Addressing Credential Compromise & Account Takeovers: Bearer-sensitive OTPs. Girish Chiruvolu, Ph.D., CISSP, CISM, MBA. ISACA NTX, April 19



Impact Across Every Industry

Phishing: Low Cost, Big Impact for Hackers
[Chart: online industries most targeted by phishing attacks as of the 2nd quarter of 2018. Source: https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/]

Hey, wait a second... We have 2-factor authentication!

2-Factor Authentication + My Little Password We are secure!

Welcome, Advanced 2FA Phishing Automation!
- Tokens (one-time codes)
- SMS
- Approval (out-of-band)


Current 2nd-Factor Authentication Space
All are vulnerable to credential harvesting and account compromise:
- Man-in-the-middle
- Phishing
- Over-the-shoulder
- Keylogger
- Malware
Bearer-agnostic credentials can be intercepted and spoofed by all of the above.

Regular Token Scenario. How it works: account takeover after the victim follows a phishing link, with current 2-factor authentication.
Parties: Victim, Man-in-the-Middle Proxy Server, Authentication Server.
1. Victim requests the login page (from the proxy).
2. Proxy forwards the login request to the authentication server; the login page is served to the proxy and then to the victim.
3. Victim submits credentials (including 2FA) to the proxy.
4. Proxy submits the credentials to the authentication server.
5. Authentication server verifies and accepts the credentials (sets authenticated-state cookies).
Result: ACCOUNT TAKEOVER.

Scenario A and Scenario B are equivalent in credential stealing.
Scenario A: Victim -> Man-in-the-Middle Proxy Server -> Authentication Server.
Scenario B (simulate this): snoop on the victim's passcodes (step 1), then use the snooped passcodes to log in to the authentication server (step 2).

How was the man-in-the-middle (aka proxy spoof) done? Time for a hacking game! URL: https://gmail.com; OTP: on the screen.

We learnt that 2FA + my little password is not enough: current 2FA is bearer-agnostic and insecure!

Protect From Credential Spoofing?
- FIDO-based challenge-response with a public-private key pair
- Bearer-aware OTP generation: an enhancement to OATH OTP, the bearer-aware one-time passcode (BOTP)

FIDO2: Asymmetric, Pre-established Public-Private Keys
- Fast Identity Online (FIDO) Alliance, with U2F
- Utilizes pre-established public-private key pairs to do challenge-response authentication
- Key chain stored typically in USB (hardware) devices
- Near Field Communication (NFC) or Bluetooth Low Energy (BLE) devices for communication with the browser

How Does FIDO Work?


Key Highlights of FIDO2
- User-credential verification is no longer with the service/relying parties but with the authentication agent; it is very important to ensure it is secure
- Risk management and policy enforcement are very important
- SSO and federations are broken; retrofit and customization needed
- Public keys can be replaced with attacker keys
- Backup keys are additional, and account resets are cumbersome
- Application changes: new libraries

Simpler Way to Protect Credentials? Bearer-Aware One-Time Passcodes
- An enhancement to OATH OTP: the bearer-aware one-time passcode (BOTP)
- OTP generation takes additional factors into account: capture the device fingerprint
- Shrinks the attack surface

BOTP Scenario. How it works: no account takeover; BOTP prevents account takeover.
Parties: Victim, Man-in-the-Middle Proxy Server, BOTP Authentication Server.
1. Victim requests the login page (from the proxy).
2. Proxy forwards the login request to the BOTP authentication server; the login page is served to the proxy and then to the victim.
3. Victim submits the bearer-aware BOTP to the proxy.
4. Proxy submits the credentials to the BOTP authentication server.
5. Server verifies who the bearer is, in addition to the proof of shared secret, and rejects the credentials: NO authenticated-state cookies.
Result: NO ACCOUNT TAKEOVER.

Let's hack again? Time for a hacking game! BOTP: on the screen.

Key Highlights of BOTP
- No changes to SSO, federation or applications, and works with all browsers: no browser lock-in
- Credential verification is done at the authentication server end: no reliance on end-user agents
- Shared secrets never leave the devices, and mass exposure is minimized (eliminated) because BOTPs are non-harvestable

BOTP vs. FIDO2

Criterion                                            | BOTP | FIDO2
Works with all browsers                              | Yes  | No, only FIDO-compliant browsers
Verification control at authentication server        | Yes  | No, relies on the end user's agent
No changes to existing federation & single sign-on   | Yes  | Needs custom retrofits
Quantum-safe?                                        | Yes  | Vulnerable
No changes to existing applications                  | Yes  | No, needs substantial software changes

Summary
- Bearer-agnostic authentication schemes (OATH OTP, SMS, RSA, password, etc.) can be spoofed.
- FIDO2 -> public-private keys; shifts risk and verification onto end-user devices; substantial changes to the browser and infrastructure.
- BOTPs are based on a shared secret: bearer-sensitive OTP generation makes bearer-aware, anti-spoofing, anti-phishing codes; cost-effective, no browser lock-in, no changes to infrastructure and applications.

Thank you! Q&A More information: https://uberpasscodes.com