PINsafe Two-Factor Authentication Technology Thwarts Impact of Zeus Worm
28th October 2010, Wetherby, UK; Claims made by Spanish IT security company S21 that authentication technology based on SMS text message transmission may be at risk from a new malware infection have been dismissed as overstated by Swivel Secure’s CTO, Chris Russell.
Whilst Chris accepts that the new variant of the Zeus Trojan could theoretically enable an individual’s online banking details to be copied and an SMS authentication code to be intercepted, he denies any suggestion that all mobile phone based authentication systems are vulnerable to this type of attack.
“Unlike other technologies that involve the user receiving a security code via SMS, PINsafe delivers a random security string which needs a fixed PIN to generate the response. At no time during the process is the user asked to enter their personal PIN so it is never transmitted either by SMS or over the Internet so cannot be intercepted by any digital eavesdropper, rendering the Trojan ineffective.”
PINsafe uses a very simple, patented protocol to generate a one-time code (OTC) for each login session. Users are sent a random alphanumeric security string as a text message to their phone, in advance of needing it. They generate the unique login code from their secret PIN and the positions of the characters in the string. With the SMS message transmitted via the mobile network and the OTC returned to the server via an SSL link, the process is doubly secure.
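The challenge-and-response flow described above, as an added sketch that is not Swivel's code. It assumes a 10-character string in which PIN digit d selects the d-th character (0 selects the 10th); that mapping and all names (`derive_otc`, `Verifier`) are hypothetical, since the page does not give them.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
STRING_LEN = 10  # assumed length, so each PIN digit maps to one position


def new_security_string():
    """Server side: random challenge that is sent to the phone by SMS."""
    return "".join(secrets.choice(ALPHABET) for _ in range(STRING_LEN))


def derive_otc(pin, security_string):
    """Pick one character per PIN digit (assumed mapping: digit d selects
    the d-th character, 1-based, with 0 meaning the 10th)."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must consist of digits")
    if len(security_string) != STRING_LEN:
        raise ValueError("security string must be 10 characters")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


class Verifier:
    """Server side: holds each user's PIN and the outstanding challenge.
    The server needs the PIN itself to compute the expected code, so
    protecting this store is part of the design (assumption of this sketch)."""

    def __init__(self, pins):
        self._pins = dict(pins)
        self._pending = {}

    def issue(self, user):
        challenge = new_security_string()
        self._pending[user] = challenge
        return challenge  # only this value travels over SMS, never the PIN

    def verify(self, user, otc):
        # pop() makes the challenge single use: a replayed OTC fails.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._pins:
            return False
        expected = derive_otc(self._pins[user], challenge)
        # Constant-time comparison avoids leaking how many characters match.
        return hmac.compare_digest(expected.encode(), otc.encode())
```

Each accepted code consumes its challenge, so a captured code cannot be submitted a second time.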
“This is one of our key differentiators,” continued Chris. “There are a number of copycat systems that use SMS as part of the process; typically the user is sent a code that they then simply return to prove their identity. Of course it only proves that the person has the phone at the time of the login and yes, the code can be intercepted en route from the client to the server, in which case S21 would be right to say that the Zeus worm is a potential threat. This is not how PINsafe works.”
Mobile two-factor authentication is rapidly becoming the preferred option for authorising access to corporate networks and Web applications, replacing legacy systems that require some form of token device. Swivel pioneered the use of enterprise-class, SMS-based authentication with the launch of PINsafe in 2003 and has since developed a global client base involving hundreds of thousands of individual users across the whole range of industry sectors. Current clients include global brand names and multi-national businesses as well as smaller SMEs.
In addition to SMS, PINsafe offers a range of further user interface options, including an image-based system for low-risk Web applications as well as a Java application and an iPhone app that can run on a range of smart mobile devices, further protecting the user ID from malware such as the Zeus Trojan.
Accredited under the UK government’s CCTM scheme and the only non-token-based technology approved for the Microsoft 365 environment, PINsafe is the fastest growing form of mobile two-factor authentication technology in the world, delivering massive cost savings for businesses without risk to the user’s ID or the integrity of the network.