2020th of February 6

Prevent phishing scams! Blockchain-based authentication system for financial institutions to be provided from early June

No ID/password required for login, authentication with a one-time password with enhanced security

Number One Solutions Co., Ltd. (Location: Meguro-ku, Tokyo; Representative Director: Tetsuo Omura; hereinafter referred to as our company), which is engaged in the blockchain development business, will begin providing, in early June 2020, an authentication system using blockchain technology that can prevent phishing scams. This system is called BC Auth and is planned to be provided free of charge as a service for financial institutions, with the aim of adoption by 6 companies one year later.

■ A system developed to prevent leakage of personal information, applied as a measure against phishing fraud

BC Auth is a technology platform developed by our company in 2018 and is an authentication system that does not require registration of personal information. A random number generated by the user is hashed (a hash is a value created based on the input data) and stored in the authorized blockchain, which makes it possible to authenticate to a specific service. By using a blockchain, it is possible to provide a robust authentication system that is more convenient for users (patent pending, Japanese Patent Application No. 2018-159648).

This time, we have commercialized BC Auth so that it can be used as a plug-in (software that extends the functions of a Web browser) for Google Chrome and Microsoft Edge.

■ Login is possible only from a specific terminal, and the domain of the login URL is also specified individually

The blockchain authentication system "BC Auth" consists of a blockchain server and a plug-in. The blockchain server is operated by us and serves as an alternative to the authorization server.

The financial institution side will introduce the BC Auth system. The system consists of the following four components.
1. Source code installed on the website for logging in with BC Auth
2. The ability to get one-time password data from the blockchain
3. A page for downloading the plugin
4. A specified URL at which the user logs in (only for the desired company).

The user side downloads the BC Auth plugin from the dedicated page of the financial institution, starts the plugin, and registers a new account. After creating an account, the user can use BC Auth to log in to the financial institution's site with a hashed one-time password.

When the user logs in, the one-time password automatically generated by the plug-in is sent to the financial institution, and the same one-time password is hashed and sent to the blockchain. The financial institution obtains the hashed one-time password from our blockchain and compares it with the one-time password automatically generated by the plugin. If they match, you can log in.

Since the authentication is performed only with the acquired one-time password, we have realized an authentication system that does not require personal information (ID/password).
In addition to the blockchain, the plugin has strong security features.

First, we are strengthening security by creating an environment where login is possible only from a specific device. When the user downloads the plugin, a unique ID is automatically assigned. Because the plugin is downloaded to a particular terminal, the financial institution can identify that terminal (browser) as the one used by the user himself.

Second, financial institutions are strengthening security by specifying the domain of the URL where login is possible. At a URL that has not been specified, BC Auth login will not work. If you are guided to a phishing site and prompted to enter your ID or password, you can immediately recognize that it is a scam.
BC Auth can prevent phishing scams with strong blockchain and plugin security.
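The login flow and the two plugin-side checks described above, sketched as an added example (not Number One Solutions' code). The in-memory `Ledger` standing in for the blockchain server, the use of SHA-256, single-use consumption of the stored hash, the host `login.bank.example`, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_LOGIN_HOST = "login.bank.example"  # constructed: host registered by the institution


class Ledger:
    """Stand-in for the operator-run blockchain server (assumption: a simple map)."""

    def __init__(self):
        self._hashes = {}

    def publish(self, device_id, otp_hash):
        self._hashes[device_id] = otp_hash

    def take(self, device_id):
        # Remove the entry on read so a captured OTP cannot be replayed.
        return self._hashes.pop(device_id, None)


class Plugin:
    """Browser plugin: holds the unique ID assigned when it was downloaded."""

    def __init__(self, ledger):
        self.device_id = secrets.token_hex(16)
        self.ledger = ledger

    def login(self, page_url):
        parts = urlsplit(page_url)
        # Exact host match: look-alike or unregistered hosts get no OTP at all.
        if parts.scheme != "https" or parts.hostname != ALLOWED_LOGIN_HOST:
            return None
        otp = secrets.token_urlsafe(32)
        self.ledger.publish(self.device_id, hashlib.sha256(otp.encode()).hexdigest())
        return {"device_id": self.device_id, "otp": otp}  # sent to the institution


def institution_verify(ledger, message):
    """Institution side: fetch the stored hash and compare it with the received OTP."""
    stored = ledger.take(message["device_id"])
    if stored is None:
        return False  # unknown terminal, or OTP already used
    received = hashlib.sha256(message["otp"].encode()).hexdigest()
    return hmac.compare_digest(stored, received)


if __name__ == "__main__":
    ledger = Ledger()
    plugin = Plugin(ledger)
    print(institution_verify(ledger, plugin.login("https://login.bank.example/signin")))
    print(plugin.login("https://login.bank.example.phish.test/signin"))
```
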

■ As a result of strengthening security with one-time passwords, the procedure up to authentication has become complicated and convenience has been reduced

With conventional authentication systems, the user's identity is verified three times when logging in.
1. Identity verification with an ID and password
2. Identity verification with a one-time password
3. Identity verification that the company performs against the authorization server.

You can log in if you are authenticated as the user in all confirmations. The authorization server is a server used to determine whether or not the user has logged in, and stores the user ID and password.

As a result of strengthening the security of the user's identity verification, the procedure has become complicated and convenience has decreased. There is also a risk that the user's ID and password will be leaked if the authorization server is attacked.

Phishing scams had been on the decline due to the spread of one-time passwords, but since February 2020 there have been many cases of one-time passwords being compromised. In this technique, the phishing site operator directs the user to a fake site posing as, for example, a bank, has the user enter their ID and fixed password, and then logs in to the genuine online banking service while pretending to be the user. At the moment the bank sends the one-time password to the user, the fake site displays a new screen and has the user enter that one-time password.

An authentication system that uses a blockchain can prevent leaks of IDs, passwords, and one-time passwords.

■ Monthly increase in phishing damage

According to the Ministry of Internal Affairs and Communications, phishing is "an act of stealing important personal information such as credit card numbers and account information (user ID, password, etc.) by methods such as sending an e-mail with a spoofed sender, or connecting the recipient from a fake e-mail to a fake homepage."

According to the “2020/04 Phishing Status Report” (Phishing Countermeasures Council), the number was 2019 in December 12 and 8,208 in January 2020, showing a downward trend. However, the number increased to 1 in February, 6,613 in March, and 2 in April. The reason for the increase in phishing scams is that the number of phishing attempts to steal credit card information from shopping sites such as Amazon has increased dramatically. This is because phishing methods that break existing one-time password authentication have become prevalent.
The one-time password is a mechanism in which, in addition to the fixed password originally set by the user when using online banking, a different disposable password is delivered each time to a mobile phone registered in advance. It made security stronger than password-only authentication and helped prevent phishing scams for a period of time. Financial institutions are rushing to establish new prevention systems.

While verifying the usage status of BC Auth, we aim to develop our business with a view to making it available for payment.

[About Number One Solutions Co., Ltd.]

Company Name: Number One Solutions Co., Ltd.
Headquarters Location: 153th floor, Idemitsu Ikejiri Building, 0043-7-XNUMX, Higashiyama, Meguro-ku, Tokyo, XNUMX-XNUMX
Representative Director: Tetsuo Omura
Established: July 2002
Capital: 5,000 million yen
Contact: TEL 03-6412-8470 / FAX 03-6412-8471
URL: https://no1s.biz
Business: Blockchain development business

■ Inquiries from the media regarding this matter

Number One Solutions Co., Ltd. Public Relations: Kenji Domoto
TEL 03-6412-8470 / Email press@no1s.biz
