Scott Goldman CEO TextPower

TextPower, a leader in innovative text messaging software solutions for enterprises, has debunked a claim that the Zitmo Trojan Variant Eurograbber defeats all two-factor authentication citing the company’s TextKey authentication service which uses a cell phone’s unique identifier – its “fingerprint” – to authenticate a web site user through a simple text message instead of a web browser. 

The Zitmo Trojan has cost online banking customers throughout Europe millions in stolen funds as this variant has infected Android and BlackBerry devices and is capable of defeating common forms of two-factor authentication.  TextKey’s patent-pending technology eliminates any browser interaction during the authentication process  and thus won’t allow man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks affecting mobile device users.

“There are several two-factor authentication methods used to protect web sites, but those that allow any form of data entry on a web browser page are vulnerable to a MITB/MITM attack,” said Scott Goldman, CEO, TextPower.  “To eliminate this angle of attack, you must eliminate any method that involves the browser.  A secure server-to-server connection between an authentication service and the web site is the simplest and most straightforward approach to do this.  TextKey uses exactly that type of connection, completely circumventing any browser involvement to eliminate threats from any MITB/MITM attacks.” 

Unlike other two-factor authentication processes, TextKey’s authentication code is displayed in clear text on the user's screen after they have successfully entered their ID and password.  This code must be sent via SMS to the TextKey cloud-based authentication system from the cell phone preregistered to that user's ID.  There is no open field for a hacker to monitor or trap information on the web site's page, nor is there any hardware or software required at the web site's server to implement TextKey authentication.  Only the next-generation of two-factor authentication, like TextKey, combines the convenience of a soft token with the resistance to browser-based attacks. 

Establishing an account with a TextKey installation on the web site side is fast and simple.  The individual web site maintains the user's ID and password already and simply adds their cell phone number to the record.  Then a simple plug-in, available in .NET, PHP and Java, is inserted into the web site's login page HTML.  When the ID and password are successfully entered a modal dialog box appears showing the code that the user must text into the TextKey system from their cell phone.  The code must be sent within the user-defined time frame from the correct phone to grant access.  If the wrong code is sent, or if the correct code is sent from an unregistered phone, access is denied.  It's simple, easy to install and the least-hackable method available. 

The product, TextKey, has won two major industry awards and is patent-pending.  Although the product is still in "slightly stealth" mode it has generated significant interest from some major financial institutions and is going to be publicly released within the next 90 days.

TextPower, Inc. provides alerting and authentication solutions to a variety of industries worldwide using text messaging (SMS). The company's software and text messaging services help companies enhance their revenues, decrease costs and improve customer service. TextPower's authentication product, TextKey™, replaces the token or security fob previously needed to verify the identity of online users for password-protected applications.  TextPower’s mission-critical infrastructure employs geo-redundancy for the industry’s highest reliability, providing delivery to virtual every cell phone in the United States and connections to most recognized wireless operators around the world.