TriCipher, Inc. Announces its New Authentication Solution Protects Against Man in the Middle Phishing Attacks
Innovative multi-factor authentication solution leverages existing SSL infrastructure to prevent man in the middle phishing
SAN MATEO, CA – March 22, 2005 -- TriCipher,
Inc., the innovators of strong authentication for
the real world, today announced that its TriCipher
Armored Credential System (TACS), launched last month
at RSA Conference 2005, prevents man in the middle
phishing attacks – a security threat that has
become top of mind as businesses and consumers become
increasingly reliant on the Internet for conducting
essential business transactions. To protect themselves,
enterprises have increasingly turned to one time
passwords, a form of two factor authentication believed
to prevent successful attacks. However, industry
experts have called into question the effectiveness
of this type of authentication in protecting against
phishing. A recent article by a noted researcher
outlined weaknesses in token-based authentication
approaches. In addition, recent research from Infidel,
Inc., demonstrates that all one time password systems,
such as time synchronous tokens, can be easily compromised
by man in the middle phishing attacks - which require
very little technical sophistication on the part
of the phisher. TriCipher’s unique approach
to strong authentication leverages the Internet’s
existing SSL infrastructure, combined with a unique
multi-part credential to foil proxied man in the
middle attacks.
“Recent articles have spawned a lot of talk
amongst security experts about the role two factor
authentication plays in protecting against man in
the middle phishing,” said Rebecca Bace, President
of Infidel, Inc. “It’s true that one
time password systems are not an adequate defense,
but that is only one flavor of two factor authentication,
and an outdated one at that. The key to protecting
against these attacks is to take advantage of the
existing SSL infrastructure to authenticate the client.
SSL was designed to prevent man in the middle attacks
and doesn’t require the user to reveal the
credential -- only to prove that she has it. Ideally,
you would also like to make it impossible to steal
the entire credential from the user. The TriCipher
solution satisfies all these requirements.”
As companies have moved to one time password tokens
to protect bank and brokerage accounts, phishers
have begun to set up man in the middle attacks. In
such attacks, users are lured to a phishing site
by an email or DNS caching hack, where they enter
their username, password, and the number from a one
time password token. The phisher’s server automatically
uses this information to immediately log in to the
legitimate site, then either keeps the session open
automatically until the phisher is ready to hijack
the session or simply alters the user’s transaction
to benefit the phisher.
TACS creates a multi-part credential, splitting
the user’s credential between the user and
a secure appliance kept in the enterprise’s
data center. Since the user doesn’t have the
entire credential, he or she can’t give it
away to the phisher, nor can the phisher steal it
from their desktop. In addition, TriCipher’s
credentials use SSL client authentication, which
prevents a phisher from sitting in the middle of
the user’s session with the web server. Further,
using SSL means no new software at the web server,
making deployment fast and easy.
“The SSL infrastructure is out there and
it’s very robust,” commented Eric Greenberg,
one of the developers of the SSL protocol and current
CTO of NetFrameworks, Inc. “As an industry
we’ve only been using half of it because legacy
PKI systems were too complex to implement. The TriCipher
product vastly simplifies the deployment and management
of strong authentication and takes advantage of the
security of SSL to prevent man in the middle phishing.
The TriCipher solution provides a cost effective,
highly secure alternative to time synchronous or
challenge response one time password systems.”
“We’re delighted at the validation
our solution has received in light of the recent
scrutiny about the role two factor authentication
plays in protecting against man in the middle attacks,” said
Ravi Sandhu, Chief Scientist, TriCipher and professor
of Information Security and Assurance at George Mason
University. “At roughly five dollars per seat,
TACS provides an elegant way to protect against man
in the middle attacks that, unlike other solutions,
is extremely affordable and easy to deploy.”
About TriCipher, Inc.
TriCipher, Inc. provides strong authentication for
the real world. The first authentication system that
issues multiple types of credentials from a single
infrastructure, the TriCipher Armored Credential System™ (TACS)
allows for authentication strength to change in response
to new threats without any infrastructure changes.
Our patented technology fills the gap between authentication
systems that are either not secure enough or too hard
to use and deploy. TriCipher’s innovative approach
to strong multi-factor authentication protects against
phishing and eliminates dictionary attacks. Founded
in 2000, TriCipher is headquartered in San Mateo, California.
The Company was incubated as NSD Security before launching
as a separate entity in 2005. Investors in TriCipher
are ArrowPath Venture Capital, Intel® Capital,
Trident Capital and Wasatch Venture Partners. For more
information, please visit
www.tricipher.com or
email info@tricipher.com.
Copyright 2005 TriCipher, Inc. TriCipher,
Armored Credential, and Armored Credential Appliance
are either registered trademarks or trademarks
of TriCipher, Inc. in the United States and/or
other countries. All other products and services
mentioned are trademarks of their respective companies.
For More Information Contact:
Elizabeth Safran, Trainer Communications for TriCipher,
Inc.
elizabeth@trainercomm.com, (408) 920-0585
Sally Sheward, TriCipher, Inc.
sally@tricipher.com, (650) 372-1312