Enhanced Authentication
Presentation I did in Trondheim
http://petergullberg.wordpress.com

(UPDATED: SlideShare had some problem with the presentation, so I removed the PPT issues)

  • “express consent” (comment in Norwegian: “uttrykkelig samtykke”)

Enhanced Authentication: Presentation Transcript

  • eCommerce: What does the online user look like?…
  • eCommerce: Like this?…
  • eCommerce: … maybe like this? …
  • eCommerce: …, or simply unaware?
  • eCommerce: We need to protect our users online …
  • eCommerce: … without making it difficult for the user.
  • eCommerce: Success factors for online security? …
  • eCommerce, Usability: The user must understand how, and why, to use a security solution. If not, the user will abandon it, or simply try to skip it.
  • eCommerce, Context: User awareness guarantees that the user understands a certain action. User awareness is achieved through context.
  • eCommerce: This is NOT the normal yada-yada. When a user understands and agrees on an action he is taking, this is referred to as consent. For a user to understand what he agrees on, he may need to confirm details.
  • eCommerce, Consent: It is important that the user can communicate his intention to the bank. If not, it might be used by an attacker.
  • eCommerce, Risk perception: The user must understand the risk in an action. Until it has been understood, the user is unaware (this photographer will use a zoom lens next time!).
  • eCommerce, Trust: Trust comes from meeting and beating customer expectations. Trust = reliability + delight (T = r + d).
  • eCommerce: Is there a silver bullet? The bank needs a solution that everyone can use. Users need a variety of solutions, for different lifestyles.
  • Existing OTP and Challenge/Response solutions are not sufficient:
    • Challenge/Response does not protect against Trojans or Man-in-the-Middle (MitM) attacks
    • Transaction Data Signing (V1-V8) does not add context for eBanking; is “1133200” = “$ 11,332.00” or “1133-200” (account number)?
    • One-time-password for transaction authorization is reaching end-of-life (both Event AND Time)
  • Weakness with Challenge/Response: Man-in-the-Middle (MitM) attack. The slide shows three perspectives (the end-user's, the MitM's and the Internet bank's) with an ordinary C/R device:
    • End-user's perspective (Internet banking: Login, Transaction): Transfer From: Private Savings 0458-55326; To: James A.A 0459-9658,326; Amount: $ 125,00. Challenge: 653 265; Response: 123 456; Cancel / OK
    • MitM's perspective: Transfer From: Private Savings 0458-55326; To: Mr Evil 9544-6663,002; Amount: $ 50 000,00. The MitM forwards the bank's challenge 653 265 to the user and relays the user's response 123 456 to the bank
    • Bank's perspective: the bank issues the challenge 653 265, receives the response 123 456 and signs the MitM's transaction. MitM's transaction approved !!
  • Todos Dynamic Signatures: Risk-based two-factor authentication
  • Q: “Would you sign a blank check?” (Or sign a contract without being able to review the contractual terms?)
  • Todos Dynamic Signatures  Risk based process flow: The reader supports the banks business processes, where the bank can make agile business decisions, which controls the process flow in the reader, decided by the bank in real-time  Mitigates Man-in-the-middle: The risk in the current transaction is analysed, and the user process flow is remotely controlled, based on the challenge value, to dynamically control which data fields that need to be signed in the transaction by the end-user  Prevents cross channel attacks: The reader protects against cross channel attacks, by introducing context and separating the buttons for; Login, Sign and e-commerce, where one response cannot be re-used in a different channel  Future proof: The solution secures the online bank over the next 5-7 years
  • Todos Dynamic Signatures  User convenience: 99.4% of all transactions are low risk, make sure these are user-friendly  Act-of-will: Dynamic Signatures allows customer to review and approve vital information in the transaction, to strengthen the act- of-will, “empower the user”  Connected and unconnected mode: The solution works both in connected and unconnected mode, enables a bank to use this for all channels  Second Channel Confirmation: The solution provides an Out Of Band confirmation inside the existing channel
  • Todos Dynamic Signatures, act of will: Based on the challenge, the bank controls the process flow in the user's device. The reader prompts “Enter challenge:” (“21”), and the digits ’1’ to ’6’ map to the following steps: ’1’: “Enter amount:”; ’2’: “Select currency:” (EUR, USD, GBP, YEN, OTHER); ’3’: “Enter account no:”; ’4’: “Enter phone number:”; ’5’: Confirm transaction type; ’6’: “Enter V{1-8}:” (V1-V8). Finally “Enter PIN:” _ _ _ _ and “Response: 123456”.
  • Todos Dynamic Signatures: Depending on the risk in the transaction, the customer's participation in the authorisation process is reflected accordingly.
    • HIGH RISK: Challenge? 635 265; Account Number: 0459 9658 326; Amount: 5 000,00; Enter PIN? ****; Response: 723 905
    • LOW RISK: Challenge? 986 523; Enter PIN? ****; Response: 567 890
  • Todos Dynamic Signatures, risk based:

    Function                        Low risk        Medium risk      High risk
    National transfer               <1000€: OTP     >1000€: C/R      >10000€: C/R+DS
    International credit transfer   N/A             >100€: C/R+DS    C/R+DS
    Recurring transfer
    Account to account transfer
    Online shopping transaction

    The solution is to support new banking services in the future, where it is possible to mitigate risks not seen today. You can at any time change which questions to ask the user!
  • Todos Dynamic Signatures: The bank needs a standard device; users want it to fit their lifestyle. Product family shown: A300, onMobile (mobile OTP), Authenticator Token, XML-Sign, inSim, What You See.
  • Thank You
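An added example, not from the presentation or from Todos: a small Python model of the two slides above, the relayed challenge/response attack and the challenge-driven field selection. The device key, the digit-to-field table and the two transactions are constructed; the point is that a response bound to the fields the user keyed in no longer verifies against the MitM's altered transaction, while a low-risk flow that signs no fields behaves like plain C/R.

```python
import hashlib
import hmac

# Constructed demo key shared by the bank and the user's reader (not a real secret).
DEVICE_KEY = b"constructed-demo-key"

# Hypothetical field-selection table in the spirit of the slide: each digit of the
# challenge tells the reader which transaction field the user must key in.
FIELD_FOR_DIGIT = {"1": "amount", "2": "currency", "3": "account"}

# Constructed transactions: what the user intends, and what the MitM sends the bank.
USER_TX = {"amount": "125,00", "currency": "USD", "account": "0459-9658,326"}
MITM_TX = {"amount": "50 000,00", "currency": "USD", "account": "9544-6663,002"}

def plain_cr_response(key: bytes, challenge: str) -> str:
    """Ordinary C/R device: the response depends on the challenge alone."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:6]

def dynamic_signature_response(key: bytes, challenge: str, fields: dict) -> str:
    """Dynamic signature: the challenge selects fields and their values are bound
    into the response, so a changed field yields a different response."""
    msg = challenge
    for digit in challenge:
        name = FIELD_FOR_DIGIT.get(digit)
        if name is not None:
            msg += "|" + name + "=" + fields[name]
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:6]

def bank_accepts(scheme: str, challenge: str, tx_at_bank: dict, response: str) -> bool:
    """The bank recomputes the response over the transaction it actually received."""
    if scheme == "cr":
        expected = plain_cr_response(DEVICE_KEY, challenge)
    else:
        expected = dynamic_signature_response(DEVICE_KEY, challenge, tx_at_bank)
    return hmac.compare_digest(expected, response)

def mitm_transaction_approved(scheme: str, challenge: str) -> bool:
    """Relay scenario from the slide: the reader answers the bank's challenge over
    the user's own transaction; the MitM forwards that response with its own."""
    if scheme == "cr":
        response = plain_cr_response(DEVICE_KEY, challenge)
    else:
        response = dynamic_signature_response(DEVICE_KEY, challenge, USER_TX)
    return bank_accepts(scheme, challenge, MITM_TX, response)

if __name__ == "__main__":
    print("plain C/R, altered transaction approved:", mitm_transaction_approved("cr", "6352"))
    print("dynamic signature, amount+account signed:", mitm_transaction_approved("ds", "1398"))
    print("dynamic signature, low-risk challenge (no fields):", mitm_transaction_approved("ds", "9876"))
```

The last case is the trade-off behind the risk table: a low-risk flow that asks for no transaction fields gives no more MitM protection than ordinary C/R, which is why the high-risk flow on the slide asks for the account number and amount.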