STOP password sharing... NOW !

Hello,

I have developed a solution which could be of interest for many
purposes, mainly for secure login at on-line paysites.

I would like to share with the community the results of my developing
efforts, here is the fact, I developed an interesting solution that I would
like you to try.


Take a little time to read the text below, and then go to the testing site I
published, It 'should' work well from any country, actually I tested it in
Ireland, Switzerland and Italy...

The test site is at this address

http://www.exosystem.it/eng/soluzioni/saint_test.php

(please note that JAVA vrtual machine is needed installed on your pc, either
the SUN jvm, or the latest MS jvm, which is not any more available form MS,
but I could send to you an address for downloading if you need...)

Thanks in advance for your collaboration, and I hope to find someone to
remain in touch with for the deployment....

if you wish to contact me just write at the address dropping nosp_ from the
beginning !

waiting for your comments,

Ciao
Marco

--------------

SAINTlogin, a brief introduction

Basically it's a simple idea, but I found that it's not so easy to explain
in words, so I put on the internet a real testing solution, I'll try to be
as clear as possible explaining it, so maybe you can test it and tell me
your impressions, since I'm looking for people abroad to support the idea
and the business behind it...

1) The problem

On-line services are often deployed using subscriptions, users receive a
userid/password to access the web site online.
This practice leads (obviously) to undesired access from unauthorized
people, it is the so called 'password-sharing', and it's something
webmasters and online publishers do not appreciate at all.

Let's say, for example, that I publish a service for on-line news, it
exposes a daily web-newspaper, if I sell yearly subscriptions for 100$, more
people could share the same subscription and I loose much money....
Handling rotating passwords could partly solve the problem, but it's not so
easy to manage and users won't appreciate much the fact of frequent password
change.

2) Solutions

-The problem could be afforded by using certifications, but certificates
are, basically, simple files that could also be shared, and the solution is
not easily portable, so what if I want to have access from other pcs than
the one on which I installed the certficate ?... And what if my PC looses
data on the hard disks ?
-One other solution could be selling subscriptions together with hardware
smart-cards or hardware tokens (i.e. usb), but that implies using hardware,
a solution that is not well accepted by users and it is expensive for the
publisher...

3) SAINTlogin !

The ultimate solution :
I developed a system (a web service) that implements user identification by
telephone, that is, the basic idea was :
If my telephone -does have- a smart card inside, and it is unique all over
the world, why not to use it as user identification system ?

What I mean is that caller-id on the GSM Phone card is unique and not
cloneable....

Note that a GSM SIM cards, are virtually uncloneable (and this is true,
because once cloned it wouldn't be useable, the telephone service provider
would not accept two identical gsm sim-card phones being in use at the same
time and would block the two immediately if found in simultaneous use... )

I called this system SAINTlogin, it stands for :

Secure Access with Identity Notification by Telephone...

4) How it works :

SAINTlogin is a software system connected to many GSM phones (the number of
phones is expandable, actually I have connected 12, more concurrent users,
the more phones can be added, but note that usage of each phone is limited,
just at the time of user login !)
SAINTlogin is written in pure JAVA and ASP (Vb,Javascript) and it's built on
a Windows NT Service written in C++ and C...

A) When a user goes to the service page, he is asked to simply press a
button, then SAINTlogin requires to dial a number.

B) Users dial the number and 'magically !' (if he/she is registered) access
is granted, otherwise not...

To register to an on-line service (actually a demo)

A) go to the registration page, select the desired service, type your name
and press the button
B) Send an SMS message to the number shown, including in it the personal
code that was displayed

When SAINTlogin receives the message, it checks for the received code on an
internal database, and if it exists the user is registered to the service,
basically user's telephone number that comes with the SMS message is stored
as
a unique user identifier that'll be used to recognize him when access is
requested...

Easier to test than to explain !!!

I don't know of any other developer around the world that made something
like this, so I want to share it to let it it know, if you want, please
forward this letter to other friends that could be interested in deploying
this idea too...

5) Advantages of SAINTlogin validation

-Mobile phone usage
Mobile phones are today widely used, there is at least one phone for every
person in the developed countries...

-It could work with fixed phones too !
SAINTlogin relies on caller-id, and there is no reason why it couldn't work
from fixed phones, and it does, offering the same level of security....
Apart from the demo, which relies on sending an SMS for registration, a
provider could manually register users' telephone numbers and manage them
for the duration of the subscription, as it would do with normal user id and
passwords.

