
CallingID Strong Authentication Platform offers a whole suite of customizable
components to provide the best possible solution that meets all needs.
Mutual Identification, Authentication and Verification
The strong authentication platform enables the following functions:
Identification
- Identification of user to the site
The site identifies the user based on one or more identification fields that
the user fills in a form
- Identification of the site to the user
After installing a small piece of software on his desktop, the user can identify the
site, its owner and the location of the owner as the one he intends to do
business with
Authentication
- Authentication of the user to the site
The user submits a conventional password which is well protected from
Key-Loggers and Trojans. In addition, the user should select his own picture
from a set of pictures displayed to him. Besides these inputs, the machine ID and
geographic location are submitted to the strong authentication server to
complete the verification
- Authentication of the site to the user
During the authentication process the user must select his own picture from a
set of pictures displayed to him. If he cannot find his picture he knows that
it is not the real site. This is a shared secret with a process that guarantees
the authentication without complex training
Verification
- Verification for the site that the user is who he claims to be
A comprehensive risk assessment system considers the user's access history into
the site, the number of login retries, the geographic location and the machine
characteristics. Based on all these parameters the system can approve the
authentication or automatically add more identification factors to confirm that
the user is really who he claims to be.
- Verification for the user that the site is the one he intended to visit
Using 54 verification tests CallingID verifies for the user that there are no
risks dealing with the site. If any problem is detected the user receives a
signal and if he tries to submit personal or confidential data to the site he
receives an immediate alert before any data is sent.
By combining these two authentication factors, CallingID provides the safest and most user-friendly way to comply with the FFIEC 2005 Guidelines:
When users try to login they are shown a set of pictures, one of which is the
picture they selected during sign-up. The user may only proceed to the password
field once they have selected the correct image. If users cannot find
their image, they'll know something is wrong.
This approach is different from other solutions and provides the best possible
mutual authentication without the need to educate the user about the necessity
of authenticating sites. This approach also serves as a second factor; since
the correct image is required at login, abuse of the user's password won't
suffice to commit identity theft.
Spyware Protection
Even if a user's machine is infected by hostile software like Spyware,
Trojans or Key-Loggers, the login parameters cannot be identified by that
software. When users log into their online accounts, in cases where such
hostile software exists, the hostile software is led to detect a false password
while the real password is safely delivered to the site using strong
encryption.
Client Risk Assessment Tool
Users are encouraged to use the CallingID toolbar. Once installed, users see
who the owner of every site they visit is, where the owner is located, and an
automatic assessment of the risk level of submitting personal or confidential
information to that site.
Internet Fraud Protection
Using patent-pending technology, CallingID protects users from Internet fraud.
- Phishing: When users log into their web accounts they know that it is really the site they intended to reach - it is not a phishing site.
- Man-in-the-Middle: Attacks are automatically detected.
- Spyware: Even if a user's machine is infected by hostile software like
Spyware, Trojans or Key-Loggers, the login parameters cannot be identified by
that software. When users log into their online accounts, in cases where such
hostile software exists, the hostile software is led to detect a false password
while the real password is safely delivered to the site using strong
encryption.
Real-Time Risk Assessment
CallingID Strong Authentication Risk Assessment module monitors all login
requests including machine characteristics and geographic location of each
request. It has built-in rules for detecting suspicious login activities. Based
on these rules, a machine or IP can be tagged as trusted, suspicious or
hostile. During login from a suspicious source, at least one additional
authentication factor is mandatory, while every login from a hostile source
fails. Both suspicious and hostile status can be time-released. Assigned
operators can release hostile and suspicious locations at any time.
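The tagging policy described above, as an added Python example that is not CallingID's code: sources (machine ID or IP) are tagged by failed-login count, a suspicious source needs an extra factor, a hostile source always fails, and tags are released by time or by an operator. The thresholds, release times and all names are assumptions, since the page does not publish its rules.

```python
from dataclasses import dataclass, field

# Assumed values; the page does not state its thresholds or release times.
SUSPICIOUS_AFTER, HOSTILE_AFTER = 3, 6                    # failed logins per source
RELEASE_AFTER = {"suspicious": 3600, "hostile": 86400}    # seconds until time release

@dataclass
class SourceRegistry:
    failures: dict = field(default_factory=dict)   # source -> failed-login count
    tags: dict = field(default_factory=dict)       # source -> (tag, expires_at)

    def status(self, source, now):
        tag, expires = self.tags.get(source, ("trusted", None))
        if expires is not None and now >= expires:  # time release
            self.release(source)
            return "trusted"
        return tag

    def release(self, source):
        """Timer or operator release: clear the tag and the failure count."""
        self.tags.pop(source, None)
        self.failures.pop(source, None)

    def record_failure(self, source, now):
        n = self.failures[source] = self.failures.get(source, 0) + 1
        if n >= HOSTILE_AFTER:
            self.tags[source] = ("hostile", now + RELEASE_AFTER["hostile"])
        elif n >= SUSPICIOUS_AFTER:
            self.tags[source] = ("suspicious", now + RELEASE_AFTER["suspicious"])

    def decide(self, machine_id, ip, password_ok, extra_factor_ok, now):
        """Return 'deny', 'need_extra_factor' or 'allow' for one login request."""
        sources = (("machine", machine_id), ("ip", ip))
        seen = {self.status(s, now) for s in sources}
        if "hostile" in seen:
            return "deny"              # every login from a hostile source fails
        if not password_ok:
            for s in sources:          # a failure counts against machine and IP
                self.record_failure(s, now)
            return "deny"
        if "suspicious" in seen and not extra_factor_ok:
            return "need_extra_factor"
        return "allow"
```

Tracking the machine and the IP as separate sources means a new machine behind an already-tagged IP inherits that IP's restrictions.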
Additional Authentication Factors
CallingID does not require additional factor authentication for normal use. The
solution is based on multiple security layers that protect users against
Internet fraud and block hostile users automatically. However, based on the
application used, the physical and environmental conditions and potential risk
calculated based on failed login attempts, the authentication system might
require additional authentication factors. These factors include one or more
of:
- SMS OTP
A one time password is sent to the user's mobile phone and must be entered in the web page.
- Email OTP
A one time password is sent to the user's email address and must be entered in the web page.
- Machine Characteristics
When the user submits his login parameters the server automatically identifies whether his machine was used to log in in the past.
- Security Card/Paper
The user periodically receives a security card which shows 26 columns (marked A-Z) by 10 rows (marked 0-9). Each entry in this matrix has a code. The user is
asked to provide the matrix code from a specific cell.
- Personal Questions
A built-in mechanism suggests personal questions to the user during
registration and saves both questions and answers. Users may add their own question
and corresponding answer. During login, the user is asked the selected question
and must provide the correct answer.
The Most Popular Solution
Our most popular solution is our client-based solution. After adding a small
add-on to their Windows machines the users keep their usual authentication
process without any change and are well protected from all types of Internet
fraud. The solution includes the following engines:
Automatic anti-phishing
- When a user tries to use a secure site's login parameters to access a different site he is automatically alerted before submission.
- Phishing and pharming attempts automatically fail
Automatic spyware and man-in-the-middle protection
- Pages that require passwords activate a keyboard plug-in that changes the
keystrokes submitted to the application to fool spyware (such as key-loggers
and frame-loggers) and encrypts the real sequence of keystrokes with a key
received in the page.
- The browser add-on adds additional encrypted data for automatic protection against man-in-the-middle and for identification of the user's machine.
- When the user submits the results, the server decrypts the real password, detects man-in-the-middle and identifies the machine.
The results: The Best Safe Login Solution Available
Easy to use; Easy to support; Non-obtrusive (the user's login process remains
the same); Automatic protection against phishing, pharming, spyware and
man-in-the-middle attacks; Two factor strong authentication using the hardware
of the user's machine as a second factor
Client-less solution
CallingID's client-less solution can be used by any user. It does not require any hardware, software or appliance yet adds the following components:
Site to user active authentication
- During registration the user uploads (or chooses) a picture
- During login, after the user has submitted a username, a set of
images is displayed. The user must select the picture he/she uploaded during
registration to proceed. Once the correct image has been selected, the password
is requested
- There is no need to educate the user about the necessity of
authenticating the site. If the user comes across a login page that does not
request image selection before requesting a password, or if the user cannot
find the correct image in the set, the user instinctively understands that
something is wrong with the login
Anti-Spyware
- Unique technology uses JavaScript to encrypt the password. Spyware such as keyloggers and frameloggers cannot detect the password
- "One Time Code" - Pages are generated automatically for every request, with alternating code to confuse spyware
- Anti-keylogging - Users can submit their password using an on-screen keyboard
Adaptive Risk Assessment
- When a suspicious login is detected the user is required to use additional authentication factors.
- Risk Assessment Sources Include:
  - Machine characteristics (platform, OS and browser version, regional settings)
  - Geographic location
  - History of successful and failed login events by the user and by the machine
  - Known suspected sources (like Internet cafes)
  - Known fraud profile
- Additional Authentication Factors (applied when needed):
  - Challenge questions (Maiden Name, Hometown, Pet's Name)
  - One time password sent to an email or mobile phone
  - Security card/device