Prevent phishing fraud! Blockchain-based authentication system will be available to financial institutions from early June.
No ID and password required for login, authentication with one-time password for enhanced security
No.1 Solutions, a blockchain development company, will begin offering an authentication system that uses blockchain technology to prevent phishing fraud in early June 2020. The system, called BC Auth, will be provided free of charge as a service for financial institutions, with the aim of introducing it to 100 companies within a year.
■System developed to prevent leakage of personal information to be used as a countermeasure against phishing scams
BC Auth is an authentication system that does not require registration of personal information; it is a technology platform developed by our company in 2018. Random numbers generated by the user are hashed (converted to a value derived from the input data) and stored in an authorized blockchain to authenticate to a specific service. The blockchain can be used to provide an authentication system that is both robust and more convenient for users (patent pending, “Patent Application 2018-159648”).
The newly developed BC Auth has been commercialized for use as a plug-in (software that extends the functionality of a web browser) for Google’s Chrome browser and Microsoft Edge.
■Login is possible only from specific terminals, and the domain of the login URL can be individually specified.
The blockchain authentication system, “BC Auth,” consists of a blockchain server and plug-ins. The blockchain server is operated by us and serves as a substitute for the authorization server.
The financial institution will install the BC Auth system. The system consists of the following four components:
1. Placement of the source code for logging in with BC Auth on the website
2. Function to retrieve one-time password data from the blockchain
3. Page for downloading plug-ins
4. Designation of URL for users to log in (only for companies that wish to do so).
The user downloads the BC-Auth plug-in from the dedicated page of the financial institution, then launches the plug-in and registers a new account. After creating an account, users can log in to the financial institution’s website with a hashed one-time password using BC-Auth.
When the user logs in, the one-time password automatically generated by the plug-in is sent to the financial institution, and the same one-time password is hashed and sent to the blockchain. The financial institution retrieves the hashed one-time password from our blockchain and matches it with the one-time password automatically generated by the plug-in. If a match is found, the user can log in.
The authentication system does not require personal information (ID and password), as it authenticates only with the obtained one-time password.
In addition to the blockchain, the plug-in has robust security features.
First, security is enhanced by creating an environment in which users can only log in using specific terminals. When a user downloads the plug-in, a unique ID is automatically assigned. Once the plug-in is downloaded to the terminal, the financial institution can identify that terminal (browser) as the one used by the user himself/herself.
Next, financial institutions enhance security by specifying the domain of the URL where users can log in. At a URL that has not been specified, the BC Auth login will not work. Once a user is directed to a phishing site and prompted to enter his/her ID and password, he/she can immediately recognize that it is a scam.
With the strong security of blockchain and plug-ins, BC Auth can prevent phishing scams.
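The login flow described above (the plug-in generates a one-time password, sends it to the institution and its hash to the blockchain, and does not operate outside the designated login domain), modeled as an added example that is not No.1 Solutions' code. SHA-256, the in-memory dict standing in for the blockchain, the plug-in ID `plugin-7f3a`, the host `login.bank.example` and the single-use handling are assumptions, since the release does not specify them.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-ins (assumptions, not from the release): hash function,
# ledger layout, plug-in ID and login host are all illustrative.
LEDGER = {}                                   # plug-in ID -> hex digest of OTP
ALLOWED_LOGIN_HOSTS = {"login.bank.example"}  # domain designated by the institution
REGISTERED_PLUGINS = {"plugin-7f3a"}          # terminal IDs known to the institution


def otp_digest(otp: str) -> str:
    """Hash published to the ledger; SHA-256 is an assumed choice."""
    return hashlib.sha256(otp.encode("utf-8")).hexdigest()


def plugin_login(plugin_id: str, page_url: str):
    """Plug-in side: generate an OTP only on the designated login host."""
    host = urlsplit(page_url).hostname or ""
    if host not in ALLOWED_LOGIN_HOSTS:
        return None                           # look-alike page: nothing is generated
    otp = secrets.token_urlsafe(32)
    LEDGER[plugin_id] = otp_digest(otp)       # only the hash goes to the ledger
    return otp                                # the OTP itself goes to the institution


def institution_verify(plugin_id: str, otp: str) -> bool:
    """Institution side: fetch the stored hash and match it against the OTP."""
    if plugin_id not in REGISTERED_PLUGINS:
        return False                          # unknown terminal
    stored = LEDGER.pop(plugin_id, None)      # stand-in for marking the record spent
    if stored is None:
        return False                          # nothing published, or already used
    return hmac.compare_digest(stored, otp_digest(otp))


if __name__ == "__main__":
    otp = plugin_login("plugin-7f3a", "https://login.bank.example/signin")
    print("first login:", institution_verify("plugin-7f3a", otp))
    print("replay:", institution_verify("plugin-7f3a", otp))
    print("other host:", plugin_login("plugin-7f3a", "https://login-bank.example.net/"))
```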
■As a result of enhanced security with one-time passwords, the authentication procedure has become complicated and less convenient
Conventional authentication systems require users to confirm their identity three times when logging in.
1. Identification with ID and password
2. Identification with a one-time password
3. The company confirms the user’s identity with the authorization server.
Once the user has passed all of these checks, the user can log in. The authorization server is a server used to determine whether the login is being made by the user himself/herself, and it stores the user’s ID and password.
As a result of enhanced security for user identification, the procedure has become more complicated and less convenient. There is a risk of user IDs and passwords being leaked if the authorization server is attacked.
Although phishing fraud had been on the decrease due to the spread of one-time passwords, since February 2020, cases of one-time passwords being broken have become more frequent. In this scam, the operator of the phishing site leads the user to a false site such as a bank’s website and asks the user to enter his/her ID and fixed password, then poses as the user and logs in to a legitimate online banking account. The phishing site then displays a new screen on the fake site and asks the user to enter the one-time password at the same time the one-time password is sent to the user from the bank.
Blockchain-based authentication systems can prevent IDs, passwords, and one-time passwords from being compromised.
■ Phishing Scams Increasing Monthly
According to the Ministry of Internal Affairs and Communications, phishing fraud refers to “the act of stealing important personal information such as credit card numbers and account information (user IDs, passwords, etc.) by sending e-mails that spoof the sender or by having the user connect to a fake website from a fake e-mail.”
According to the “2020/04 Phishing Status Report” (Council of Anti-Phishing Japan), there were 8,208 cases in December 2019 and 6,613 cases in January 2020, showing a downward trend. However, in February of the same year, there were 7,630 cases; in March, 9,671 cases; and in April, 11,645 cases. The reason for the increase in phishing scams is the dramatic increase in phishing attempts to fraudulently steal credit card information by pretending to be from shopping sites such as Amazon. Phishing scams are increasingly using one-time passwords to break existing authentication methods.
One-time passwords are a mechanism whereby a different disposable password is sent to a pre-registered cell phone in addition to the fixed password originally set by the user when using online banking. The system provides greater security than password-only authentication and has been useful in preventing phishing fraud for a certain period of time. Financial institutions are rushing to establish new prevention systems.
While verifying the usage of BC-Auth, we aim to develop the business with a view to making it a fee-based system.
About No.1 Solutions, Inc.
Company name: No.1 Solutions, Inc.
Head office: Idemitsu Ikejiri Building 7F, 3-15-1 Higashiyama, Meguro-ku, Tokyo 153-0043, Japan
Representative Director: Tetsuo Menrai
Establishment: July 2002
Capital: 50 million yen
Contact: TEL 03-6412-8470, FAX 03-6412-8471
URL: https://no1s.biz
Business: Blockchain development business
For inquiries from the media regarding this matter, please contact:
No.1 Solutions, Inc. Public Relations: Kenji Domoto
TEL 03-6412-8470 / Email press@no1s.biz