PINsafe Buffers Users From SMS Based Zeus Vulnerabilities

Swivel Secure : 03 November, 2010  (Technical Article)
Swivel Secure has declared fears that SMS-based authentication is vulnerable to be irrelevant to PINsafe, which provides one-time codes without transmitting the PIN either by SMS or on a website.

Claims made by Spanish IT security company S21 that authentication technology based on SMS text message transmission may be at risk from a new malware infection have been dismissed by Swivel Secure's CTO Chris Russell as being overstated.

Whilst Chris accepts that the new variant of the Zeus Trojan could theoretically enable an individual's online banking details to be copied and an SMS authentication code to be intercepted, he denies any suggestion that all mobile phone based authentication systems are vulnerable to this type of attack.

"Unlike other technologies that involve the user receiving a security code via SMS, PINsafe delivers a random security string which needs a fixed PIN to generate the response. At no time during the process is the user asked to enter their personal PIN so it is never transmitted either by SMS or over the Internet so cannot be intercepted by any digital eavesdropper, rendering the Trojan ineffective."

PINsafe uses a very simple, patented protocol to generate a one-time code (OTC) for each login session. A random alphanumeric security string is sent to the user's phone as a text message in advance of the login. The user generates the unique login code from their secret PIN and the positions of the characters in the string. With the SMS message transmitted via the mobile network and the OTC returned to the server via an SSL link, the process is doubly secure.
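The derivation described above, as an added example in Python (not Swivel Secure's code). The article says only that the code is built from the secret PIN and the positions of characters in the string, so the 10-character length, the alphabet, the digit-to-position mapping (1 is the first character, 0 the tenth) and the hypothetical LoginServer class are assumptions.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed alphabet
STRING_LEN = 10  # assumed: one position per decimal digit


def new_security_string() -> str:
    """Server side: random string sent to the phone ahead of the login."""
    return "".join(secrets.choice(ALPHABET) for _ in range(STRING_LEN))


def derive_otc(pin: str, security_string: str) -> str:
    """User side: read off the character at each PIN digit's position.
    Assumed mapping: digit 1 -> first character ... digit 0 -> tenth."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must consist of decimal digits")
    if len(security_string) != STRING_LEN:
        raise ValueError("unexpected security string length")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


class LoginServer:
    """Hypothetical server: enrolled PINs plus one pending string per user."""

    def __init__(self):
        self._pins = {}
        self._pending = {}

    def enrol(self, user: str, pin: str) -> None:
        self._pins[user] = pin

    def issue(self, user: str) -> str:
        """Return the string to text to the user; the PIN is not part of it."""
        self._pending[user] = new_security_string()
        return self._pending[user]

    def verify(self, user: str, otc: str) -> bool:
        # Single use: the pending string is consumed by any attempt.
        pending = self._pending.pop(user, None)
        if pending is None or user not in self._pins:
            return False
        expected = derive_otc(self._pins[user], pending)
        return hmac.compare_digest(expected.encode(), otc.encode())


if __name__ == "__main__":
    sms = "K7QX2M9RTB"  # constructed sample string
    print(derive_otc("2468", sms))
```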

"This is one of our key differentiators," continued Chris. "There are a number of copycat systems that use SMS as part of the process; typically the user is sent a code that they then simply return to prove their identity. Of course it only proves that the person has the phone at the time of the login and yes, the code can be intercepted en route from the client to the server, in which case S21 would be right to say that the Zeus worm is a potential threat. This is not how PINsafe works."

Mobile two-factor authentication is rapidly becoming the preferred option for authorising access to corporate networks and Web applications, replacing legacy systems that require some form of token device. Swivel pioneered the use of enterprise-class, SMS-based authentication with the launch of PINsafe in 2003 and has since developed a global client base involving hundreds of thousands of individual users across the whole range of industry sectors. Current clients include global brand names and multi-national businesses as well as smaller SMEs.

In addition to SMS, PINsafe offers a range of other user interface options, including an image-based system for low-risk Web applications as well as a Java application and an iPhone app that can run on a range of smart mobile devices, further protecting the user ID from malware such as the Zeus Trojan.

Accredited under the UK government's CCTM scheme and the only non-token based technology approved for the Microsoft 365 environment, PINsafe is the fastest growing form of mobile two-factor authentication technology in the world, delivering massive cost savings for businesses without risk to the user's ID or the integrity of the network.