-SAINTlogin is not privacy pervasive !
Although SAINTlogin stores telephone numbers in a user's database, there is
not any direct connection between phone numbers and real user names, the
stored identifier can be just a nicknmae, not the real name and it is user
provided....

-ZERO COSTS !
SAINTlogin is a zero-cost implementation : zero-cost for users (no charges
for un-answered calls to the system) zero-costs for on-line providers, they
just have to add a few lines of code to implement the SAINTlogin web service
!

6) Where are we going from now on

-SAINTlogin is going to be transformed in a real web service, it could be
used by webmasters or site developers to implement secure access for their
users, just adding some lines of code to their web pages that invokes the
service
running on our server (or on other clone SAINTlogin servers around the
world)...

- SAINTlogin is going to be a FREE service, or at least it will be just with
some limitations on the number of users (small organizations with, say, 50
to 100 users won't pay anything, but large organizations could pay a small
per/user price to validate their users and an annual fee...)

- I think that SAINTlogin can be as much secure as a credit card, if we link
it to a 4 pin code number, (using ssl protocol) after user dialled to
login....

-Lot's of supplemental services can be built around it, I have many in mind,
I'll tell you about them it if you're interested...

-I've heard of some companies around the world (someone told me there's a
new zealand bank) implementing something like SAINTlogin. they use GSM
phones for their users validation, but it has never been implemented as a
free web service designed to be incorporated in ANY website....
Some of them use just sending an SMS containing a new password at each
requested login, and that's expensive for providers (an SMS at every login)
and boring for users that have to wait for the sms containing a new password
each time they login !

_____________________________________

better yet, voice recognition!

that way, it could even work without having to use a phone! all you need is
a mic!



