
Todos Dynamic Signatures Next Generation Security Solution


A short presentation on Todos' innovative concept of "Todos Dynamic Signatures", a risk-based authentication solution.



  1. Todos Dynamic Signatures
     - Next generation innovative security solution
  2. Existing OTP and C/R solutions
     - Challenge/Response is vulnerable to Man-in-the-Middle (MitM) attacks
     - Transaction Data Signing does not add context; is “1133200” = “$ 11,332.00” or “1133-200” (an account number)?
     - Transaction Data Signing is sensitive to certain kinds of cross-channel attack we might see in the future
     - One-time-password (both event- AND time-based) for transaction authorization is reaching end-of-life
  3. Weakness with Challenge / Response: Man-in-the-Middle (MitM) attack (diagram)
     - Internet banking: the MitM sits between the end-user and the bank and has the user sign the MitM's transaction
     - MitM's perspective and Internet bank's perspective: Challenge 653 265, Response 123 456, MitM's transaction approved!!
  4. Weakness with Challenge / Response: Man-in-the-Middle (MitM) attack, continued (diagram)
     - End-user's perspective (LOGIN): From: Private Savings 0458-55326; Transfer To: James A.A 0459-9658,326; Amount: $ 125,00; Challenge: 653 265; Response: 123 456; [OK] [Cancel]
     - MitM's perspective: From: Private Savings 0458-55326; Transfer To: Mr Evil 9544-6663,002; Amount: $ 50 000,00; Challenge: 653 265; Response: 123 456
     - Internet bank's perspective: the same challenge 653 265 produces the same response 123 456 from an ordinary C/R device for both transactions, so the MitM's transaction is approved!!
  5. What are other banks doing?
  6. Case #1 Nordea: Nordea's own words
  7. Case #1 Nordea
     - Nordea e-kod
     - Nordea acted strongly to re-establish trust
     - Nordea replaced their existing one-time-password solution
     - Nordea implemented security solutions stronger than CAP, with ”Advanced Signing”
     - The new security solution has effectively stopped all attacks on the internet bank
  8. Case #2 ABN AMRO (Source: Finextra 2/4-07)
  9. Case #2 ABN AMRO
     - ABN AMRO e.dentifier2
     - ABN Amro had to act strongly
     - One year later, in June-08, ABN Amro started deploying its third generation security solution ”e.dentifier2”
     - Protects banking customers over the next 5-7 years
     - True mitigation against Man-in-the-Middle attacks, with improved Transaction Data Signing with ”Sign-What-You-See” (SWYS)
     - ”The most secure end-user device today” (ABN Amro’s own statement)
  10. Requirements for a security solution
      - A solution needs to handle many different services! Banking, shopping, government etc.
      - It must be portable, trustworthy & attractive! Used everywhere
      - It must host different security options! Security when needed, virus-free environment, configurable: high risk, low risk, legal demands etc.
      - Low total cost of ownership! Easy to use, simple logistics
      The authentication solution must be flexible; a simple one-function device is no more…
  11. Todos Dynamic Signatures: The future of eBanking & eCommerce
  12. Todos Dynamic Signatures (business rule agility)
      - Mitigates Man-in-the-Middle: the risk in the current transaction is analysed, and the user process flow is remotely controlled, based on the challenge value, to dynamically control which data fields need to be signed in the transaction by the end-user
      - Prevents cross-channel attacks: the reader protects against cross-channel attacks by having separate buttons for Login, Sign and e-commerce, so one response cannot be re-used in a different channel
      - Future proof: the solution will secure the online bank over the next 5-7 years
      - Risk based process flow: the reader supports the bank's business processes; the bank can make agile business decisions that affect the business rules in the reader, decided by the bank in real time
  13. Todos Dynamic Signatures, cont. (business rule agility)
      - Informed consent: Dynamic Signatures allows the customer to review and approve vital information in the transaction, to strengthen the act-of-will
      - User convenience: 99.4% of all transactions are low risk; make sure these are user-friendly
      - Connected and unconnected mode: the solution works in both connected and unconnected mode, enabling a bank to use it for all channels
  14. Todos Dynamic Signatures, act of will
      Todos Dynamic Signatures adds functionality to the process/device that forces the user to actively make decisions in the process, increasing customer awareness in the transaction process. The challenge decides which combination of questions is asked.
  15. Todos Dynamic Signatures, LOW RISK (screen flow)
      - Internet bank page, Transaction data: From Account Privat acc 0458-3865,986; To Account Privat acc 0458-6532,659; Amount 100,00; Challenge 986 523; Response 567 890; [Sign] [Cancel] → Transaction Successful
      - Reader (buttons SIGN, CODE, BUY, LOGIN, OK): Sign → Challenge? 986 523 → Enter PIN? **** → Response: 567 890
  16. Todos Dynamic Signatures, HIGH RISK (screen flow)
      - Internet bank page, Transaction data: From Account Privat acc 0458-3865,986; To Account James A.A 0459-9658,326; Amount 5 000,00 (EUR); Challenge 653 265; Response 723 905; [Sign] [Cancel] → Transaction Successful
      - Reader (buttons SIGN, CODE, BUY, LOGIN, OK): Sign → Challenge? 635 265 → Amount: 5 000,00 → Account Number 0459 9658 326 → Enter PIN? **** → Response: 723 905
  17. Todos Dynamic Signatures, risk based
      The solution is designed to meet changes in authentication demands: handling new types of risk, emergency changes of security level, and new and improved methods of managing risk in the future. You can at any time change the set of “chosen” questions!

      | Function | Low risk | Medium risk | High risk |
      |---|---|---|---|
      | National transfer | <1000€ OTP | >1000€ C/R | >10000€ C/R+DS |
      | International credit transfer | N/A | >100€ C/R+DS | C/R+DS |
      | Recurring transfer | | | |
      | Account to account transfer | | | |
      | Online shopping transaction | | | |
  18. Todos Dynamic Signatures SUMMARY
      - Solves the problem of missing context for a particular transaction, supporting Act-of-Will (end-user awareness)
      - Risk based system enabling the bank to control the risk in each and every transaction
      - Allows low risk transactions to be carried out more easily and straightforwardly, i.e. C/R
      - Only high-risk transactions are handled in a more complex manner, i.e. SWYS
      - Puts more intelligence in the end-user’s device by pre-loading it with several action lists, i.e. templates
      - Changing at one point (back-end) changes the behaviour for all end-user devices
      - Leverages MasterCard CAP / VISA DPA
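The mechanism of slides 12 to 18, simulated as an added example (not Todos' code, and not the real CAP/DPA algorithm): a hypothetical back-end policy following the slide-17 table picks the method, the challenge's leading digit selects one of the pre-loaded templates (which fields the reader asks the user to key in), and the bank recomputes the response over the transaction it actually received. The device key, the template encoding in the challenge and the HMAC construction are assumptions; the MitM scenario reuses the payee values from slide 4.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in a real CAP/DPA reader the key lives in the card chip.
DEVICE_KEY = b"constructed-demo-device-key"

# Pre-loaded "action lists" (templates): template id -> fields the reader asks
# the user to key in and sign. Template 0 is plain challenge/response.
TEMPLATES = {0: [], 1: ["amount"], 2: ["to_account", "amount"]}

def risk_policy(function, amount_eur):
    """Hypothetical back-end policy following the slide-17 table."""
    if function == "international_credit_transfer":
        return "C/R+DS"
    if function == "national_transfer":
        if amount_eur < 1000:
            return "OTP"
        if amount_eur <= 10000:
            return "C/R"
        return "C/R+DS"
    return "C/R"

def make_challenge(method):
    """Bank side: the leading digit tells the reader which template to run."""
    template_id = 2 if method == "C/R+DS" else 0
    return f"{template_id}{secrets.randbelow(10**5):05d}"

def reader_response(challenge, shown_tx):
    """Reader side: prompt for the template's fields, then MAC challenge+fields."""
    fields = TEMPLATES[int(challenge[0])]
    msg = challenge + "|" + "|".join(str(shown_tx[f]) for f in fields)
    digest = hmac.new(DEVICE_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{int(digest, 16) % 10**6:06d}"

def bank_verify(challenge, received_tx, response):
    """Bank side: recompute the response over the transaction it actually received."""
    expected = reader_response(challenge, received_tx)
    return hmac.compare_digest(expected, response)

def simulate_mitm(method):
    """User signs what they see; a MitM swaps payee and amount before the bank sees them.
    Returns True if the bank would approve the MitM's transaction."""
    user_sees = {"to_account": "0459-9658,326", "amount": "125.00"}
    bank_gets = {"to_account": "9544-6663,002", "amount": "50000.00"}
    challenge = make_challenge(method)
    return bank_verify(challenge, bank_gets, reader_response(challenge, user_sees))
```

With plain C/R (template 0) the response binds no transaction data, so `simulate_mitm("C/R")` approves the swapped transaction; with C/R+DS the recomputation over the received payee fails.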
  19. Security Levels (chart: Security Level vs. Fraudster Capability, 1996 to 2008, with Dynamic Signatures as the step up)
      ”HOW MUCH DO WE NEED TO RAISE OUR SECURITY LEVEL AND WHEN?” - Do it whenever it is needed! With the tools you already have rolled out.
      ”In 1996 we knew where our security level was at and the capability of the fraudster. Today we do not know when our solution will be hacked; we do however know that it will be” - Internet Bank Director
  20. One step up is not enough…
      Frauds are becoming more and more sophisticated … and so is fraud mitigation ... Make sure you take a dynamic leap
      - Security ladder (diagram): Static Passwords → OTP → Challenge Response → SWYS → Secure Domain Separation → Dynamic Signatures
      - Threats (diagram): ID theft, key logging, phishing, spyware, man-in-the-middle, man-in-the-browser
  22. Todos’ Promise: A UNIQUE POSITION
      Todos holds a unique position by offering…
      - … One system for all solutions
        - All devices can be used simultaneously
        - One end-user can have multiple devices
        - Multi-issuer service
        - Cost efficient with low total cost of ownership
      - … a wide range of devices
        - From printed cards and tokens to connectable readers
        - Enables true segmentation of users
      - … High technical knowledge
        - Secure Domain Separation
        - Todos Dynamic Signatures – true agility
        - Sign-What-You-See
        - Customization: tailor-made look and feel
  23. Thank You. Peter Gullberg, VP Product Strategy, [email_address]