How ArrayShield IDAS Protects Against Hacking Attacks
Whitepaper


               Highlights of ArrayShield IDAS:
               √    Protects organizations from multiple hacking attacks that can
                    compromise traditional authentication methods.
               √    Fraud-proof login process using more intuitive and easy-to-
                    remember patterns.
               √    Provides one secure credential for multiple applications.
               √    Can be seamlessly integrated and deployed in any environment.



Introduction:

Many organizations protect their infrastructure with a simple username and password. Entering this
information grants access to the organization's sensitive data held in servers, databases, applications,
email accounts and elsewhere. But it is widely acknowledged by information security experts that
passwords are notoriously insecure. Many users choose weak passwords that can easily be guessed or
cracked. When password policies are enforced, users end up writing their passwords down on Post-It notes,
mobiles, email or their laptops, which is a serious security vulnerability. Phishing attacks trick users into
revealing their passwords. Malicious viruses and spyware can capture passwords and send them over the
network to attackers.

All of the above make it very difficult for organizations to keep their sensitive data out of the hands of
hackers and competitors. Organizations of all sizes, from Fortune 500 companies to SMEs and government
bodies, have recently witnessed multiple hacking attacks that succeeded by obtaining a user's password. The
cause for concern is only magnified as the estimated cost of a data breach has reached $6.6 million.

Additionally, government regulations such as Sarbanes-Oxley, the PCI Data Security Standard, US data breach
notification laws and others have been put in place to protect access to corporate networks. Failure to meet
requirements that call for the implementation of two-factor authentication could result in regulatory fines
and irreversible damage to a brand's reputation.

Security experts worldwide recommend strong two-factor authentication to protect organizations' assets.
The same is also recommended by compliance standards and certifications such as PCI-DSS, HIPAA, SAS 70,
ISO 27001 and others.
How ArrayShield IDAS protects against Hacking Attacks - Whitepaper




               Clearly passwords are not sufficient for protecting an
               organization's data:
               √   Easy passwords can be cracked
               √   Random passwords can't be remembered
               √   The same passwords are used at multiple places
               √   Passwords that need to be changed continuously are not
                   user-friendly



This white paper describes how ArrayShield IDAS authentication system prevents various kinds of hacking
attacks that compromise traditional authentication mechanisms.



ArrayShield IDAS Technology:

ArrayShield IDAS is a revolutionary challenge/response two-factor authentication paradigm. A dynamically
generated CharacterArray is displayed as a grid on the computer screen, and the user superimposes on it an
ArrayCard of the same grid structure that has opaque and transparent cells.

ArrayShield IDAS builds on the widely acknowledged theory that 'humans are better at identifying,
remembering and recollecting graphical patterns than text patterns'. Instead of remembering a sequence of
characters (a password) as the secret, ArrayShield IDAS users remember a shape or pattern as their
secret.

At the time of authentication, the user overlays the ArrayCard provided to them on the displayed
CharacterArray and enters the characters visible in their chosen pattern. The contents of the
CharacterArray change at every authentication, so the user types a different secret word during each
authentication. This makes the system a dynamic-password user authentication system that combines the
two factors of authentication: the Pattern (something the user knows) and the ArrayCard (something the
user has).

While highly secure, ArrayShield IDAS features an easy-to-use interface and integrates quickly with
existing authentication infrastructures, with support for standards such as RADIUS-based OTP, SAML and
others. This makes deployments fast and easy for an organization to implement and for its customers to use.

The ArrayShield IDAS provides protection against common hacking attacks and several new attacks that are
becoming popular among fraudsters. Other solutions, including one-time-password (OTP) generator tokens,
do not offer the same level of protection against attacks such as the Real-time Replay attacks. The following
section contains a list of known hacking attacks and shows how ArrayShield IDAS defeats those attacks.



Hacking Attacks and How ArrayShield IDAS protects against them

Keyloggers:

Attack vector: Keyloggers are applications or hardware devices that monitor a user's keystrokes and send
this information back to the malicious user over the internet. Hardware keyloggers are small inline
devices placed between the keyboard and the computer. The other kind are software keyloggers, also
referred to as spyware. Spyware usually gets into the computer through banner ad-based software, where
the user is enticed to install the software for free.

Protection offered by ArrayShield IDAS: ArrayShield IDAS, being a dynamic password system, is not
vulnerable to keyloggers. Even if the hacker obtains a user's One-Time SecretCode, that One-Time
SecretCode cannot be reused to log in to the system (because of the dynamic nature of the
CharacterArray), and the hacker cannot recover the user's Pattern from the One-Time SecretCode. Hence
ArrayShield IDAS gives complete protection against both software and hardware keyloggers.

Real-time Replay Attack:

Attack vector: Malware sits inside a user's browser and waits for the user to log in to a bank. During
login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the
browser from sending the login request to the bank's website, telling the user that the service is
"temporarily unavailable." The fraudster immediately uses the user ID, password and OTP to log in and
drain the user's accounts.

Protection offered by ArrayShield IDAS: Since ArrayShield IDAS is a challenge/response system, the
CharacterArray shown for each transaction is unique and the One-Time SecretCode derived by the user is
valid only for that transaction. Even if a hacker carries out a real-time replay attack, obtains the
One-Time SecretCode and replays it from his own machine, it will not match the correct One-Time
SecretCode for the different CharacterArray issued for that transaction.
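The following Python model is an added illustration, not ArrayShield's code: it simulates the challenge/response flow from the Technology section (a fresh CharacterArray per login, the ArrayCard overlay, the pattern read through the transparent cells) and shows why a One-Time SecretCode captured by a keylogger or a real-time replay attacker is rejected against the next CharacterArray. The 5x5 grid, the alphabet, the demo card layout and the demo pattern are assumptions.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field

# Assumed parameters (the whitepaper does not give them): a 5x5 CharacterArray
# drawn from upper-case letters and digits.
ROWS, COLS = 5, 5
ALPHABET = string.ascii_uppercase + string.digits

Cell = tuple[int, int]            # (row, column) position in the array


def new_character_array() -> list[list[str]]:
    """A fresh random CharacterArray: the challenge displayed for one login."""
    return [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def overlay(array: list[list[str]], card: frozenset[Cell]) -> list[list[str | None]]:
    """Superimpose the ArrayCard: only its transparent cells remain readable."""
    return [[array[r][c] if (r, c) in card else None for c in range(COLS)]
            for r in range(ROWS)]


def read_secret_code(visible: list[list[str | None]], pattern: tuple[Cell, ...]) -> str:
    """The One-Time SecretCode: characters under the pattern cells, in order."""
    chars = [visible[r][c] for r, c in pattern]
    if any(ch is None for ch in chars):
        raise ValueError("pattern must lie within the card's transparent cells")
    return "".join(chars)


@dataclass
class IdasVerifier:
    """Server side: holds each user's card layout (what they have) and pattern
    (what they know), issues one single-use CharacterArray per login attempt
    and checks the submitted One-Time SecretCode against it."""
    users: dict[str, tuple[frozenset[Cell], tuple[Cell, ...]]]
    pending: dict[str, list[list[str]]] = field(default_factory=dict)

    def challenge(self, user: str) -> list[list[str]]:
        array = new_character_array()
        self.pending[user] = array            # supersedes any earlier challenge
        return array

    def verify(self, user: str, code: str) -> bool:
        array = self.pending.pop(user, None)  # consumed on any attempt
        if array is None:
            return False                      # no outstanding challenge
        card, pattern = self.users[user]
        expected = read_secret_code(overlay(array, card), pattern)
        return secrets.compare_digest(expected, code)


# Constructed enrolment for one demo user: a card with eight transparent cells
# and a five-cell pattern chosen among them (an "L" shape, read top to bottom).
DEMO_CARD = frozenset({(0, 0), (1, 0), (2, 0), (3, 0), (3, 1),
                       (1, 3), (2, 4), (4, 2)})
DEMO_PATTERN: tuple[Cell, ...] = ((0, 0), (1, 0), (2, 0), (3, 0), (3, 1))


def genuine_login(server: IdasVerifier, user: str,
                  card: frozenset[Cell], pattern: tuple[Cell, ...]) -> tuple[bool, str]:
    """The user overlays the card on the challenge and types what the pattern shows."""
    array = server.challenge(user)
    code = read_secret_code(overlay(array, card), pattern)
    return server.verify(user, code), code


def demo() -> dict[str, bool]:
    server = IdasVerifier(users={"alice": (DEMO_CARD, DEMO_PATTERN)})
    ok, captured = genuine_login(server, "alice", DEMO_CARD, DEMO_PATTERN)

    # A keylogger or real-time replay attacker who captured `captured` is shown
    # a different CharacterArray, so the same code no longer matches.
    server.challenge("alice")
    replay_ok = server.verify("alice", captured)

    # Replaying once more with no outstanding challenge is rejected outright.
    stale_ok = server.verify("alice", captured)

    return {"genuine": ok, "replay": replay_ok, "stale": stale_ok}


if __name__ == "__main__":
    print(demo())
```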








Man in the Browser Attack:

Attack vector: Malware overwrites transactions sent by a user to the online banking website with the
criminal's own transactions. This overwrite happens behind the scenes so that the user does not see the
revised transaction values. This way, neither the user nor the bank realizes that the data sent to the
bank has been altered.

Protection offered by ArrayShield IDAS: The hardened ArrayShield IDAS client has a Transaction
Verification module through which the transaction details, as received by the host (bank), are sent to
the user (customer) over an SSL channel and verified. Only after the user confirms the transaction details
in the client application does the transaction get processed, thereby preventing the MITB attack.

Phishing:

Attack vector: The attacker targets users and fools them into entering their credentials into a fake
website. This usually occurs when a criminal sends an email impersonating a customer service organization
and asks recipients to click on a URL to perform account maintenance or verification. The link takes them
to a fraudulent site, which prompts them for their valid credentials.

Protection offered by ArrayShield IDAS: In the ArrayShield IDAS system, the One-Time SecretCode derived
and entered by the user on the phishing site is not valid for the next transaction. Additionally, as the
ArrayCard structure and its details are not available to the phishing site, the hacker cannot deduce the
user's identity information (pattern and card details) by phishing the user.

Pharming:

Attack vector: The attacker poisons the DNS server and redirects users to a fraudulent website. Users do
not suspect anything because the redirect happens even when the user selects the website from a saved
favorite or actually types in the correct URL.

Protection offered by ArrayShield IDAS: In the ArrayShield IDAS system, the One-Time SecretCode derived
and entered by the user on the pharming site is not valid for the next transaction. Additionally, as the
ArrayCard structure and its details are not available to the pharming site, the hacker cannot deduce the
user's identity information (pattern and card details) by pharming the user.








Shoulder Surfing:

Attack vector: Shoulder surfing is looking over someone's shoulder to get information about their
identity. It is an effective way to get information in crowded places because it is easy to stand next to
someone and watch as they fill out a form. Shoulder surfing becomes a serious problem both when the user
enters a password directly and when the user enters it through a virtual keyboard; in the virtual keyboard
case it is relatively easy for the hacker to see the mouse clicks on the screen.

Protection offered by ArrayShield IDAS: If a hacker tries shoulder surfing on a user of the ArrayShield
IDAS system, he has to see both the key sequence and the CharacterArray and map one onto the other before
the user submits the page in order to derive the user's pattern.

Consider the case where the hacker observes that the user typed the character R: to identify the position
of R in the CharacterArray, he has to linearly search every cell of the CharacterArray. By the time the
hacker identifies the position of R, the user will have typed all the other characters of his One-Time
SecretCode. Hence shoulder surfing is not effective against the IDAS system.

Guessing:

Attack vector: Guessing is the simplest attack a hacker can mount on a user authentication system. One of
the main problems with the username/password system is the selection of the password itself. Studies show
that users tend to pick passwords that are short and easy to remember. It is often very easy to break a
user's password if personal information about him or her is known, and more often than not it is widely
known.

Protection offered by ArrayShield IDAS: In the ArrayShield IDAS pattern-based system, users choose their
patterns irrespective of their personal information. The hacker can still attempt guessing by trying the
most frequently used patterns, such as corner elements, diagonal elements and knight moves, which are easy
to adopt as patterns. Even if the hacker tries these easy patterns, he cannot get through the
authentication procedure because of ArrayShield's two-factor nature: he also has to guess the user's
ArrayCard structure. As the card structure is unique and randomly generated, it cannot be guessed. Hence
ArrayShield is foolproof against guessing attacks.








Social Engineering:

Attack vector: Social engineering is the act of manipulating people into revealing their private details,
rather than breaking in or using technical cracking techniques. Examples include accessing the user's
social media accounts or calling them over the phone to learn more about the user's personal details and
possibly authentication credentials.

Protection offered by ArrayShield IDAS: In the ArrayShield IDAS pattern-based system, users choose their
patterns irrespective of their personal information. Also, making users reveal their patterns over the
phone is not possible, though revealing passwords over the phone is prevalent among uninformed users.

Additionally, the attacker has to extract multiple identity details (the pattern and the card structure)
from the end user, which is not possible with conventional social engineering attacks.

Brute-Force Attack:

Attack vector: In a brute-force attack, an intruder or hacker tries all possible combinations to crack the
user's secret. The hacker performs an exhaustive search of the complete space to find the user's secret.

Protection offered by ArrayShield IDAS: The first variant of brute-force attack is the string-based
brute-force attack, in which the attacker ignores the CharacterArray and tries random strings as the
One-Time SecretCode. Because of the dynamic nature of the CharacterArray, the brute-force search will never
converge, in contrast to the finite convergence time for other authentication mechanisms. Additionally,
the IDAS system has built-in controls to restrict user access after a finite number of failed attempts.

Dictionary Attack:

Attack vector: A dictionary attack is an improved version of the brute-force attack. Instead of searching
all possible combinations, the hacker searches only the possibilities most likely to be selected by the
user.

Protection offered by ArrayShield IDAS: To attempt dictionary attacks on the IDAS system, the hacker has
to construct dictionaries of patterns and ArrayCard structure details. Since the ArrayCard structure and
values are pseudo-random, such dictionaries cannot be constructed, making this attack ineffective against
the ArrayShield IDAS system.








Comparison between ArrayShield IDAS and other authentication technologies in terms of
capability to defend against various hacking attacks

Technology                    Key       Realtime   MITB   Phishing/   Shoulder   Guessing   Social        Dictionary/
                              logger    Replay            Pharming    Surfing               Engineering   BruteForce
                                        attack                                                            Attack
ArrayShield IDAS              Yes       Yes        Yes    Yes         Yes        Yes        Yes           Yes
Question & Answer based       No        No         No     No          No         No         No            No
Virtual Keyboard              Yes       No         No     No          No         No         No            No
Password                      No        No         No     No          No         No         No            No
Use of two passwords          No        No         No     No          No         No         No            No
Hardware Token                Yes       No         No     Yes         Yes        Yes        Yes           Yes
Software Token                Yes       No         No     Yes         Yes        Yes        Yes           Yes
Out of Band (SMS based OTP)   Yes       No         No     Yes         Yes        Yes        No            Yes

Yes – provides protection; No – doesn't provide complete protection








ABOUT ARRAYSHIELD

Array Shield Technologies is the maker of software security products in the area of multi-factor
authentication. The company's mission is to provide highly secure, cost-effective and easy-to-use software
security solutions globally.

For more information, visit us at www.arrayshield.com




Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 

How Two Factor Authentication protects against hacking attacks - ArrayShield

  • 1. Failure to meet requirements that call for the implementation of two-factor authentication could result in regulatory fines and irreversible damage to a brand's reputation.

Security experts worldwide recommend strong two-factor authentication to protect an organization's assets. The same is recommended by compliance standards and certifications such as PCI-DSS, HIPAA, SAS 70, ISO 27001 and others.
  • 2. How ArrayShield IDAS protects against Hacking Attacks - Whitepaper

Clearly, passwords are not sufficient for protecting an organization's data:
√ Easy passwords can be cracked
√ Random passwords can't be remembered
√ The same passwords are used in multiple places
√ Passwords that need to be changed continuously are not user-friendly

This white paper describes how the ArrayShield IDAS authentication system prevents various kinds of hacking attacks that compromise traditional authentication mechanisms.

ArrayShield IDAS Technology:

ArrayShield IDAS is a revolutionary challenge/response two-factor authentication paradigm: a dynamically generated CharacterArray is displayed as a grid on the computer terminal, and the user superimposes on it an ArrayCard of the same structure that has opaque and transparent cells. ArrayShield IDAS builds on the widely acknowledged theory that 'humans are better at identifying, remembering and recollecting graphical patterns than text patterns'. Instead of remembering a sequence of characters (a password) as the secret, ArrayShield IDAS users remember a shape or pattern.

At the time of authentication, the user overlays the ArrayCard provided to them on the displayed CharacterArray and enters the characters that appear in their chosen pattern. The contents of the CharacterArray change at each authentication, so the user types a different secret word during every login. This makes the system a dynamic-password authentication system that uses two factors: the Pattern (something the user knows) and the ArrayCard (something the user has).

While highly secure, ArrayShield IDAS features an easy-to-use interface and integrates quickly with existing authentication infrastructure, with support for standards such as RADIUS-based OTP, SAML and others. This makes deployments fast and easy for an organization to implement and for its customers to use.

  • 3. ArrayShield IDAS provides protection against common hacking attacks and against several newer attacks that are becoming popular among fraudsters. Other solutions, including one-time-password (OTP) generator tokens, do not offer the same level of protection against attacks such as real-time replay. The following section lists known hacking attacks and shows how ArrayShield IDAS defeats each of them.

Hacking Attacks and How ArrayShield IDAS Protects Against Them
(each entry gives the hacking attack vector, then the protection offered by ArrayShield IDAS)

Keyloggers
Attack vector: Keyloggers are applications or hardware devices that monitor a user's keystrokes and send this information back to the malicious user over the internet. Hardware keyloggers are small inline devices placed between the keyboard and the computer. The other kind are software keyloggers, also referred to as spyware. Spyware usually gets onto the computer through banner-ad-based software that entices the user to install it for free.
ArrayShield IDAS protection: Because ArrayShield IDAS is a dynamic-password system, it is not vulnerable to keyloggers. Even if the attacker captures a user's One-Time SecretCode, that code cannot be reused to log in to the system (because of the dynamic nature of the CharacterArray), and the attacker cannot recover the user's Pattern from the One-Time SecretCode. Hence ArrayShield IDAS gives complete protection from both software and hardware keyloggers.

Real-time Replay Attack
Attack vector: Malware sits inside a user's browser and waits for the user to log into a bank. During login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank's website, telling the user that the service is "temporarily unavailable." The fraudster immediately uses the user ID, password and OTP to log in and drain the user's accounts.
ArrayShield IDAS protection: Since ArrayShield IDAS is a challenge-response system, the CharacterArray shown for each transaction is unique and the One-Time SecretCode derived by the user is valid only for that transaction. Even if an attacker performs a real-time replay attack, obtains the One-Time SecretCode and replays it from his own machine, it will not match the correct One-Time SecretCode for the different CharacterArray issued for that transaction.
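The login flow described on slides 2 and 3 (fresh CharacterArray per attempt, ArrayCard plus remembered pattern, single-use One-Time SecretCode) as an added illustration written here, not ArrayShield's own code. The 5 x 5 grid, the 36-character alphabet, the card modelled as a set of transparent cells and the pattern as an ordered list of cells are all assumptions of this toy model; the demo shows one successful login, then the captured code being rejected on reuse and on replay against the next CharacterArray, plus the failed-attempt lockout the whitepaper mentions.

```python
import hmac
import secrets
import string

GRID = 5                                   # assumption: 5 x 5 CharacterArray
ALPHABET = string.ascii_uppercase + string.digits
RNG = secrets.SystemRandom()               # CSPRNG for arrays, cards and demo

def new_character_array():
    """Server: a fresh random CharacterArray (the challenge) for every login."""
    return [[RNG.choice(ALPHABET) for _ in range(GRID)] for _ in range(GRID)]

def issue_array_card(transparent=10):
    """ArrayCard ('something you have'): a random set of transparent cells."""
    cells = [(r, c) for r in range(GRID) for c in range(GRID)]
    return frozenset(RNG.sample(cells, transparent))

def derive_secret_code(char_array, card, pattern):
    """User: overlay the card and type the characters seen through its transparent
    cells on the remembered pattern, an ordered list of (row, col) cells."""
    if not set(pattern) <= card:
        raise ValueError("pattern must lie on the card's transparent cells")
    return "".join(char_array[r][c] for r, c in pattern)

class IdasServer:
    """Stores each user's card layout and pattern; no reusable password exists."""

    def __init__(self, lockout=5):
        self.lockout = lockout
        self.users, self.pending, self.failures = {}, {}, {}

    def enroll(self, username, pattern_len=5):
        card = issue_array_card()
        pattern = RNG.sample(sorted(card), pattern_len)   # constructed pattern
        self.users[username] = (card, pattern)
        return card, pattern

    def challenge(self, username):
        """Step 1: send a new CharacterArray; any earlier one is discarded."""
        self.pending[username] = new_character_array()
        return self.pending[username]

    def verify(self, username, code):
        """Step 2: check the typed One-Time SecretCode against the pending array only;
        the challenge is consumed either way, so a captured code cannot be replayed."""
        char_array = self.pending.pop(username, None)
        if char_array is None or self.failures.get(username, 0) >= self.lockout:
            return False                    # no live challenge, or account locked
        card, pattern = self.users[username]
        expected = derive_secret_code(char_array, card, pattern)
        ok = hmac.compare_digest(expected.encode(), str(code).encode())
        self.failures[username] = 0 if ok else self.failures.get(username, 0) + 1
        return ok

def demo():
    """Enrol, log in once, then try to reuse and to replay the captured code."""
    srv = IdasServer()
    card, pattern = srv.enroll("alice")
    first = srv.challenge("alice")
    code = derive_secret_code(first, card, pattern)
    login_ok = srv.verify("alice", code)
    reuse_ok = srv.verify("alice", code)    # no pending challenge left: rejected
    second = srv.challenge("alice")
    replay_ok = srv.verify("alice", code)   # old code vs new CharacterArray
    return {"code": code, "login_ok": login_ok, "reuse_ok": reuse_ok,
            "replay_ok": replay_ok, "array_changed": second != first}
```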
  • 4. Man in the Browser Attack
Attack vector: Malware overwrites transactions sent by a user to the online banking website with the criminal's own transactions. This overwrite happens behind the scenes, so the user does not see the revised transaction values. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
ArrayShield IDAS protection: The hardened ArrayShield IDAS client has a Transaction Verification module through which the transaction details, as received by the host (bank), are sent to the user (customer) over an SSL channel and verified. Only after the user confirms the transaction details in the client application is the transaction processed, thereby preventing the MITB attack.

Phishing
Attack vector: The attacker targets users and fools them into entering their credentials into a fake web site. This usually occurs when a criminal sends an email impersonating a customer service organization and asks recipients to click on a URL to perform account maintenance or verification. The link takes them to a fraudulent site, which prompts them for their valid credentials.
ArrayShield IDAS protection: In the ArrayShield IDAS system, the one-time secret code derived and entered by the user on the phishing site is not valid for the next transaction. Additionally, as the ArrayCard structure and details are not available to the phishing site, the attacker will not be able to deduce the user's identity information (pattern and card details) by phishing the user.

Pharming
Attack vector: The attacker poisons the DNS server and redirects users to the fraudulent web site. Users do not suspect anything because the redirect happens even when the user selects the web site from a saved favorite or actually types in the correct URL.
ArrayShield IDAS protection: In the ArrayShield IDAS system, the one-time secret code derived and entered by the user on the pharming site is not valid for the next transaction. Additionally, as the ArrayCard structure and details are not available to the pharming site, the attacker will not be able to deduce the user's identity information (pattern and card details) by pharming the user.
  • 5. Shoulder Surfing
Attack vector: Shoulder surfing is looking over someone's shoulder to get information about their identity. It is an effective way to get information in crowded places because it is easy to stand next to someone and watch as they fill out a form. Shoulder surfing is a serious problem both when the user enters a password directly and when the user enters it through a virtual keyboard; in the case of a virtual keyboard it is relatively easy for the attacker to see the mouse clicks on the screen.
ArrayShield IDAS protection: If an attacker tries to shoulder-surf a user of the ArrayShield IDAS system, he has to see both the key sequence and the CharacterArray and map one to the other before the user submits the page in order to derive the user's pattern. Consider a case where the attacker observes that the user typed the character R: to identify the position of R in the CharacterArray, he has to linearly search each and every cell of the CharacterArray. By the time the attacker identifies the position of R, the user will have typed all the other characters of the One-Time SecretCode. Hence shoulder surfing is not effective against the IDAS system.

Guessing
Attack vector: Guessing is the simplest attack that an attacker can perform on a user authentication system. One of the main problems with the username-password system is the 'selection of password' itself. Studies show that users always pick passwords that are short and easy to remember. Often it is very easy to break a user's password if personal information about him/her is known, and more often than not it is widely known.
ArrayShield IDAS protection: In the ArrayShield IDAS pattern-based system, users choose their patterns irrespective of their personal information. An attacker can still guess by trying the most frequently used patterns, such as corner elements, diagonal elements and knight moves, which are easy to adopt as patterns. But even if the attacker tries the easy patterns, he cannot get through the authentication procedure because of ArrayShield's two-factor nature: he also has to guess the user's ArrayCard structure. As the card structure is unique and randomly generated, guessing it is not possible. Hence ArrayShield is fool-proof against the guessing attack.
  • 6. Social Engineering
Attack vector: Social engineering is the act of manipulating people into revealing their private details, rather than breaking in or using technical cracking techniques. Examples are accessing the user's social media accounts, or calling them over the phone to learn more about the user's personal details and possibly authentication credentials.
ArrayShield IDAS protection: In the ArrayShield IDAS pattern-based system, users choose their patterns irrespective of their personal information. Also, getting users to reveal their patterns over the phone is not possible, even though revealing of passwords by uninformed users is prevalent. Additionally, the attacker has to obtain multiple identity details from the end user, such as the pattern and the card structure, which is not possible with conventional social engineering attacks.

BruteForce Attack
Attack vector: In a brute-force attack, an intruder or attacker tries all possible combinations to crack the user's secret. The attacker performs an exhaustive search of the complete space to find the user's secret.
ArrayShield IDAS protection: The first variant of the brute-force attack is the string-based brute-force attack, in which the attacker ignores the CharacterArray and tries some random string as the One-Time SecretCode. Because of the dynamic nature of the CharacterArray, the brute-force search space never converges, compared with the finite convergence time for other authentication mechanisms. Additionally, the IDAS system has built-in controls that restrict user access after a finite number of failed attempts.

Dictionary Attack
Attack vector: A dictionary attack is an improved version of the brute-force attack. Instead of searching all possible combinations, the attacker searches only the possibilities that are most likely to be selected by the user.
ArrayShield IDAS protection: To attempt dictionary attacks on the IDAS system, the attacker has to construct dictionaries of patterns and ArrayCard structure details. Since the ArrayCard structure and values are pseudo-random, such dictionaries cannot be constructed, making this attack ineffective against the ArrayShield IDAS system.
  • 7. Comparison between ArrayShield IDAS and other authentication technologies in terms of capability to defend against various hacking attacks

Technology                   Keylogger  Realtime Replay  MITB  Phishing/Pharming  Shoulder Surfing  Guessing  Social Engineering  Dictionary/BruteForce
ArrayShield IDAS             Yes        Yes              Yes   Yes                Yes               Yes       Yes                 Yes
Question & Answer based      No         No               No    No                 No                No        No                  No
Virtual Keyboard             Yes        No               No    No                 No                No        No                  No
Password                     No         No               No    No                 No                No        No                  No
Use of two passwords         No         No               No    No                 No                No        No                  No
Hardware Token               Yes        No               No    Yes                Yes               Yes       Yes                 Yes
Software Token               Yes        No               No    Yes                Yes               Yes       Yes                 Yes
Out of Band (SMS based OTP)  Yes        No               No    Yes                Yes               Yes       No                  Yes

Yes – provides protection; No – doesn't provide complete protection
  • 8. ABOUT ARRAYSHIELD

Array Shield Technologies is the maker of software security products in the area of multi-factor authentication. The company's mission is to provide highly secure, cost-effective and easy-to-use software security solutions globally. For more information, visit us at www.arrayshield.com