CallingID Strong Authentication Platform offers a whole suite of customizable
components to provide the best possible solution that meets all needs.
The
Most Popular Solution
Client-less
Solution
CallingID Strong Authentication Platform offers a whole suite of customizable
components to provide the best possible solution to meet all needs. Click on a
component below to read more:
Mutual Identification, Authentication and
Verification
The strong authentication platform enables the following functions:
| Identification |
| A. |
Identification of user to the site
The site identifies the user based on one or more identification fields that
the user fills in a form |
| B. |
Identification of the site to the user
After installing a small software on his desktop the user can identify the
site, its owner and the location of the owner as the one he intends to do
business with
|
| Authentication |
| A. |
Authentication of the user to the site
The user submits a conventional password which is well protected from
Key-Loggers and Trojans. In addition, the user should select his own picture
from a set of pictures displayed to him. Beside these inputs, machine id and
geographic location are submitted to the strong authentication server to
complete the verification |
| B. |
Authentication of the site to the user
During the authentication process the user must select his own picture from a
set of pictures displayed to him. If he cannot find his picture he knows that
it is not the real site. This is a shared secret with a process that guarantees
the authentication without complex training
|
| Verification |
| A. |
Verification for the site that the user is whom he claims to be
A comprehensive risk assessment system considers the user's access history into
the site, the number of login retries, the geographic location and the machine
characteristics. Based on all these parameters the system can approve the
authentication or automatically add more identification factors to confirm that
the user is really whom he claims to be. For more information about additional
factors Click Here |
| B. |
Verification for the user that the site is the one he intended to
visit
Using 54 verification tests CallingID verifies for the user that there are no
risks dealing with the site. If any problem is detected the user receives a
signal and if he tries to submit personal or confidential data to the site he
receives an immediate alert before any data is sent. |
By combining these to authentication factors, CallingID provides the safest and
most user friendly way to comply with the
FFIEC
2005 Guidelines:
When users try to login they are shown a set of pictures, one of which is the
picture they selected during sign-up. The user may only proceed to the password
field once they have selected the correct image. If the users can not find
their image, they'll know something is wrong.
This approach is different from other solutions and provides the best possible
mutual authentication without the need to educate the user about the necessity
of authenticating sites. This approach also serves as a second factor; since
the correct image is required at login, abuse of the user's password won't
suffice to commit identity theft.
Spyware Protection
Even if the users' machine is infected by hostile software like Spyware,
Trojans or Key-Loggers, the login parameters cannot be identified by that
software. When a users log into their online accounts, in cases where such
hostile software exists, the hostile software is led to detect a false password
while the real password is safely delivered to the site using strong
encryption.
Client Risk Assessment Tool
Users are encouraged to use the CallingID toolbar. Once installed, users see
who is the owner of every site they visit; where the owner is located and an
automatic assessment of the risk level of submitting personal or confidential
information to that site.
Internet Fraud Protection
Using patent pending technology CallingID protects users from Internet fraud.
|
Phishing: When users log into their web accounts they know that it is
really the site they intended to reach - it is not a phishing site. |
|
Man-in-the-Middle: Attacks are automatically detected.
|
|
Spyware: Even if the users' machine is infected by hostile software like
Spyware, Trojans or Key-Loggers, the login parameters cannot be identified by
that software. When a users log into their online accounts, in cases where such
hostile software exists, the hostile software is led to detect a false password
while the real password is safely delivered to the site using strong
encryption.
|
Real-Time Risk Assessment
CallingID Strong Authentication Risk Assessment module monitors all login
requests including machine characteristics and geographic location of each
request. It has built-in rules for detecting suspicious login activities. Based
on these rules, a machine or IP can be tagged either as trusted, suspicious or
hostile. During login from a suspicious source, at least one additional
authentication factor is mandatory, while every login from a hostile source
fails. Both suspicious and hostile status can be time released. Assigned
operators can release hostile and suspicious locations at any time.
Additional Authentication Factors
CallingID does not require additional factor authentication for normal use. The
solution is based on multiple security layers that protect users against
Internet fraud and blocks hostile users automatically. However, based on the
application used, the physical and environmental conditions and potential risk
calculated based on failed login attempts, the authentication system might
require additional authentication factors. These factors include one or more
of:
|
SMS OTP |
A one time password is sent to the user’s mobile phone and must be entered in
the web page.
|
|
Email OTP |
A one time password is sent to the user’s email address and must be entered in
the web page.
|
|
Machine Characteristics |
When the user submits his login parameters the server automatically identifies
whether his machine was used to login, in the past.
|
|
Security Card/Paper |
The user periodically receives a security card which shows 26 columns (marked
A-Z) by 10 rows (marked 0-9). Each entry in this matrix has a code. The user is
asked to provide the matrix code from a specific cell.
|
|
Personal Questions |
A built in mechanism that during registration suggests personal questions for
the user and saves both questions and answers. Users may add their own question
and correlating answer. During login, the user is asked the selected question
and must provide the correct answer.
|
The Most Popular Solution
Our most popular solution is our client based solution. After adding a small
add-on to their Windows machines the users keep their usual authentication
process without any change and are well protected from all types of Internet
fraud. The solution includes the following engines:
Automatic anti-phishing |
|
When a user tries to use a secure site's login parameters to access a different
site he is automatically alerted before submission. |
|
Phishing and pharming attempts automatically fail |
Automatic spyware and man-in-the-middle protection |
|
Pages that require passwords activate a keyboard plug-in that changes the
keystrokes submitted to the application to fool spyware (such as key-loggers
and frame-logger) and encrypts the real sequence of keystrokes with a key
received in the page. |
|
The browser add-on adds additional encrypted data for automatic protection
against man-in-the-middle and for identification of the user’s machine |
|
When the user submits the results the server decrypts the real password and
detects man-in-the-middle and machine identification |
The results: The Best Safe Login Solution Available
Easy to use; Easy to support; Non-obtrusive (the user's login process remains
the same); Automatic protection against phishing, pharming, spyware and
man-in-the-middle attacks; Two factor strong authentication using the hardware
of the user’s machine as a second factor
Client-less solution
CallingID's client-less solution can be used by any user. It does not require
and hardware, software or appliance yet adds the following components:
Site to user active authentication |
|
During registration the user uploads (or chooses) a picture |
|
During login, after the user has sumbitted a username, a set of
images is displayed. The user must select the picture he/she uploaded during
registration to procced. Once the correct image has been selected, the password
is requested |
|
There is no need to educate the user about the necessity of
authenticating the site. If the user comes accross a login page that does not
request image selection before requesting a password, or if the user can not
find the correct image in the set, the user instinctivly understands that
something is wrong with the login |
Anti-Spyware |
|
Unique technology uses javascript to encrypt the password. Spyware
such as keyloggers and frameloggers cannot detect the password |
|
"One Time Code" - Pages are generated automatically for every
request, with alternating code to confuse spyware |
|
Anti keyloging - Users can submit their password using an on-screen
keyboard |
Adaptive Risk Assessment |
|
When a suspicious login is detected the user is required to use
additional authentication factors. |
|
Risk Assessment Sources Include: |
|
|
Machine characteristics (platform, OS and browser version, regional settings) |
|
|
Geographic location |
|
|
History of successful and failed login events by the user and by the machine |
|
|
Known suspected sources (like Internet cafés) |
|
|
Known fraud profile |
|
Additional Authentication Factors (applied when needed): |
|
|
Challenge questions (Maiden Name, Hometown, Pet's Name) |
|
|
One time password sent to an email or mobile phone |
|
|
Security card/device |