Malware-Resilient SAAS and Strong Authentication

Sunday, August 22, 2010

Eli Talmor


There is good chance that your computer is infested with malware. In most of the cases the purpose of malware is perpetrate Identity Fraud for financial gain of the fraudsters.

The purpose of this blog is to demonstrate the need for Malware-Resilient Software-as-a-Service strong authentication.Malware-resiliency. 

The problem we are facing today is that we cannot trust our computers anymore. The passwords we enter are stolen by key loggers, the transaction data we enter in browser is modified by Trojans, etc.

Given the scale of the problem and potential cost, especially in fragile economy, it is highly unlikely that the solution to the problem will be too expensive in terms of up-front, distribution and maintenance costs.

Software-as-a-Service (SaaS)  is the natural candidate.

But  can SaaS  be malware-resilient ? In other words can we trust this SaaS, if we cannot trust our computer??? If this SaaS is computer client-only software - the answer is no. Malware will find ways to circumvent it- no matter how secure it may look.

SaaS must utilize client-server architecture to be trustworthy. We put our trust in server... Strong Authentication.Strong authentication may include a combination of something you have (your PC), something you know (your PIN) and something you are (your Biometrics).

But malware residing on your PC may key-log your PIN and replay your Biometrics, so that your "trusted" server will not be able to detect the problem. Therefore one needs to design the client in such a way that malware will not be able to bypass its security features. 

For example it is well known that CAPTCHA is used to distinguish between humans and computer programs. It is also well known that fraudsters use "human service providers" who decode CAPCHA online for few $. Another way to distinguish between malware and humans is SPEECH.

Malware will not be able to speak to PC microphone, while humans can do it quite easily, making malware prevention straightforward , provided all the ways to circumvent it are blocked.

Scalability. Malware-resilient Strong Authentication may be 2-factor (PC ID and PIN) and without the need for extra hardware and to take no more then 5 sec of users time.

If application needs extra level of security , at the expense of longer session (15 sec)  - then Live Voice Biometrics can be added. 

Cross-posted from     

Possibly Related Articles:
Viruses & Malware
malware SaaS
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.