
Frequently Asked Questions
Who is Paynacea?
Paynacea is a Canadian software company that
specializes in Information Security and Management. We
provide turnkey solutions related to authentication,
validation and verification.
What is Paynacea?
Paynacea is a technology that aims to improve the security
of a communications stream by channeling it over multiple
transport layers. Confused? Read on.
Why do I need Paynacea?
With today's information infrastructure, privacy and
security are very difficult to achieve. Passwords, credit
card information and banking PINs are all vulnerable to the
simplest threats on the average home computer or public
terminal.
Secure sites, credit card gateways and the so-called
"military-grade" encryption fall flat against viruses,
keyboard loggers, phishing, spyware etc. (More information
about this below.)
Paynacea's services are not a cure-all but when coupled
with modern Internet security strategies, they can provide
an extremely reliable means for assuring your peace of mind
that counters most threats to present-day security
models.
Okay, so how does this thing actually work?
Paynacea's innovative technologies attempt to solve the
problems mentioned above by using the Plain Old Telephone
Service (POTS) as a secondary communications channel.
If a user is logging on to a site from a compromised
workstation, it can be assumed that all communications from
his computer to the server are insecure. A simple keylogger
can capture user ids, passwords and credit card information,
invalidating any encryption used by these sites.
When using TeleAuth, for example, as an authentication
system, the user not only enters his password, but also
gets called on his registered phone number. He then enters
his PIN code on the phone's dialpad.
This way, the user is authenticated by two factors:
- What he knows. (His password and PIN)
- What he has. (His phone number)
In addition to providing strong two-factor
authentication, the PIN code travels over the Public
Switched Telephone Network (PSTN) which is a completely
different network from the Internet. This drastically
reduces the chances of the login account being compromised
through network sniffers or key loggers.
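The TeleAuth flow just described, as an added example that is not Paynacea's code: a server-side sketch in Python where the password arrives on the web channel, the PIN on the phone the server called back, and a session is granted only when both channels succeed against the same pending login within a time limit and an attempt budget. The user table, phone numbers and limits are constructed for illustration.

```python
# Added example (not Paynacea's code): a TeleAuth-style two-channel login.
import hmac
import secrets
import time
from dataclasses import dataclass
PIN_ATTEMPTS = 3        # wrong PINs tolerated on the phone channel
TIMEOUT_SECONDS = 120   # how long the phone channel has to complete
@dataclass
class PendingLogin:
    user: str
    phone: str            # number the server calls back (what the user has)
    created: float
    attempts: int = 0
    phone_verified: bool = False
class TwoChannelAuth:
    # users maps a user id to {"password", "phone", "pin"}; kept in clear
    # only for brevity, a deployment would store hashes.
    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock        # injectable so timeouts can be tested
        self.pending = {}         # token -> PendingLogin
    def web_login(self, user, password):
        # Channel 1: password over the web; returns a pending token or None.
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        token = secrets.token_hex(8)
        self.pending[token] = PendingLogin(user, rec["phone"], self.clock())
        return token              # the server now places a call to rec["phone"]
    def phone_pin(self, token, called_number, pin):
        # Channel 2: PIN keyed on the phone the server called (the PSTN leg).
        p = self.pending.get(token)
        if p is None:
            return False
        if self.clock() - p.created > TIMEOUT_SECONDS or p.attempts >= PIN_ATTEMPTS:
            del self.pending[token]   # expired or exhausted: start over
            return False
        p.attempts += 1
        if called_number != p.phone or not hmac.compare_digest(self.users[p.user]["pin"], pin):
            return False
        p.phone_verified = True
        return True
    def complete(self, token):
        # Grant the web session only when both channels agreed; single use.
        p = self.pending.get(token)
        if p is None or not p.phone_verified:
            return False
        del self.pending[token]
        return self.clock() - p.created <= TIMEOUT_SECONDS
```

A password captured by a keylogger yields only a pending token; without the PIN keyed on the registered phone, complete() never grants the session.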
Hmmm, interesting... do you have a working demo?
Our Bank Login Demo shows how TeleAuth can
be used to authenticate users. You will need to register
your phone number with us to try the demo. Contact us at
sales@paynacea.com.
TeleAuth
What is TeleAuth?
TeleAuth is Paynacea's Two Factor / Two Channel Authentication
System. It is designed from the ground up to be easy to use, easy
to deploy and easy to maintain. Since it takes advantage of the
ubiquity and reliability of telephones, deployment is a non-issue.
It also has extremely low integration complexity due to its
easy-to-use design paradigm. In fact, most small services can be
up and running with TeleAuth in a matter of hours.
Why is it better?
What are its features?
Where can I read more about TeleAuth?
All these questions are answered in the TeleAuth Data Sheet.
How do I get TeleAuth?
TeleAuth is available as a product and / or a service. The product
is designed for large enterprises or service providers who
want complete control over the authentication processes and
systems. The service, on the other hand, is for small to
medium businesses who need the security of TeleAuth without
having to pay for all the infrastructure.
For non-commercial users, i.e., geeks, tinkerers and aliens, there
is the TeleAuth@Home service. Find out more at public.paynacea.com
Everyday Threats
What is phishing?
Phishing is the act of sending an e-mail to a user falsely
claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private
information that will be used for identity theft. The
e-mail directs the user to visit a Web site where they are
asked to update personal information, such as passwords and
credit card, social security, and bank account numbers,
that the legitimate organization already has. The Web site,
however, is bogus and set up only to steal the user's
information.
What are keyloggers?
Keyloggers are software (or hardware) systems that capture
the user's keystrokes. They can be useful for determining
sources of error in computer systems. Such systems are also
highly useful for law enforcement and espionage, for
instance by providing a means to obtain passwords or
encryption keys and thus bypassing other security
measures.
What are "man-in-the-middle" attacks?
A man in the middle attack (MITM) is an attack in which an
attacker is able to read, insert and modify at will,
messages between two parties without either party knowing
that the link between them has been compromised. The
attacker must be able to observe and intercept messages
going between the two victims. An example of such an attack
is a compromised DNS server that returns a fake IP address
for a bank. The machine at the fake IP address captures all
traffic from the user, logs all (or relevant) traffic and
relays it to the real IP address.
What is spyware?
Spyware consists of computer software that gathers and
reports information about a computer user without the
user's knowledge or consent. More broadly, the term spyware
can refer to a wide range of related malware products which
fall outside the strict definition of spyware. These
products perform many different functions, including the
delivery of unrequested advertising (pop-up ads in
particular), harvesting private information, re-routing
page requests. Spyware can include keyloggers, in-kernel
viruses and man-in-the-middle based attacks.
Encryption and Authentication
What is encryption?
Encryption is the process of obscuring information to make
it unreadable without special knowledge. This is usually
done for secrecy, and typically for confidential
communications. Encryption can also be used for
authentication. Even when encrypted, messages can still be
subject to traffic analysis although this cannot typically
be used to reveal the actual contents of the message.
What is Authentication?
Authentication is the process of determining whether
someone or something is, in fact, who or what it claims to
be. Authentication can be based on three factors:
• Something you are: Biometrics, fingerprints, retina
scans, voiceprint analysis, etc.
• Something you know: Passwords, PIN codes, etc.
• Something you have: Keys, smart cards, ATM cards
etc.
Most online authentication mechanisms are single factor
since they are based on passwords. An effective
authentication system would use at least two factors to
verify that a user is really who he claims he is.
What is public-key encryption?
Public-key encryption (also Public-key cryptography) is a
form of modern cryptography which allows users to
communicate securely without previously agreeing on a
shared secret key. For most of the history of cryptography,
a key had to be kept absolutely secret and would be agreed
upon beforehand using a secure, but non-cryptographic,
method; for example, a face-to-face meeting or a trusted
courier. There are a number of significant practical
difficulties in this approach to distributing keys.
Public-key cryptography was invented to address these
drawbacks. With public-key cryptography, users can
communicate securely over an insecure channel without
having to agree upon a key beforehand.
Public-key algorithms typically use a pair of two related
keys: one key is private and must be kept secret, while
the other is made public and can be widely distributed; it
should not be possible to deduce one key of a pair given
the other. The terminology of "public-key cryptography"
derives from the idea of making part of the key public
information. The term asymmetric-key cryptography is also
used because not all parties hold the same information.
Some public-key algorithms operate a little differently,
and use other methods to enable parties to agree on secret
keys without having previously exchanged key material.
What is "military-grade" encryption?
Many crypto vendors claim their solution is "military
grade." This is a term with no real meaning, since there
isn't a real metric by which something can be judged
"military grade," except for it to be actually used by
various armed forces. Since they don't reveal what they're
using, it's neither possible to prove nor to disprove
something as being "military grade." Some good crypto
products unfortunately also use this term.
What is "snakeoil"?
Refers to a cryptography or security product that makes
exaggerated claims of what the product is capable of,
giving the user a false sense of security. The term snake
oil, which is credited to Matt Curtin for using in
reference to computer security products, comes from the
19th-century American practice of selling cure-all elixirs
in traveling medicine shows. Snake oil salesmen would
falsely claim that the potions would cure any ailments. The
term has been appropriated to mean security and encryption
products that make impossible claims, such as unbreakable
codes.
What is a secure site?
Refers to any Web site that uses encrypted transmissions
and takes other appropriate measures to ensure the
protection of sensitive information such as credit card
information. One way to know if you are visiting a secure
site is by looking at the URL. If it begins with https:
(instead of http:), it is a secure site. But with recent
URL spoofing vulnerabilities in popular browsers, there is
no real reliable means of telling if you are at a secure
site.
What is SSL?
Secure Sockets Layer. A technology (employed by secure
sites) used on the Internet to secure web pages and
transactions by means of public key cryptography. A
digitally secure communications channel is established
between the server and the client after which all data is
encrypted. Message integrity is provided by the use of
digital signatures, and trust in an individual or a website
is ascertained by using digital certificates which are
signed by a Certificate Authority acting as a "trusted
third party." The encryption strength used in SSL is 40-bit
or 128-bit.
The Solutions
What is the PSTN?
Short for 'Public Switched Telephone Network', this is the
standard telephone service that most homes use. It is also
referred to as POTS, or Plain Old Telephone Service.
What additional software/hardware do I need to use Paynacea?
Nothing. We provide the toll-free numbers. We terminate and
process the PSTN calls. We provide a secure gateway for you
to receive the information. All you need to do is update
your site's code to request it from us. A single HTTP (or
HTTPS) request. No complicated APIs to learn. No new protocols.
Just a simple web request. That easy.
What if my phone line is tapped?
If your phone line is tapped, you really have bigger
problems.
In any case, in today's internet age, it is more likely
that your computer is compromised than your phone line
being tapped. If your phone line is tapped, that's still
one authentication layer compromised. You can still depend
on a secure site to safeguard its communications
stream.
Your everyday hacker/credit card thief is an amateur. They
search for and feed off easy prey. Tapping phone lines is
too much work (for them); they'll find someone else to feed
on.
If you're still worried about your phone line being tapped,
try using your cellular phone. Tapping a cellular phone
requires a lot more expertise and specialised hardware. It
also requires the person who is tapping to physically
follow you around fairly closely (to capture the upstream
traffic from the phone to the cell tower). In addition,
they would have to circumvent or decipher the encryption
used by your service provider. This is no piece of cake.
I am a VoIP user. How does that affect me?
If you're using a VoIP service with a softphone (a software
based phone), you're still an easy target. The numeric keys
you dial on your keyboard can be logged. It may be safer to
point and click the keys on the GUI; it requires more craft
on the part of a virus to capture this.
If you're using a hardphone (a phone adapter or a physical
VoIP phone), you are immune from keyloggers and in-kernel
viruses.
With the above said, in the end, you're still using a
single communications channel. This is not safe. And this is
not how Paynacea's technologies are designed to be
used.
I am a dialup user. How does that affect me?
The easy answer is: Use your cellular phone. But if you
don't have one, read on.
Depending on how the site has implemented its session
management, you can disconnect from the service, dial
Paynacea, log back on to the internet and continue from
there. It requires the site to have developed its session
management code to facilitate this.
Do you store the Credit Card information or PIN codes?
No. We do not store any information unless requested.
What kind of systems do you use?
We run Gentoo Linux on Intel/AMD based servers. We also
tune the hell out of it and lock it down the best we can.
We also have a fully redundant backbone with 24x7x365
network operations.
Where are the toll-free numbers accessible from?
The toll-free numbers are accessible from the U.S. and
Canada.
SafeSerf
How does SafeSerf protect me?
SafeSerf applies Paynacea technologies to your everyday
website. It lets you shop online without revealing
important information (like credit card numbers, social
security numbers or PIN codes) to your local computer. So
if you're worried about spyware or viruses stealing your
personal information; or worried about shopping at a public
terminal; you're safe.
When you shop online via SafeSerf, you never have to type
your credit card information in on your computer. Instead
you dial a toll-free number and key it in on your phone.
SafeSerf will take care of delivering the number to the
site.
This way you are immune to most potential vulnerabilities
on your computer.
What additional tools do I need to use SafeSerf?
Nothing. No additional hardware. No fancy software to
download and install. No sacrificial lamb. Just a SafeSerf
account.
A website does not need to be Paynacea-enabled to be
compatible with SafeSerf. SafeSerf Paynacea-enables most
online businesses automatically. Try out the demo and see for
yourself.
What information can SafeSerf protect?
Credit Card Numbers. Social Security Numbers. PIN Codes.
Access Numbers. Private phone numbers. Numeric Passwords.
You can use SafeSerf to protect almost any kind of
sensitive numeric information.
In addition, SafeSerf tunnels all communications over a
secure encrypted link (SSL); this means that it
automatically adds a layer of security to sites that are
not SSL enabled. This is extremely useful on public
terminals.
When should I use SafeSerf?
SafeSerf is not meant to be used for day-to-day browsing.
Use it only when you need to enter sensitive information:
shopping online, visiting government sites, filling in
private forms etc.
Using SafeSerf for day-to-day browsing places unnecessary
load on our servers and affects the overall quality of
service expected by our customers.
Do all websites work with SafeSerf?
Unfortunately not. Sites that make heavy use of JavaScript
or use other obscure HTTP features will not work.
Sometimes you can work around this by visiting the site
outside of SafeSerf and letting the site redirect itself to
its final destination. Then copy the URL and paste it into
the SafeSerf URL field. Other times, you may have to
temporarily disable JavaScript on your browser (even though
SafeSerf depends on it) and re-enable it when entering your
sensitive information.
Also remember to send us links to sites that don't work. We
add these to our database of known sites and if there are
enough requests, we may incorporate a workaround on our
end.
I'm a business with an online store. How do I get my customers to SafeSerf my site for free?
Sign up for a SafeSerf Business account. We will then send
you a SafeSerf link to your online store. All you need to
do is add this link to your website so your customers can
SafeSerf your store.
How is SafeSerf different from other Paynacea technologies like TeleAuth and TelePay?
SafeSerf is an end-user (that's you and me) technology. It
does not require sites to be Paynacea-enabled.
TeleAuth, TelePay, CallerAuth and KeyDistributor are
enterprise technologies. They are meant for
security-conscious businesses who would like to
Paynacea-enable themselves and provide more reliable
authentication.