Why your Password + OTP + SMS Sans Anti-Phish Codes (APC) Fall-short Against Phishing and Account Take Overs?

As per Verizon data breach report, 81% of data breaches and Financial fraud trace back to credential spoofing and account take-overs. With the advances in automation of Phishing and other social engineering hack-tools such as Modlishka and Evilngnx , the real-time proxying of the victim session with authentication eventually leading to session-hijack and account take-overs is prime for weaponization.

All are susceptible to spoofing

Let us step back and see the fundamental problem with the current popular MFA schemes.

A simple bearer instrument concept in Finance would serve well to illustrate the fundamental attribute of _all_ the current popular authentication schemes. In good olden days, we used to carry cash ($) currency and when the cash was stolen, the cash can be expended perfectly by the usurper. This is due to the fact that currency cash is a bearer instrument and holder of the instrument can expend it and needless to say that was the genesis of traveler’s checks.

Looking through the same lens, the passwords, one-time passcodes (hard tokens and software app-based), SMS schemes all suffer from the same — bearer-agnostic attribute. This is fundamental root-cause of all the attack vectors on credentials such as keylogger malware, phishing, main-in-middle (proxy) that can steal/intercept your credentials even time-bound (even momentarily).

This is exactly why the problem man-in-middle snooping/intercepting on the credentials has been a challenge to the online authentication schemes. Several schemes that were proposed were made ineffective by the ever evolving and sophistication of the attacks. For example, the SSL padlock that appears when a ssl certificate matches with the domain can be easily forged by longer urls (e.g., services.mybank.services82981-xyysuooos-jasjllasl-global-some-more-chars-myphish.com) and with a matching ssl certificate of the top-level domain “myphish.com”. This is due to the fact that browsers can only visibly display limited portion of the long url and users just don’t have a chance to look at the complete url, while the browser also matches the top-level domain, and displaying a safe padlock misleading the users that they are on the legitimate site.

authentication-tied-to-the-urls-at-the-registration-n

This vexing problem of credential-phishing and spoofing of credentials can be easily addressed with Anti-Phish Codes. Anti-Phish codes are specially generated codes that even if intercepted and spoofed for authentication, the authentication system can detect the submission of spoofed codes and thus the authentication attempt fails. As such, Anti-Phish codes prevent the session-hijacking as no authenticated state cookies or tokens generated by the authentication server and thus fraud resulting from account take-overs are eliminated.

As a patented technology that is the only solution without the need for additional hardware, dongles, the Anti-Phish codes can bring in much-needed unspoofable anti-phish codes for the enterprise security, safe guarding the data assets and eliminate financial fraud due to account takeovers.

I am not a technical geek; Explain what is iLogSafe that I can understand?

Can you pass on passwords and OTPs to hackers and still feel secure? Obviously “No”. With iLogsafe, even when hackers get your codes, your accounts are secured. Your exclusive iLogSafe codes are useless for hackers, providing a password-less hassle-free secure login.

I use faceId and Voice along with fingerprint and approvals on the app. Am I not secured?

The biometrics have been the mainstream when it comes to authenticating to the gadgets in our possession. But when it comes to online authentication, such authentication schemes fail to secure you from man-in-middle attacks as shown in the “app-based approvals” video.

Disclaimer: *copyrights belong to breakdev.org

I use super strong passwords, OTPs? Why do I need iLogSafe?

Passwords and OTPs were good until yesterday. With real-time interception and hacking (spoofing) your passwords and OTPs are now more vulnerable. Don’t take our word, following reinforce the fact that they are no longer secure.

I use public and private keys; am I not secure?

Yes, public and private key pairs are secure than passwords. However mobility across devices with keychains and webauthn are clunky at best with so many variant offerings. One can always replace public key and replace real user permanently;Read our article for more details HERE

Can you show the details of how my 2FA is vulnerable(contains hacker demo videos)?

The recent attacks as documented by Microsoft on more than 10K enterprises can be easily addressed by iLogSafe and for details please go Here

The following videos help you understand the risks.

Watch this if you currently use mobile app based approval as 2FA

Disclaimer: *copyrights belong to breakdev.org

How does iLogSafe secure my online accounts, money from hackers?

iLogSafe provides a frictionless and easy to use login codes that are locked up to your devices. The patented technology will enable detection of spoofing when someone else intercepts and submits codes. We are an industry standard and meet NIST AAL-3, which means your money and online accounts are hacker-safe.
If you are serious about securing your money and accounts from fraudsters, signup now for great early bird discounts (more than $150 value package)

Do I need to create another set of passwords etc.?

No. We are passwordless.
We don’t use any of your sensitive information such as biometrics nor any private information, including your cell phone details.
Our patented technology is fun to use and intuitive to understand. No teasing of your brain memory nor we ask to solve hair-pulling puzzles.
Your grandma can use this once the account is setup!

I got many more SaaS applications, can you secure them all?

Absolutely!
Below is a starter list. If your SaaS application is not in this list please fill out here
Our product team will work towards securing that app with iLogSafe.

Do I need to create multiple iLogSafe accounts for all the SaaS applications I need to protect?

No. One iLogSafe account can secure everything with our industry standard single-sign on and federation ; completely transparent to you and you just keep using your iLogSafe account.

What is the genesis of iLogSafe? Has this been tested?

iLogSafe is the culmination of years of hacking experience and cyber security management. Patents have been issued as a testimonial of the novelty and the utility of this unique technology pioneered by iLogSafe.

Easy to use and verify its security properties even by non-technical persons, scalable solution designed by a Ph.D. in computer science with CISSP/CISM certification, a regular speaker/presentor at several security conferences and who has successfully run Fortune 500 information security and risk management programs.

At the same time, even with such extensive information security expertise with iLogSafe team, we don’t relax; we are constantly plugged into latest cyber threats and move our program roadmap taking the latest hacks into account.

Our systems are constantly tested by real hacking from our pen-testing team and it goes through multiple checks on OWASP 10, Open API security standards through static and dynamic scans/testing.

Why your Password + OTP + SMS Sans Anti-Phish Codes (APC) Fall-short Against Phishing and Account Take Overs?

All are susceptible to spoofing

Want to know magic with Anti-[Theft, Phish, Spoof, Bypass]?

Signup for Cybersecurity tips for Lawyers