Top Links You Must Click On
From the Wires
TextKey's Two Factor Authentication Stops Zitmo Trojan Variant
MITM and MITB Attacks Are Only Possible If the Browser Is Used in the Authentication Process
By: Marketwired .
Dec. 11, 2012 06:00 AM
SAN JUAN CAPISTRANO, CA -- (Marketwire) -- 12/11/12 -- TextPower, a leader in innovative text messaging software solutions for enterprises, today debunked a claim that the Zitmo Trojan Variant Eurograbber defeats all two-factor authentication citing the company's TextKey authentication service which uses a cell phone's unique identifier -- its "fingerprint" -- to authenticate a web site user through a simple text message instead of a web browser.
The Zitmo Trojan has cost online banking customers throughout Europe millions in stolen funds as this variant has infected Android and BlackBerry devices and is capable of defeating common forms of two-factor authentication. TextKey's patent-pending technology eliminates any browser interaction during the authentication process and thus won't allow man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks affecting mobile device users.
"There are several two-factor authentication methods used to protect web sites, but those that allow any form of data entry on a web browser page are vulnerable to a MITB/MITM attack," said Scott Goldman, CEO, TextPower. "To eliminate this angle of attack, you must eliminate any method that involves the browser. A secure server-to-server connection between an authentication service and the web site is the simplest and most straightforward approach to do this. TextKey uses exactly that type of connection, completely circumventing any browser involvement to eliminate threats from any MITB/MITM attacks."
Unlike other two-factor authentication processes, TextKey's authentication code is displayed in clear text on the user's screen after they have successfully entered their ID and password. This code must be sent via SMS to the TextKey cloud-based authentication system from the cell phone preregistered to that user's ID. There is no open field for a hacker to monitor or trap information on the web site's page, nor is there any hardware or software required at the web site's server to implement TextKey authentication. Only the next-generation of two-factor authentication, like TextKey, combines the convenience of a soft token with the resistance to browser-based attacks.
Establishing an account with a TextKey installation on the web site side is fast and simple. The individual web site maintains the user's ID and password already and simply adds their cell phone number to the record. Then a simple plug-in, available in .NET, PHP and Java, is inserted into the web site's login page HTML. When the ID and password are successfully entered a modal dialog box appears showing the code that the user must text into the TextKey system from their cell phone. The code must be sent within the user-defined time frame from the correct phone to grant access. If the wrong code is sent, or if the correct code is sent from an unregistered phone, access is denied. It's simple, easy to install and the least-hackable method available.
The product, TextKey, has won two major industry awards and is patent-pending. Although the product is still in "slightly stealth" mode it has generated significant interest from some major financial institutions and is going to be publicly released within the next 90 days.
About TextPower, Inc.
For more information contact:
Enterprise Open Source Magazine Latest Stories . . .
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
SYS-CON Featured Whitepapers
Most Read This Week