
PhoneFactor’s Out-of-Band Authentication Platform Offers Stronger Security

The Current Threat Landscape

Malware poses the single greatest threat to IT security today. It is rapidly evolving, defeats many of the security measures currently in place, and infects a staggering number of computers. An APWG report released in early 2010 indicates that 48% of the more than 22 million scanned computers were infected with malware. More than 15% (1.5 million+ computers) were infected with malware.

Malware has become increasingly sophisticated since the introduction of the SilentBanker Trojan, which heralded the emergence of real-time malware-driven attacks in late 2007. More recently, the Clampi Trojan is reported to have infected more than 500,000 computers. The Trojan lies in wait for a user to access one of more than 4,600 online banking, government, and business services websites, then initiates fraudulent wire transfers via Man-in-the-Middle (MITM) attacks. Zeus is reported to have infected computers at 90% of the Fortune 500 companies; it harvests credentials and can also be used to launch MITM attacks.

The Out-of-Band Authentication Solution

Emerging security concerns posed by malware require the use of an out-of-band authentication mechanism. Because MITM attacks are initiated by malicious code running on the user’s computer, they can hijack a user’s authenticated session without detection by either the online banking application or the end user. The user logs in as they normally would with a username and password. If the financial institution has deployed tokens to its users, the user also enters the one-time password from the token during the login.

Once the user is authenticated, so is the attacker. The attacker can initiate new transactions, such as creating ACH and wire transfers, and reroute the user’s valid transactions to “mule” accounts. In some cases, the attacker just takes over the user’s authenticated session and displays a message to the end user that the website is currently unavailable.

To protect customers from these attacks, as well as provide the strong authentication needed to prevent the use of account credentials gained through phishing and other means, an additional layer of authentication must occur through a separate channel. This is referred to as out-of-band authentication. The telephone network is an ideal out-of-band channel for authentication. An automated phone call or text message provides an instant and easy-to-use method for confirming online logins and transactions.

With PhoneFactor, for example, when a transaction is initiated, an automated phone call or text message can be sent to the user’s registered phone number. The user is asked to verify the specific transaction.

“This is PhoneFactor calling to verify the transfer of $50,000 to account 10015 at Bank of Nigeria.”

If the transaction is valid, the user simply presses # (or a PIN) or replies to the text message to approve the transaction. If the user does not answer the call or respond to the text message, the transaction is denied or flagged for further review. In addition, the user can report fraudulent transactions by simply entering 911# during the call or in the text message reply. This locks their account and sends an instant notification to the bank’s fraud response team. Because the transaction is verified across the telephone network, it is not vulnerable to malicious code running on the user’s computer.

Systems that require users to further verify transactions by entering a one-time passcode from a security token or other device into the application are not out-of-band and would not be able to prevent an attack like this. The user would have no way of knowing which transaction they were validating – theirs or the hacker’s. And once entered, the OTP could be hijacked by the attacker and used for other transactions. Systems that deliver an OTP via an SMS text message are similarly vulnerable.
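To make the contrast between the two flows concrete, here is a constructed model (an added example, not PhoneFactor’s code): a hijacked browser session swaps the submitted transfer for one to a mule account; the in-band OTP check approves it because nothing ties the OTP to the transfer, while the out-of-band prompt reads the swapped details to the user’s phone and the user keys 911#. The function and class names, the account numbers, the mule account label and the OTP value are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Transfer:
    amount: int
    dest_account: str

@dataclass
class Account:
    locked: bool = False
    review_queue: list = field(default_factory=list)   # items for the fraud team

def substitute(tx: Transfer) -> Transfer:
    # Stands in for the malware-driven session hijack described above: the
    # details the user submitted are replaced before they reach the bank.
    return Transfer(tx.amount, "mule-0001")

def verify_in_band(tx_received: Transfer, otp_typed: str, otp_expected: str) -> str:
    # A token OTP only proves the user holds the token; nothing binds it to
    # tx_received, so the bank cannot tell whose transaction it is approving.
    return "approved" if otp_typed == otp_expected else "denied"

def prompt(tx: Transfer) -> str:
    # Read out over the telephone network: the exact details the bank will execute.
    return f"This is PhoneFactor calling to verify the transfer of ${tx.amount:,} to account {tx.dest_account}."

def verify_out_of_band(acct: Account, tx: Transfer, reply: Optional[str]) -> str:
    """reply is what the user keyed on the phone, or None if the call went unanswered."""
    if acct.locked:
        return "denied"
    if reply == "911#":             # fraud reported: lock the account, notify the fraud team
        acct.locked = True
        acct.review_queue.append(("fraud-report", tx))
        return "locked"
    if reply == "#":
        return "approved"
    acct.review_queue.append(("no-answer" if reply is None else "rejected", tx))
    return "flagged"                # no answer or wrong key: denied pending review

def demo() -> dict:
    acct = Account()
    intended = Transfer(500, "10015")
    bank_sees = substitute(intended)                # what arrives in the hijacked session
    in_band = verify_in_band(bank_sees, "482913", "482913")   # user typed the valid OTP
    # Out of band the user hears the mule account instead of 10015 and keys 911#.
    reply = "911#" if prompt(bank_sees) != prompt(intended) else "#"
    out_of_band = verify_out_of_band(acct, bank_sees, reply)
    return {"in_band": in_band, "out_of_band": out_of_band, "locked": acct.locked}
```

Running `demo()` returns `{"in_band": "approved", "out_of_band": "locked", "locked": True}`: the same hijacked transfer passes the token check and is stopped by the phone verification.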

For more information try the PhoneFactor Demo or Download the Free Version.

Benefits of Out-of-Band Authentication