How Two Factor Authentication protects against hacking attacks - ArrayShield
How ArrayShield IDAS Protects Against Hacking Attacks - Whitepaper
Highlights of ArrayShield IDAS:
√ Protects organizations from multiple hacking attacks that can compromise or defeat traditional authentication methods.
√ Fraud-proof login process using more intuitive and easy-to-remember patterns.
√ Provides one secure credential for multiple applications.
√ Can be seamlessly integrated and deployed in any environment.
Introduction:
Many organizations protect their infrastructure with a simple username and password. Entering this information grants access to the organization's sensitive data present in servers, databases, applications, email accounts, and other places. But it is widely acknowledged by information security experts that passwords are notoriously insecure. Many users choose weak passwords which can be easily guessed or cracked. When password policies are enforced, users end up noting down their passwords on Post-It notes, mobiles, email or their laptops, which is a serious security vulnerability. Phishing attacks trick users into revealing their passwords. Malicious viruses and spyware can capture passwords and send them over the network to attackers.
All the above scenarios make it very difficult for organizations to protect their sensitive data from hackers and competitors. Organizations of all sizes, from Fortune 500 companies to SMEs and government bodies, have recently witnessed multiple hacking attacks that were caused by attackers gaining knowledge of a user's password. The cause for concern is only magnified as the cost associated with a data breach has reached an estimated $6.6 million. Additionally, government regulations such as Sarbanes-Oxley, the PCI Data Security Standard, US Data Breach Notification Laws and others have been put in place to protect access to corporate networks. Failure to meet requirements that call for the implementation of two-factor authentication could result in regulatory fines and irreversible damage to a brand's reputation.
Security experts worldwide suggest the use of strong two-factor authentication to protect an organization's assets. The same is also recommended by various compliance standards and certifications such as PCI-DSS, HIPAA, SAS 70, ISO 27001 and others.
Clearly passwords are not sufficient for protecting an organization's data:
√ Easy passwords can be cracked
√ Random passwords can't be remembered
√ The same passwords are used at multiple places
√ Passwords that need to be continuously changed are not user-friendly
This white paper describes how ArrayShield IDAS authentication system prevents various kinds of hacking
attacks that compromise traditional authentication mechanisms.
ArrayShield IDAS Technology:
ArrayShield IDAS is a revolutionary challenge/response Two Factor Authentication paradigm that involves a dynamically generated CharacterArray, displayed as an array on the computer terminal, which is superimposed with an ArrayCard of similar structure that has opaque and transparent cells.
ArrayShield IDAS is built leveraging the widely acknowledged theory that ‘humans are better at identifying, remembering and recollecting graphical patterns than text patterns’. Instead of remembering a sequence of characters (i.e., a password) as the secret, ArrayShield IDAS users have to remember a shape or pattern as their secret.
At the time of authentication, the user has to use the ArrayCard provided to them by overlapping the card on the displayed CharacterArray and entering the characters that appear in their chosen pattern. The contents of the CharacterArray change at each authentication, so the user types a different secret word during each authentication process. This makes the system a dynamic password user authentication system leveraging the two factors of authentication: the Pattern (what the user knows) and the ArrayCard (what the user has).
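A toy simulation of the challenge/response flow just described, written for this page and not ArrayShield's own code: the grid size, the alphabet, and the way the card and pattern are stored server-side are assumptions. It also shows the property the keylogger and replay discussion later in the paper relies on: a One-Time SecretCode captured at one login does not verify against the next CharacterArray.

```python
import secrets
import string
import hmac

# Constructed toy model of the scheme: a 4x4 grid and an alphanumeric alphabet
# are assumptions for illustration, not ArrayShield's actual parameters.
ROWS, COLS = 4, 4
ALPHABET = string.ascii_uppercase + string.digits

def issue_card(transparent_cells=6):
    """Enrolment: the ArrayCard is a random set of transparent cells
    (what the user has); the server stores the same set."""
    cells = [(r, c) for r in range(ROWS) for c in range(COLS)]
    chosen = set()
    while len(chosen) < transparent_cells:
        chosen.add(secrets.choice(cells))
    return frozenset(chosen)

def new_character_array():
    """Challenge: a fresh CharacterArray of random characters for every login."""
    return [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]

def derive_code(grid, pattern):
    """Response: the user reads the characters visible through the pattern's
    cells, in pattern order, giving the One-Time SecretCode."""
    return "".join(grid[r][c] for r, c in pattern)

def verify(grid, card, pattern, code):
    """Server side: the pattern (what the user knows) must lie on transparent
    cells of the card, and the submitted code must match this grid exactly."""
    if not set(pattern) <= card:
        return False
    expected = derive_code(grid, pattern)
    return hmac.compare_digest(expected.encode(), code.encode())

def replay_demo():
    """Returns (first_login_ok, replay_ok). The code a keylogger captures on
    the first login is, with overwhelming probability, useless on the next
    one because the server issues a new CharacterArray."""
    card = issue_card()
    pattern = tuple(sorted(card))[:4]        # user's secret shape: 4 card cells
    grid1 = new_character_array()
    code1 = derive_code(grid1, pattern)      # what a keylogger would capture
    first_ok = verify(grid1, card, pattern, code1)
    grid2 = new_character_array()            # next login: new challenge
    replay_ok = verify(grid2, card, pattern, code1)
    return first_ok, replay_ok

if __name__ == "__main__":
    print(replay_demo())
```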
While highly secure, the ArrayShield IDAS features an easy-to-use interface and integrates quickly with
existing authentication infrastructures with support for standards such as RADIUS-based OTP, SAML, and
others. This makes deployments fast and easy for an organization to implement and its customers to use.
ArrayShield IDAS provides protection against common hacking attacks and several new attacks that are becoming popular among fraudsters. Other solutions, including one-time-password (OTP) generator tokens, do not offer the same level of protection against attacks such as real-time replay attacks. The following section lists known hacking attacks and shows how ArrayShield IDAS defeats each of them.
Hacking Attacks and How ArrayShield IDAS protects against them
Keyloggers:
Attack vector: Keyloggers are applications or hardware devices that monitor a user's keystrokes and send this information back to the malicious user over the internet. Hardware keyloggers are small inline devices placed between the keyboard and the computer. The other kind of keyloggers are software keyloggers, also referred to as spyware. Spyware usually gets into the computer through banner ad-based software, where the user is enticed to install the software for free.
Protection offered by ArrayShield IDAS: ArrayShield IDAS, being a dynamic password system, is not vulnerable to keyloggers. Even if the hacker gets the One-Time SecretCode of a user of the system, this One-Time SecretCode cannot be reused by the hacker to log in to the system (because of the dynamic nature of the CharacterArray), and the hacker cannot get the user's Pattern from the One-Time SecretCode. Hence ArrayShield IDAS can give complete protection from both software keyloggers and hardware keyloggers.
Real-time Replay Attack:
Attack vector: Malware sits inside a user's browser and waits for the user to log into a bank. During login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank's website, telling the user that the service is "temporarily unavailable." The fraudster immediately uses the user ID, password and OTP to log in and drain the user's accounts.
Protection offered by ArrayShield IDAS: Since ArrayShield IDAS is a challenge-response system, the CharacterArray shown for each transaction is unique and the One-Time SecretCode derived by the user is valid only for that transaction. Even if a hacker performs a real-time replay attack, obtains the One-Time SecretCode and replays it from his machine, it will not match the correct One-Time SecretCode for the different CharacterArray of the new transaction.
Man in the Browser Attack:
Attack vector: Malware overwrites transactions sent by a user to the online banking website with the criminal's own transactions. This overwrite happens behind the scenes so that the user does not see the revised transaction values. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
Protection offered by ArrayShield IDAS: The hardened ArrayShield IDAS client has a Transaction Verification module through which the transaction details, as received by the host (bank), are sent to the user (customer) over an SSL channel and verified. After the user confirms the transaction details on the client application, the transaction gets processed, thereby preventing the MITB attack.
Phishing:
Attack vector: The attacker targets users and fools them into entering their credentials into a fake web site. This usually occurs when a criminal sends an email impersonating a customer service organization and asks recipients to click on a URL to perform account maintenance or verification. The link takes them to a fraudulent site, which prompts them for their valid credentials.
Protection offered by ArrayShield IDAS: In the ArrayShield IDAS system, the one-time secret code derived and entered by the user on the phishing site is not valid for the next transaction. Additionally, as the ArrayCard structure and details are not available to the phishing site, the hacker will not be able to deduce the user's identity information (pattern and card details) by phishing the user.
Pharming:
Attack vector: The attacker poisons the DNS server and redirects users to the fraudulent web site. Users do not suspect anything because the redirect happens even when the user selects the web site from a saved favorite or actually types in the correct URL.
Protection offered by ArrayShield IDAS: In the ArrayShield IDAS system, the one-time secret code derived and entered by the user on the pharming site is not valid for the next transaction. Additionally, as the ArrayCard structure and details are not available to the pharming site, the hacker will not be able to deduce the user's identity information (pattern and card details) by pharming the user.
Shoulder Surfing:
Attack vector: Shoulder surfing is looking over someone's shoulder to get information about his identity. Shoulder surfing is an effective way to get information in crowded places because it is easy to stand next to someone and watch as they fill out a form. Shoulder surfing becomes a serious problem both when the user enters the password directly and when the user enters the password through a virtual keyboard. In the case of a virtual keyboard it is relatively easy for the hacker to see the mouse clicks on the screen.
Protection offered by ArrayShield IDAS: If a hacker tries shoulder surfing on a user of the ArrayShield IDAS system, he has to see both the key sequence and the CharacterArray and map one to the other before the user submits the page in order to derive the user's pattern. Consider a case where the hacker observes that the user typed the character R: to identify the position of the R in the CharacterArray, he has to linearly search each and every cell of the CharacterArray. By the time the hacker identifies the position of R, the user will have typed all the other characters of his One-Time SecretCode. Hence shoulder surfing is not effective against the IDAS system.
Guessing:
Attack vector: Guessing is the simplest attack that a hacker can perform on a user authentication system. One of the main problems with the username-password system is the ‘selection of password’ itself. Studies show that users always pick passwords which are short and easy to remember. Often it is very easy to break the user's password if personal information about him/her is known, and more often than not it is widely known.
Protection offered by ArrayShield IDAS: In the ArrayShield IDAS pattern-based system, users choose their patterns irrespective of their personal information. Still, the hacker can try guessing by trying out the most frequently used patterns, such as corner elements, diagonal elements and knight moves, which are easy to have as patterns. Even if the hacker tries the easy patterns, he cannot get through the authentication procedure because of ArrayShield's two-factor nature: the hacker has to guess the user's ArrayCard structure as well. As the card structure is unique and randomly generated, guessing it is not possible. Hence ArrayShield is fool-proof against the Guessing attack.
Social Engineering:
Attack vector: Social engineering is the act of manipulating people into revealing their private details, rather than breaking in or using technical cracking techniques. Examples include accessing the user's social media accounts or calling them over the phone to learn more about the user's personal details and possibly authentication credentials.
Protection offered by ArrayShield IDAS: In the ArrayShield IDAS pattern-based system, users choose their patterns irrespective of their personal information. Also, making users reveal their patterns over the phone is not possible, though revealing passwords over the phone is prevalent among uninformed users. Additionally, the attacker has to extract multiple identity details, such as the pattern and card structure, from the end user, which is not possible with conventional social engineering attacks.
BruteForce Attack:
Attack vector: In a brute-force attack, an intruder or hacker tries all possible combinations to crack the user's secret. The hacker does an exhaustive search of the complete space to find the user's secret.
Protection offered by ArrayShield IDAS: The first variant of a brute-force attack is the string-based brute-force attack, in which the attacker ignores the CharacterArray and tries some random string as the One-Time SecretCode. Because of the dynamic nature of the CharacterArray, the brute-force search space will never converge, compared to the finite convergence time for other authentication mechanisms. Additionally, the IDAS system has built-in controls to restrict user access after a finite number of failed attempts.
Dictionary Attack:
Attack vector: A dictionary attack is an improved version of the brute-force attack. In a dictionary attack, instead of searching all possible combinations, the hacker searches only the possibilities most likely to be selected by the user.
Protection offered by ArrayShield IDAS: To attempt dictionary attacks on the IDAS system, the hacker has to construct dictionaries for patterns and ArrayCard structure details. Since the ArrayCard structure and values are pseudo-random, dictionaries cannot be constructed for them, making this attack ineffective against the ArrayShield IDAS system.
Comparison between ArrayShield IDAS and other authentication technologies in terms of capability to defend against various hacking attacks

Technology                  | Keylogger | Realtime Replay Attack | MITB | Phishing/Pharming | Shoulder Surfing | Guessing | Social Engineering | Dictionary/BruteForce Attack
----------------------------|-----------|------------------------|------|-------------------|------------------|----------|--------------------|-----------------------------
ArrayShield IDAS            | Yes       | Yes                    | Yes  | Yes               | Yes              | Yes      | Yes                | Yes
Question & Answer based     | No        | No                     | No   | No                | No               | No       | No                 | No
Virtual Keyboard            | Yes       | No                     | No   | No                | No               | No       | No                 | No
Password                    | No        | No                     | No   | No                | No               | No       | No                 | No
Use of two passwords        | No        | No                     | No   | No                | No               | No       | No                 | No
Hardware Token              | Yes       | No                     | No   | Yes               | Yes              | Yes      | Yes                | Yes
Software Token              | Yes       | No                     | No   | Yes               | Yes              | Yes      | Yes                | Yes
Out of Band (SMS based OTP) | Yes       | No                     | No   | Yes               | Yes              | Yes      | No                 | Yes

Yes – provides protection; No – doesn’t provide complete protection
ABOUT ARRAYSHIELD
Array Shield Technologies is the maker of software security products in the area of Multi-Factor
Authentication. The company’s mission is to provide highly secure, cost effective and easy to use software
security solutions globally.
For more information, visit us at www.arrayshield.com