Digital Transactions Authoritative, insightful and timely information for payments professionals
Mindful of the rapid spread of online frauds depending on phishing, The 41st Parameter Inc. plans next month to roll out a new version of its machine-authentication technology. The Scottsdale, Ariz.-based company is already piloting the new version of its software, called TimeDiff Linking, and last week filed for an amended patent on it. The move is part of The 41st Parameter's migration from batch to real-time anti-fraud processing, says Chief Executive Ori Eisen, who founded the company last year. The new version, he says, is “exponentially” more powerful than the first, in part because of the added factors it takes into account. “By testing our data over thousands of transactions, we more than doubled the number of things we looked at,” he says. “Now it has over 40 locks instead of 15 or so.” TimeDiff Linking depends on characteristics of a user's computer to help establish whether the person logging in at a retailer or bank Web site is actually the customer or a fraudster who obtained passwords and user IDs in a phishing fraud. One such characteristic, says Eisen, who for proprietary reasons won't go into detail about how the product works, is the time difference between the user's machine clock and that of the server he's logging on to. This difference, or “clock drift,” may not be unique to each machine, as a fingerprint is to each person, but it helps establish identity when combined with other factors, and makes a phisher's job more complicated, Eisen says. “It's part of the signature, not the signature,” he says. “It adds to the randomness of what [an online criminal] needs to guess. When you get down to the millisecond, it's not trivial to do.” To demonstrate the software's effectiveness, the company hired Kevin Mitnick, once a notorious hacker, and gave him the password to an account Eisen had set up and protected with TimeDiff Linking, inviting him to break into it. The software foiled Mitnick, who now runs Mitnick Security Consulting LLC. Most fraudsters, Eisen says, will quit in frustration, moving on to easier prey. Also, he says, fraudsters are reluctant to pour resources into an exploit when they're unsure of the payoff. “We force you to do more work, and you will do all this work without knowing what your prize is,” he says. The company, which markets to both online retailers and banks, incorporates TimeDiff Linking into a product it calls PhishingNet. Eisen says the company has the product in pilots with “several” financial institutions domestically and overseas. In phishing frauds, criminals use bogus e-mails and Web sites to trick consumers into giving up their passwords and other identifying data, which they can then use to break into consumers' accounts, make fraudulent purchases, or sell. The number of reported phishing sites increased at an average monthly rate of 15%, starting in July last year, and reached 2,854 in April, according to the Anti-Phishing Working Group, a consortium of software companies, networks, and law-enforcement agencies.