"Libero" <nosp_orlandi.marco@libero.it> wrote in message
news:bineeo$o6t$4@newsread.albacom.net...
> Hello,
>
> I have developed a solution which could be of interest for many
> purposes, mainly for secure login at on-line paysites.
>
> I would like to share with the community the results of my developing
> efforts, here is the fact, I developed an interesting solution that I
would
> like you to try.
>
>
> Take a little time to read the text below, and then go to the testing site
I
> published, It 'should' work well from any country, actually I tested it in
> Ireland, Switzerland and Italy...
>
> The test site is at this address
>
> http://www.exosystem.it/eng/soluzioni/saint_test.php
>
> (please note that JAVA vrtual machine is needed installed on your pc,
either
> the SUN jvm, or the latest MS jvm, which is not any more available form
MS,
> but I could send to you an address for downloading if you need...)
>
> Thanks in advance for your collaboration, and I hope to find someone to
> remain in touch with for the deployment....
>
> if you wish to contact me just write at the address dropping nosp_ from
the
> beginning !
>
> waiting for your comments,
>
> Ciao
> Marco
>
> --------------
>
> SAINTlogin, a brief introduction
>
> Basically it's a simple idea, but I found that it's not so easy to explain
> in words, so I put on the internet a real testing solution, I'll try to be
> as clear as possible explaining it, so maybe you can test it and tell me
> your impressions, since I'm looking for people abroad to support the idea
> and the business behind it...
>
> 1) The problem
>
> On-line services are often deployed using subscriptions, users receive a
> userid/password to access the web site online.
> This practice leads (obviously) to undesired access from unauthorized
> people, it is the so called 'password-sharing', and it's something
> webmasters and online publishers do not appreciate at all.
>
> Let's say, for example, that I publish a service for on-line news, it
> exposes a daily web-newspaper, if I sell yearly subscriptions for 100$,
more
> people could share the same subscription and I loose much money....
> Handling rotating passwords could partly solve the problem, but it's not
so
> easy to manage and users won't appreciate much the fact of frequent
password
> change.
>
> 2) Solutions
>
> -The problem could be afforded by using certifications, but certificates
> are, basically, simple files that could also be shared, and the solution
is
> not easily portable, so what if I want to have access from other pcs than
> the one on which I installed the certficate ?... And what if my PC looses
> data on the hard disks ?
> -One other solution could be selling subscriptions together with hardware
> smart-cards or hardware tokens (i.e. usb), but that implies using
hardware,
> a solution that is not well accepted by users and it is expensive for the
> publisher...
>
> 3) SAINTlogin !
>
> The ultimate solution :
> I developed a system (a web service) that implements user identification
by
> telephone, that is, the basic idea was :
> If my telephone -does have- a smart card inside, and it is unique all over
> the world, why not to use it as user identification system ?
>
> What I mean is that caller-id on the GSM Phone card is unique and not
> cloneable....
>
> Note that a GSM SIM cards, are virtually uncloneable (and this is true,
> because once cloned it wouldn't be useable, the telephone service provider
> would not accept two identical gsm sim-card phones being in use at the
same
> time and would block the two immediately if found in simultaneous use... )
>
> I called this system SAINTlogin, it stands for :
>
> Secure Access with Identity Notification by Telephone...
>
> 4) How it works :
>
> SAINTlogin is a software system connected to many GSM phones (the number
of
> phones is expandable, actually I have connected 12, more concurrent users,
> the more phones can be added, but note that usage of each phone is
limited,
> just at the time of user login !)
> SAINTlogin is written in pure JAVA and ASP (Vb,Javascript) and it's built
on
> a Windows NT Service written in C++ and C...
>
> A) When a user goes to the service page, he is asked to simply press a
> button, then SAINTlogin requires to dial a number.
>
> B) Users dial the number and 'magically !' (if he/she is registered)
access
> is granted, otherwise not...
>
> To register to an on-line service (actually a demo)
>
> A) go to the registration page, select the desired service, type your name
> and press the button
> B) Send an SMS message to the number shown, including in it the personal
> code that was displayed
>
> When SAINTlogin receives the message, it checks for the received code on
an
> internal database, and if it exists the user is registered to the service,
> basically user's telephone number that comes with the SMS message is
stored
> as
> a unique user identifier that'll be used to recognize him when access is
> requested...
>
> Easier to test than to explain !!!
>
> I don't know of any other developer around the world that made something
> like this, so I want to share it to let it it know, if you want, please
> forward this letter to other friends that could be interested in deploying
> this idea too...
>
> 5) Advantages of SAINTlogin validation
>
> -Mobile phone usage
> Mobile phones are today widely used, there is at least one phone for every
> person in the developed countries...
>
> -It could work with fixed phones too !
> SAINTlogin relies on caller-id, and there is no reason why it couldn't
work
> from fixed phones, and it does, offering the same level of security....
> Apart from the demo, which relies on sending an SMS for registration, a
> provider could manually register users' telephone numbers and manage them
> for the duration of the subscription, as it would do with normal user id
and
> passwords.
>
> -SAINTlogin is not privacy pervasive !
> Although SAINTlogin stores telephone numbers in a user's database, there
is
> not any direct connection between phone numbers and real user names, the
> stored identifier can be just a nicknmae, not the real name and it is user
> provided....
>
> -ZERO COSTS !
> SAINTlogin is a zero-cost implementation : zero-cost for users (no charges
> for un-answered calls to the system) zero-costs for on-line providers,
they
> just have to add a few lines of code to implement the SAINTlogin web
service
> !
>
> 6) Where are we going from now on
>
> -SAINTlogin is going to be transformed in a real web service, it could be
> used by webmasters or site developers to implement secure access for their
> users, just adding some lines of code to their web pages that invokes the
> service
> running on our server (or on other clone SAINTlogin servers around the
> world)...
>
> - SAINTlogin is going to be a FREE service, or at least it will be just
with
> some limitations on the number of users (small organizations with, say, 50
> to 100 users won't pay anything, but large organizations could pay a small
> per/user price to validate their users and an annual fee...)
>
> - I think that SAINTlogin can be as much secure as a credit card, if we
link
> it to a 4 pin code number, (using ssl protocol) after user dialled to
> login....
>
> -Lot's of supplemental services can be built around it, I have many in
mind,
> I'll tell you about them it if you're interested...
>
> -I've heard of some companies around the world (someone told me there's a
> new zealand bank) implementing something like SAINTlogin. they use GSM
> phones for their users validation, but it has never been implemented as a
> free web service designed to be incorporated in ANY website....
> Some of them use just sending an SMS containing a new password at each
> requested login, and that's expensive for providers (an SMS at every
login)
> and boring for users that have to wait for the sms containing a new
password
> each time they login !
>
> _____________________________________
>
>
>
>
>
>
>

....thanks for suggestion, but at the moment I prefer remaining with my feet
attached to the ground....

