Attacker hijacks entire online connection or tricks the user into visiting the attacker’s fake website.

He then inserts himself between the user and the users real online financial service controlling all communications.

A man-in-the-middle attack is where the attacker makes independent connections between the service and user and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. This type of attack while not easy to perform circumvents many authentication procedures.

The latest trojans, including the Man In The Browser (MITB) attacks that are defeating the common hardware tokens are resisted by PassWindow's ability to embed the actual transaction value or type directly into the encoded pattern, thereby alerting the average user to the exact nature and more importantly value of the transaction they are authenticating.

This prevents the attacker from switching account details and relaying the generic authentication codes usually given by electronic token devices.

Direct attacks on the user's browser cache to acquire previously-used challenge keys is prevented by the patterns themselves being constructed of individual image parts and authentication pages spuriously flooding the cache with other possible visual units. In this way, no historical data can be quickly intercepted from a newly compromised machine.

PassWindow

While the attacker can transfer the authentication challenge images into their fake website the user is viewing, they cannot modify the animated challenge pattern that contains specific transaction information without destroying it.

The animated challenge consists of multiple randomly-ordered frames:

One frame is the actual unique authentication code for the transaction, which can be encoded for use only with the transaction amount and a specific foreign account number. The other frame could be a visual check of the last three digits of the transaction destination account number. For example: 'A' and the three specific account digits, in this case 255.

alternative method utilizing a much smaller key pattern. The password digits follow the letter P and account destination following the letter A

= P34896 A255

The flexibility of PassWindow security enables the ability to increase the number of authentication code digits (in this case 8 digits) depending on the value of the transaction taking place. The extra encoded information could be almost any unique transaction specific information including name, date, value or a specific message to the user.

Electronic tokens

With most electronic tokens, the authentication is time or event based without any information about the type or amount of the transaction being authenticated. The attacker simply requests the user either enter in their valid authentication code or validate a numeric challenge.

Once the token user believes he is interacting with his genuine financial service, the attacker is easily able to request multiple authentications under various innocuous pretences from the user as needed by the system in order to empty the users account in the background without alerting the user. The genuine user authentication codes can be instantly sent over a network or messenger to the remote attacker, who then authenticates his fraudulent transaction.

Text Passwords:

• Difficult to memorize.
• Password policies are increasingly unworkable in normal authentication environments.
• Vulnerable to brute force and dictionary attacks.
• Vulnerable to electronic interception such as common virus based keyloggers and trojans.
• Vulnerable to social engineering.
• Vulnerable to man-in-the-middle attacks.
• Vulnerable to man-in-the-browser attacks.
• Significant additional support costs.

Software based:

• Never ending cycle of electronic based online attacks and compromise, too many to list.
• Very high support costs and very low rates of user acceptance due to often difficult technical implementation requirements.
• Users are typically locked into using the single machine or mobile device the security certificate is installed on.
• Does not guarantee the user is present.

SMS based:

• Expensive over time.
• No way to confirm that the SMS code actually reaches the client.
• User cannot be an international traveller due to different network SMS standards incompatibility.
• User needs a reliable mobile phone and signal service, which is often not reliable indoors.
• Large delays in SMS network delivery are common.
• Password sent unencrypted over insecure 3rd party networks (commonly the telecommunications E3 private network which enables any other telecommunications companies connected to read everyone else's plain text authentication codes) breaking many security audits.
• Vulnerable to ordinary telecommunications workers including mobile sales force who commonly have access to clients sms history data.
• Vulnerable to social engineering.
• Vulnerable to an attacker simply churning the users number to a different network and forwarding all calls to the attackers anonymous mobile. Most mobile networks by law are mandated to make this process easy under anti competition legislation.
• Vulnerable to a variety of increasingly common electronic mobile hijacking attacks.
• Vulnerable to man-in-the-middle attacks. ref
• With the rise of mobile internet banking the SMS authentication code can no longer be considered out-of-band.
• Vulnerable to man-in-the-browser attacks.

Smart Card / RFID Card / Magnetic Strip:

• Expensive implementation costs.
• Vulnerable to a variety of electronic attacks.
• Expense of electronic cards for each user.
• Expense of shipping card readers to each user.
• Will not work with mobile phones.
• Vulnerable to man-in-the-middle attacks.
• The biggest problem with all three systems is the lack of universal remotely installed Smartcard / RFID / Magnetic Strip readers and their authentication hardware and software support costs.

Hardware tokens:

• Very expensive implementation and management costs.
• Limited shelf life due to battery, accidental damage and clock synchronization problems.
• Vulnerable to social engineering.
• Vulnerable to man-in-the-middle attacks.
• Vulnerable to man-in-the-browser attacks.
• Deployment of hardware tokens is very expensive in secure package delivery costs for every user and logistically challenging.
• Significant additional support costs.
• Validation codes do not guarantee token is present at authentication. Due to their cumbersome nature and the easy availability of instant messengers users are increasingly leaving the devices insecurely with a partner when they travel and then request a valid authentication code via instant messenger when needed.
• USB connected tokens require open vulnerable USB ports which are increasingly used as an attack vector as well as for information theft.

Biometric authentication:

• Impossible to reissue a user's compromised biological key pattern.
• In case of fingerprint biometrics the user leaves a copy of their key everywhere they go.
• Expensive remote hardware required.
• Deployment and maintenance of remote biometric hardware is very expensive and logistically challenging.
• Unable to delegate rights.
• Easy to spoof most systems.

Please note: There is nothing special about the tinting shown above, laminates are not necessary, it is printed with the regular printer with merely a grey shade on the key pattern image.

The backlit screen of normal computer displays allow the user to clearly see the authentication numbers through the tinting.

Simple shade tinting around the key pattern even defeats normal photocopiers.