
Technology - The Telephone as an Internet Defense Mechanism

Once upon a time, validating the information behind a financial transaction or payment was easy. Someone from your bank would call you at a telephone number they knew belonged to you. If the caller knew you, they often recognized your voice and needed no further assurance that they had reached the right person. Authentication was provided by a familiar voice at a telephone number where you could be reliably reached. No one ever called a phone call from your banker an out-of-band authentication, but that is exactly the function the call served.

The Public Switched Telephone Network (PSTN) is one of the most widely deployed systems of globally unique identifiers in existence. With a few exceptions (call forwarding and number porting among them), the combination of country code, area code, local exchange and subscriber number will reliably connect you to a well-identified location and party. In addition, the PSTN leaves quite a trail when you use it: phone companies worldwide share a vested interest in being able to bill one another, and you, for use of their networks, so every call is recorded in their billing records.

Viewed this way, the telephone network offers considerable potential for remote user authentication, provided the Internet and the telephone can be used at the same time. The approach is a practical way to manage enrollment of online payment accounts and to add an authentication step at the transaction level: a telephone call gives direct, out-of-band contact with the account owner at the moments when that contact matters.
 

Why Is Out-of-Band Authentication Effective?

The Internet and the Public Switched Telephone Network (PSTN) are separate networks with their own timestamps, data types and operating principles. Authentify uses the two together: its network synchronization process authenticates a remote online user by requiring them to control a specific telephone and their computer at the same moment.

When a user needs to be authenticated for a Web registration or other transaction, the Web server sends an XML message to Authentify requesting the telephone call and Web synchronization as a service. Authentify's telephony servers respond to that request by placing an automated outbound call over the PSTN to the online user while they are still online. At the same time, Authentify's transaction manager sends messages back to the Web server that invoke a special display. The user sees information delivered over the Internet and must provide that information to Authentify over the telephone.

The result is a synchronous, out-of-band exchange that only a user controlling both the telephone and the computer can complete. Note that this process uses an outbound telephone call placed to the number on record. It is NOT an application of Caller ID based on Automatic Number Identification (ANI, pronounced "Annie"): the service never trusts a number presented by an incoming call, which a caller can spoof, so an attacker must actually answer the owner's phone.

As a simple example, imagine an online user activating an existing financial account for Internet use. The user receives a telephone call at a number retrieved from their existing account records or provided on their enrollment forms. During the call, the user is prompted to speak a confirmation string displayed on their computer screen. They must speak the string correctly and be willing to leave a voice recording. At the end of the enrollment, the financial institution has a strong audit trail from both the PSTN and the Internet. As both an authentication technique and a defense mechanism, out-of-band authentication of this type is particularly effective against the keystroke logging and man-in-the-middle attacks described below.

A fraudster who has captured account information with a keystroke logger, a man-in-the-middle, or even an insider or family member may have every piece of correct account information. What they will not have is access to a telephone that belongs to the legitimate account owner, or the willingness to answer it: they recognize that answering is a good way to be identified and caught.

For example, when a fraudster who has logged keystrokes attempts to access an account using all the correct information, a high-value payment can trigger a telephone call to the account owner. Since the account owner is not involved in the transaction, simply hanging up the phone prevents the transaction from completing.

Against the man-in-the-middle attack, a variation of the process is very effective. The financial or payment application requests a phone call to the account owner. Besides requiring the user to answer the phone, the call repeats to the user the value of the transaction and perhaps the last few digits of the destination account. If a man-in-the-middle has tampered with the account number or amount, the legitimate user will hear values that differ from what they entered, recognize the tampering and can cancel the transaction.
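The following Python simulation is an added example and is not Authentify's code; it models the synchronization process above (a one-time string shown on the web channel that must be spoken on an outbound call to the number on record) together with the two fraud scenarios just described: the keystroke-logging case, where the real owner simply hangs up, and the man-in-the-middle case, where the call reads back the amount and destination the bank is about to execute and the user refuses. Class and function names, the session identifiers, the six-digit code length, the three-attempt limit and the 120-second challenge lifetime are all assumptions made for the illustration; the phone numbers and account identifiers are constructed sample data.

```python
"""Simulation of telephone out-of-band authentication (added example, not
Authentify's code).  Two channels are modelled: the web channel, on which the
user is shown a one-time confirmation string, and the phone channel, on which
the service calls the number held on the account record and collects the
digits the user speaks (typed here) plus a yes/no answer to a read-back of the
transaction.  Names, layouts and limits below are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                 # assumed length of the spoken confirmation string
CHALLENGE_TTL_SECONDS = 120     # assumed lifetime of one challenge
MAX_ATTEMPTS = 3                # assumed limit on wrong spoken codes per call


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    destination_account: str


@dataclass
class Challenge:
    phone_on_record: str   # taken from the account record, never from the web request
    code: str              # shown in the browser, must be spoken on the phone
    txn: Transaction       # what the bank is about to execute
    created: float
    attempts: int = 0


def read_back(txn: Transaction) -> str:
    """Text the automated call reads to the user before asking for confirmation."""
    return f"amount {txn.amount_cents / 100:.2f}, destination ending {txn.destination_account[-4:]}"


class OutOfBandAuthenticator:
    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable so expiry can be tested
        self._pending: dict[str, Challenge] = {}
        self.audit: list[tuple] = []            # the combined Internet + PSTN trail

    def _log(self, *event):
        self.audit.append(event)

    # Web server side: a registration or payment needs out-of-band confirmation.
    def request_call(self, session_id: str, phone_on_record: str, txn: Transaction):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[session_id] = Challenge(phone_on_record, code, txn, self._clock())
        call_script = {"dial": phone_on_record, "read_back": read_back(txn)}
        self._log("call_placed", session_id, phone_on_record)
        return code, call_script    # code goes to the browser, call_script to telephony

    # Phone side: the person who answered hung up without completing the prompts.
    def hang_up(self, session_id: str) -> str:
        if self._pending.pop(session_id, None) is not None:
            self._log("call_abandoned", session_id)
        return "abandoned"

    # Phone side: the digits spoken on the call and the answer to the read-back.
    def phone_response(self, session_id: str, spoken_digits: str, confirms_read_back: bool) -> str:
        ch = self._pending.get(session_id)
        if ch is None:
            return "no_challenge"
        if self._clock() - ch.created > CHALLENGE_TTL_SECONDS:
            del self._pending[session_id]
            self._log("expired", session_id)
            return "expired"
        ch.attempts += 1
        # Constant-time comparison of the spoken string with the one shown in the browser.
        if not hmac.compare_digest(spoken_digits.encode(), ch.code.encode()):
            if ch.attempts >= MAX_ATTEMPTS:
                del self._pending[session_id]
                self._log("locked", session_id)
                return "locked"
            self._log("wrong_code", session_id, ch.attempts)
            return "wrong_code"
        del self._pending[session_id]           # a challenge is single use, whatever the outcome
        if not confirms_read_back:
            self._log("rejected_by_user", session_id)
            return "rejected_by_user"
        self._log("approved", session_id, ch.phone_on_record)
        return "approved"


def user_confirms(heard: str, intended: Transaction) -> bool:
    """The legitimate user on the phone: agree only if the read-back matches what they typed."""
    return heard == read_back(intended)


if __name__ == "__main__":
    auth = OutOfBandAuthenticator()
    intended = Transaction(amount_cents=25_000, destination_account="GB29NWBK60161331926819")
    # Constructed man-in-the-middle case: the destination was swapped after the user submitted.
    tampered = Transaction(amount_cents=25_000, destination_account="GB94BARC10201530093459")
    code, script = auth.request_call("sess-1", "+1-312-555-0100", tampered)
    print(auth.phone_response("sess-1", code, user_confirms(script["read_back"], intended)))
```

The two defensive properties the page relies on are visible in the code: the phone number comes from the account record, not from the request that triggered the call, and the read-back is generated from the transaction the bank holds, so anything a man-in-the-middle altered in transit is exactly what the user hears. Single use, an attempt limit and an expiry keep a captured code from being replayed on a later call.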

Copyright © 2007 DNP Global