The Problem With Standard Security

Fraud and theft are by no means new problems. However, new technologies, increased demand for more convenient and faster payment transactions and the growing popularity of mobile devices and online shopping have given rise to a sharp increase in fraud incidents over the last few years.

According to the Australian Payments Clearing Association (APCA), the payments industry’s self-regulatory body, fraud on Australian-issued payment cards increased to $280.5 million in 2013. This is against an increase of 4% to $607.9 billion on the total amount spent by Australians on their cards.

The figures also show that card-not-present (CNP) fraud continued to represent the bulk of fraud on Australian-issued cards over the 12-month period to the end of 2013. CNP fraud (occurring mainly online) increased by 5% to $198.9 million. This is against a reported increase of more than 14%[1] in internet shopping over the same period.

Furthermore, the APCA figures indicate that fraud involving lost and stolen Australian-issued cards increased by 33% in 2013 to $30.4 million over the 12-month period. Within Australia, lost and stolen fraud increased by 32% to $20.8 million and overseas, by 33% to $9.6 million.

Clearly, there is a dire need for a smarter, easier and more reliable means of securing electronic payment transactions. To that end, there is no shortage of companies proffering all manner of solutions. However, it seems that many, if not most, efforts to combat or prevent fraud and theft continue to be hampered by a range of factors, not the least of which is the growing sophistication of criminals and the increasing complacency of end-users. Phishing, key loggers, social engineering, man-in-the-middle attacks, trojans and even the simple theft of credit cards and access credentials have meant that security can only ever be as strong as its weakest users.

The Current State Of Play

Currently, the methods and mechanisms employed to protect property of an intellectual and/or financial, personal or sensitive nature have relied upon a number of common methods such as tokens, dongles, encryption, passwords and PIN numbers.

Current identification and verification methods such as tokens, dongles, passwords, PINs, encryption and so on all suffer from a number of inherent weaknesses, not the least of which is the user. Passwords are often written down or easy to predict. Tokens and dongles can be lost or stolen, and encrypted information can be intercepted and/or hacked, while PIN numbers can be coerced from victims or captured by key-loggers or ghosts.

To effectively combat fraud and theft in payment verification and authorisation, one requires a secure system which is not only 100 per cent effective, 100 per cent of the time, but also simple to use, extremely cost effective, accessible to all users, and invulnerable to social engineering, theft, hacking, brute force and other traditional forms of attack. To many information security experts, such a list of requirements might read as fantasy. However, there now appears to be a viable solution which not only meets all these requirements, but whose origins, interestingly, can be traced back over 4,000 years.

While cryptography, the art of protecting information by transforming it into an unreadable format, called cipher text, has been in use for thousands of years, its potential for use in applications involving electronic transactions has been largely overlooked until recently.

Forticom’s ground-breaking cryptographic security method allows any individual, in any location, using any device, to prove their identity in plain sight – without fear of identity theft.

Where existing authentication processes require a user to provide a credential such as a username, card or device and then an authentication such as a PIN or password, with Forticom, the user experience remains largely unchanged.  The difference is that instead of entering a static PIN or password, the user enters an interpretation of what is displayed on screen, using their personal Keyword and Method.

Example 1: A low risk, low value website, such as a news site where users can post comments.

In this example, the organisation sets their implementation so that a user can pick any methods with no limitations, putting the control of how secure the account is in the hands of the user. The organisation has set the KeyStream to A to Z (26 characters) and the ValueStream to 0 to 9.

User 1: This user sets his Keyword to FRED with no Methods. 

Step 1: The user enters his username.

Step 2: The Forticom challenge is randomly generated and presented to the user:

Step 3: The user is prompted to enter his Forticode.

Step 4: As the user’s Keyword is FRED, he identifies the numbers corresponding to the letters and enters 9275.

Step 5: Based on the code entered, the system validates the user and allows access.

In a mobile banking situation, where a user might require slightly higher security, the user could employ an Offset method. Offset simply means that the user adds or subtracts the value of the Offset to each number in the code. Therefore, if R=2 in the Forticode Challenge, then the appropriate number would be 2 (R) + 1 (Offset) = 3.

An example for a user who has set her Keyword to ZEBRAS with an Offset of +1 would work as follows:

Step 1: The user enters her username.

Step 2: The Forticom challenge is randomly generated and presented to the user:

Step 3: The user is prompted to enter her Forticode.

Step 4: As the user’s Keyword is ZEBRAS, she identifies the numbers corresponding to the letters and then applies her Method to each number, and enters 589337. [Z (4) + 1 = 5, and so on for the remainder of the code].

Step 5: Based on the code entered, the system validates the user and allows access.

Every time the user comes to use the ATM, a completely different challenge is generated, making it extremely difficult for outside observers to identify a pattern and obtain systemic access to a person’s account.

Since the user’s real credentials are never actually entered, it doesn’t matter if someone is watching, or if they record the transaction. With the permutations and options available, up to thousands of combinations would need to be considered before there would be any chance of the data being reverse engineered and an identity stolen.

Furthermore, every time a user tries to log in, a brand new, 100% randomised challenge is generated and presented to them. The user then uses their Keyword and Method to interpret the challenge and enter an authentication code, called a Forticode. That means that every time they log in, they provide a response that is valid once, and only at that point in time.

A Panic Code option is also available. That way, if a user enters their Panic Code whilst at an ATM, Forticom would notify the system while taking actions such as capturing high resolution pictures of the people at and near the device or notifying the authorities of a crime in progress whilst allowing access to the user’s account to ensure the user’s safety. Additional options in this scenario could include displaying a reduced level of funds in the available balance.

Resilience to brute force attacks and phishing

Within a traditional security system that has a 4 digit PIN, a perpetrator could run a brute force process starting at 0000 and going to 9999 and within 10,000 attempts they would have the PIN and have access to the account. To make matters worse, once a perpetrator has this PIN or password, they can continue to access an account over and over until the user notices and reports it – it takes detection after the fact to stop continued access.

With Forticom, using the same 4 digit limitation, the odds of success are reduced to 1 in 10,000 for each access attempt, and even if a thief were to fluke access, it would only be useful once – they could not do it again.

In order to gain systemic access to a Forticom protected system, a perpetrator would need to identify the Keyword and the Methods, which is highly challenging as they are never directly used.

Standard scamming and phishing methods such as emails that request account numbers and access codes are also ineffective as users never provide their actual Keyword or Methods, just the Forticode interpretation.
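The two worked examples above (FRED with no Method, ZEBRAS with an Offset of +1) and the one-time-validity claim in this section, modelled in code. This is an added illustration written for this page, not Forticom's implementation; the challenge digits, the user names, the modulo-10 wrap of the Offset (the page does not say what 9 + 1 becomes) and the server retiring a challenge once it has been answered are all assumptions, chosen so that the constructed challenge reproduces the page's own figures (9275 and 589337).

```python
"""Added example, not Forticom's code: a minimal model of the challenge /
Forticode scheme described on this page.

Assumptions not stated on the page:
  - the Offset wraps modulo 10, so 9 + 1 = 0;
  - the server draws one random ValueStream digit per KeyStream letter;
  - the server retires a challenge as soon as it has been answered.
"""
import secrets
import string

KEY_STREAM = string.ascii_uppercase  # A to Z, as set by the site in Example 1
VALUE_STREAM = "0123456789"          # 0 to 9, as set by the site in Example 1


def generate_challenge(key_stream=KEY_STREAM, value_stream=VALUE_STREAM):
    """Step 2: map every KeyStream letter to a random ValueStream digit.
    secrets (not random) is used because the challenge is the only thing
    an observer ever sees, so it must not be predictable."""
    return {ch: secrets.choice(value_stream) for ch in key_stream}


def compute_forticode(challenge, keyword, offset=0):
    """Step 4 as the user performs it: read the digit shown for each
    Keyword letter, then apply the Offset method (offset=0 means no Method)."""
    digits = []
    for ch in keyword.upper():
        if ch not in challenge:
            raise ValueError(f"{ch!r} is not in the KeyStream")
        digits.append(str((int(challenge[ch]) + offset) % 10))  # wrap: assumption
    return "".join(digits)


class ForticodeVerifier:
    """Server side: holds each user's Keyword and Method, issues a challenge
    per login attempt and accepts the matching Forticode exactly once."""

    def __init__(self):
        self._users = {}    # username -> (keyword, offset)
        self._pending = {}  # username -> challenge awaiting an answer

    def enrol(self, username, keyword, offset=0):
        self._users[username] = (keyword.upper(), offset)

    def issue_challenge(self, username, challenge=None):
        """Generate a fresh challenge (or, for this demo, inject a constructed
        one) and remember it for this attempt only."""
        if challenge is None:
            challenge = generate_challenge()
        self._pending[username] = challenge
        return challenge

    def verify(self, username, forticode):
        """Step 5: recompute the expected Forticode from the stored secrets and
        the pending challenge, compare in constant time, and retire the
        challenge so the same code cannot be accepted twice."""
        challenge = self._pending.pop(username, None)
        if challenge is None or username not in self._users:
            return False
        keyword, offset = self._users[username]
        expected = compute_forticode(challenge, keyword, offset)
        return secrets.compare_digest(expected, forticode)


# Constructed challenges (not from the page). DEMO_CHALLENGE reproduces the
# page's figures: F=9 R=2 E=7 D=5 gives 9275, and Z=4 E=7 B=8 R=2 A=2 S=6 with
# Offset +1 gives 589337. SECOND_CHALLENGE is a different draw for the next login.
DEMO_CHALLENGE = dict(zip(KEY_STREAM, "28057913860491735268019374"))
SECOND_CHALLENGE = dict(zip(KEY_STREAM, "47391086253719406831975082"))


def walkthrough():
    """Both page examples, then the replay and phishing cases; returns the
    outcome of each check (all should be True)."""
    server = ForticodeVerifier()
    server.enrol("user1", "FRED")               # Example 1: Keyword only
    server.enrol("user2", "ZEBRAS", offset=1)   # mobile banking: Offset +1

    server.issue_challenge("user1", DEMO_CHALLENGE)
    results = {"fred_accepted": server.verify("user1", "9275")}

    server.issue_challenge("user2", DEMO_CHALLENGE)
    results["zebras_accepted"] = server.verify("user2", "589337")

    # The challenge was retired on success, so the same code is now refused.
    results["fred_repeat_refused"] = not server.verify("user1", "9275")

    # Next login gets a different challenge, so a recorded 9275 is useless
    # (under SECOND_CHALLENGE the Keyword FRED reads 0819 instead).
    server.issue_challenge("user1", SECOND_CHALLENGE)
    results["fred_replay_refused"] = not server.verify("user1", "9275")

    # A phished user who types the Keyword itself is not granted access either;
    # only the interpretation of the current challenge is valid.
    server.issue_challenge("user1", SECOND_CHALLENGE)
    results["keyword_itself_refused"] = not server.verify("user1", "FRED")
    return results


if __name__ == "__main__":
    for check, passed in walkthrough().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The verifier never stores or transmits a Forticode; it recomputes the expected value from the user's enrolled Keyword and Method against the one outstanding challenge, which is why a recorded code (or the Keyword typed in by a phished user) is rejected at the next attempt.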

Securing the pipeline

In addition to securing users’ details at the point of entry, the random nature of the solution continues to protect credentials after entry. The entire authentication data stream between entry point and the server where it is validated could also be recorded and analysed by fraudsters – without compromising a user’s credentials. Even if the code entered by the user was identified by the fraudster, it would mean nothing, as the user has not entered their actual Keyword – only their Forticode, which is an interpretation of the Forticom challenge.

The rapid rate of technological advancement, especially in the areas of mobile technology and raw computing power, make securing electronic transaction and access more and more challenging.

Forticom offers a genuinely secure, easy-to-use and highly adaptable system that can meet the most challenging security demands both now and into the future. Forticom can grow with your organization, whatever your needs might be.

For more information, call 1300 540 322 or visit www.forticomgroup.com



[1] NAB Online Retail Sales Index