafe M2F authentication software has been developed to specifically deal with these threats by ensuring that each element of the authentication credential transmitted over a remote network connection (or entered at an end-point keyboard) has no validity beyond the active authentication event should it be intercepted by would-be thieves.
Essentially, PINsafe is a strong, two-factor authentication system that uses a wireless mobile device such as a mobile ’phone or PDA to generate a one-time access PIN for each authentication event, replacing the need for any dedicated token device or client-side software typically offered as part of older-generation two-factor security solutions.
Preparing to authenticate
As is the case with many technologies in its class, at registration end users are issued with a user ID and a PIN, which can be anything from four to ten digits long. At the same time they are also sent an SMS to their mobile device containing a randomly generated ten-digit security string. To authenticate themselves to a Web service or corporate Intranet, the end user initiates the session by entering their user ID and their one-time code in the Web browser.
The one-time code is obtained either by extraction from the text message or by entering the PIN into a J2ME applet running on a Java-enabled device. The code is then entered via the browser and delivered over an SSL tunnel to the server. From there, it is a relatively simple process to compare the returned code with the one anticipated and, if they match, grant the user access.
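The registration, string issue, extraction and server-side comparison steps above, as an added worked model (not Swivel's code). The page does not spell out the extraction rule, so the example assumes that each PIN digit is used as a 1-based position into the ten-digit security string (with 0 selecting the tenth character); the PinsafeLikeServer class, its method names and the user "alice" are likewise assumptions.

```python
import hmac
import secrets

STRING_LEN = 10  # the page's ten-digit security string


def generate_security_string() -> str:
    """Random ten-digit string, as delivered by SMS (or drawn into the TURing image)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LEN))


def one_time_code(pin: str, security_string: str) -> str:
    """Client step. Assumed rule: each PIN digit is a 1-based position into the
    security string, with 0 selecting the tenth character. The PIN itself is
    never typed into the browser; only the extracted characters are sent."""
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be four to ten digits")
    if len(security_string) != STRING_LEN or not security_string.isdigit():
        raise ValueError("security string must be ten digits")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


class PinsafeLikeServer:
    """Hypothetical server model: holds each user's PIN and the one security
    string currently outstanding for that user."""

    def __init__(self) -> None:
        self._pins = {}      # user_id -> PIN (assumed stored by the server)
        self._pending = {}   # user_id -> string issued but not yet used

    def register(self, user_id: str, pin: str) -> None:
        self._pins[user_id] = pin

    def issue_string(self, user_id: str, security_string: str = "") -> str:
        """Issue a fresh string (a fixed one may be passed in for testing).
        Any earlier unused string for the user is superseded."""
        s = security_string or generate_security_string()
        self._pending[user_id] = s
        return s

    def authenticate(self, user_id: str, code: str) -> bool:
        """Compare the submitted code with the one expected for the pending string.
        The string is consumed on the first attempt, so an intercepted code has
        no validity beyond this authentication event."""
        pending = self._pending.pop(user_id, None)
        pin = self._pins.get(user_id)
        if pending is None or pin is None:
            return False
        return hmac.compare_digest(one_time_code(pin, pending), code)
```

The replay check in authenticate is what gives a captured code its one-event lifetime; issuing a new string makes any earlier code worthless even before it is tried.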
The technology delivers a wide range of unique benefits for both the enterprise and the individual user. For the enterprise, the system engenders a high degree of confidence that only authorised users are accessing their systems, as well as providing a cost-effective solution that’s simple to administer and doesn’t require the distribution of costly tokens to the user base.
For the user, the fact that the different parts of the process are transmitted and received via two completely different technologies and networks means that individuals can also be confident that their digital identities are safe from being compromised while they are online. This is widely regarded as the most important deciding factor for many people, particularly when conducting online purchases and credit card transactions.
Leveraging full functionality
Although the user is required to carry out an additional step beyond simply entering a PIN or password, users of the system have not, in practice, found generating the one-time code on a mobile device to be an unacceptable inconvenience.
A major criticism from users of token-based authentication technologies is the inconvenience of having something else to remember to take with them, particularly if they need to work from different locations. Leveraging the full functionality of a mobile device so that it also serves as a strong authentication tool is clearly a more acceptable solution.
In business today the mobile ’phone in particular has now become an essential tool, and one which most people are unlikely to leave behind. However, it’s possible that the ’phone is not available or functioning at the time access is required. With this in mind, a fail-safe option has been built into the system.
In these circumstances the user can opt to deploy the PINsafe TURing interface which displays the security string as a special GIF on the Web page. The GIF is generated using a random combination of irregular fonts and patterned backgrounds to make the string unreadable by optical character recognition spyware (but still legible to the human eye).
Although slightly less resistant to an attacker than the SMS version, the interface can be used with confidence provided sensible precautions are taken to avoid the string being captured by a surveillance camera or a casual observer. Even then it would be difficult to compromise the system, as the PIN is never typed into the keyboard and thus cannot be electronically captured.
Perfect upgrade path?
PINsafe technology represents a perfect upgrade path for existing token-based system users, as well as an easy entry point for companies wishing to integrate strong authentication into their existing enterprise networks. The server-side software has a range of APIs and can be integrated with RADIUS and Oracle-based systems in just a few hours.
Source
SMT
Postscript
Stephen Meredith is vice-president of Swivel Secure (www.swivelsecure.com)