OHVA, Inc.

SOUNDPASS is a proprietary Multi-Factor Authentication (MFA) virtual token security software product from OHVA, Inc., with the added benefit of being transparent to the user. It provides Dynamic Authentication by automatically generating a new virtual token each time the user accesses their online account. Because it is transparent to the user, the SoundPass virtual token cannot be Phished or Keylogged thereby providing strong built in multiple security layers of protection against today's online accessing villains; including malware carrying the most commonly used exploit, the Zeus Trojan, using a real-time Keylogger. Uniquely, SoundPass is fully portable with the added flexibility to also be used as a hardware solution based on the user's preference and without ever issuing any hardware. SoundPass is user friendly, affordable, and requires no maintenance all of which are geared to save Financial Institutions time and money. It can bolt onto any existing authentication solution Login page adding a strong layer of MFA security. SoundPass has been protecting online bank accounts for members of Anheuser-Busch Employees' Credit Union and American Eagle Credit Union since 2007.

"OHVA's SoundPass is a cutting edge solution. We feel it offers our members the highest level of security available."

- David Gray, Manager, Electronic Services, Anheuser-Busch Employees' Credit Union and Division

ON-LINE VULNERABLITY: Today's exploits far exceed yesterday's authentication solutions, which almost all have been breached right out of the gate. Besides being ineffective against current sophisticated online threats, authentication solutions have also proven to be too expensive. Hundreds of millions of online users are vulnerable worldwide. Bloomberg released an article in August 2011 stating that, “cybercrooks are stealing as much as $1 billion a year from small and mid-sized bank accounts in the U.S. and Europe.” Law enforcement is unable to address the majority of these cybercrimes. The New FFIEC Guidance requires a layered approach for best security practices regarding consumer online bank accounts. The majority of access security solutions already utilize multiple security layers. Unfortunately, these layers tend to be various types of single factor authentication or they revert to single factor, which in every case are no match against today’s organized crime in protecting online accounts. What is interesting is while the FFIEC best security practice for consumer accounts is to use a layered approach, for commercial online accounts the FFIEC mandates MFA security. Why? Because MFA provides stronger authentication security, which all online bank accounts should be using as best security practice.

Majority of today's Authentication Solutions:

Username and Password is single factor authentication, vulnerable to Keylogging, Phishing, Man-in-the-Middle, etc.

Challenge-Response Question is single factor authentication, vulnerable to Keylogging, Phishing, and Man-in-the-Middle.

IP Address can be spoofed, temporarily routed to a fake Web site, or to a Hacker's PC.

Cookies can be easily deleted, stolen, moved, or just lost.

Secret Images & Phrases are vulnerable to Keylogging and MITM.

OTP Tokens regardless of form factor are vulnerable to a Zeus Trojan real-time Keylogger.

Behavioral Software flags anomaly's and reverts the user to a Challenge Question.

Out-of-Band phone calls are vulnerable to a Zeus Trojan and MITM unless used with a strong MFA solution.

PKI Certificates are vulnerable to Phishing, Counterfeiting, cumbersome to use, and expensive.

Smart Card requires a cumbersome and expensive to deploy reader.

USB Tokens are cumbersome and expensive to deploy.

SoundPass™ White Paper by OHVA, Inc.

SoundPass™ Overview

SoundPass™ is a cryptographically advanced security technology software solution offering strong, fully portable, and affordable multifactor authentication for all browser-based logins. It consists of a software driver dll that resides on the server and a small Java applet, sent from the server, which runs on the client machine.During initialization, the SoundPass™ server driver creates and passes a software token to the client applet, and stores a master copy in a database. The SoundPass™ client applet encrypts the software token using an owner-supplied key, where the key is never stored on any device or held in any way by the applet. The SoundPass™ client applet stores the encrypted token file on the hard drive or any portable writable device that has a drive letter on the client machine, including USB thumb drives, PDAs, MP3 players, network enabled devices, DVDs, CDs, floppy disks, and internal or external hard drives. Registration of individual users is fully automatic and there is no additional maintenance required outside of normal server administration.During authentication, the SoundPass™ client applet decrypts the stored token file using an owner-prompted key, combines the token with a session key, verifies the server to which the client is connected, and securely transmits the result to the server via encryption mechanisms. The SoundPass™ server driver validates the result by performing the same calculations on data expected from the client applet and compares the results.

Key Features

1. The value of the token never changes, allowing the user to share the key with family members, etc. However, the information passed to the server is never the same, creating a one-time-use key, valid only once.

2. The user-supplied key that is used to encrypt and decrypt the token file is never stored, making it difficult to compromise the actual token. This prevents an attacker from using the information captured from the stored token file from a lost thumb drive, Trojan attack, etc.

3. The client applet can optionally display a keypad, allowing the user to supply a key using only the mouse. This feature defeats “Key Logging” attacks.

4. The solution contains built-in checks against “Man-in the Middle” attacks. The client applet and the server dll run checks to verify that the client is communicating directly with the intended server.

5. The information exchanged between the server and the client provides a built-in design feature that defeats “Replay” attacks.

6. The encrypted token file can be stored on a user-supplied USB thumb drive or PDA, effectively creating a 100% Hardware Token solution without having to deploy unique hardware.

7. SoundPass™ is packaged as a Java jar file and a server side dll, making deployment simple.

DEFEAT MALWARE TROJANS:

To learn more about how we can comfortably make this extraordinary claim and discover how SoundPass fits into your online accessing security efforts, contact us by email at:mangelinovich@ohvasecurity.com or by phone at: 408-857-0716

webassets/Picture1.jpg