Beating Online Fraud With a Phone

The fear of online fraud and theft looms large in consumers’ minds.

Even among those performing transactions on the Internet — banking, stock trading or checking credit card balances online — appear to be worried about the threat of fraud. A recent survey found that 64 percent of 1,500 Internet users who have performed an online transaction said they worry that it’s only “somewhat difficult” or “not at all difficult” for a hacker or thief to get access to an online banking account.

The survey, conducted by Harris Interactive for hosted security services provider Positive Networks, aims to identify a need for products like Positive’s, which seek to stem the tide of circumventing even two-factor authentication.

Increasingly, failures of standard two-factor authentication are making their way into the news. In January, for instance, the Silent Banker Trojan Horse, which targeted 400 banks, impacted hundreds of thousands of users worldwide.

While a number of vendors like RSA market security tokens, Positive Networks takes a different approach. Its solution is Phone Factor, a two-factor authentication product designed for the Web sites of online services, like banks. The service uses the public telephone system as the means for users to confirm their identity.

“If your computer’s compromised, it’s impossible to use it to create the security you need,” Positive networks’ co-founder and CEO Tim Sutton told “You’ve got to do something off the computer, and we decided to use the phone system.”

Once a user’s computer is compromised, “any product that’s attached to it is compromised,” Sutton added. PhoneFactor works to avoid this pitfall by relying on “out-of-band” authentication, meaning that it can authenticate by communicating separately from a potentially hacked PC’s line.

Here’s how the system works: After signing up for PhoneFactor, the system calls you when you’re authenticating and prompts you to complete the transaction or login. This involves pressing either a PIN number or simply hitting the pound sign twice. Alternatively, authentication could be far more complex, such as inputting context-sensitive information.

The system works with any phone, landline or wireless, Sutton said, and supports VoIP phones as well.

“Someone would have to physically steal your telephone” to be able to perpetrate online fraud, Sutton said.

The system can be set up to provide as detailed or complex information as the user needs, and can be used to sign in to “your corporate e-mail, your bank account, your mission-critical application — whatever,” Sutton said.

Although other two-factor out-of-band authentication systems such as physical RSA SecurID tokens are available and in wide use — particularly in financial institutions — “people don’t want to carry them,” Sutton contended.

“The problem is getting users to carry a device they don’t want to carry,” he said. “Since people have their phones with them most of the time, that’s a better solution.”

But Positive Networks isn’t the only one looking for a new way to tackle two-factor authentication. Last month, industry giant RSA, a unit of EMC (NYSE: EMC) began offering new two-factor authentication for the BlackBerry designed to similarly merge users’ mobile habits with token authentication.

Earlier this month, Positive Networks and JanRain announced CallVerifID, a jointly developed phone-based two-factor authentication solution for users of myOpenId, a free identity management solution from, a division of JanRain.

News Around the Web