TriCipher, Inc. Announces its New Authentication Solution Protects Against Man in the Middle Phishing Attacks

SAN MATEO, CA – March 22, 2005 — TriCipher, Inc., the innovators of strong authentication for the real world, today announced that its TriCipher Armored Credential System (TACS), launched last month at RSA Conference 2005, prevents man in the middle phishing attacks – a security threat that has become top of mind as businesses and consumers become increasingly reliant on the Internet for conducting essential business transactions. To protect themselves, enterprises have increasingly turned to one time passwords, a form of two factor authentication believed to prevent successful attacks. However, industry experts have called into question the effectiveness of this type of authentication in protecting against phishing. A recent article by a noted researcher outlined weaknesses to token-based authentication approaches. In addition, recent research from Infidel, Inc., demonstrates that all one time password systems, such as time synchronous tokens, can be easily compromised by man in the middle phishing attacks – which require very little technical sophistication on the part of the phisher. TriCipher’s unique approach to strong authentication leverages the Internet’s existing SSL infrastructure, combined with a unique multi-part credential to foil proxied man in the middle attacks.

“Recent articles have spawned a lot of talk amongst security experts about the role two factor authentication plays in protecting against man in the middle phishing,” said Rebecca Bace, President of Infidel, Inc. “It’s true that one time password systems are not an adequate defense, but that is only one flavor of two factor authentication, and an outdated one at that. The key to protecting against these attacks is to take advantage of the existing SSL infrastructure to authenticate the client. SSL was designed to prevent man in the middle attacks and doesn’t require the user to reveal the credential — only to prove that she has it. Ideally, you would also like to make it impossible to steal the entire credential from the user. The TriCipher solution satisfies all these requirements.”

As companies have moved to one time password tokens to protect bank and brokerage accounts, phishers have begun to set up man in the middle attacks. In such attacks, users are lured to a phishing site by an email or DNS caching hack, where they enter their username, password, and the number from a one time password token. The phisher’s server automatically uses this information to immediately log in to the legitimate site, then either keeps the session open automatically until the phisher is ready to hijack the session or simply alters the user’s transaction to benefit the phisher.

TACS creates a multi-part credential, splitting the user’s credential between the user and a secure appliance kept in the enterprise’s data center. Since the user doesn’t have the entire credential, he or she can’t give it away to the phisher, nor can the phisher steal it from their desktop. In addition, TriCipher’s credentials use SSL client authentication, which prevents a phisher from sitting in the middle of the user’s session with the web server. Further, using SSL means no new software at the web server, making deployment fast and easy.

“The SSL infrastructure is out there and it’s very robust,” commented Eric Greenberg, one of the developers of the SSL protocol and current CTO of NetFrameworks, Inc. “As an industry we’ve only been using half of it because legacy PKI systems were too complex to implement. The TriCipher product vastly simplifies the deployment and management of strong authentication and takes advantage of the security of SSL to prevent man in the middle phishing. The TriCipher solution provides a cost effective, highly secure alternative to time synchronous or challenge response one time password systems.”

“We’re delighted at the validation our solution has received in light of the recent scrutiny about the role two factor authentication plays in protecting against man in the middle attacks,” said Ravi Sandhu, Chief Scientist, TriCipher and professor of Information Security and Assurance at George Mason University. “At roughly five dollars per seat, TACS provides an elegant way to protect against man in the middle attacks that, unlike other solutions, is extremely affordable and easy to deploy.”

About TriCipher, Inc.
TriCipher, Inc. provides strong authentication for the real world. The first authentication system that issues multiple types of credentials from a single infrastructure, the TriCipher Armored Credential System™ (TACS) allows for authentication strength to change in response to new threats without any infrastructure changes. Our patented technology fills the gap between authentication systems that are either not secure enough or too hard to use and deploy. TriCipher’s innovative approach to strong multi-factor authentication protects against phishing and eliminates dictionary attacks. Founded in 2000, TriCipher is headquartered in San Mateo, California. The Company was incubated as NSD Security before launching as a separate entity in 2005. Investors in TriCipher are ArrowPath Venture Capital, Intel® Capital, Trident Capital and Wasatch Venture Partners. For more information, please visit or email

Copyright 2005 TriCipher, Inc. TriCipher, Armored Credential, and Armored Credential Appliance are either registered trademarks or trademarks of TriCipher, Inc. in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.
