Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » eft review  

Subscribe to Galexia news and announcements.
More information »

Galexia's specialist management consulting services: Galexia has expert consultants in privacy, authentication, electronic commerce and new technology. We leverage our legal, business and technical knowledge to deliver successful business strategies to a diverse range of clients. Find out more »

[Review of E-commerce Legislation Harmonization in ASEAN (2013)]

Review of E-commerce Legislation Harmonization in ASEAN (2013)
Find out more »

Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

[« previous] [next »] [up] [title page] [full contents]

Tricerion Strong Mutual Authentication

Tricerion’s Strong Mutual Authentication (SMA) Server technology provides an example of how keypad technology can be used to achieve website authentication. SMA is a server-based solution in which organisations install an SMA server behind their firewall alongside their existing web application servers. The SMA server incorporates innovations that provide security against phishing attacks.[46]

One of these innovations is keypad personalisation. This works in the following fashion:

  • The user is prompted to enter an account / user name; and
  • The application server passes the account name to the Tricerion SMA server. The SMA server then generates an image map in the form of a personalised keypad for the specific user. The keypad is presented on the user’s screen. The user enters their password by use of the keypad (they cannot enter their password directly using a keyboard – they must use the keypad – avoiding the danger of keystroke loggers being used to intercept the password). The positions of the various characters on the keypad are randomly varied each time the user attempts to log-in.

Authentication of the website to the user is possible because the SMA server stores personalised keypad data for each user. This personalised data allows each user to specify display properties their keypad should exhibit, including background colour, border design, fonts and font size. A fraudulent party does not have access to this personalised data and so even if they try and emulate the keypad display, it is unlikely they will be able to create a keypad that adheres to each user’s individual display preferences. If the keypad displayed to the user varies in appearance from the one they expect to see, they are immediately alerted to the possibility the website they are visiting is spoofed.

SMA supports the use of passwords consisting of either alphanumeric characters or pictures. Users can accordingly define an individual set of symbols (characters or pictures) that is to be displayed to them each time they attempt to log in. Only a subset of these symbols will actually form the user’s password, and the positions of the various symbols will vary at each log in attempt. Thus, if a spoofed website uses a keypad to display symbols that the user does not expect to see, they are again alerted to the possibility that they are being subjected to a phishing attack. Additionally, it is quite likely that the subset of symbols displayed on a spoofed keypad to the user will not contain all the symbols that are part of the user’s password, making it impossible for the user to disclose their password to a fraudulent party.


An example of a personalised keypad that may be presented to an end-user

Tricerion’s implementation of keypad technology is based on another innovation known as triangulation. Triangulation describes a communication paradigm which provides additional resistance to man-in-the-middle attacks. Triangulation works by moving from traditional models of communication between the user and the online service to a trialogue in which communication occurs between the user, online service and a third party server. Communications are thus segmented into multiple, discrete channels so that even if a fraudulent party is able to intercept data transmitted along two of the three channels, they will not be able to make use of it unless they can also compromise the third channel.

[46] Tricerion, Account Hijacking Prevention with the Tricerion Strong Mutual Authentication (SMA) Server, 2005, <http://www.tricerion.com/downloads/984_Tricerion_SMA_-_Account_Hijacking_Protection.pdf>.

[« previous] [next »] [up] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]