Recent reports that any authentication technology relying on SMS text messages may be at risk from a new variant of Zeus, the banking Trojan that has been ported to common mobile phone platforms, have been dismissed as overstated by Swivel Secure’s VP of Technology, Chris Russell.
Whilst Chris accepts that the new variant ‘Zitmo’ (Zeus-in-the-mobile), which targets Android devices, could result in an SMS authentication code being forwarded to a remote attacker’s server, he rejects the suggestion that all mobile phone based authentication systems are vulnerable to this type of attack.
“Unlike other technologies that involve the user receiving the login credential via SMS, PINsafe delivers a random security string which needs a fixed PIN to generate the response. At no time during the process is the user asked to enter their personal PIN, so it is never transmitted either by SMS or over the Internet and cannot be intercepted by any digital eavesdropper, rendering the Trojan ineffective.”
PINsafe uses a simple, patented protocol to generate a one-time code (OTC) for each login session. Ahead of the login, the user is sent a random alphanumeric security string as a text message to their phone. The string is not what the user returns to the server, so on its own it is of no use to an attacker; the user combines it with a fixed PIN, which is never transmitted, to derive the OTC. With the security string carried over the mobile network and the OTC returned to the server over an SSL link, the two halves of the exchange travel over separate channels, and an attacker who captures only the SMS holds neither the PIN nor the response.
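To make the contrast concrete, the following is an added example written for this page; it is not Swivel's code and not taken from the article. It models a PINsafe-style exchange beside a plain SMS one-time-password scheme under the threat the article describes: a Zitmo-style trojan on the phone that forwards every SMS. The positional rule (each PIN digit selects one character of a ten-character security string) is an assumption about how "a fixed PIN generates the response", which the page does not spell out; the names `PinsafeServer`, `derive_otc`, `attack_plain_sms_otp`, `attack_pinsafe`, `candidate_otcs` and the constructed PIN 2580 are illustrative.

```python
import hmac
import secrets
import string

ALPHABET = string.digits + string.ascii_uppercase
STRING_LENGTH = 10  # one position per possible PIN digit 0-9 (assumption)


def new_security_string() -> str:
    """Server side: a fresh random alphanumeric challenge to send by SMS."""
    return "".join(secrets.choice(ALPHABET) for _ in range(STRING_LENGTH))


def derive_otc(security_string: str, pin: str) -> str:
    """Client side, done in the user's head: each PIN digit selects one
    position of the security string (digit 1 = first character, ...,
    digit 0 = tenth). The PIN itself is never typed or sent.
    Positional rule is an assumption; the article only says the string
    'needs a fixed PIN' to produce the response."""
    if len(security_string) != STRING_LENGTH or not pin.isdigit():
        raise ValueError("malformed security string or PIN")
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class PinsafeServer:
    """Minimal server: holds each user's PIN, issues one string per login
    attempt, and consumes it on the first response whether right or wrong."""

    def __init__(self, pins, string_source=new_security_string):
        self._pins = dict(pins)
        self._pending = {}
        self._string_source = string_source  # injectable for deterministic tests

    def start_login(self, user):
        """Returns the SMS body; the real system sends it over the mobile network."""
        s = self._string_source()
        self._pending[user] = s
        return s

    def finish_login(self, user, otc):
        """Called with the OTC the user returned over the SSL link."""
        s = self._pending.pop(user, None)  # single use: gone even if the OTC is wrong
        if s is None:
            return False
        return hmac.compare_digest(derive_otc(s, self._pins[user]), otc)


# --- Threat model from the article: a trojan on the phone forwards every SMS ---

def attack_plain_sms_otp():
    """'Copycat' scheme: the SMS body *is* the credential, so a forwarded copy
    is accepted as-is. Returns True when the attacker's submission passes."""
    otp_sent = "".join(secrets.choice(string.digits) for _ in range(6))
    forwarded = otp_sent  # what the trojan relays to the attacker
    return hmac.compare_digest(forwarded, otp_sent)


def attack_pinsafe(server, user, guessed_pin):
    """Forwarded security string alone: the attacker must still guess the PIN.
    One online attempt per string; returns whether the server accepted it."""
    forwarded = server.start_login(user)  # the SMS the trojan relayed
    return server.finish_login(user, derive_otc(forwarded, guessed_pin))


def candidate_otcs(forwarded_string):
    """Offline view of a forwarded string: every OTC a 4-digit PIN could yield.
    Repeated characters in the string collapse candidates; distinct characters
    leave the attacker the full 10^4 possibilities."""
    return {derive_otc(forwarded_string, f"{p:04d}") for p in range(10_000)}


if __name__ == "__main__":
    srv = PinsafeServer({"alice": "2580"})  # constructed user and PIN
    sms = srv.start_login("alice")
    print("SMS sent:", sms)
    print("legitimate login:", srv.finish_login("alice", derive_otc(sms, "2580")))
    print("replay of same OTC:", srv.finish_login("alice", derive_otc(sms, "2580")))
    print("plain SMS OTP forwarded:", attack_plain_sms_otp())
    print("PINsafe string forwarded, PIN guessed 1111:",
          attack_pinsafe(srv, "alice", "1111"))
```

The server consumes the pending string on the first response, right or wrong, so a forwarded string buys the attacker at most one online guess at the PIN, and because the OTC is entered on the PC and sent over SSL a phone-resident trojan never sees it. `candidate_otcs` shows the offline side under the assumed positional rule: with ten distinct characters a forwarded string leaves all 10^4 PIN-derived responses possible, while repeated characters shrink that set, so a generator for such a scheme does better to favour distinct characters.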
“This is one of our key differentiators,” added Richard H Harris, MD at Swivel Secure. “There are a number of copycat systems that use SMS as part of the process; typically the user is sent a code that they then simply return to prove their identity. Of course it only proves that the person has the phone at the time of the login and yes, the code can be intercepted en route from the client to the server, in which case the reports would be right to say that the Zeus worm is a potential threat. This is not how PINsafe works.”
Mobile two-factor authentication is rapidly becoming the preferred option for authorising access to corporate networks and Web applications, replacing legacy systems that require a separate hardware token. Swivel pioneered enterprise-class, SMS based authentication with the launch of PINsafe in 2003 and has since built a global client base of hundreds of thousands of individual users across the whole range of industry sectors. Current clients include global brand names and multinational businesses as well as SMEs.