CEO Mark Kay says "Every enterprise and every Cons
Post# of 82672
Mark Kay: "OOBAaaS (OOB as a Service) is as large as the global mobile market itself. More than a billion OOBA transactions are already processed every week"
Quote:
StrikeForce Technologies is an emerging company with a big patent. It holds the patent for “Multichannel Device Utilizing A Centralized Out-of-Band Authentication System (COBAS)”; put more simply, if you want to do out-of-band authentication with a mobile device, you need to talk to these guys. In concept, how it works is relatively simple. Picture yourself logging into a social network like Twitter, Pinterest, or Facebook. Now, consider that there’s an increasing trend to use something called “linked authentication;” this is a form of single sign-on where online services will permit user access based on the authenticated credentials from a site like Facebook or Twitter. In other words, if someone hacks your Twitter account, they might also be able to access your eWallets across a host of shopping sites and wreak havoc on your credit cards.
Instead of just using a simple, easy to hack username-password combination, OOBA uses a separate channel to authenticate a user. It might dial a call or send a text message or email to a user’s wireless phone and would require an authentic response in order to permit the login to proceed. The same concept could extend to any transaction being conducted after initial authentication; in other words, you may be logged into Twitter, then try to buy something on another site that logs you in based on your Twitter authentication. To complete the purchase and authorize the transaction, OOBA process would be triggered.
“This additional step would increase the chance of not being the next reported data breach by over 80 percent, as stated in Verizon’s 2013 Data Breach Investigations Report,”says StrikeForce’s CEO Mark Kay. He adds that, as The Guardian recently reported, more than a billion OOBA transactions are already processed every week. The approach became far more popular after RSA encryption was hacked in March 2011 and companies realized that security tokens, while two-factor, use codes that are too easy for hackers to predict and, for that reason, are highly vulnerable. OOBA, on the other hand, uses “OATH compliant one time passwords which are 100 percent random,” explains Kay.
Though increasingly applied for security, OOBA should make sense for financial transactions as well. In 2011, Forbes reported that credit card fraud alone was a $190 billion problem. More recently, Practical eCommerce reported that for every $1 million in revenue generated, online retailers lose at least $9,000.00 to various forms of fraud, particularly credit card fraud and identity fraud due to stolen credentials.
The beauty of out-of-band authentication, and the reason it is needed, is that it’s very difficult to defeat. Login-password combinations, and now security tokens like RSA, are child’s play for hackers. These linear approaches are relatively easy to defeat; once a hacker breaches the perimeter, there’s virtually no looking back. But while out-of-band uses technology, it’s really more of a philosophy that’s tough to defeat; make sure the user is who the user claims to be. Though no mechanism can be perfect, there is some simple wisdom in an idea that says, “unless you call me on my phone and confirm that I’m the one who is logging in, don’t permit the login.”
Naysayers will argue that there are all sorts of ways to defeat this concept, but the bottom line is that there are many fewer ways to defeat it than there are to defeat passwords, and those ways are complex enough to turn off all but the more, or most, committed perpetrators. StrikeForce’s Kay adds that keystroke encryption, as a complement to OOBA, would fill “the security gap any authentication product might have” and would “prevent over 90 percent of the data breaches” identified in Verizon’s report (StrikeForce also provides real-time keystroke encryption and anti-keylogging technology).
OOBA As a Revenue Play
If the mobile device is part of the security scheme, it adds value to all of the things a mobile operator knows about a device at any given time – where it is, how it’s being used, and whether or not it is allowed to connect with the network. That puts the CSP in an even better position to secure the out-of-band authentication device; detect fraudulent usage patterns that may point to a compromised device; shut down a device that has been stolen or forged; and follow up with customers directly to inform them that their interests are being protected by – who else ? the worthy keeper of the public trust.
In other words, out-of-band authentication is not just something a mobile operator should use to protect its customers, services, and billing infrastructure; it is a value-added service it can offer to anyone in the digital economy that relies on mobile access to engage users and conduct transactions. As Kay notes, that ultimately includes “every enterprise and consumer across the globe.” Even if that’s a slight overstatement, it would seem like the potential addressable market to which CSPs could deliver “OOBAaaS” is as large as the global mobile market itself.