CallingID Announces the Best Solution Against
"Man-in-the-Middle" - Protecting Two-Factor Authentication Users from Phishing
NEW HAVEN, CT, November 4th, 2005 - CallingID (www.callingid.com)
has enhanced its Safety Seal web site security solution to protect users from
phishing scams even when the phishing site uses a proxy server. Known as 'man
in the middle', this type of phishing attack can circumvent the "two-factor
authentication" guidelines just issued to banks by the Federal Financial
Institutions Examination Council (FFIEC) and the Federal Deposit Insurance
Corporation (FDIC).
Users of tokens for account login assume that they are well protected against
phishing. However, since most two-factor authentication solutions use one-time
passwords (OTPs), they are vulnerable. Phishing sites mount man-in-the-middle
attacks by employing proxy servers during the authentication process and thus
succeed in tempting users to log into their web accounts through them. When the
login process is completed, the proxy server operator disconnects the user and
continues the session using the victim's identity.
In the last month, two man-in-the-middle phishing sites were detected in Europe
and caused banks to close their web site access until the phishing sites were
taken down.
Unlike Safety Seal, other solutions addressing man-in-the-middle attacks are
complex, since they require changes to the authentication server and are not
consumer friendly. Often, the consumer has to reenter a password or
authentication information before each transaction. CallingID Safety Seal only
requires a single login to protect the consumer.
CallingID Safety Seal is the only solution available today that automatically
detects this type of phishing. Web site owners should register with CallingID
as "Safety Seal Verified" and ask their users to install CallingID for the
Internet. Once a user installs CallingID for the Internet on his PC, whenever
he unintentionally tries to log into a phishing site using the password he
receives from the token, CallingID for the Internet automatically detects that
it is not the web site that the token belongs to and alerts the user about the
problem, suggesting termination. No changes need to be made to the web site.
According to the FDIC recommendation, when institutions provide web access for
execution of financial transactions over the Internet, they are liable for
customers' losses unless they implement reasonable measures to protect their
customers. Registration with CallingID as Safety Seal Verified is a simple step
that financial institutions should take to comply with these recommendations.
In addition to protecting against phishing, pharming, spyware, trojans and
other attacks, CallingID for the Internet provides an immediate benefit for
users visiting any site - it automatically displays who owns the site and
verifies the site owner and business information so the user knows if he is
dealing with a real company or with a risky entity.
Fifty-two verification checks are run behind the scenes to confirm that a
website is actually the site one thinks it is and that it is safe to send
personal information to it. For example, if the user tries to type confidential
information like credit card numbers in a web page which is not well protected
by a valid certificate, CallingID automatically warns the user that the site
did not use reasonable security measures to protect its customers and is
therefore risky.
Users can download CallingID for the Internet for free from
www.callingid.com/download.aspx. Installation is quick and simple.
"With the certain increase in e-commerce and holiday shopping on the Internet
this year, web site owners need to provide maximum protection for their
customers," said Yoram Nissenboim, CallingID CEO. "The marketplace has begun to
recognize that CallingID is the most reliable product now available to protect
against the vast array of Internet scams, including phishing, pharming, spyware
and trojans."
About CallingID
CallingID provides solutions that encourage usage of the Internet for business,
helping customers avoid Internet fraud (phishing, pharming, spyware and
trojans) focusing on online banking, e-commerce and corporate sites as well as
individual Internet users. CallingID's offices are located in New Haven,
Connecticut and the R&D team is based in Haifa, Israel.