What Hides Beneath SMS Authentication?

We have to pay for everything in life. Whatever you may call it — the law of conservation of energy, karma, or Divine Providence — that is how it is and how it will always be. In the 19th century, a postal courier loyal to his sovereign would risk his life delivering a letter to the addressee, which took up to a month, protecting it from any possible foes. In the 21st century, data exchange is carried out instantly, but it is a lot easier to ‘break the seal’.

Cybercrime is increasingly on the rise. In 2013, in the USA alone over 3000 companies were victims of hackers’ attacks. Forty million people suffered from the consequences of these crimes; 160 billion dollars was stolen. In 2014, the share of cyber crimes in the Russian Internet was 41% (11 thousand cases) of all the registered crimes in the IT environment. In early 2015, hackers’ attacks on bitcoin exchanges sent shock waves through the community of holders of the cryptocurrency, which lost half of its value.

SMS authentication

According to the already mentioned law of conservation of energy (or money, in our case), online security and protection methods are also becoming more sophisticated. Regular passwords have been replaced with two-factor authentication. Banks’ customers use it regularly when they receive one-time access codes via SMS messages. Admittedly, it is a step forward, but one can still trip over it.

After a message is sent from a bank, it goes through an SMS gateway and the GSM network, a chain of servers and transmission towers. That explains the noticeable delay between pressing the Confirm Payment button and receiving the SMS message. Sometimes it takes up to five minutes, which is a long time by the standards of the 21st century: during this window the SMS message can be intercepted and redirected, i.e. used for criminal purposes. Hackers now operate automated toolkits and can use the password from an SMS message within a split second. Add to this the fact that some stages of the "short message" transmission process are handled by people, and it is a well-known fact that big money can be quite a temptation. There is even a special term for this kind of attack: "man in the middle". It describes a situation in which the attacker sits "in the middle", between a bank and its customer.

How can the weaknesses of SMS authentication be neutralized? One option is the two-factor authentication system offered by the company Protectimus. A one-time password is generated by a token, a device held by the customer, and sent to the server, where it is compared with a password the server generates using the same algorithm and the same input parameters. The company offers four kinds of these devices, plus support for SMS and email tokens. The one-time passwords themselves can be generated by one of three algorithms:

  • By event (each press of the token's button advances a counter);
  • By time (the token's internal clock is used);
  • By challenge-response (the server's challenge is one of the input parameters).
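As an added example (not Protectimus code), here are the event-based and time-based algorithms from the list above implemented per RFC 4226 (HOTP) and RFC 6238 (TOTP), together with the server-side comparison step the text describes: the server recomputes the code from the shared secret and the same inputs and checks it in constant time. The look-ahead and clock-skew windows are assumed policy values, and the secret is the RFCs' published test secret.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real key).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, look_ahead: int = 5):
    """Server-side check for an event-based token. Returns the matching counter
    (which the server must persist) or None. The look-ahead window tolerates
    button presses whose codes never reached the server; advancing the stored
    counter past the match is what prevents replay of an already-used code."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current time step and +/- `skew` neighbouring steps so that
    a small clock drift between token and server does not lock the user out."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at + k * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))
    print("TOTP at T=59:  ", totp(TEST_SECRET, 59))
```

A token that never reaches the server (a missed press or a skewed clock) is the failure mode the windows handle; shrinking them tightens security at the cost of more resynchronisation.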
Protectimus hardware TOTP token

The reliability of the system is confirmed by certification from the Initiative for Open Authentication (OATH), which subjects any solution claiming compliance with its requirements to various tests. Besides, the products offered by Protectimus are continuously improved. Recently a data-mining analysis feature has been developed and is now in use: in short, it verifies a user's authenticity from the user's 'virtual environment'. The company's plans include adding a biometric authentication factor.

Why is it convenient for banks? Firstly, there are two solution options to choose from:

  • Use the so-called SaaS, software as a service (in the same way as Google's cloud services Docs and Drive);
  • Integrate the Protectimus platform into the existing security system (a flexible application programming interface keeps this process simple).

Secondly, the intuitive user interface works well on the various types of devices (computer, smartphone, tablet). Thirdly, the developers provide customers with complete documentation and comprehensive support.

And, fourthly, it is all about the money, of course. Compared with the competitors' prices, the cost of owning the Protectimus system is half as much. In absolute terms, one of the token types costs less than ten dollars, and the service costs start at one dollar per month per token. Customers get a comprehensive, systematic approach to solving data-security problems, full-scale authentication management, as well as event monitoring and emergency notification systems. All the features are available on the project's website in full-scale demo mode (when you register in the system, you also receive $25 in your account).

Yes, we have to pay for everything in life. However, when big money is at stake – and, as a result, your customers’ peace of mind and your company’s reputation – it makes more sense to pay to ensure protection than to pay as a regrettable consequence of lacking system security.


Author: Cyber Max

Max has extensive experience in various fields of IT. The main service areas he is involved in are financial services solutions, web development, mobile device management and security solutions. In previous projects Max has acted as initiator, architect, developer, mentor, program/project manager and co-founder.
