Enhanced Authentication

Finance

Published on March 6, 2009

Author: peter_gullberg

Source: slideshare.net

Description

Presentation I did in Trondheim
http://petergullberg.wordpress.com

(UPDATED: slideshare had some problems with the presentation, so I removed the PPT issues)

eCommerce

What does the online user look like?…

Like this?…

… maybe like this? …

…, or simply unaware?

We need to protect our users online …

… without making it difficult for the user

Success factors for online security? …

Usability: The user must understand how, and why, to use a security solution. If not, the user will abandon it, or simply try to skip it.

Context: User awareness guarantees that the user understands a certain action. User awareness is achieved through context.

This is NOT the normal yada-yada: when a user understands and agrees on an action he is taking, it is referred to as consent. For a user to understand what he agrees to, he may need to confirm details.

Consent: It is important that the user can communicate his intention to the bank. If not, it might be used by an attacker.

Risk perception: The user must understand the risk in an action. Until it has been understood, the user is unaware (this photographer will use a zoom lens next time!)

Trust: Trust comes from meeting and beating customer expectations. T = r + d: Trust = reliability + delight.

Is there a silver bullet? Banks need a solution that everyone can use. Users need a variety of solutions, for different lifestyles.

Existing OTP and Challenge/Response solutions are not sufficient
• Challenge/Response does not protect against Trojans or Man-in-the-Middle (MitM) attacks
• Transaction Data Signing (V1-V8) does not add context for eBanking; is “1133200” = “$ 11,332.00” or “1133-200” (account number)?
• One-time password for transaction authorization is reaching end-of-life (both Event- AND Time-based)

Weakness with Challenge/Response: Man-in-the-Middle (MitM) attack (figure)
Panels: End-user's perspective, MitM's perspective, Internet bank's perspective; Internet banking site, ordinary C/R device, bank C/R server.
End-user's intended transaction: Transfer from Private Savings 0458-55326 to James A.A 0459-9658,326, amount $ 125,00.
MitM's substituted transaction: Transfer from Private Savings 0458-55326 to Mr Evil 9544-6663,002, amount $ 50 000,00.
Sequence: LOGIN; TRANSACTION (the MitM replaces recipient and amount); CHALLENGE 653 265 relayed unchanged from bank to end-user; RESPONSE 123 456 relayed unchanged from end-user to bank; the bank signs the MitM's transaction; MitM's transaction approved!!

Todos Dynamic Signatures: risk based two-factor authentication

Q: “Would you sign a blank check?” (Or sign a contract without being able to review the contractual terms?)

• Risk based process flow: The reader supports the bank's business processes; the bank can make agile business decisions, which control the process flow in the reader, decided by the bank in real time
• Mitigates Man-in-the-Middle: The risk in the current transaction is analysed, and the user process flow is remotely controlled, based on the challenge value, to dynamically control which data fields need to be signed in the transaction by the end-user
• Prevents cross channel attacks: The reader protects against cross channel attacks by introducing context and separating the buttons for Login, Sign and e-commerce, so that one response cannot be re-used in a different channel
• Future proof: The solution secures the online bank over the next 5-7 years
• User convenience: 99.4% of all transactions are low risk; make sure these are user-friendly
• Act-of-will: Dynamic Signatures allow the customer to review and approve vital information in the transaction, to strengthen the act-of-will, “empower the user”
• Connected and unconnected mode: The solution works in both connected and unconnected mode, enabling a bank to use it for all channels
• Second Channel Confirmation: The solution provides an Out Of Band confirmation inside the existing channel

Dynamic Signatures, act of will: Based on the challenge, the bank controls the process flow in the user's device.
”Enter challenge:” ”21”
Challenge digit and the prompt it triggers on the device:
’1’ : ”Enter amount:”
’2’ : ”Select currency:” EUR / USD / GBP / YEN / OTHER
’3’ : ”Enter account no:”
’4’ : ”Enter phone number:”
’5’ : Confirm transaction type
’6’ : ”Enter V{1-8}:” (V1-V8)
Then ”Enter PIN:” _ _ _ _ and ”Response: 123456”

Dynamic Signatures: Depending on the risk in the transaction, the customer's participation in the authorisation process is reflected accordingly.
HIGH RISK: Challenge? 635 265 / Account Number: 0459 9658 326 / Amount: 5 000,00 / Enter PIN? **** / Response: 723 905
LOW RISK: Challenge? 986 523 / Enter PIN? **** / Response: 567 890

Dynamic Signatures, risk based

Function                      | Low risk     | Medium risk    | High risk
National transfer             | <1000€: OTP  | >1000€: C/R    | >10000€: C/R+DS
International credit transfer | N/A          | >100€: C/R+DS  | C/R+DS
Recurring transfer            |              |                |
Account to account transfer   |              |                |
Online shopping transaction   |              |                |

The solution supports new banking services in the future, where it is possible to mitigate risks not seen today. You can at any time change which questions to ask the user!
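As an added example (not from the presentation or from Todos), the following toy Python model contrasts the plain challenge/response relay shown in the MitM figure with a challenge whose leading digits select the transaction fields the user must re-enter on the reader, as in the act-of-will and risk-matrix slides. The two-digit code prefix, the field codes, the HMAC construction, the shared key and the transaction values are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed shared secret; a real reader holds a per-device key.
KEY = b"constructed-demo-device-key"

# Field codes the bank may place in the first two challenge digits,
# after the slide's menu ('0' = no field). Assumed encoding.
FIELD_CODES = {"1": "amount", "3": "account"}


def build_challenge(tx, nonce):
    """Bank side: the slide's national-transfer matrix picks the prompts.
    Above 10000 EUR: C/R plus data signing of amount and account number;
    otherwise a plain challenge/response with no extra prompts."""
    codes = "13" if tx["amount"] > 10000 else "00"
    return codes + nonce


def response(challenge, entered):
    """Reader side: sign the challenge plus every field its first two
    digits request, using the values the user typed on the reader.
    The code gives the context the slides ask for: '1|50000.0' is an
    amount and '3|1133-200' an account number, never a bare '1133200'."""
    msg = challenge
    for code in challenge[:2]:
        if code in FIELD_CODES:
            msg += "|" + code + "|" + str(entered[FIELD_CODES[code]])
    digest = hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()
    return digest[:6]  # display-sized response, as on the slide


def bank_verify(tx, challenge, resp):
    """Bank side: recompute over the transaction it actually received."""
    return hmac.compare_digest(response(challenge, tx), resp)


def relay_scenario(intended, received, nonce):
    """The challenge travels bank -> user and the response user -> bank
    unchanged, as in the figure. The user types the values of the transfer
    they intended; the bank checks against the transaction it received.
    With no field prompts the response binds nothing but the challenge,
    which is exactly the weakness the figure shows; with prompts, any
    difference between intended and received values fails verification."""
    challenge = build_challenge(received, nonce)
    return bank_verify(received, challenge, response(challenge, intended))
```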

Dynamic Signatures: The bank needs a standard device; users want it to fit their lifestyle.
Device options: A300, onMobile (mobile OTP), Authenticator Token, XML-Sign, inSim, What You See

Thank You
