Innovative Multi-factor Authentication Solution Leverages Existing SSL
Infrastructure to Prevent Man in the Middle Phishing

SAN MATEO, Calif., March 22 /PRNewswire/ -- TriCipher, Inc., the
innovators of strong authentication for the real world, today announced that
its TriCipher Armored Credential System (TACS), launched last month at RSA
Conference 2005, prevents man in the middle phishing attacks -- a security
threat that has become top of mind as businesses and consumers become
increasingly reliant on the Internet for conducting essential business
transactions. To protect themselves, enterprises have increasingly turned to
one-time passwords, a form of two factor authentication believed to prevent
successful attacks. However, industry experts have called into question the
effectiveness of this type of authentication in protecting against phishing. A
recent article by a noted researcher outlined weaknesses to token-based
authentication approaches. In addition, recent research from Infidel, Inc.,
demonstrates that all one-time password systems, such as time synchronous
tokens, can be easily compromised by man in the middle phishing
attacks -- which require very little technical sophistication on the part of
the phisher. TriCipher's unique approach to strong authentication leverages
the Internet's existing SSL infrastructure, combined with a unique multi-part
credential to foil proxied man in the middle attacks.

"Recent articles have spawned a lot of talk amongst security experts about
the role two factor authentication plays in protecting against man in the
middle phishing," said Rebecca Bace, President of Infidel, Inc. "It's true
that one time password systems are not an adequate defense, but that is only
one flavor of two factor authentication, and an outdated one at that. The key
to protecting against these attacks is to take advantage of the existing SSL
infrastructure to authenticate the client. SSL was designed to prevent man in
the middle attacks and doesn't require the user to reveal the
credential -- only to prove that she has it. Ideally, you would also like to
make it impossible to steal the entire credential from the user. The TriCipher
solution satisfies all these requirements."

As companies have moved to one-time password tokens to protect bank and
brokerage accounts, phishers have begun to set up man in the middle attacks.
In such attacks, users are lured to a phishing site by an email or DNS caching
hack, where they enter their username, password, and the number from a
one-time password token. The phisher's server automatically uses this
information to immediately log in to the legitimate site, then either keeps
the session open automatically until the phisher is ready to hijack the
session or simply alters the user's transaction to benefit the phisher.

TACS creates a multi-part credential, splitting the user's credential
between the user and a secure appliance kept in the enterprise's data center.
Since the user doesn't have the entire credential, he or she can't give it
away to the phisher, nor can the phisher steal it from their desktop. In
addition, TriCipher's credentials use SSL client authentication, which
prevents a phisher from sitting in the middle of the user's session with the
web server. Further, using SSL means no new software at the web server, making
deployment fast and easy.

"The SSL infrastructure is out there and it's very robust," commented Eric
Greenberg, one of the developers of the SSL protocol and current CTO of
NetFrameworks, Inc. "As an industry we've only been using half of it because
legacy PKI systems were too complex to implement. The TriCipher product vastly
simplifies the deployment and management of strong authentication and takes
advantage of the security of SSL to prevent man in the middle phishing. The
TriCipher solution provides a cost effective, highly secure alternative to
time synchronous or challenge response one time password systems."

"We're delighted at the validation our solution has received in light of
the recent scrutiny about the role two factor authentication plays in
protecting against man in the middle attacks," said Ravi Sandhu, Chief
Scientist, TriCipher and professor of Information Security and Assurance at
George Mason University. "At roughly five dollars per seat, TACS provides an
elegant way to protect against man in the middle attacks that, unlike other
solutions, is extremely affordable and easy to deploy."

About TriCipher, Inc.

TriCipher, Inc. provides strong authentication for the real world. The
first authentication system that issues multiple types of credentials from a
single infrastructure, the TriCipher Armored Credential System(TM) (TACS)
allows for authentication strength to change in response to new threats
without any infrastructure changes. Our patented technology fills the gap
between authentication systems that are either not secure enough or too hard
to use and deploy. TriCipher's innovative approach to strong multi-factor
authentication protects against phishing and eliminates dictionary attacks.
Founded in 2000, TriCipher is headquartered in San Mateo, California. The
Company was incubated as NSD Security before launching as a separate entity in
2005. Investors in TriCipher are ArrowPath Venture Capital, Intel(R) Capital,
Trident Capital and Wasatch Venture Partners. For more information, please
visit http://www.tricipher.com or email info@tricipher.com.

NOTE: TriCipher, Armored Credential, and Armored Credential Appliance are
either registered trademarks or trademarks of TriCipher, Inc. in the United
States and/or other countries. All other products and services mentioned are
trademarks of their respective companies.

SOURCE TriCipher, Inc.
Related links: http://www.tricipher.com
CONTACT: Sally Sheward of TriCipher, Inc., sally@tricipher.com; or Elizabeth Safran of Trainer Communications, +1-408-920-0585, or elizabeth@trainercomm.com, for TriCipher, Inc.