Attacker hijacks entire online connection or tricks the user into visiting the attacker's fake website.

He then inserts himself between the user and the user's real online financial service, controlling all communications.

A man-in-the-middle attack is where the attacker makes independent connections between the service and user and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. This type of attack commonly circumvents many types of online authentication systems.

The latest trojans, including the Man In The Browser (MITB) attacks, which are defeating the common OTP-style hardware tokens are defended by PassWindow's ability to embed the actual transaction value or type directly into the encoded pattern, thereby alerting the average user to the exact nature or value of the transaction they are authenticating.

This prevents the attacker from switching account details and relaying the generic authentication codes usually given by electronic token devices.

Advanced bulky electronic tokens with attached keypads and inbuilt transaction signing can provide a complex type of user-actioned transaction authentication with a heavy usability cost where the user must enter all the challenge and transaction information into the devices; however, it has been revealed that the complex nature of the method has allowed criminals to bypass even this high level of electronic security by simply programming the user actions under the guise of device resynchronization.

The passive transaction authentication method provided by the PassWindow method protects against user programming, and in doing so allows protection against even the most pernicious malware or social engineering methods.

PassWindow

While the attacker can transfer the authentication challenge images into their fake website the user is viewing, they cannot modify the animated challenge pattern that contains specific transaction information without destroying the information.

The animated challenge consists of multiple randomly-ordered frames:

One frame is the unique authentication code for the transaction, which can be encoded for use only with the transaction amount and a specific foreign account number. The other frame could be a visual check of the last three digits of the transaction destination account number. For example: 'A' and the three specific account digits, in this case 255.

The flexibility of PassWindow enables the number of authentication code digits (in this case 8 digits) to be increased depending on the value of the transaction taking place.

An alternative method enables a much smaller key pattern. The password digits follow the letter P and last 3 digits of the account destination follow the letter A

Superimposed key and challenge patterns

= P34896 A255

The extra encoded information could be almost any unique transaction specific information including name, date, value, IP address or a specific message to the user.

Electronic tokens

With most electronic tokens, the authentication is time or event based and lacks any information about the type or amount of the transaction being verified. The attacker simply requests that the user either enter in their valid authentication code or validate a numeric challenge.

Once the token user believes he is interacting with his genuine financial service, the attacker requests multiple authentications under various innocuous pretences. The user's account is then emptied in the background.

PassWindow overcomes every single failure point below.

Text Passwords:

• Difficult to memorize
• Many password systems allow a user to undermine their own online security by using simple passwords such as "123456".
• Exceedingly harsh password policies are increasingly unworkable in normal authentication environments.
• Significant additional support costs
• Vulnerable to:
  • Brute force and dictionary attacks
  • Electronic interception such as common virus based keyloggers and trojans
  • Social engineering, such as telephone calls purported to be from the service provider or official-looking documents
  • Phishing scams
  • Man-in-the-middle attacks
  • Man-in-the-browser attacks

Software based:

• Never-ending cycle of online attacks and patches
• Very high support costs and very low rates of user acceptance due to often difficult technical implementation requirements
• Users are typically locked into using the single machine or mobile device a security certificate is installed on.
• Does not guarantee the user is present

SMS based:

• Expensive over time
• Certain SMS-based authentication plans bill the user for each SMS message sent.
• No way to confirm that the SMS code has actually reached the client
• User cannot be an international traveller due to international network SMS-standard incompatibilities
• User needs a reliable mobile phone and signal service, which is often not available indoors.
• Large delays in SMS network delivery are common.
• Password sent unencrypted over insecure third-party networks (commonly the telecommunications E3 private network, which enables any other telecommunications companies connected to read everyone else's plain text authentication codes) breaking many security audits.
• Underlying mobile GSM encryption algorithm is essentially broken, allowing SMSs to be read by third parties. Many such attacks are being presented at international security conventions.
• A mobile is generally not considered a security device by the owner and as such is generally more susceptible to various forms of fraud.
• The GSM protocol allows the cancelling of previously sent SMSs, which enables a trojan to cancel security notifications sent to the user when the phone number is changed.
• With the rise of mobile internet banking, the SMS authentication code can no longer be considered out-of-band.
• Vulnerable to:
  • Ordinary telecommunications workers, including the mobile sales force who commonly have access to their clients' SMS history data
  • Social engineering attacks, such as an attacker simply calling the user immediately after the SMS has been sent and purporting to be a representative of the service provider.
  • Phishing attacks designed to clone a victims phone.
  • A variety of increasingly common electronic mobile hijacking attacks.
  • Man-In-The-Middle attacks. 1, 2
  • Man-In-The-Browser (MITB) trojan attacks.
  • Fake authentication messages being sent to a user.
  • An attacker simply churning the users number to a different network and forwarding all calls to the attacker's anonymous mobile. Most mobile networks by law are mandated to make this process easy under anti-competition legislation.
  • the 'TDOS' attack, where a victim's phone is overwhelmed while their online accounts are being looted.

