Todos Dynamic Signatures Next Generation Security Solution
A short presentation on Todos innovative concept of "Todos Dynamic Signatures", which is a risk based authentication solution

  • Transcript

    • 1. Todos Dynamic Signatures: next generation innovative security solution (www.todos.se)
    • 2. Existing OTP and C/R solutions
      • Challenge/Response is vulnerable to Man-in-the-Middle (MitM) attacks
      • Transaction Data Signing does not add context: is “1133200” “$ 11,332.00” or “1133-200” (an account number)?
      • Transaction Data Signing is sensitive to certain kinds of cross-channel attack we might see in the future
      • One-time-passwords for transaction authorization are reaching end-of-life (both event-based AND time-based)
    • 3. Weakness with Challenge/Response: Man-in-the-Middle (MitM) attack
      [Diagram: internet banking between the end-user and the BANK, with a MitM in between. The bank issues challenge 653 265 for the transaction it receives (the MitM's); the user's ordinary C/R device returns response 123 456 for that challenge; the bank approves the MitM's transaction.]
    • 4. Weakness with Challenge/Response: Man-in-the-Middle (MitM) attack, cont.
      [Diagram, three perspectives of the same exchange:
      End-user's perspective: LOGIN; From: Private Savings 0458-55326; To: James A.A 0459-9658,326; Amount: $ 125,00; OK/Cancel. Challenge: 653 265, Response: 123 456.
      MitM's perspective: the MitM replaces the transaction with From: Private Savings 0458-55326; To: Mr Evil 9544-6663,002; Amount: $ 50 000,00, and forwards the user's response 123 456 unchanged.
      Internet bank's perspective: Challenge 653 265, Response 123 456 for the MitM's transaction: "MitM's transaction approved!!"
      The challenge does not depend on the transaction data, so the ordinary C/R device produces the same response for both transactions.]
    • 5. What are other banks doing?
    • 6. Case #1 Nordea (Nordea's own words) [quoted material not in transcript]
    • 7. Case #1 Nordea
      • Nordea e-kod
      • Nordea acted strongly to re-establish trust
      • Nordea replaced their existing one-time-password solution
      • Nordea implemented a security solution stronger than CAP, with ”Advanced Signing”
      • The new security solution has effectively stopped all attacks on the internet bank
    • 8. Case #2 ABN AMRO (Source: Finextra, 2/4-07)
    • 9. Case #2 ABN AMRO
      • ABN AMRO e.dentifier2
      • ABN AMRO had to act strongly
      • One year later, in June 2008, ABN AMRO started deploying its third-generation security solution ”e.dentifier2”
      • Protects banking customers over the next 5-7 years
      • True mitigation against Man-in-the-Middle attacks, with improved Transaction Data Signing with ”Sign-What-You-See” (SWYS)
      • ”The most secure end-user device today” (ABN AMRO's own statement)
    • 10. Requirements for a security solution
      The authentication solution must be flexible; a simple one-function device is no more…
      • A solution needs to handle many different services!
      • Banking, shopping, government etc.
      • It must be portable, trustworthy & attractive!
      • Used everywhere
      • It must host different security options!
      • Security when needed, virus-free environment, configurable: high risk, low risk, legal demands etc.
      • Low total cost of ownership!
      • Easy to use, simple logistics
    • 11. Todos Dynamic Signatures The future of eBanking & eCommerce
    • 12. Todos Dynamic Signatures (business rule agility)
      • Mitigates Man-in-the-Middle: the risk in the current transaction is analysed, and the user's process flow is controlled remotely, through the challenge value, which dynamically selects the data fields the end-user must sign for that transaction
      • Prevents cross-channel attacks: the reader has separate buttons for Login, Sign and e-commerce, so a response produced in one channel cannot be re-used in another
      • Future proof: the solution will secure the online bank over the next 5-7 years
      • Risk-based process flow: the reader supports the bank's business processes; the bank can make agile business decisions that change the business rules in the reader, decided by the bank in real time
    • 13. Todos Dynamic Signatures, cont. (business rule agility)
      • Informed consent: Dynamic Signatures lets the customer review and approve the vital information in the transaction, strengthening the act of will
      • User convenience: 99.4% of all transactions are low risk; make sure these stay user-friendly
      • Connected and unconnected mode: the solution works in both connected and unconnected mode, which lets a bank use it for all channels
    • 14. Todos Dynamic Signatures, act of will
      Todos Dynamic Signatures adds functionality to the process/device that forces the user to actively make decisions in the process, increasing customer awareness in the transaction process. The challenge decides which combination of questions is asked.
    • 15. Todos Dynamic Signatures, LOW RISK
      [Screen mock-up. Internet bank: transaction data From Account Privat acc 0458-3865,986, To Account Privat acc 0458-6532,659, Amount 100,00; Challenge 986 523; Sign/Cancel. Reader (buttons SIGN, CODE, BUY, LOGIN, OK): Sign → Challenge? 986 523 → Enter PIN? **** → Response: 567 890. Bank: Response 567 890, Transaction Successful. Only the challenge is keyed into the reader.]
    • 16. Todos Dynamic Signatures, HIGH RISK
      [Screen mock-up. Internet bank: From Account Privat acc 0458-3865,986, To Account James A.A 0459-9658,326, Amount 5 000,00 (EUR); Challenge 653 265; Sign/Cancel. Reader: Sign → Challenge? 653 265 → Account 0459 9658 326 → Amount 5 000,00 → Enter PIN? **** → Response: 723 905. Bank: Response 723 905, Transaction Successful. The recipient account and the amount are keyed into the reader and thus signed.]
    • 17. Todos Dynamic Signatures, risk based
      The solution is designed to meet changes in authentication demands: handling new types of risk, emergency changes of security level, and new and improved methods of managing risk in the future. You can change the set of “chosen” questions at any time.

      Function                        Low risk        Medium risk       High risk
      National transfer               <1000€   OTP    >1000€   C/R      >10000€  C/R+DS
      International credit transfer   N/A             >100€    C/R+DS   C/R+DS
      Recurring transfer
      Account to account transfer
      Online shopping transaction
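To make the mechanics of slides 3-4 and 12-17 concrete, here is a small Python model added for this page; it is not Todos code and not the CAP/DPA computation the readers actually run. The bank scores the transaction it received using the slide 17 tiers, carries the chosen template in the first digit of the challenge (an assumption about how the challenge selects the fields; the page does not describe the encoding), the reader prompts only for that template's fields, and the button pressed (LOGIN/SIGN/BUY) is mixed into the response so it is valid only in its own channel. Responses are modelled as six decimal digits of an HMAC-SHA256; the key, the account numbers, the amounts and the tier cut-offs at exactly 1000 and 10000 are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

KEY = bytes(range(16))  # constructed demo key shared by the bank and the reader

# Pre-loaded action lists (slide 18 calls them templates), selected by the first
# digit of the challenge: the fields the reader asks the user to key in.
# Assumption: the real product's encoding is not described on the page.
TEMPLATES = {
    "0": (),                # OTP / plain C/R: challenge only
    "1": ("amount",),       # DS on the amount only
    "2": ("to", "amount"),  # DS on recipient account and amount (slide 16)
}


def risk_tier(tx):
    """Slide 17 policy for national and international transfers, amounts as
    integer EUR.  The slide's '<1000 / >1000 / >10000' leave the boundary
    values undefined, so the exact cut-offs are an assumption."""
    if tx["kind"] == "international":
        return "C/R+DS", "2"      # slide 17: no low-risk tier for international
    if tx["amount"] < 1000:
        return "OTP", "0"
    if tx["amount"] < 10000:
        return "C/R", "0"
    return "C/R+DS", "2"


def issue_challenge(tx_received, nonce=None):
    """Bank side: score the transaction the bank actually received (the MitM's,
    if there is one) and bind the template digit into the challenge."""
    method, digit = risk_tier(tx_received)
    if nonce is None:
        nonce = f"{secrets.randbelow(10**5):05d}"
    return method, digit + nonce


def compute_response(button, challenge, fields):
    """Reader and bank run the same computation.  The button (LOGIN/SIGN/BUY)
    is a domain tag, so a response is valid only in the channel it was made
    for; field names are part of the input, so 'amount=1133200' and
    'to=1133200' never yield the same response."""
    names = TEMPLATES[challenge[0]]
    msg = "|".join([button, challenge] + [f"{n}={fields[n]}" for n in names])
    mac = hmac.new(KEY, msg.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def authorize(tx_received, tx_shown, button_used="SIGN", button_verified="SIGN",
              nonce="53265"):
    """Full round trip: the user keys in the prompted fields as shown on their
    own screen (tx_shown); the bank recomputes over what it received.
    Returns (method, fields the reader prompted for, accepted?)."""
    method, challenge = issue_challenge(tx_received, nonce)
    response = compute_response(button_used, challenge, tx_shown)
    expected = compute_response(button_verified, challenge, tx_received)
    return method, TEMPLATES[challenge[0]], hmac.compare_digest(expected, response)


# Scenarios; account numbers and amounts are constructed from the slide mock-ups.
USER_SEES = {"kind": "national", "to": "0459-9658,326", "amount": 125}
MITM_SENDS = {"kind": "national", "to": "9544-6663,002", "amount": 50000}


def scenario_plain_cr_mitm():
    """Slides 3-4: with a challenge-only template the reader signs just the
    challenge, so the MitM's 50 000 to Mr Evil verifies with the user's response."""
    challenge = "0" + "53265"     # template 0 forced, whatever the risk
    response = compute_response("SIGN", challenge, USER_SEES)
    return hmac.compare_digest(compute_response("SIGN", challenge, MITM_SENDS), response)


def scenario_dynamic_mitm():
    """Same substitution under the risk policy: the bank scores the 50 000 it
    received, picks template 2, and the user's keyed-in 125 and real recipient
    do not match what the bank received."""
    return authorize(MITM_SENDS, USER_SEES)


def scenario_low_value_recipient_swap():
    """Below the DS threshold only the challenge is signed, so a swapped
    recipient on a 100 EUR transfer is accepted: residual risk the bank
    bounds by its thresholds, which it can tighten at the back end."""
    shown = {"kind": "national", "to": "0458-6532,659", "amount": 100}
    return authorize(dict(shown, to="9544-6663,002"), shown)


def scenario_cross_channel_replay():
    """A response produced under SIGN replayed into the BUY channel fails even
    with the same challenge and the same fields."""
    tx = {"kind": "international", "to": "9544-6663,002", "amount": 250}
    return authorize(tx, tx, button_used="SIGN", button_verified="BUY")
```

Running the scenarios shows the two properties the slides argue for: with a challenge-only template the substituted transaction verifies (slides 3-4), while under the risk policy the inflated amount forces the account and amount into the signature and the user's entries no longer match what the bank received. The recipient-swap scenario is the caveat a practitioner should note: below the DS threshold the recipient is not signed, so the thresholds are a risk decision rather than a guarantee, and a back-end rule change (slide 18) is what closes that gap for all readers at once.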
    • 18. Todos Dynamic Signatures, SUMMARY
      • Solves the problem of missing context for a particular transaction, supporting act of will (end-user awareness)
      • Risk-based system enabling the bank to control the risk in each and every transaction
      • Allows low-risk transactions to be carried out more easily and straightforwardly, i.e. plain C/R
      • Only high-risk transactions are handled in a more complex manner, i.e. SWYS
      • Puts more intelligence in the end-user's device by pre-loading it with several action lists, i.e. templates
      • A change at one point (the back-end) changes the behaviour of all end-user devices
      • Leverages MasterCard CAP / Visa DPA
    • 19. Security levels: ”How much do we need to raise our security level and when?”
      ”In 1996 we knew where our security level was at and the capability of the fraudster. Today we do not know when our solution will be hacked; we do however know that it will be” - Internet Bank Director
      Do it whenever it is needed! With the tools you already have rolled out.
      [Chart: security level versus fraudster capability from 1996 to 2008, with the Dynamic Signatures security level shown against the fraudster capability curve.]
    • 20. One step up is not enough…
      [Chart: fraud mitigation methods (Static Passwords, OTP, Challenge Response, SWYS, Secure Domain Separation, Dynamic Signatures) set against threats (ID theft, key logging, phishing, spyware, man-in-the-middle, man-in-the-browser).]
      Frauds are becoming more and more sophisticated… and so is fraud mitigation… Make sure you take a dynamic leap.
    • 21. Solution by Todos
      [Product overview: AUTHENTICATOR 300, 217U, 417U, EZTOKEN, SIGNATURE READER, EZTOKEN PIN, AUTHENTICATOR 214, ARGOS MINI TALK, EZSIGN, ECODE SERVER]
    • 22. Todos’ Promise: A UNIQUE POSITION
      • Todos holds a unique position by offering…
      • … One system for all Solutions
      • All devices can be used simultaneously
      • One end-user can have multiple devices
      • Multi issuer service
      • Cost efficient with low total cost of ownership
      • … a Wide range of Devices
      • From Printed Cards, tokens to connectable Readers
      • Enables true segmentation of users
      • … High technical knowledge
      • Secure Domain Separation
      • Todos Dynamic Signatures – True agility
      • Sign-What-You-See
      • Customization: tailor made look and feel
    • 23. Thank you. Peter Gullberg, VP Product Strategy, [email_address]
