Cookie-based Security Creates False Sense of Online Banking Security
Our CEO, John De Santis has an article posted over at Bank Systems & Technology. You can and should read it here or the response won’t make as much sense, eh?
While there, note the three initial comments; my response to them is below for your review until it clears moderation over at BankTech.
===================================
Thought I’d chime in here on John’s behalf and as TriCipher’s “evangelist”. I’ll address the three previous posts in order.
First, Ron Behanic, of course what we recommend is that you check out TriCipher’s novel approach and patented technology, which provides alternatives to cookie-based and friendly-picture-based options. I’ve included some informational links at the bottom of this post to help you pursue the questions raised in John’s article.
Second, AlmostSecure, you are correct that the purveyors of cookie-based secure authentication (an oxymoron if ever there was one) also include back-end checks. Our main point isn’t that these checks or fraud-detection measures shouldn’t be done or don’t have value, but that they don’t actually protect consumers. Should I steal a user’s credential, log into their bank account, browse around and download all their transaction and personal data from the web account, what kind of havoc can I then perpetrate on that user? I won’t have set off any alarms, because I won’t have done anything alarm-worthy: simply reading an account is not the kind of activity those checks look for. However, I will have plenty of information to perpetrate identity theft on-line and off through a variety of vectors, completely ruining the consumer’s day, to put it mildly.
Botnets are already being used to defeat IP geolocation checks, and a careful scammer can compromise enough accounts, and move small enough amounts from each to stay under every alarm threshold, to make it worth their while. We are strong proponents of fraud prevention in addition to fraud detection.
I’d also like to correct AlmostSecure’s statement that server SSL certificates can stop MITM attacks. A server certificate only helps when the browser rigorously validates it against a trusted root and the user refuses to proceed past a certificate warning; the attack kits circulating today rely on exactly those gaps (a look-alike domain with its own certificate, a page served without SSL at all, or a user who clicks through the warning), which is why MITM is still a live threat rather than a solved problem. SSL was always intended to be a two-way mechanism: not only does the server authenticate itself to the user, the client authenticates to the server with a digital credential. ONLY when both parties perform both ends of the SSL protocol is the communication non-MITM-able (yep, I think I just made that word up; you read it here first). An attacker sitting between the two can still impersonate the server to a careless client, but cannot complete the client side of the handshake with the real bank without the user’s private key. SSL as used today is one-way; it is useful to prevent sniffing of traffic, but in practice it does not prevent MITM attacks. We’ve been demonstrating this for several years, and these attacks are happening “in the wild” as we speak, with readily available kits for any script kiddie to launch.
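To make the one-way versus two-way point concrete, here is an added example in Go; it is not code from the original post, from TriCipher or from BankTech. It mints a hypothetical bank CA, a server certificate, a user (client) certificate and an attacker’s self-signed certificate bearing the bank’s name, all in memory, and runs five TLS handshakes over an in-memory pipe: a validating client against the bank, a validating client against the attacker, a client that skips validation (the user who clicks through the warning) against the attacker, and a server that requires a client certificate against a client without and then with the user’s credential. The host name bank.example, the CA name and the user name alice are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const bankHost = "bank.example" // hypothetical host name chosen for this example

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for cn: self-signed when parent == nil (a root CA, or an
// attacker's home-made server cert), otherwise signed by parentKey.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf certs are matched on the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// Session tickets are disabled so the server never writes after the handshake; a
// post-handshake write would block on the synchronous in-memory pipe used below.
func serverConfig(cert tls.Certificate, auth tls.ClientAuthType, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: auth,
		ClientCAs: clientCAs, SessionTicketsDisabled: true}
}

// handshake runs one TLS handshake over an in-memory pipe and returns the first
// error either side reports; nil means both ends accepted the session.
func handshake(server, client *tls.Config) error {
	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // turn any unexpected stall into an error
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	defer srvConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, server).Handshake() }()
	cliErr := tls.Client(cliConn, client).Handshake()
	cliConn.Close() // unblocks a server that is still trying to send an alert
	if err := <-srvErr; cliErr == nil {
		return err
	}
	return cliErr
}

// Results holds one error per scenario; nil means the handshake completed.
type Results struct {
	HonestVsBank     error // one-way TLS, client validates the bank's cert: accepted
	HonestVsMITM     error // one-way TLS, client validates: attacker's cert rejected
	CarelessVsMITM   error // client skips validation (clicked through the warning): MITM succeeds
	NoCredVsMutual   error // mutual TLS: no session without the user's private key
	UserCredVsMutual error // mutual TLS: the legitimate client credential is accepted
}

func Run() Results {
	caCert, caKey := issue("Example Bank Root CA", true, 0, nil, nil)
	bankCert, bankKey := issue(bankHost, false, x509.ExtKeyUsageServerAuth, caCert, caKey)
	userCert, userKey := issue("alice", false, x509.ExtKeyUsageClientAuth, caCert, caKey)
	// The attacker can mint a cert bearing the bank's name; no trusted CA vouches for it.
	mitmCert, mitmKey := issue(bankHost, false, x509.ExtKeyUsageServerAuth, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	oneWayBank := serverConfig(tlsCert(bankCert, bankKey), tls.NoClientCert, nil)
	mutualBank := serverConfig(tlsCert(bankCert, bankKey), tls.RequireAndVerifyClientCert, roots)
	attacker := serverConfig(tlsCert(mitmCert, mitmKey), tls.NoClientCert, nil)
	honest := &tls.Config{ServerName: bankHost, RootCAs: roots}
	careless := &tls.Config{ServerName: bankHost, InsecureSkipVerify: true}
	withCred := &tls.Config{ServerName: bankHost, RootCAs: roots, Certificates: []tls.Certificate{tlsCert(userCert, userKey)}}
	return Results{
		HonestVsBank:     handshake(oneWayBank, honest),
		HonestVsMITM:     handshake(attacker, honest),
		CarelessVsMITM:   handshake(attacker, careless),
		NoCredVsMutual:   handshake(mutualBank, honest),
		UserCredVsMutual: handshake(mutualBank, withCred),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Run it with `go run`. Two results are the ones to dwell on: CarelessVsMITM is nil, because a client that does not validate the certificate (the user who clicks through the warning) happily completes a session with the attacker, which is the one-way case the post calls MITM-able; NoCredVsMutual is an error, because a server configured with RequireAndVerifyClientCert refuses every peer that cannot sign the handshake with the private key behind a certificate its ClientCAs trust. An attacker relaying a session cannot supply that signature, since the CertificateVerify message covers the transcript of the specific connection, so even a careless user’s session cannot be carried through to the real bank.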
Malware may be the most sloppily used word in computer security. Malware is a category of attack that runs code on the client: keyboard loggers, screen and click capture, e-mail remailers and so on, all the way through to full device “ownership”, fall into the malware bucket. Sure, if a device is completely “owned” then it’s game over. It doesn’t matter if you have a retina scanner, smart card and DNA analyzer all attached; the attacker merely waits for the user to authenticate and takes over behind the scenes. Short of that level of compromise, however, there is a lot that we at TriCipher provide our customers to protect their users’ credentials from being stolen or compromised by a significant portion of the attack vectors in the “malware” group. We do this while providing the flexibility to match the strength and cost of the credential type to the risk profile of the user, the application or the underlying data.
Third, mike’s post mentions “…Triciphers [sic] alternative is a PKI…”. Yup, we use PKI because it is the only technology shown to provide the properties necessary for strong authentication, digital signing, encryption and so on. Of course, everyone knows that PKI is nearly a dirty word, and that’s why TriCipher’s patented technology results in a “practical PKI” with all the security properties of PKI but without all the pain and fuss for end users, implementers, security folks and the rest.
Certainly self-serving of me to suggest it, but you really do owe it to yourself to swing by our web site and check out how we do it and how it can help your organization address your strong authentication and credential needs. Also, feel free to swing by my blog, where I’ve addressed some of these issues and more, and come share your thoughts and challenges at www.EYEdentityOnline.com.
Webcast: Consumer Authentication, Evolving Threats, and Countermeasures with Mark Diodati, Analyst, Burton Group http://www.tricipher.com/registration/consumer_authentication_webinar.html
Man in the Middle Whitepaper: http://www.tricipher.com/landing_pages/spotlight_offer.html
Man in the Browser Whitepaper: http://www.tricipher.com/threats/man_in_the_browser.html
October 24th, 2007 at 9:17 pm
[…] I certainly agree that PKI is not a silver bullet for the authentication problem and that a multi-layered approach is necessary. I’ve addressed this at length in various posts covering: * Fraud detection * Transaction authentication * Malware attack […]