Internet Threat Protection - Overview
Every year, as the market for stolen personal information grows, new threats appear. One example is the dangerous form of phishing known as “man-in-the-middle” (MITM), which rose to prominence in 2006. The attacker fools the user into logging in to a fraudulent site and relays the session to the real one, capturing credentials that remain usable even when they were generated by one-time password (OTP) tokens or grid cards. Traditional username/password logins are vulnerable to a range of such threats and do not meet regulatory policies or best practices for preventing identity fraud, while hardware-based approaches require changes to your users' behavior and are prohibitively expensive to deploy and manage.
Whether you cater to millions of consumer users or thousands of employees and partners, you have to protect your data and your systems from these emerging threats. Arcot's unique software-only approach to authentication gives you a competitive advantage when dealing with threats like MITM by delivering PKI-based protection while retaining a familiar username/password interface.
Here are some examples of how we protect against the range of Internet threats you face:
MITM/Phishing:
- Threat: An attacker fools the user, typically via email, into logging in to a fraudulent site that relays the session to the real one
- Solution: Arcot offers three ways to stop MITM/phishing:
  - RiskFort risk-based authentication detects unusual patterns of behavior even when the credentials presented are legitimate, and can block the transaction in real time. RiskFort collects and analyzes a range of data automatically to score the fraud potential of each login or transaction.
  - WebFort strong authentication uses the ArcotID file and a password as two factors. Even with the user's password, a fraudster cannot log in without the private key held in the ArcotID file (see Brute Force below). The ArcotID also only prompts the user for credentials when it is talking to the domain that issued it, so a look-alike site never receives a usable response and the MITM attack fails.
  - The optional Personal Assurance Message (PAM) shows the user a pre-chosen message that confirms the site's authenticity before the password is entered.
Pharming:
- Threat: An attacker poisons a DNS server so that users requesting the real site's name are redirected to a fake web site
- Solution: The ArcotID client checks that it has an SSL connection to the domain that issued it before it authenticates. A poisoned DNS record does not give the attacker a valid certificate for that domain, so the check fails and the ArcotID client will not authenticate to the fraudulent site.
Replay:
- Threat: An attacker captures a copy of an ArcotID challenge/response exchange and later replays the signed response to the WebFort server
- Solution: Each challenge a WebFort server issues is unique and is accepted only once. If the attacker replays a signed challenge, WebFort detects that it has already been verified and rejects the authentication attempt.
Malware:
- Threat: Malware records every keystroke and mouse click on the computer and periodically sends the recording to the criminal who planted it
- Solution: Our optional Scrambled PIN Pad thwarts keystroke- and click-logging malware. The PIN Pad is a virtual keyboard whose layout changes every time it is displayed, so a recorded sequence of click positions cannot be mapped back to the PIN. It is a defense against input logging; malware that captures the screen itself is outside its scope.
Brute Force:
- Threat: An attacker copies the key container (the ArcotID file) to his own equipment and tries millions of passwords offline, which with a conventional key store eventually discloses the private key
- Solution: Arcot's patented “Cryptographic Camouflage” technology encrypts the private key under the user's password with standard encryption algorithms, but stores it without the redundancy (headers, checksums, or the public key) that would let a guess be checked offline. Decrypting with any password, right or wrong, yields a value that has all the specific, particular and well-documented characteristics of a private key, so the attacker cannot tell a wrong guess from the right one without presenting the resulting key to the server. Every such attempt is an online login, and you can configure how many failed attempts a user may make before being locked out.
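The mechanism behind the Replay and Brute Force entries above, as an added example in Python that is not Arcot's code. It stands in Schnorr signatures over secp256k1 for the ArcotID key pair, PBKDF2-SHA256 for the password-derived encryption key, and a toy ChallengeServer class for WebFort; wrap_key, unwrap, offline_guess and demo are names chosen here, and the guess list is constructed. It contrasts a camouflaged container with a naive one that stores a hash of the public key: the naive file yields its password to an offline dictionary run and the camouflaged one does not, every wrong guess at the camouflaged file still produces a key that signs and self-verifies, a replayed signed challenge is rejected because each challenge is consumed on first use, and three wrong online guesses lock the account before the right password is reached.

```python
# Added example, not Arcot's code. Stand-ins: Schnorr over secp256k1, PBKDF2-SHA256, toy ChallengeServer.
import hashlib
import os

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):  # affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def enc(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")
def _e(R, Y, msg):
    return int.from_bytes(hashlib.sha256(enc(R) + enc(Y) + msg).digest(), "big") % N

def sign(x, msg):  # Schnorr: R = kG, s = k + e*x (mod N); any x in [1, N) signs like a real key
    Y, k = ec_mul(x, G), int.from_bytes(os.urandom(32), "big") % N or 1
    R = ec_mul(k, G)
    return (R, (k + _e(R, Y, msg) * x) % N)
def verify(Y, msg, sig):
    return ec_mul(sig[1], G) == ec_add(sig[0], ec_mul(_e(sig[0], Y, msg), Y))

def _pad(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000, dklen=32)

def wrap_key(x, password, naive=False):
    """Camouflaged form: no checksum, header or public key in the file, so ANY password unwraps
    to a well-formed scalar in [1, N). Naive form adds a public-key hash a thief can test offline."""
    salt = os.urandom(16)
    c = {"salt": salt, "wrapped": bytes(a ^ b for a, b in zip(x.to_bytes(32, "big"), _pad(password, salt)))}
    if naive:
        c["pub_hash"] = hashlib.sha256(enc(ec_mul(x, G))).digest()
    return c
def unwrap(c, password):
    return int.from_bytes(bytes(a ^ b for a, b in zip(c["wrapped"], _pad(password, c["salt"]))), "big") % N or 1

def offline_guess(c, wordlist):  # a thief holding only the stolen file and a wordlist
    for pw in wordlist:
        if c.get("pub_hash") == hashlib.sha256(enc(ec_mul(unwrap(c, pw), G))).digest():
            return pw
    return None  # camouflaged file: every candidate is equally plausible, nothing to compare

class ChallengeServer:
    """Holds the public key (the only thing that tells a right key from a wrong one), issues
    one-time challenges, and locks the account after max_attempts failures."""
    def __init__(self, Y, max_attempts=3):
        self.Y, self.max_attempts = Y, max_attempts
        self.failures, self.locked, self.outstanding = 0, False, set()
    def challenge(self):
        c = os.urandom(32)
        self.outstanding.add(c)
        return c
    def login(self, challenge, sig):
        if self.locked or challenge not in self.outstanding:
            return False  # locked, or an unknown / already-used challenge (replay)
        self.outstanding.discard(challenge)  # consumed on first use, whatever the outcome
        if verify(self.Y, challenge, sig):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_attempts
        return False

def demo():
    x = int.from_bytes(os.urandom(32), "big") % N or 1
    wordlist = ["password", "letmein", "qwerty", "hunter2"]  # constructed guess list
    naive, camo = wrap_key(x, "hunter2", naive=True), wrap_key(x, "hunter2")
    server = ChallengeServer(ec_mul(x, G))
    ch = server.challenge()
    sig = sign(unwrap(camo, "hunter2"), ch)
    legit = server.login(ch, sig)   # True
    replay = server.login(ch, sig)  # False: that challenge has already been consumed
    online = []
    for pw in wordlist:  # three wrong online guesses lock the account before the right one
        ch = server.challenge()
        online.append(server.login(ch, sign(unwrap(camo, pw), ch)))
    # every wrong guess at the camouflaged file still yields a key that signs and self-verifies
    plausible = all(verify(ec_mul(xc, G), b"probe", sign(xc, b"probe"))
                    for xc in (unwrap(camo, pw) for pw in wordlist))
    return {"offline_naive": offline_guess(naive, wordlist), "offline_camouflaged": offline_guess(camo, wordlist),
            "wrong_keys_look_valid": plausible, "legit": legit, "replay": replay,
            "online": online, "locked": server.locked}
```

demo() returns a dictionary of the outcomes. The curve arithmetic is deliberately plain affine code that is adequate for a demonstration only; in production a constant-time library should replace it, and the XOR wrapping should be read as "encrypt with a password-derived key and store no redundancy", which is the property the camouflage depends on.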