3. Vulnerability of Smart Phones
Smartphones are a permanent point of access to the internet (mostly on),
so they can be compromised more easily than computers.
Implied permission
• This infection relies on the user's habit of installing software. Most trojans try to seduce the user into installing attractive applications (games, useful applications etc.) that actually contain malware.
Common interaction
• This infection is related to a common behaviour, such as opening an MMS or email.
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
4. Dangers of Relying Solely on User ID / Password for sensitive data
• Flexispy is a commercially available application for spying.
• The program sends all information received and sent from the smartphone to a Flexispy server. It was originally created to protect children and spy on adulterous spouses.
6. Typical Mobile Malware Gameplan
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
7. Get Malware installed by user
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
8. What Hackers want to achieve
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
9. Level of enforcement before allowing apps on AppStore / Google Play
Will a hacker be deterred by the need to provide IP/SMS or Credit Card?
Are Corporate ID and Personal ID (Driver's License) numbers good enough to ensure malware is not disguised as an App?
http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
11. National Authentication Framework
What is NAF
• nationwide platform for the adoption of strong authentication
• for eServices that handle sensitive information and/or facilitate transactions
• provides trusted and cost-effective authentication.
Why
• fulfil strong authentication requirements from regulators, banks and financial institutions, government & healthcare
The National 2FA system has been operational since December 2011
13.
• Stronger security is required to protect sensitive data
• This valuable repository of personal information includes income tax, CPF and HDB Loan Records.
• SingPass – set up for every resident aged 15 and above in 2003 …. There are more than 2.8 million SingPass users today.
• Assurity, a subsidiary of IDA, is the sole bidder
14. OneKey Mission: Consumer Security & Convenience
OneKey can be used across multiple Service Providers, Banks, Government, online services, corporate VPN etc…
15. OneKey’s Value Proposition
• Stronger protection against online identity theft & fraud
• Convenience to end-users: a single authentication device across multiple online services (e.g. banking, trading, govt e-services, insurance, online commerce etc)
• Giving consumers a choice to manage their own security policies
16. OneKey: A Convenient, Secure Authentication Mechanism
• Current Offerings
– Assurity provides 2FA services via the OneKey Pad – a robust and integrated mechanism that is secure, convenient and cost-effective
– OneKey Pad offers 3 options of 2FA - OTP, Challenge Response and Transaction Signing.
– OneKey SMS – OTP delivered via SMS for convenience to users
• Under Development
– OneKey Card
– OneKey Mobile
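As an added example (not code from this deck or from Assurity), the following shows how the three 2FA modes named for the OneKey Pad differ when each is built as an HMAC-derived code: a counter-based OTP, a response bound to a server challenge, and a signature bound to the payee and amount keyed into the pad. HMAC-SHA256, the 6-digit truncation and the look-ahead window are assumptions for this illustration; the page does not describe OneKey's actual algorithms.

```python
import hmac
import hashlib

# Added illustration of the three 2FA modes listed for the OneKey Pad
# (OTP, challenge-response, transaction signing). HMAC-SHA256, the 6-digit
# truncation and the look-ahead window are assumptions made for this
# example; the page does not describe OneKey's actual algorithms.

DIGITS = 6

def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226-style dynamic truncation: take a 31-bit window chosen by the
    low nibble of the last MAC byte and reduce it to a fixed number of digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _code(seed: bytes, msg: bytes) -> str:
    """Shared MAC step; callers prefix msg so the three modes never share codes."""
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())

def otp(seed: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the shared seed and a moving counter."""
    return _code(seed, b"otp|" + counter.to_bytes(8, "big"))

def challenge_response(seed: bytes, challenge: str) -> str:
    """The server issues a fresh challenge and the response is bound to it, so a
    code captured during one login is useless for the next."""
    return _code(seed, b"chal|" + challenge.encode())

def transaction_signature(seed: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """The code is bound to the payee and amount the user keys into the pad, so a
    transaction altered in transit (e.g. by malware on the PC) fails to verify."""
    return _code(seed, f"txn|{payee}|{amount_cents}|{nonce}".encode())

def verify_otp(seed: bytes, server_counter: int, code: str, window: int = 5):
    """Server side: accept a code within a small look-ahead window (token presses
    that never reached the server), then advance the stored counter past it.
    Returns the new counter to store, or None; the advance is what defeats replay."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(otp(seed, c), code):
            return c + 1
    return None

def verify_code(expected: str, presented: str) -> bool:
    """Constant-time comparison for challenge-response and signing codes."""
    return hmac.compare_digest(expected, presented)
```

The server must persist the counter returned by `verify_otp` before answering the client; otherwise the same OTP can be presented again within the window.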
17. OneKey: A Reliable & Trusted Security Device
*Compliances & Certifications
• Certified to ISO/IEC 27001:2005
• **Complied to MAS IBTRM V3 & 2012 Consultation Paper 2nd Factor Authentication
• Complied to Government IM8 requirements
• Complied to SS540
• Complied to TIA942
• Complied to FIPS
Your complete solution to compliance with ***MAS. Quick, Cost-Effective & Always Updated!
*Certifications are renewed and audited annually
** Fully redundant active-active tier 3 data centres
*** Assurity is the appointed NAF operator and works closely with MAS
18. Assurity's Service Model
[Diagram: Assurity sends the OneKey to the End User; the SMS OTP is delivered to the End User's mobile device]
SP – Service Providers
OTP – One Time Password
19. Committed Service Level
Basic Service Offering
§ 2FA using OneKey Pads
§ 2nd factor credential registration, issuance and management
§ Authentication Service:
  § 99.99% service availability
  § 90% within 800ms, 100% within 2 seconds
  § 24x7 technical support
Additional Service Offerings
§ Dedicated technical support packages
§ SMS OTP traffic charges
20. Service Levels
Item: Service Level
Authentication Service Availability: 99.99% in a month
Authentication requests completed: 90% within 800 msec; 100% within 2 sec
Issuance of tokens and password mailers to end-user: Within 3 and 3+2 working days*
Severity 1, 2, 3 requests: 3 levels of service support
• Basic
• Gold
• Platinum
21. Use Cases of OneKey
1. 2FA for online services
2. Incorporate OneKey 2FA into mobile apps so that consumers know that it is an authentic app
3. Corporate VPN 2FA to access corporate applications
Assurity provides SPs with a test environment and specifications to connect to OneKey
22. Budget to leverage on OneKey
• Volume based pricing: volume per year up to 3M, 6 ¢/Transaction
• Early-adoption special for SPs that sign up before Dec 2013: 4.5 ¢/Transaction
• Billed monthly based on prorated volume
• Fees waived for the first 2 years from system live-date (Dec 2011 – Dec 2013)
23. Other Costs for Budgeting
• SP’s Setup
– Application 2FA Page (Resources to develop, test)
– Connections to Assurity (MPLS or IPSec VPN over Internet)
• SMS Traffic Cost for Authentications Using SMS OTP
– Connection to SMS aggregator, SMS traffic cost
• Customer Support
– SPs handle 1st level of calls typically
– Assurity provides training materials to help SP helpdesk
– Assurity will offer 24 x 7 customer support for 2FA calls that require escalation
• NAF Gateway from accredited partners
– Easier implementation
– Time to market
• Budget range from SGD 70K – 250K depending on organisation's requirements
24. Service Support Levels
Columns: Support Level, Severity, Initial Response*, Communication Frequency**, Resolution***
Basic Support
Severity 1: initial response 2 hours; updates every 2 hours; resolution 8 hours
Severity 2: initial response 4 hours; updates every business day; resolution 4 business days
Severity 3: initial response 8 hours; updates every 2 business days; resolution 7 business days
Gold Support
Severity 1: initial response 30 minutes; updates every 30 minutes; resolution 4 hours
Severity 2: initial response 1 hour; updates every 2 hours; resolution 8 hours
Severity 3: initial response 4 hours; updates every business day; resolution 4 business days
Platinum Support
Severity 1: initial response 15 minutes; updates every 15 minutes; resolution 2 hours
Severity 2: initial response 30 minutes; updates every 1 hour; resolution 4 hours
Severity 3: initial response 3 hours; updates every business day; resolution 3 business days
* Initial Response: First update to SP regarding the current status of the issue from the time the incident is reported.
** Communication Frequency: Frequency at which the support team updates the SP on the status of the issue.
*** Resolution: Time allowed to resolve the issue.
25. NAF Technical Architecture
Fully redundant Architecture
2 Data centres with:
• Dual telecommunications providers and Internet service providers
• Dual power supply
• Synchronised data between both Active sites
26. NAF Technical Architecture
• Fully redundant architecture (active-active)
• NAF Systems to the SPs are NOT exposed directly to the Internet
- NAF AO connects to SPs only via Private Network
• NAF's infrastructure service availability and uptime ~ 99.999% availability and RTO=0
27. THANK YOU
Jason Kong, Deputy Director
Assurity Trusted Solutions, a wholly owned subsidiary of IDA
jason@assurity.sg jason_kong@ida.gov.sg
Mobile: +65 9851 – 0020