
WHAT KEEPS USERS AWAY?
[Chart: bar chart of reasons given for not using online banking, by year 2005–2008, with the share of respondents on the horizontal axis (0%–60%): “I fear that my account information will be viewed by an unauthorized party”; “I prefer dealing with people”; “I do not want to pay a fee”; “I do not find online banking valuable”.]
©Javelin Strategy and Research, August 2008
Identity Fraud –
Evolution and Solutions
SiliconIndia Security Conference 2011,
Mumbai
Agenda
• Attack vectors
– Phishing
– Man-in-the-middle (MITM) attacks
– Malware
• Solutions
– One-time passwords
– Transaction signatures
– Endpoint assessment
• Summary

Phishing

Pharming
[Diagram: the user's browser asks the DNS server (local or ISP) for www.nicebank.com; because the attacker has manipulated the name resolution, the user is sent to the attacker's fake website, www.n1cebank.com, instead of the genuine website.]
Smishing

Vishing

Two factor authentication
• Something the user has
• Strengths
– Compromised user credentials are less valuable to the attacker
– Breaks down the traditional economic model of phishing attacks

Types of one-time passwords
• Counter-based one-time passwords
• Time-based one-time passwords
• Challenge-based one-time passwords
• Mutual authentication one-time passwords
• Out-of-band one-time passwords
OATH (Open Authentication)
• A group of technology and industry leaders
– 60+ members
– Open and royalty-free specifications
– Promote interoperability
• Benefits
– Standardization drives down cost
– Prevents “vendor lock-in”
MITM / MITB attacks
Man-in-the-middle attack
[Diagram: the end-user's traffic passes through the MITM before reaching the web server.]
Man-in-the-browser attack
[Diagram: a browser Trojan on the end-user's computer sits between the user and the NetBanking server. Step 1: the user enters “John”, “pswd”, which the Trojan passes on unchanged. Step 2: the user enters the OTP, also passed on unchanged. Step 3: the user submits “$500 to Bob”, but the Trojan sends “$5000 to Bill” to the server.]
Transaction Signing Soft Tokens
• Signature = cryptographic Message Authentication Code
[Diagram: transaction signature flow. On the software token: enter account number (0243758), enter amount (500.00), generate signature (afcbff100). On Internet banking: enter the same account number, amount and signature; the transaction is sealed and stored in the audit log with its signature for verification.]
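As an added illustration, not code from the deck or from any token vendor, a Python sketch of why a transaction signature defeats the man-in-the-browser substitution shown on the earlier slide: the MAC is computed over the account number and amount the user typed into the token, so a code issued for “500.00 to 0243758” is not valid for “5000.00 to Bill”. The shared seed, the counter window and the HOTP-style truncation are assumptions for the example, not any product's actual algorithm.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (not from the deck); account and amount follow the slide.
SECRET = b"demo-token-seed-0123456789abcdef"


def transaction_signature(secret: bytes, counter: int, account: str,
                          amount: str, digits: int = 8) -> str:
    """Transaction signature = truncated HMAC-SHA256 over a moving counter plus
    the transaction fields. Because account and amount are MAC inputs, altering
    either one on the way to the bank invalidates the code."""
    msg = struct.pack(">Q", counter) + account.encode() + b"\x00" + amount.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3) to a short decimal code
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SigningServer:
    """Bank-side verifier: holds the token's seed and the last accepted counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0          # last accepted counter value
        self.look_ahead = look_ahead

    def verify(self, account: str, amount: str, signature: str) -> bool:
        # Try the next few counters (codes generated but never submitted), but never
        # a counter at or below the last accepted one, so a seen code cannot be replayed.
        for c in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            expected = transaction_signature(self.secret, c, account, amount)
            if hmac.compare_digest(expected, signature):
                self.counter = c
                return True
        return False


def demo() -> dict:
    server = SigningServer(SECRET)
    sig = transaction_signature(SECRET, 1, "0243758", "500.00")   # computed on the token
    return {
        "genuine": server.verify("0243758", "500.00", sig),        # True
        "mitb_altered": server.verify("9999999", "5000.00", sig),  # False: fields changed
        "replayed": server.verify("0243758", "500.00", sig),       # False: counter already used
    }
```

The altered account number 9999999 is a constructed placeholder for the attacker's payee; a real Trojan would substitute its own beneficiary, and the result is the same.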
Risk levels (NIST SP 800-63-1)
[Diagram: assurance levels from Minimal through Low and Medium to High, with authentication technologies placed against them, lowest to highest: KBA, OOB, OTP, PKI.]
Security Industry in 2001

Security Industry in 2011

Trojans / Malware

Endpoint Assessment
• Endpoint Security Assessment
[Table: three stages of the assessment.
POLICY: Personal Firewall, Anti-Virus, Spyware, Patches, OS.
SCAN: Inventory Device, File Scan, Process Scan, Registry Scan.
COMPARE: compare the device scan with the access policy; outcome is Allow, Partial Pass or Decline.]
• Session Clean-Up
Summary
• Sophistication of identity fraud schemes is increasing
• Authentication deployments are converging to:
– Hybrid solutions: >1 authentication method per end-user
– Risk-based authentication
– Endpoint security assessment
• Choose a technology that
– Does not lock you in
– Provides the entire solution – from authentication to endpoint assessment to abolishment
Questions and Answers

E-mail: tejas.lagad@nexussafe.com
Mobile: +91 99229 39931
Twitter: @Ltejas