Star Trek's computer's not yet avialable, and we're still using a mouse
attached, somehow, to the computer....

(do you remember the movie in which spoke tried to give orders speaking into
an old fashioned Mac mouse...? That was because he jumped back in 1990
year...)



"anti-bozak" <antibozak@dot.com> ha scritto nel messaggio
news:CJU3b.1330$Lk5.699@newsread3.news.pas.earthli nk.net...
better yet, voice recognition!

that way, it could even work without having to use a phone! all you need is
a mic!



"Libero" <nosp_orlandi.marco@libero.it> wrote in message
news:bineeo$o6t$4@newsread.albacom.net...
> Hello,
>
> I have developed a solution which could be of interest for many
> purposes, mainly for secure login at on-line paysites.
>
> I would like to share with the community the results of my developing
> efforts, here is the fact, I developed an interesting solution that I
would
> like you to try.
>
>
> Take a little time to read the text below, and then go to the testing site
I
> published, It 'should' work well from any country, actually I tested it in
> Ireland, Switzerland and Italy...
>
> The test site is at this address
>
> http://www.exosystem.it/eng/soluzioni/saint_test.php
>
> (please note that JAVA vrtual machine is needed installed on your pc,
either
> the SUN jvm, or the latest MS jvm, which is not any more available form
MS,
> but I could send to you an address for downloading if you need...)
>
> Thanks in advance for your collaboration, and I hope to find someone to
> remain in touch with for the deployment....
>
> if you wish to contact me just write at the address dropping nosp_ from
the
> beginning !
>
> waiting for your comments,
>
> Ciao
> Marco
>
> --------------
>
> SAINTlogin, a brief introduction
>
> Basically it's a simple idea, but I found that it's not so easy to explain
> in words, so I put on the internet a real testing solution, I'll try to be
> as clear as possible explaining it, so maybe you can test it and tell me
> your impressions, since I'm looking for people abroad to support the idea
> and the business behind it...
>
> 1) The problem
>
> On-line services are often deployed using subscriptions, users receive a
> userid/password to access the web site online.
> This practice leads (obviously) to undesired access from unauthorized
> people, it is the so called 'password-sharing', and it's something
> webmasters and online publishers do not appreciate at all.
>
> Let's say, for example, that I publish a service for on-line news, it
> exposes a daily web-newspaper, if I sell yearly subscriptions for 100$,
more
> people could share the same subscription and I loose much money....
> Handling rotating passwords could partly solve the problem, but it's not
so
> easy to manage and users won't appreciate much the fact of frequent
password
> change.
>
> 2) Solutions
>
> -The problem could be afforded by using certifications, but certificates
> are, basically, simple files that could also be shared, and the solution
is
> not easily portable, so what if I want to have access from other pcs than
> the one on which I installed the certficate ?... And what if my PC looses
> data on the hard disks ?
> -One other solution could be selling subscriptions together with hardware
> smart-cards or hardware tokens (i.e. usb), but that implies using
hardware,
> a solution that is not well accepted by users and it is expensive for the
> publisher...
>
> 3) SAINTlogin !
>
> The ultimate solution :
> I developed a system (a web service) that implements user identification
by
> telephone, that is, the basic idea was :
> If my telephone -does have- a smart card inside, and it is unique all over
> the world, why not to use it as user identification system ?
>
> What I mean is that caller-id on the GSM Phone card is unique and not
> cloneable....
>
> Note that a GSM SIM cards, are virtually uncloneable (and this is true,
> because once cloned it wouldn't be useable, the telephone service provider
> would not accept two identical gsm sim-card phones being in use at the
same
> time and would block the two immediately if found in simultaneous use... )
>
> I called this system SAINTlogin, it stands for :
>
> Secure Access with Identity Notification by Telephone...
>
> 4) How it works :
>
> SAINTlogin is a software system connected to many GSM phones (the number
of
> phones is expandable, actually I have connected 12, more concurrent users,
> the more phones can be added, but note that usage of each phone is
limited,
> just at the time of user login !)
> SAINTlogin is written in pure JAVA and ASP (Vb,Javascript) and it's built
on
> a Windows NT Service written in C++ and C...
>
> A) When a user goes to the service page, he is asked to simply press a
> button, then SAINTlogin requires to dial a number.
>
> B) Users dial the number and 'magically !' (if he/she is registered)
access
> is granted, otherwise not...
>
> To register to an on-line service (actually a demo)
