Enhanced Authentication

Presentation I did in Trondheim
http://petergullberg.wordpress.com

(UPDATED, slideshare had some problem with the presentation, so I removed the PPT issues)

Published in: Business, Economy & Finance
Slide notes (items 14 and 15): “explicit consent” (Norwegian: “uttrykkelig samtykke”)
  • Enhanced Authentication

    1. eCommerce: What does the online user look like?…
    2. eCommerce: Like this?…
    3. eCommerce: … maybe like this? ...
    4. eCommerce: …, or simply unaware?
    5. eCommerce: We need to protect our users online …
    6. eCommerce: … without making it difficult for the user
    7. eCommerce: Success factors for online security? …
    8. eCommerce, Usability: The user must understand how, and why, to use a security solution
    9. eCommerce, Usability: The user must understand how, and why, to use a security solution. If not, the user will abandon it, or simply try to skip it
    10. eCommerce, CONTEXT: User awareness guarantees that the user understands a certain action
    11. eCommerce, CONTEXT: User awareness guarantees that the user understands a certain action. User awareness is achieved through context
    12. eCommerce: This is NOT the normal yada-yada. When a user understands and agrees on an action he is taking, it is referred to as consent
    13. eCommerce: This is NOT the normal yada-yada. When a user understands and agrees on an action he is taking, it is referred to as consent. For a user to understand what he agrees on, he may need to confirm details
    14. eCommerce, CONSENT: It is important that the user can communicate his intention to the bank
    15. eCommerce, CONSENT: It is important that the user can communicate his intention to the bank. If not, it might be used by an attacker
    16. eCommerce, Risk perception: The user must understand the risk in an action.
    17. eCommerce, Risk perception: The user must understand the risk in an action. Until it has been understood, the user is unaware (this photographer will use a zoom lens next time!)
    18. eCommerce, Trust: Trust = reliability + delight (T = r + d). Trust comes from meeting and beating customer expectations.
    19. eCommerce, Is there a silver bullet? The bank needs a solution that everyone can use
    20. eCommerce, Is there a silver bullet? The bank needs a solution that everyone can use. Users need a variety of solutions, for different lifestyles
    21. Existing OTP and Challenge/Response solutions are not sufficient • Challenge/Response does not protect against Trojans or Man-in-the-Middle (MitM) attacks
    22. Existing OTP and Challenge/Response solutions are not sufficient • Challenge/Response does not protect against Trojans or Man-in-the-Middle (MitM) attacks • Transaction Data Signing (V1-V8) does not add context for eBanking; is “1133200” = “$ 11,332.00” or “1133-200” (account number)?
    23. Existing OTP and Challenge/Response solutions are not sufficient • Challenge/Response does not protect against Trojans or Man-in-the-Middle (MitM) attacks • Transaction Data Signing (V1-V8) does not add context for eBanking; is “1133200” = “$ 11,332.00” or “1133-200” (account number)? • One-time passwords for transaction authorization are reaching end-of-life (both event- AND time-based)
    24. Weakness with Challenge/Response, MAN-IN-THE-MIDDLE (MitM) ATTACK (diagram): three perspectives are shown, the MitM's, the Internet Bank's and (from slide 25) the End-User's. Components: INTERNET BANKING, an ordinary C/R device, the BANK's C/R server.
    25. End-User's perspective: LOGIN, then TRANSACTION. Transfer From: Private Savings 0458-55326; To: James A.A 0459-9658,326; Amount: $ 125,00. Challenge: 653 265, Response: 123 456, Cancel / OK.
    26. Man-in-the-Middle! The MitM sits between the user and INTERNET BANKING and substitutes the transaction it forwards to the bank: From: Private Savings 0458-55326; To: Mr Evil 9544-6663,002; Amount: $ 50 000,00. The user still sees the original transfer to James A.A for $ 125,00.
    27. CHALLENGE: the bank issues challenge 653 265 for the MitM's transaction; the MitM relays the same challenge to the user.
    28. RESPONSE: the user's C/R device computes response 123 456 for challenge 653 265 (the device has no knowledge of what is being approved); the MitM forwards the response to the bank.
    29. SIGN MitM's TRANSACTION: the bank accepts response 123 456 for its challenge. MitM's transaction approved !!
    30. Todos Dynamic Signatures: Risk-based two-factor authentication
    31. Q: “Would you sign a blank check?” (Or sign a contract without being able to review the contractual terms?)
    32. Todos Dynamic Signatures • Risk-based process flow: The reader supports the bank's business processes; the bank can make agile business decisions, which control the process flow in the reader, decided by the bank in real time • Mitigates Man-in-the-Middle: The risk in the current transaction is analysed, and the user process flow is remotely controlled, based on the challenge value, to dynamically control which data fields need to be signed in the transaction by the end-user • Prevents cross-channel attacks: The reader protects against cross-channel attacks by introducing context and separating the buttons for Login, Sign and e-commerce, so that one response cannot be re-used in a different channel • Future proof: The solution secures the online bank over the next 5-7 years
    33. Todos Dynamic Signatures • User convenience: 99.4% of all transactions are low risk; make sure these are user-friendly • Act-of-will: Dynamic Signatures allow the customer to review and approve vital information in the transaction, to strengthen the act-of-will, “empower the user” • Connected and unconnected mode: The solution works both in connected and unconnected mode, which enables a bank to use this for all channels • Second Channel Confirmation: The solution provides an Out Of Band confirmation inside the existing channel
    34. Todos Dynamic Signatures, act of will: Based on the challenge, the bank controls the process flow in the user's device.
        ”Enter challenge:” ”21”
        Prompt codes:
          ’1’ : ”Enter amount:”
          ’2’ : ”Select currency:” (EUR / USD / GBP / YEN / OTHER)
          ’3’ : ”Enter account no:”
          ’4’ : ”Enter phone number:”
          ’5’ : Confirm transaction type
          ’6’ : ”Enter V{1-8}:” (V1-V8)
        ”Enter PIN:” _ _ _ _
        ”Response: 123456”
    35. Todos Dynamic Signatures: Depending on the risk in the transaction, the customer's participation in the authorisation process is adjusted accordingly.
        HIGH RISK: Challenge? 635 265 → Account Number 0459 9658 326 → Amount: 5 000,00 → Enter PIN? **** → Response: 567 890
        LOW RISK:  Challenge? 986 523 → Enter PIN? **** → Response: 723 905
    36. Todos Dynamic Signatures, risk based
        Function                        Low risk         Medium risk        High risk
        National transfer               <1000€: OTP      >1000€: C/R        >10000€: C/R+DS
        International credit transfer   N/A              >100€: C/R+DS      C/R+DS
        Recurring transfer
        Account to account transfer
        Online shopping transaction
        The solution supports new banking services in the future, where it is possible to mitigate risks not seen today.
    37. Todos Dynamic Signatures, risk based (repeats slide 36)
    38. Todos Dynamic Signatures, risk based (as slide 36, adding:) You can at any time change which questions to ask the user!
    39. Todos Dynamic Signatures: A300, onMobile (mobile OTP), Authenticator Token, XML-Sign, inSim, What You See
    40. Todos Dynamic Signatures: The bank needs a standard device. A300, onMobile (mobile OTP), Authenticator Token, XML-Sign, inSim, What You See
    41. Todos Dynamic Signatures: The bank needs a standard device. Users want it to fit their lifestyle. A300, onMobile (mobile OTP), Authenticator Token, XML-Sign, inSim, What You See
    42. 42. Thank You
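The two ideas in the deck, the MitM weakness of an ordinary challenge/response device (slides 24-29) and the challenge-driven dynamic signature that binds the confirmed transaction fields (slides 32-38), as an added Python example; this is not code from the presentation or from Todos. Everything concrete in it is constructed: HMAC-SHA256 truncated to six digits stands in for whatever the real token computes, the challenge encoding (a count, the requested field codes, then a six-digit nonce), the FIELD_CODES mapping and the amount thresholds in risk_codes are all assumptions chosen to mirror slides 34 and 36, and the account numbers and amounts are the ones on the slides.

```python
"""Constructed demo: plain challenge/response vs. a dynamic, context-bound signature."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed shared secret; a real C/R device keeps its key in tamper-resistant hardware.
TOKEN_KEY = b"demo-token-key-not-real"

# Field codes a challenge may ask the device to confirm (assumed encoding, after slide 34).
FIELD_CODES = {"1": "amount", "2": "currency", "3": "to_acct"}


@dataclass(frozen=True)
class Transaction:
    from_acct: str
    to_acct: str
    amount: str      # decimal string, e.g. "50000.00"
    currency: str


def mac6(msg: str) -> str:
    """Six-digit code from HMAC-SHA256 (illustrative truncation, not a vendor scheme)."""
    digest = hmac.new(TOKEN_KEY, msg.encode(), hashlib.sha256).digest()
    return "{:06d}".format(int.from_bytes(digest[:4], "big") % 1_000_000)


def risk_codes(tx: Transaction) -> str:
    """Assumed risk policy in the spirit of slide 36: high value signs amount, currency and
    account; medium value signs the amount; low value signs nothing (behaves like plain C/R)."""
    value = float(tx.amount)
    if value >= 10_000:
        return "123"
    if value >= 1_000:
        return "1"
    return ""


def make_challenge(codes: str, nonce: str = "") -> str:
    """Challenge = <number of codes><codes><6-digit nonce>; the device parses the prefix."""
    nonce = nonce or "{:06d}".format(secrets.randbelow(1_000_000))
    return "{}{}{}".format(len(codes), codes, nonce)


def parse_challenge(challenge: str) -> Tuple[str, str]:
    n = int(challenge[0])
    return challenge[1:1 + n], challenge[1 + n:]


def plain_cr_response(challenge: str) -> str:
    """Ordinary C/R token: the response depends on the challenge only, never on the data approved."""
    return mac6("CR|" + challenge)


def device_ds_response(challenge: str, user_confirmed: Dict[str, str]) -> str:
    """Dynamic signature: the device prompts for exactly the fields the challenge requests and
    binds the values the user keyed in. The field list comes from the challenge, so a relay
    cannot silently downgrade the prompts without changing the MAC input as well."""
    codes, nonce = parse_challenge(challenge)
    parts = ["DS", nonce, codes]
    for c in codes:
        field = FIELD_CODES[c]
        parts.append("{}={}".format(field, user_confirmed[field]))
    return mac6("|".join(parts))


def bank_verify_cr(challenge: str, response: str) -> bool:
    return hmac.compare_digest(plain_cr_response(challenge), response)


def bank_verify_ds(challenge: str, tx: Transaction, response: str) -> bool:
    """The bank recomputes the signature over the transaction it actually received."""
    return hmac.compare_digest(device_ds_response(challenge, vars(tx)), response)


def mitm_scenario(scheme: str) -> bool:
    """Replays slides 24-29. Returns True if the bank ACCEPTS the substituted transaction."""
    intended = Transaction("0458-55326", "0459-9658326", "125.00", "USD")      # what the user sees
    substituted = Transaction("0458-55326", "9544-6663002", "50000.00", "USD")  # what the bank gets
    if scheme == "cr":
        challenge = make_challenge("", "653265")
        response = plain_cr_response(challenge)          # device never learns the amount or payee
        return bank_verify_cr(challenge, response)
    challenge = make_challenge(risk_codes(substituted), "653265")
    response = device_ds_response(challenge, vars(intended))  # user confirms what he intends
    return bank_verify_ds(challenge, substituted, response)


def honest_scenario() -> bool:
    """No attacker: the user's confirmed values match what the bank received."""
    tx = Transaction("0458-55326", "0459-9658326", "5000.00", "EUR")
    challenge = make_challenge(risk_codes(tx), "635265")
    return bank_verify_ds(challenge, tx, device_ds_response(challenge, vars(tx)))


if __name__ == "__main__":
    print("plain C/R, MitM transaction accepted:", mitm_scenario("cr"))   # True: the weakness
    print("dynamic signature, MitM transaction accepted:", mitm_scenario("ds"))  # False
    print("dynamic signature, honest transaction accepted:", honest_scenario())  # True
```

The point the code makes is the one slide 28 makes in prose: a response that is a function of the challenge alone is equally valid for any transaction the relay chooses to send, while a response that also covers the amount and payee the user keyed in on the device only verifies if the bank received those same values. The low-risk tier (empty code list) deliberately collapses to plain C/R, which is the trade-off slide 33 describes.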