How Out-of-Band Authentication used for transaction verification can help financial services firms protect online customers from organized cyber criminals.



Copyright January 2011, Authentify, Inc.

Defending Financial Accounts from the Wrong People Armed with the Right Information.

“Houston, we’ve had a problem…” Command Module Pilot John Swigert, Apollo XIII

On August 26, 2009, the FDIC issued a special alert (SA-147-2009) warning financial institutions of an increase in fraudulent Electronic Funds Transfers (EFTs) and associated losses as a result of compromised user credentials. These compromises were the result of malware and Trojan infections such as Clampi and ZeuS/Zbot. www.fdic.gov/news/news/specialalert/2009/sa09147.html

On November 3, 2009 the FBI issued a press release citing an uptick in cybercrime targeting corporate wire transfer and ACH accounts. School districts and small to midsize businesses seemed to be targeted in particular.

At a May 2010 FDIC-sponsored symposium on combating commercial payments fraud, a panel of experts from government and industry discussed how cybercriminals using increasingly sophisticated malware had rendered many common authentication techniques ineffective. One speaker at the event was David Nelson, a fraud specialist with the FDIC Cyber Fraud and Financial Crimes Section. According to Mr. Nelson, SMBs and their financial institutions suffered about $120 million in losses due to fraudulent EFTs (Electronic Fund Transfers) in the third quarter of 2009, up from about $85 million in the third quarter of 2008.

Premeditated, Persistent and Proficient

Organized, talented and persistent cybercriminals have systematically targeted banking, brokerage, payroll and other financial services accounts of individuals, businesses and municipalities in the United States and around the globe. This is possible because the cybercriminals are using sophisticated malware strains in the ZeuS/Zbot family. These are Trojan Horse keystroke loggers designed to capture logon and account information. They can be targeted at specific financial institutions and are often not detected by antivirus software. There is recent evidence that a more advanced form of the malware, named SpyEye, has been developed and distributed.

The Authentication Challenge in a Cyber World

Did you ever borrow someone’s driver’s license (or know someone who did?) to get into a bar or club before you were 21? At the door, after a perfunctory glance at the birthday, the doorman might let you enter. Additional authentication usually consisted of the doorman holding the license and asking “What’s your Zip Code?” Likely you memorized that information just in case, and routinely you were admitted. You’re probably thinking, “Sure – but what about the photo?” Without the photo and the advantage of an in-person comparison, the above scenario is a close approximation of an authentication in cyberspace. Being armed with a credential and knowing the right information gets a user access.

The challenge of protecting an online account from a user who, from all appearances, ‘is’ the legitimate user is becoming more difficult. In fact, an alert issued by the FDIC in August 2009 directed financial institutions to additional guidance on authentication and information security for high-risk transactions, including FDIC FIL-66-2005 titled “Guidance on Mitigating Risk from Spyware.” The following is an excerpt from that guidance:

“Investigate the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer’s ID, password and account numbers.”

Sounds a bit like getting into that bar doesn’t it?

The Telephone as an Internet Defense Mechanism

Once upon a time, validating the information behind a financial transaction or payment was easy. Someone from your bank would call you at a phone number they trusted belonged to you. If the person calling was familiar with you, they often recognized your voice and needed no further assurance that they had reached the right person. Authentication was provided via a familiar voice behind a telephone number at which you could be reliably reached. No one ever referred to a phone call from your banker as Out-of-Band Authentication (OOBA), but in reality that is the function of the call.

The Public Switched Telephone Network, or PSTN, is widely deployed, reliable and leaves quite a trail when you use it. After all, phone companies worldwide share a vested interest in being able to charge one another, and you, for using their networks.

Viewed in this manner, the telephone network offers considerable potential for use in remote user authentication schemes, provided the Internet and Telephone can be used simultaneously. The approach offers a practical way to manage online payment account enrollment and provide an additional authentication procedure at the transaction level. Telephone contact offers direct, out-of-band contact with an account owner at times when it is critical to do so.

The following schematics illustrate, at a high level, the application flow of a ‘typical’, (if there is such a thing) account compromise, and the way a modification to the authorization process to include a phone based out-of-band funds transfer verification can protect online financial accounts.

1. A cybercriminal hosts an infected Web site on the Internet and launches a phishing email, or pays for ads on search sites to drive traffic to the site. Reports on industry trends targeted at specific categories of small to mid-sized businesses are often used as the lure.

2. An employee from an SMB visits the Web Site and downloads an innocent looking whitepaper or report, and behind the scenes gets a malware payload also.

3. At some point the employee accesses the company’s online accounts at its financial institution, and the malware captures the logon ID, account number and password.

The malware is likely capturing any and all keystrokes the employee types. Consequently every username and account the employee uses is at risk, including email, 401k accounts, personal banking accounts and corporate accounts.

[Figure: infection flow. The SMB employee downloads a whitepaper from the cybercriminal’s site; the malware payload captures the logon to the SMB’s bank and reports it to the cybercriminal.]


4. While the employee remains connected to the Internet, or the next time they connect, the malware quietly sends the keystroke log file back to the cybercriminal, usually via a number of hops through anonymous proxy servers.

5. Armed with the correct account information, the cybercriminal accesses the SMB’s account at the bank.

6. Having gained access, the criminal must now attempt to transfer funds via electronic funds transfer or an e-payment capability. In an online financial environment protected by Out-of-Band Authentication provided by Authentify, any attempt to add a new destination account for funds transfer or e-payment would trigger a phone call to a telephone number associated with the account.

In order to complete a fraudulent transaction, the criminal would have to compromise the online account information AND also be able to answer a telephone that belongs to an SMB employee authorized to use the account. An employee answering the automated telephone call from the bank would have the ability to cancel the transaction. If the call was routed to an office phone after hours and no one picked up, the transaction would also be cancelled. Out-of-Band Authentication thwarts the cyber thief whether armed with stolen logon credentials or hijacking a transaction in flight (Man-in-the-Middle | Man-in-the-Browser), by repeating the context of the transaction to the end user via a channel the thief cannot intercept.

[Figure: the cybercriminal, logged in to the SMB’s account at the SMB’s bank, attempts a funds transfer. The Authentify Service Center calls the SMB’s phone of record (incoming call from 773-243-0300): “If you are sending $50,000 to an account...” and waits for a keypad response.]
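The six-step flow above, together with the list of sensitive transactions in the best-practices section that follows, as an added example: a simulation of telephone out-of-band transaction verification. This is illustrative code written for this page, not Authentify’s product, API or call flow. The events that trigger a call, the 10,000 “larger than normal” threshold, the six-digit confirmation number, the 90-second answer window, the phone number and the account labels are all assumptions, and the “phone network” is a plain function standing in for a telephony provider.

```python
"""Simulation of telephone out-of-band transaction verification.
Illustrative code for this page, not Authentify's product: the trigger policy,
threshold, code length, answer window and phone "network" are all assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ALWAYS_VERIFY = {"add_payee", "password_change", "address_change"}
LARGE_TRANSFER = 10_000.00   # assumed "larger than normal" threshold
CALL_WINDOW_SECONDS = 90     # assumed: a late or unanswered call cancels

# The telephone channel: dial(number, spoken_text) -> (answered, keypad_digits)
PhoneNetwork = Callable[[str, str], Tuple[bool, str]]


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    event: str          # "transfer", "add_payee", "password_change", ...
    amount: float
    destination: str    # what the server will actually act on
    phone_on_file: str  # enrolled earlier, never taken from the current session


def requires_oob(txn: Transaction) -> bool:
    """Risk policy: which online events get a verification call."""
    if txn.event in ALWAYS_VERIFY:
        return True
    return txn.event == "transfer" and txn.amount >= LARGE_TRANSFER


class OobVerifier:
    def __init__(self) -> None:
        self.pending: Dict[str, Tuple[str, Transaction, float]] = {}

    def begin(self, txn: Transaction, now: float) -> str:
        """Park the transaction; return the one-time number shown in the browser."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn.txn_id] = (code, txn, now)
        return code

    def place_call(self, txn_id: str, now: float, network: PhoneNetwork) -> str:
        """Dial the number of record, read the server-side transaction back and
        collect a keypad reply. Anything but the right code in time cancels."""
        code, txn, started = self.pending.pop(txn_id)
        if now - started > CALL_WINDOW_SECONDS:
            return "cancelled: verification window expired"
        spoken = (f"Request to {txn.event.replace('_', ' ')} of {txn.amount:,.2f} "
                  f"to {txn.destination}. Enter the confirmation number on your "
                  "screen to approve, or press star to cancel.")
        answered, digits = network(txn.phone_on_file, spoken)
        if not answered:
            return "cancelled: no answer on phone of record"
        if digits == "*":
            return "cancelled: account holder rejected"
        if hmac.compare_digest(digits, code):   # constant-time comparison
            return "approved"
        return "cancelled: confirmation number mismatch"


def employee(phone: str, intended: Optional[str], screen_code: str) -> PhoneNetwork:
    """Simulated account holder: answers only on their own phone, keys in the
    on-screen number only if the call describes what they actually requested,
    and presses * for anything they did not ask for."""
    def answer(dialed: str, spoken: str) -> Tuple[bool, str]:
        if dialed != phone:
            return False, ""
        if intended is not None and intended in spoken:
            return True, screen_code
        return True, "*"
    return answer


def nobody_home(dialed: str, spoken: str) -> Tuple[bool, str]:
    """Office line after hours: the call rings out."""
    return False, ""


PHONE = "+1-773-555-0100"             # constructed phone of record
ACME = "Acme Supplies acct ...1234"    # constructed legitimate payee
MULE = "acct ...9999"                  # constructed account the criminal controls


def run(txn: Transaction, intended: Optional[str],
        network: Optional[PhoneNetwork] = None, delay: float = 20.0) -> str:
    """One end-to-end verification; returns the decision string."""
    v = OobVerifier()
    code = v.begin(txn, now=0.0)                  # displayed in the web session
    network = network or employee(PHONE, intended, code)
    return v.place_call(txn.txn_id, now=delay, network=network)


def legitimate() -> str:          # employee sends 50,000 to Acme and confirms
    return run(Transaction("t1", "transfer", 50_000, ACME, PHONE), intended=ACME)

def stolen_credentials() -> str:  # thief logs in with keylogged creds, adds a payee
    return run(Transaction("t2", "add_payee", 0, MULE, PHONE), intended=None)

def man_in_browser() -> str:      # destination swapped in flight; call reads the real one
    return run(Transaction("t3", "transfer", 50_000, MULE, PHONE), intended=ACME)

def after_hours() -> str:         # nobody picks up the office phone
    return run(Transaction("t4", "transfer", 50_000, ACME, PHONE), intended=ACME,
               network=nobody_home)

def too_slow() -> str:            # verification not completed within the window
    return run(Transaction("t5", "transfer", 50_000, ACME, PHONE), intended=ACME, delay=120.0)
```

Three design points carry the security argument of the flow above. The phone number is taken from enrolment data, never from the session the attacker controls. The call reads back what the server is about to do, not what the browser displayed, so a destination altered by a man-in-the-browser is heard by the account holder. And the decision fails closed: no answer, an expired window, a star key or a wrong number all cancel; only the right confirmation number, keyed in by whoever holds the phone, approves.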


Best Practices For Out-of-Band Authentication

The use of a telephone call synchronized to an online user’s Web session, as shown, can defeat an unauthorized user attempting to use an account. The telephone becomes a proxy for a security token: something the end user physically possesses and the cyber thief does not.

When evaluating Web security and financial transaction security it is important to recognize that ALL security techniques and technologies should be applied in layers to be most effective. Any single authentication technique or form factor becomes a single point of failure when used alone.

Referring back to the “borrowed” driver’s license example, relying on possession of the driver’s license, the doorman lets you inside. If the doorman at the bar also called a phone number known to go with the address on the license and asked for the party whose name appeared on the front of the license – you’d be turned away if that person came to the phone. This is a very simple – but perhaps familiar example of multi-factor authentication.

Out-of-Band Authentication or OOBA is very useful for strengthening the authentication ahead of some sensitive online events, often the point of attack by cyber thieves. For instance, just as a jewel thief in the physical world needs to “fence” their stolen goods to turn them into cash, a cyber thief needs to move funds to an account they control to actually turn a theft into cash for themselves. Sensitive transactions that are best protected with out-of-band authentication include:

• The addition of a new payee or routing number to an e-account
• A password replacement/change
• An address or other critical information change
• A larger than normal transaction

Authentify first introduced its telephone based authentication services at the RSA Security Conference in 2001. In the decade that has passed since that introduction Authentify has:

• Completed hundreds of millions of calls validating user registrations, financial transactions, logons and other online ‘events’ on behalf of our clients, which include many of the most hacked, attacked, phished and pharmed e-businesses on the Internet.

• Assisted the FBI, INTERPOL, and numerous law enforcement agencies tracking cyber criminals around the globe.

• Testified before the FCC, the U.S. Congress, the Senate Banking Committee and other legislative bodies regarding threats posed by organized cybercriminals and identity thieves.

• Developed numerous features, functionality and behind-the-scenes technologies to ensure the Authentify process is much more than just a phone call. In a recent report, one of the leading analysts in the online fraud space indicated Authentify was the only phone-based 2-factor or 3-factor authentication vendor capable of defeating common exploits against phone-based strong authentication schemes.


A High Level Schematic of an Authentify OOB Enabled Application

The interface to Authentify is a standard XML API. The telephone call process is invoked as a Web service in true Service Oriented Architecture fashion. The code of existing applications need not be modified, except to add telephone number fields to directories or registration screens. Your application stores the telephone number and passes it to Authentify.

[Figure: an Authentify OOB-enabled application. The Web server connects to the Authentify Service Center over mutually authenticated HTTPS connections via the XML API. The Service Center conducts a synchronized, real-time, interactive, bi-directional exchange with the end user over the PSTN; it draws on public or third-party data sources and on telephone data analytics taken directly from the telephone network (SS7), and performs call-forward detection. The end user sees an incoming call from 773-243-0300 and responds on the keypad.]


Application flows can include any of the following elements in a sequence chosen to best protect the application or information you wish to protect:

Product features / application elements (note: all available features are seldom used in a single implementation):

• Automated Outbound Telephone Call
• DTMF (Phone Keypad) Confirmation Number Exchange
• Bi-directional Confirmation Number Exchange
• Spoken Confirmation Number Exchange (speech recognition)
• Shared Secret Spoken Exchange or Challenge/Response
• Voice Recording Capture
• Playback of Recording “on file” for Mutual Authentication (is the ‘right’ place calling me?)
• SMS OTP/PIN Delivery
• Voice Biometrics
• Global Telephone Data Analytics
• Call Forward Detection
• Email Integration
• Audit Trail Reporting
• Delegated Enrollment Templates
• Inbound Call to Console with Biometric Authentication
• “Liveness” Test or CAPTCHA Keystroke or Utterance
• E-signature Template and Document/Voice Hash

Voice applications are supported in any language, with voice prompts recorded by professional human voice talent. Randomly generated audio strings are also produced using text-to-speech built from human voice recordings rather than synthetic voices.

About Authentify, Inc.

Authentify, Inc. provides automated authentication services to prominent global businesses, routinely protecting accounts and transactions in more than 150 countries. Authentify delivers an effective authentication process relying on making telephone contact with a user while they are managing an online account. It is a process that is practical for businesses, easy for users and effective worldwide by virtue of leveraging the reach and stability of the public switched telephone network. The company’s patented technology employs a message-based architecture permitting easy layering with existing technology and infrastructure. The company’s primary focus is providing authentication services that enable routine but sensitive processes to complete with high levels of certainty.

For more information, contact Authentify at:

Authentify, Inc. - Headquarters
8745 West Higgins Road, Suite 240
Chicago, IL 60631
Phone: 773-243-0300
Email: [email protected]

Authentify, Ltd. Hong Kong
12/F, Capitol Centre, Tower II
28 Jardine’s Crescent
Causeway Bay, Hong Kong
Phone: +852 9304 6699

Authentify technology is protected by U.S. Patent Nos. 6,934,858 / 7,383,572 / 7,461,258.


www.authentify.com