>
> A) go to the registration page, select the desired service, type your name
> and press the button
> B) Send an SMS message to the number shown, including in it the personal
> code that was displayed
>
> When SAINTlogin receives the message, it checks for the received code on
an
> internal database, and if it exists the user is registered to the service,
> basically user's telephone number that comes with the SMS message is
stored
> as
> a unique user identifier that'll be used to recognize him when access is
> requested...
>
> Easier to test than to explain !!!
>
> I don't know of any other developer around the world that made something
> like this, so I want to share it to let it it know, if you want, please
> forward this letter to other friends that could be interested in deploying
> this idea too...
>
> 5) Advantages of SAINTlogin validation
>
> -Mobile phone usage
> Mobile phones are today widely used, there is at least one phone for every
> person in the developed countries...
>
> -It could work with fixed phones too !
> SAINTlogin relies on caller-id, and there is no reason why it couldn't
work
> from fixed phones, and it does, offering the same level of security....
> Apart from the demo, which relies on sending an SMS for registration, a
> provider could manually register users' telephone numbers and manage them
> for the duration of the subscription, as it would do with normal user id
and
> passwords.
>
> -SAINTlogin is not privacy pervasive !
> Although SAINTlogin stores telephone numbers in a user's database, there
is
> not any direct connection between phone numbers and real user names, the
> stored identifier can be just a nicknmae, not the real name and it is user
> provided....
>
> -ZERO COSTS !
> SAINTlogin is a zero-cost implementation : zero-cost for users (no charges
> for un-answered calls to the system) zero-costs for on-line providers,
they
> just have to add a few lines of code to implement the SAINTlogin web
service
> !
>
> 6) Where are we going from now on
>
> -SAINTlogin is going to be transformed in a real web service, it could be
> used by webmasters or site developers to implement secure access for their
> users, just adding some lines of code to their web pages that invokes the
> service
> running on our server (or on other clone SAINTlogin servers around the
> world)...
>
> - SAINTlogin is going to be a FREE service, or at least it will be just
with
> some limitations on the number of users (small organizations with, say, 50
> to 100 users won't pay anything, but large organizations could pay a small
> per/user price to validate their users and an annual fee...)
>
> - I think that SAINTlogin can be as much secure as a credit card, if we
link
> it to a 4 pin code number, (using ssl protocol) after user dialled to
> login....
>
> -Lot's of supplemental services can be built around it, I have many in
mind,
> I'll tell you about them it if you're interested...
>
> -I've heard of some companies around the world (someone told me there's a
> new zealand bank) implementing something like SAINTlogin. they use GSM
> phones for their users validation, but it has never been implemented as a
> free web service designed to be incorporated in ANY website....
> Some of them use just sending an SMS containing a new password at each
> requested login, and that's expensive for providers (an SMS at every
login)
> and boring for users that have to wait for the sms containing a new
password
> each time they login !
>
> _____________________________________
>
>
>
>
>
>
>

In article <biqls3$ioj$1@newsread.albacom.net>, "Libero"
<nosp_orlandi.marco@libero.it> writes:

>...thanks for suggestion, but at the moment I prefer remaining with my feet
>attached to the ground....

That depends on how you see "attached to the ground".
The whole schema you described depends on me calling from the same number
everytime. For some, that is entirely possible and usually true. For some, its
not reasonable at all.

The company I work for has over 200 phone lines, every single one of them will
show up as the same number on called ID (by design). But, I have but one line
at home. So how would I use a resource such as that at work and home?

--
Randy

Randy,

>The company I work for has over 200 phone lines, every single one of them
will
>show up as the same number on called ID (by design). But, I have but one
line
>at home. So how would I use a resource such as that at work and home?

You're right, most of the company telephone systems send unique CLID,
enabling all people calling from same company is certainly not good and
undesired.

But SAINTlogin is intended top be used for cellphone validation, in that
case identification is certainly unique.

If your concerns are around user acceptability, just think that this system
guarantees users and providers too from unauthorized access, today
cellphones are not an expensive resource, and almost everyone owns one....

Rgds
Marco