Blog Feed
Protectimus team at Startup Crash Test #2
On September 4, the non-profit event Startup Crash Test #2 was held in Kharkiv. The main purpose of the event was to test the strength of the startups that took part in it. The startups' teams had a chance to talk about their ideas and marketing strategies, heard a lot of constructive criticism from IT professionals, and learned several useful tips that can help them achieve success in the future. The Protectimus Company was one of the participants of Startup Crash Test #2. Its Chief Innovation & RnD Officer Denis Shokotko announced a new startup support program named «Let Your Startup Be Secure». Under this program, the Protectimus team is ready to provide its two-factor authentication solutions for free to any startup that cares about the safety of its users and has a competent marketing development strategy. To learn more about the «Let Your Startup Be Secure» program and to ask any question, write to this e-mail: support@protectimus.com. And here is our small photo report: Photo source —...
read more
What Hides Beneath SMS Authentication?
We have to pay for everything in life. Whatever you may call it — the law of conservation of energy, karma, or Divine Providence — that is how it is and how it will always be. In the 19th century, a postal courier loyal to his sovereign would risk his life delivering a letter to the addressee, which took up to a month, protecting it from any possible foes. In the 21st century, data exchange is carried out instantly, but it is a lot easier to ‘break the seal’. Cybercrime is increasingly on the rise. In 2013, in the USA alone over 3000 companies were victims of hackers’ attacks. Forty million people suffered from the consequences of these crimes; 160 billion dollars was stolen. In 2014, the share of cyber crimes in the Russian Internet was 41% (11 thousand cases) of all the registered crimes in the IT environment. In early 2015, hackers’ attacks on bitcoin exchanges sent shock waves through the community of holders of the cryptocurrency, which lost half of its value. According to the already mentioned law of conservation of energy (or money, in our case), online security and protection methods are also becoming more sophisticated. Regular passwords have been replaced with two-factor authentication. Banks’ customers use it regularly when they receive one-time access codes via SMS messages. Admittedly, it is a step forward, but one can still trip over it. After a message is sent from a bank, it goes through a gateway and GSM network consisting of servers and transmission towers. That explains the relatively significant delay between pressing the Confirm Payment button and receiving the SMS message. Sometimes, it takes up to five minutes, which is a considerable amount of time by the standards of the 21st century: during this time, the SMS message can be intercepted and redirected, i.e. used for criminal purposes. Nowadays, hackers operate with automated hacker toolkits, and they can use the password in the SMS message in a split second. 
Not to mention the fact that some stages of the “short message” transmission process are carried out by people. And it is a well-known fact that big money can be quite a temptation. There is even a special term describing this vulnerability — “man in the middle”. It describes a situation when an attacker is “in the middle” between a bank and its customer. How can the side effects of SMS authentication be neutralized? For example, via the two-factor authentication system offered by the company Protectimus. A one-time password generated by a special device called a token, owned by the customer, is sent to the server and compared to the password generated there using the same algorithm and the same input parameters. The company offers four kinds of these devices, plus support for SMS and email tokens. Moreover, passwords are generated using one of three algorithms:
- by event (the customer presses the token's button);
- by time (the token's internal clock is used);
- by challenge-response (one of the input parameters is the challenge from the server).
The reliability of the system is verified by the Initiative for Open Authentication (OATH) certificate, which puts any solution complying with its requirements through various tests. Besides, the products offered by Protectimus are continuously improved. Recently, the data mining analysis has been developed and...
read more
Recommendations for Using CWYS Data Signing
In the previous post, we reviewed the CWYS (Confirm What You See) mechanism, which allows generating one-time passwords on the basis of the data being protected. You can also see how two-factor authentication works and test the CWYS function here: Demo. Users are often faced with this question: what data should be used during OTP generation to ensure the best protection for the system? Let's consider the most common situation where the CWYS function is used – verification of transactions in payment and banking systems. To ensure protection for such transactions, we recommend using the following data:
- amount;
- currency;
- payee;
- identifier or transaction number;
- user's current balance or balance after the transaction;
- any additional data that needs to be protected against modification or falsification from the point of view of your business processes, for example, transaction date, user's IP address, etc.
It is important to note that at each step of working with Protectimus only the current data that the user is working with at this moment should be used, not cached data. This concerns, for instance, the balance: sometimes the balance is recalculated on the basis of a certain system event, while the user sees its state at a certain point in time. Using such details in the OTP generation process protects from data replacement in the short period of time between the creation and execution of a transaction, thus protecting a user against losing money and protecting your system against reputation risks and other types of...
read more
Tokens with the CWYS Function
To test the CWYS function and learn more about 2-factor authentication, visit our demo page: Demo. Protectimus offers the following OTP tokens with support for the CWYS (Confirm What You See) function: Protectimus Ultra, Protectimus Smart, Protectimus SMS, and Protectimus Mail. Let's look at them in more detail.
Protectimus Ultra. It is a physical (hardware) token that has a number of advantages compared to other hardware tokens, as described in more detail on our website. From the point of view of the data signing function, it is somewhat inferior to other types of tokens because it is unable to display the data signed. However, it still protects data from being modified or falsified during the span of time between creating and performing a transaction.
Protectimus Smart. It is a software token and the most popular token in the company's product line. Its advantage lies in the fact that the data signing function is available for any token generated in it. The data signed can be displayed, and there is additional protection against manipulating the transaction data. Diagram 1 shows the CWYS data signing process. As you can see in Diagram 1, a user only needs to go to the context menu and select the data signing function, scan the QR code, and receive information about the transaction being performed and the OTP to confirm it. This token's undoubted commercial advantage is the fact that it is provided for free.
Protectimus SMS. It allows receiving the information on the transaction being performed, together with the OTP, on the user's phone. The downside of this method is the disadvantages of using an SMS message to deliver authentication details. This token's advantages include simplicity of use and of generation by the user.
Protectimus Mail. It allows receiving the information on the transaction being performed via email. Although this adds yet another verification channel, it should be noted that, generally speaking, this token does not provide full-scale two-factor authentication because email is usually also password protected. As always, the final choice is up to you. Our recommendation is to use Protectimus Smart or Protectimus Ultra for the CWYS mechanism and secure protection of your system against auto-filling, injecting, and other types of manipulating the user data involved in performing...
read more
Detailed Information on Data Signing
In response to new challenges, Protectimus has developed a powerful means of protection against auto-filling, injecting, and other types of malicious software that manipulates and modifies data during transactions. There are different ways in which such software can work; for example, the recipient is changed during a transfer while an unsuspecting user enters a one-time password sent via an SMS message. The problem is that this user actually performs and verifies a fraudulent transaction without even realizing that fraudulent activities are taking place. A serious threat for banks and payment services lies in the fact that customers unwilling to admit their own mistakes place the blame on the payment systems themselves, which undermines companies' business reputation. The Protectimus R&D Department has come up with a solution to this problem. In accordance with RFC 6287, the challenge for the challenge-response algorithm is generated randomly. We have taken further steps and developed a special challenge generation algorithm based on the details of the transaction performed by the user. It binds the one-time password to the data being verified; consequently, if this data is modified in any way, the one-time password entered cannot verify it, because it was generated from a different set of data, which prevents any fraudulent activity. The new data signing function called CWYS (Confirm What You See) is available in the Ultra, Smart, SMS, and Mail tokens. Diagram 1 shows the process of performing a transaction requiring verification.
To send data to Protectimus and receive a challenge, a user must call the POST method at https://api.protectimus.com/api/v1/token-service/tokens/sign-transaction using these mandatory parameters:
- tokenId – user's token identifier;
- transactionData – transaction details to be used in OTP generation;
- hash – HMAC-SHA256 hash of the transactionData string to verify the integrity of the data received; the user's API key is used as the key.
In the response, you will receive XML or JSON with the following elements:
- challenge – challenge for the OTP generation algorithm;
- transactionData – encrypted transaction details;
- tokenType – token type;
- tokenName – token name;
- id – token identifier.
For a user with a Smart token, a QR code needs to be generated and displayed; for users with other types of tokens or for users unable to scan the QR code, the challenge has to be displayed, and they must enter it in the token to generate an OTP. For example, if in the reply you received a challenge equal to 191,565 and the value of transactionData = 9/vhmVzLIm/M+8w9QXiJDA==, then the string for QR code generation will look as follows: transaction://challenge=191565&transactionData=9/vhmVzLIm/M+8w9QXiJDA== To complete the process and verify the transaction, the user must provide the OTP received to the system being protected. After receiving the OTP, the system again sends a POST request to this address: https://api.protectimus.com/api/v1/token-service/tokens/verify-signed-transaction with the following parameters:
- tokenId – user's token identifier;
- transactionData – details of the transaction being verified (it is important to send the details that will actually be used to perform the transaction, not those received in the previous steps);
- hash – hash of the transactionData string generated in the same way as when calling the previous method;
- otp – one-time...
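As an added example (not Protectimus code), here is how a protected system might assemble the two requests above, building transactionData from the fields recommended in the CWYS post and recomputing the hash over the data that will actually be executed. The field layout and separator, hex encoding of the digest, and the placeholder API key and token id are assumptions; the sample challenge and transactionData in the constructed response are the ones quoted above.

```python
import hashlib
import hmac

# Endpoints named on the page.
SIGN_URL = "https://api.protectimus.com/api/v1/token-service/tokens/sign-transaction"
VERIFY_URL = "https://api.protectimus.com/api/v1/token-service/tokens/verify-signed-transaction"


def transaction_data(amount, currency, payee, tx_id, balance_after):
    """Build the transactionData string from the fields the CWYS recommendations
    say to sign. Field order and the ';' separator are assumptions; what matters
    is that every field to be protected is part of the signed string."""
    return (f"amount={amount};currency={currency};payee={payee};"
            f"id={tx_id};balance={balance_after}")


def transaction_hash(api_key, data):
    """HMAC-SHA256 over the transactionData string, keyed with the API key.
    Hex encoding of the digest is an assumption (the page does not say)."""
    return hmac.new(api_key.encode(), data.encode(), hashlib.sha256).hexdigest()


def sign_request(api_key, token_id, data):
    """POST parameters for sign-transaction."""
    return {"tokenId": token_id, "transactionData": data,
            "hash": transaction_hash(api_key, data)}


def qr_payload(challenge, encrypted_data):
    """String to encode into the QR code for a Smart token (format from the page)."""
    return f"transaction://challenge={challenge}&transactionData={encrypted_data}"


def verify_request(api_key, token_id, data_to_execute, otp):
    """POST parameters for verify-signed-transaction. The hash is recomputed over
    the details that will actually be executed, never over cached sign-time data,
    so a substitution between signing and execution shows up as a mismatch."""
    return {"tokenId": token_id, "transactionData": data_to_execute,
            "hash": transaction_hash(api_key, data_to_execute), "otp": otp}


def demo():
    api_key = "PLACEHOLDER-API-KEY"   # placeholder, not a real key
    token_id = 1001                   # placeholder token identifier
    shown = transaction_data("100.00", "USD", "ACME Ltd", "TX-0001", "900.00")
    # Constructed response using the sample challenge and transactionData from the page.
    response = {"challenge": 191565, "transactionData": "9/vhmVzLIm/M+8w9QXiJDA==",
                "tokenType": "SMART", "tokenName": "demo-token", "id": token_id}
    # Malware substituting the payee after the user confirmed what they saw.
    tampered = transaction_data("100.00", "USD", "Mule Account", "TX-0001", "900.00")
    return {
        "sign": sign_request(api_key, token_id, shown),
        "qr": qr_payload(response["challenge"], response["transactionData"]),
        "verify_ok": verify_request(api_key, token_id, shown, "123456"),
        "verify_tampered": verify_request(api_key, token_id, tampered, "123456"),
    }
```

The tampered verify request carries a different hash (and its OTP was generated for different data), which is exactly the mismatch CWYS relies on to reject the substituted transaction.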
read more
Ideal Authentication
Creativity is the art of compromise. One gifted artist may never receive recognition during his lifetime and die penniless (Vincent Van Gogh). Another one may mass-produce a painting a day to order and bask in his glory (Boris Kustodiev). Time was the final judge as to the talent and merit of these two artists and their works, but it happened only after they died. The procedure of authenticity verification is a kind of art, too. For a manufacturer, ideal authentication is reliable data protection at the minimum possible expense. A user is also interested in the price, but expects the maximum possible convenience and transparency of use. A compromise needs to be reached here; there is no possibility for an ideal solution. In the end, friction makes a perpetual motion machine impossible, but it is possible to increase an engine's efficiency coefficient. What is required to verify that a person entering a password is the one who he says he is? In a simple situation, all that is needed is to stand by this person and watch him enter the password. This would not work in most situations — it would mean that one-half of the planet's population would have to be watching the other half. But information can be gathered indirectly by watching where a person is located, what the person buys, what browser the person uses and at what time, whether he has a wife and kids, what sports team the person supports; also, biometric data or behavior details (for example, the handwriting slant, typing speed, etc.) can be taken into account. From all this information collected, it is possible to create an electronic image – a kind of ‘mirror image’ – of this user. This image can be placed in a ‘cloud’ where the data is accessible to the server performing authentication. There is the other side to this coin. The user must agree to the collection of his information. Practical experience shows that there should be no serious problems with that.
Remember what a big deal was made of Facebook introducing new rules for using its members’ information and how everyone was indignant about this blatant intrusion into their personal life, and yet the number of people that actually closed their Facebook accounts because of this was very insignificant. Here we see the need for another compromise. A manufacturer needs to have the complete details for authentication purposes, but part of the necessary information can only be collected using expensive technologies. A user would also like to ensure the maximum protection of his information, but he is not always willing to provide all the information about himself. A manufacturer and a user would probably agree on some of the authenticity verification parameters. For people living on Planet Earth of the Solar System in the Milky Way galaxy, there are currently three compromise factors for authentication purposes: “What I Know”, “What I Own”, and “What I Am”. I know the password; I have a gadget for generating it (a token), and I have the necessary biometric data. At this point in space and time, the “ideal” authentication should take into account all of these three parameters simultaneously. But, biometric sensors are still quite expensive (a concession to please a manufacturer) and...
read more
How to Make Authentication Simple and Secure
The Rothschild brothers, who grew rich making profits on the results of the Battle of Waterloo, used to say: “He who owns information owns the world”. The only thing to specify here is who the information belongs to: yourself or somebody else. All throughout its history, mankind has been involved in authentication technique development, from making call signals imitating birds’ sounds and manual ciphering to logging into a system via GPS. During this entire period of time, the key focus has been the search for a simpler authentication method (one that does not involve compromising a system’s reliability). The problem is that sooner or later all new protection methods grow outdated and obsolete; besides, enterprising fraudsters are no fools – they may not want to own the world, but they do want to own at least some nude celebrity photos. And, as we know, what one man built up another man can break down. In modern times, the information battlefield is the Internet — it is the most convenient platform with the largest audience. Authentication methods are growing more complex and sophisticated, too: digest authentication (HTTPS protocol), OpenID, OpenAuth, etc. At this stage in the society’s development, we have come to a paradoxical conclusion: to make authentication simple, we need to make it more complicated. That is, more complicated for a manufacturer; for a user, things remain as simple as ever. There are three factors that can be used to verify a user: what he knows (a password); what he owns (a card key); and what nature gave him at birth — his biometric data. The three parameters combined in one system — what could be simpler? But, there is also the aspect of cost-effectiveness to be considered. In and of itself, a biometric detector is nothing new; for example, iPhone has the Touch ID technology. But when used together with Apple’s software, the fingerprint scanner will produce an error, which once even led to a recall of an update to iOS 8.0.1. 
On a user’s level, too, there are occasional problems with the use of a scanner. Besides, biometric technologies are relatively expensive. In terms of reliability, they leave much to be desired, too: a small cut can alter a fingerprint. Besides, once a criminal has a person’s biometric data in their possession, they can use the data for illegal purposes indefinitely — until the end of either the criminal’s or the poor discredited person’s natural life. But, the first two factors mentioned above are worth combining, both in terms of cost-effectiveness and protection level. In two-factor authentication, two passwords are used — a reusable static password and a one-time password. In our case, here is what happens when the “One Time Password” technology is used. A user wants to get authenticated in the system and first enters his regular static password and then his OTP (One Time Password) shown on the screen of a special gadget called a token. The system transmits the data to the authentication server, which will use the same algorithm to generate a password and compare it to the password entered by the user; if the two passwords are identical, the system welcomes the user. The gadget costs less than ten dollars, and the service is under a dollar per month. The conclusion...
read more