Smart Card / RFID Card / Magnetic Strip:

• Expensive implementation costs
• Primarily designed for in-person authentication and do not provide a method to solve online authentication more so than ordinary tokens
• Vulnerable to a variety of electronic attacks, includuing Man In The Middle
• Electronic cards are relatively expensive
• Providing card readers to each user is expensive
• Will generally not work with mobile phones
• The biggest problem with all three systems is the lack of universal remotely installed Smartcard / RFID / Magnetic Strip readers, as well as their hardware and software support costs.

Hardware tokens:

• Very expensive implementation and management costs
• Limited shelf life due to battery, electronic malfunction, accidental damage and clock synchronization problems
• Time-based tokens place unwelcome pressure on a user to enter the validation code within 30-seconds
• Deployment of hardware tokens is very expensive. Providing secure package delivery for every user is logistically challenging.
• Significant additional support costs
• The physical size of hardware token dissuades users keeping them secure on their person. They are too large and cumbersome for a wallet or pocket, and are therefore often left unattended.
• Validation codes do not guarantee that the token is present at authentication. Due to their bulky nature and the easy availability of instant messaging applications, users are increasingly leaving the devices insecurely with a partner when they travel and then request a valid authentication code via instant messager when needed.
• Their generic appearance enables the original device to be switched, delaying a user reporting the theft while the attacker is using the device to authenticate.
• USB connected tokens require open vulnerable USB ports, which are increasingly used as an attack vector as well as for information theft.
• Vulnerable to:
  • Social engineering
  • Telephone based attacks
  • Man-in-the-middle (MITM) attacks
  • Man-in-the-browser (MITB) attacks

Biometric authentication:

• Does not solve online authentication issues
• Deployment and maintenance of remote biometric hardware is very expensive and logistically challenging
• It is impossible to reissue a user's compromised biological key pattern
• In the case of fingerprint biometrics, the user leaves a copy of their key everywhere they go. Other factors are just as easily recorded and emulated by an attacker.
• Expensive remote hardware required
• It is impossible to delegate rights
• Biometrics often appears to work well in controlled demonstrations with the tolerance set below operating levels; however, these settings produce high rates of false positive responses in many real world applications.
• Easy to spoof most systems
• The variance of many users biological factors is a serious problem for biometrics with some professions, medical conditions and medications obfuscating fingerprints and iris factors.

LiveCD security:

• Significant usability issues, such as speed, portability, lack of associated transaction infrastructure such as accounting software, invoices, bookmarks, emails, personal business information files which will not be present.
• Difficult for the average user to create a LiveCD
• Possible for malware to still infect a system from a system or USB device
• Unable to apply security updates to the LiveCD
• If a service provider, such as a bank, tries to supply LiveCDs to their user base, they will need a large IT support team to manage the various driver and device incompatibility issues.
• If a service provider supplies LiveCDs to their user base, they become vulnerable to fake trojanized versions being either mailed to users or dropped at branch office waiting tables.
• USB-based systems limited by insecurity of USB ports
• Vulnerable to:
  • Common phishing attacks
  • Telephone-based social engineering attacks

Please note: There is nothing special about the tinting shown above, laminates are not necessary, it is printed with the regular printer with merely a grey shade on the key pattern image.

The backlit screen of normal computer displays allow the user to clearly see the authentication numbers through the tinting.

Simple shade tinting around the key pattern even defeats normal photocopiers.