The Transecq Platform is an interactive electronic security platform on your mobile phone. The software creates a secure authentication environment that can be used in a wide variety of applications.
The Transecq Platform™ uniquely identifies a mobile phone user and thus enables a secure channel between any institution and their customers.
This innovative technology makes it possible to transact, authenticate and send messages without the possibility of perpetrators intercepting the communication or acting on someone else’s behalf, thereby eliminating fraud, identity theft, phishing and even SIM cloning.
Transecq ITA
Transecq Two-Factor Authentication
The need for stronger authentication mechanisms
Establishing the true identity of an online user is often a tricky task. Traditionally, users have been identified by means of a username and password. Once these credentials are supplied, a user is usually granted unconditional access to the system. In the case of online transaction systems, it is vital that nobody gains unauthorized access that would enable them to commit some level of fraud.

As the Internet is becoming more central to everyone’s day-to-day life, an increasing number of services are being made available online. This includes sensitive services such as online banking, online purchases, restricted remote system access and many more. Along with this trend, fraud is also increasing at an alarming rate, exploiting the security loopholes in existing information infrastructure.

With the widespread use of exploits such as MITM (Man-In-The-Middle), MITB (Man-In-The-Browser), keystroke logging, phishing and various TEMPEST methods, additional means of online user identification and transaction verification become an absolute necessity. A username and password are no longer sufficient to identify a user.
The path to a viable solution
A user validation concept that has been around for a couple of years is two-factor authentication. A simple username and password employed for remote authentication is considered a single factor of authentication. By providing an additional, different means of authentication, a second factor is introduced into the authentication process, allowing two-factor (or multiple-factor) authentication.

A true second factor is usually implemented as something a user has or possesses, while the traditional username and password (first factor) are things the user knows; a perpetrator would have to gain access to both the knowledge (passwords) and the physical item to be able to authenticate as someone else.

Hardware tokens are popular second factors. The user carries a small device capable of generating a unique authentication number (token) that can be entered into the authentication platform. The system usually employs some mathematical method to determine whether this token indeed belongs to the specified user. So in addition to the facts the user should know (username and password), he also needs to be in possession of the hardware token device to successfully authenticate and gain access to the system.

Some problems do, however, exist around hardware tokens. Since the user is required to constantly carry the device, it is easily lost, which also impacts negatively on the mobile appeal of the solution. Furthermore, scalability becomes problematic, as do the considerable expenses involved in provisioning, managing and replacing all the physical hardware devices.

Mobile one-time passwords (OTPs) go a long way towards solving the problems of token devices. Technically, however, they are still very similar to hardware tokens. OTPs as a second factor of authentication are usually provisioned to a mobile phone via an SMS (text message) sent from the authentication system, normally a bank, and must be entered into the system to complete authentication.

Users always have their phones with them, and a unique bond between a user and a phone can easily be established. However, SMS messaging does have drawbacks. Being a store-and-forward technology, delivery delays often occur, and various loopholes for interception also cloud the integrity of this technology, especially since SMS content is sent in plaintext. Another important point is the cost of sending these messages to users. Banking institutions deploy significant resources to send and manage OTPs via SMS.

Various systems in the market generate an OTP on the mobile device, via applications written mostly in Java, although other platform-specific applications are not uncommon. This model eliminates the costs and problems around SMS OTP delivery, since the user is now capable of generating an OTP at any time, using only their mobile phone.
Tel. 678.466.6772 | info@transecq.com | www.transecq.com
Although a cost-effective and more convenient solution, this still does not address the most important shortcoming of OTPs. True two-factor authentication can only be reached when the second factor is totally out of band. Simply put, the second factor of authentication should not re-use the communication channel of the first factor (username and password). All OTP/token solutions rely on the fact that the token or number is entered into the same system the username and password were entered into. This simple fact exposes the system to a whole range of vulnerabilities for perpetrators to abuse. By successfully attacking the main communication channel (usually the Internet), perpetrators effectively compromise both authentication factors.

Gartner states in its report “Where Strong Authentication Fails and What You Can Do About It” (G00173132) that any authentication method relying on browser communications can be defeated. It further notes that even techniques relying on out-of-band phone calls can be thwarted because of the simplicity of forwarding a phone call to another number. The Transecq solution described in this paper is unique in that it adheres to all of Gartner’s recommendations and is impervious to the attacks plaguing the industry today.

A standard attack scenario can be described as follows: a user opens a phishing site masquerading as the real website and supplies his username and password. The fake site immediately enters these credentials into the real site using an automated script, causing an OTP to be sent to the user’s phone (or prompting the user to generate an OTP from a token-generating device). At this stage any SiteKey or SurePhrase messages are also duplicated from the real site to the fake site, further strengthening the apparent legitimacy of the fake site. The fake site now prompts the user to enter the OTP that he generated or by now received from the real site. At this stage, the fake site has enough details to log in to the user’s account and transact fraudulently.

A truly secure two-factor solution can only be considered to employ strong authentication when the second factor is completely isolated and the complete loop is totally out of band with respect to the first factor. Only a system meeting these requirements would be truly reliable in maintaining authentication integrity.

Once authenticated, a user should additionally be required to authenticate certain key procedures within the online/remote session, for example making beneficiary payments in an online banking environment. SSL/TLS, although in essence still secure, is by itself no longer sufficient to protect against interception techniques taking advantage of software implementation vulnerabilities. Transaction verification therefore eliminates any kind of MITM and MITB attack, since each transaction is verified out of band in a secure and isolated authentication loop.

A novel way of authentication

Transecq’s Interactive Transaction Authentication (ITA) system is a complete solution to all the authentication problems plaguing the industry today, by approaching the problem holistically and enabling second-factor authentication with bidirectional (encrypted) out-of-band data transmission. ITA consists of a high-performance socket server receiving authentication requests from a workflow engine (through ISO8583, OpenID, RADIUS, LDAP or SOAP) and relaying the messages to the corresponding user by sending them to an application on their mobile phone for approval by the user.

The ITA application on the mobile phone is available for the following platforms:
• J2ME (MIDP 2.0)
• Android
• iPhone
• BlackBerry
• Windows Mobile
• As a USSD network service for phones not supporting the above applications

[Screenshot: the Transecq Mobile application displaying the prompt “Accept payment of $2495.95 from vendor GENSTORE?” with Reject and Accept buttons.]
The Transecq ITA platform can identify each mobile phone in the world uniquely by automatically issuing each client’s phone with a Digital Fingerprint, also called an X.509 client-side certificate, enabling bilateral certificate validation; the certificate is issued from Transecq’s trusted Certificate Authority. This certificate is stored on the client’s phone inside DRM-protected space.

Each transaction to approve (website login, beneficiary payment, etc.) is sent to the client’s phone, and a description of what the transaction entails is displayed to the user. He can choose to either Accept or Reject the transaction. The response is then cryptographically signed with the private key of the user’s certificate residing on the phone and sent back to the requesting server to be verified through PKI. This signature can then be used to ensure non-repudiation and prove the intent of any user pertaining to a specific transaction.

No matter what type of attack occurs (i.e. even if a transaction is changed or manipulated by a fraudster), the actual transaction occurring at the bank is sent directly to the specific user over an encrypted second band accessible only to the specific paired phone. All attacks on other channels are negated, as the user approves the actual transaction and will immediately discover any fraudulent attempt.

[Diagram: transaction flow between the user, the bank’s secure area, the Transecq Mobile aggregator and the user’s handset, numbered 1 to 6. 1: Transaction request (“Transfer $100 to John Smith”) enters the bank secure area. 3: Transaction request sent to mobile via the Transecq Mobile aggregator; the handset shows “Do you want to transfer $100 to John Smith?”. 4: Response YES/NO returned. 6: Transaction accepted or rejected, ending in “Transfer successful”.]
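The approval loop described above, reduced to code as an added illustration (this is not Transecq’s code; the page does not disclose ITA’s message format or key handling, so the request and response structures, the user and transaction identifiers and the transaction descriptions are all constructed here). The gateway records the transaction it is about to perform and sends the handset a request carrying a fresh nonce; the handset signs the user’s Accept/Reject decision over that exact request with an ECDSA private key that stays on the device; the gateway checks the signature against the key enrolled for that user and retires the request so the same answer cannot be replayed. Enrolment is simplified to registering the handset’s public key rather than issuing an X.509 certificate from a CA. RunScenario walks through one honest approval and three submissions the gateway must refuse: a replay of the consumed answer, a rejection rewritten to an acceptance in transit (the case the page’s MITM/MITB argument rests on), and an approval signed by a key never enrolled for the user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Request is what the gateway pushes to the handset (a constructed structure; the page does
// not document ITA's wire format). The random nonce makes each signed answer unique.
type Request struct {
	ID, User, Description string
	Nonce                 [16]byte
}

// Response is the handset's answer: the user's decision, bound by signature to the request.
type Response struct {
	RequestID, Decision string // Decision is "ACCEPT" or "REJECT"
	Signature           []byte // ASN.1 ECDSA signature over digest()
}

// digest commits to everything the user saw plus the decision; the zero byte after each
// field stops values from running together.
func digest(req Request, decision string) []byte {
	h := sha256.New()
	for _, f := range []string{req.ID, req.User, req.Description, string(req.Nonce[:]), decision} {
		h.Write(append([]byte(f), 0))
	}
	return h.Sum(nil)
}

// respond runs on the handset: the private key (kept on the device; DRM-protected storage
// on the page's platform) signs the decision the user chose for exactly the request shown.
func respond(key *ecdsa.PrivateKey, req Request, decision string) Response {
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(req, decision)) // only fails if the RNG does
	return Response{RequestID: req.ID, Decision: decision, Signature: sig}
}

// Gateway is the bank-side authentication server. Enrolment is modelled as registering the
// handset's public key; the page's product issues an X.509 certificate from its own CA
// instead, but the per-transaction verification is the same.
type Gateway struct {
	keys    map[string]*ecdsa.PublicKey // user -> enrolled handset public key
	pending map[string]Request          // open requests, removed once answered
}

// Request records a transaction the bank is about to perform and builds the handset message.
func (g *Gateway) Request(id, user, description string) Request {
	req := Request{ID: id, User: user, Description: description}
	rand.Read(req.Nonce[:])
	g.pending[id] = req
	return req
}

// Verify returns nil only when the enrolled key of the user named in the request signed
// exactly this still-open request together with the stated decision.
func (g *Gateway) Verify(resp Response) error {
	req, open := g.pending[resp.RequestID]
	if !open {
		return errors.New("unknown or already-answered request")
	}
	pub, enrolled := g.keys[req.User]
	if !enrolled {
		return errors.New("no enrolled handset for this user")
	}
	if !ecdsa.VerifyASN1(pub, digest(req, resp.Decision), resp.Signature) {
		return errors.New("signature does not cover this transaction and decision")
	}
	delete(g.pending, resp.RequestID) // consumed: the same answer cannot be replayed
	return nil
}

// RunScenario enrols one handset and reports which submissions the gateway accepted;
// only the honest approval should be.
func RunScenario() map[string]bool {
	phoneKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the handset
	gw := &Gateway{keys: map[string]*ecdsa.PublicKey{"user-1234": &phoneKey.PublicKey},
		pending: map[string]Request{}}
	out := map[string]bool{}
	// Honest approval, then a replay of the already-consumed answer.
	req := gw.Request("tx-1", "user-1234", "Transfer $100 to John Smith")
	resp := respond(phoneKey, req, "ACCEPT")
	out["honest"] = gw.Verify(resp) == nil
	out["replay"] = gw.Verify(resp) == nil
	// The user rejects; something on the path rewrites the decision to ACCEPT.
	req = gw.Request("tx-2", "user-1234", "Accept payment of $2495.95 from vendor GENSTORE")
	resp = respond(phoneKey, req, "REJECT")
	resp.Decision = "ACCEPT"
	out["flipped"] = gw.Verify(resp) == nil
	// A different key, never enrolled for this user, tries to approve on their behalf.
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req = gw.Request("tx-3", "user-1234", "Transfer $100 to John Smith")
	out["unenrolled"] = gw.Verify(respond(otherKey, req, "ACCEPT")) == nil
	return out
}
```

The decisive detail is what the digest covers. Because the description the user saw is part of the signed message and the gateway checks the signature against its own record of the pending request rather than anything the client sends, a transaction altered at the bank cannot be approved with a signature the user produced for a different description, and flipping the decision on the wire invalidates the signature. A production gateway would additionally validate the handset certificate chain to its CA, include the online user PIN the page mentions in the signed data, and log every rejection for follow-up.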
This system can be used as a real-time, second-factor, out-of-band authentication gateway for absolutely any digital action or transaction. User input is minimal, enhancing user experience and also eliminating human errors. This system has already been used to successfully secure the following types of transactions:
• Online web login and transactions (Internet Banking, Trading, etc.)
• Online Credit Card (Card Not Present) purchases tying into 3-D Secure
• Credit and Debit Card Transactions at Point-of-Sale
• ATM (Automated Teller Machine) cash withdrawals

Advantages in using Transecq’s ITA system as opposed to other systems:
• Phishing, MITB, MITM, keystroke logging and any other form of user impersonation is impossible
• Transaction rejections can immediately be flagged and the user contacted or the account placed under review
• Non-repudiation is ensured since each transaction is digitally signed by the user’s private key
• Self-service options may also be made available inside ITA applications: checking balances, activating/de-activating cards, changing limits
• The certificate is not tied to the SIM card (or phone number), so the user is free to change SIMs (for example when travelling overseas), and no pre-arrangement with mobile operators is necessary when using this system, since everything is stored on the handset, not the SIM
• All communications are packet data (IP based), which means that institutions save millions of dollars in SMS (text) costs
• The Transecq ITA application can be remotely launched on the user’s handset by binary SMS if necessary
• OTP mode (generated on the handset) when there is no GSM coverage
• Transactions can be pre-approved by a user using ITA, in cases where the user knows he will enter and transact in an area with poor GSM coverage
• ITA is completely scalable, with a single phone application granting the user access to all ITA-enabled institutions
• An online user PIN allows for additional protection and is embedded in the digital signature of approved transactions
• Bidirectional flow of transactions

In summary, Transecq provides true two-factor authentication, completely isolated out of band, and also fulfils the requirements for user convenience and usability, ensuring a healthy adoption rate crucial for successful implementation and sustained operation.

Transecq is the leading provider of global secure transaction authentication services.