Initiative for Open Authentication OATH Interoperability without Sacrificing Security


Initiative for Open Authentication (OATH): Interoperability without Sacrificing Security
Donald E. Malloy, Jr., NagraID Security
XCL@B, September 7th, 2010

The Open Authentication Reference Architecture (OATH) initiative is a group of companies working together to help drive the adoption of open strong authentication technology across all networks.

Why the need for OATH
- Fraud continues to grow world-wide
- 2008: 285 million consumer records were breached, resulting in almost $1 trillion in losses
- 10 million Americans were victims of fraud last year
- This amounts to over $300M of online fraud last year alone
- Hacking into web sites and stealing passwords continues to be a main focus of fraudsters
- Static passwords are not secure: 80% hacked

OPERATION PHISH PHRY: Major Cyber Fraud Takedown
The defendants in Operation Phish Phry targeted U.S. banks and victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled.

More Hacks: HIGH-TECH HEIST, 2,100 ATMs Worldwide Hit at Once
With cloned or stolen debit cards in hand, and the PINs to go with them, they hit more than 2,100 money machines in at least 280 cities on three continents, in such countries as the U.S., Canada, Italy, Hong Kong, Japan, Estonia, Russia, and the Ukraine. When it was all over, incredibly within 12 hours, the thieves walked off with a total of more than $9 million in cash. And that figure would've been more, had the targeted ATMs not been drained of all their money.

ATM Spews Money
- Barnaby Jack compromised 2 ATMs he purchased from eBay and demonstrated at the recent Black Hat Security Conference
- He hacked into the firmware, not the OS
- These are the type of ATMs found in bars and convenience stores
- He found he could upgrade the firmware via the USB interface
- The key provided by one ATM opened all others of the same model
- He also demonstrated a remote hack of the ATMs over the telephone, a more dangerous hack

Types of Bank Fraud
- Phishing Scams
- Phony Fraud Alert
- Credit Card Scams
- Card Skimming
- Nigerian 419 Scams
- Check overpayment Scams
- Transferring money
- Spyware and keylogging

Recent hacks this year
As social networking develops into a payment model, the hacking is more than a nuisance problem: real money is being scammed.

Koobface: Has tormented users of numerous social networks for the past two years or so, including MySpace and Facebook. During that time, Koobface has evolved in a number of ways, and has been linked to rogue antivirus and malware posing as an Adobe Flash Player update.

Weekend of the Clickjack: During Memorial Day weekend, a clickjacking worm squirmed its way into the lives of hundreds of thousands of Facebook users. The scam worked this way: a message such as "The Prom Dress That Got This Girl Suspended from School" was used as a lure. Clicking on the link that came with the message led users to a third-party site, and clicking anywhere on that page published the initial message on the victim's Facebook page, marked the page as something the user liked and recommended the page to their Facebook friends. In response, Facebook blocked the malicious site associated with the attack.

Malicious Applications: From time to time, social networks are hit with malicious applications. Trend Micro recently found a number of rogue apps on Facebook (with names such as "Stream" and "Birthday Invitations") that sent users to a known phishing domain with a page claiming they needed to enter their login credentials to use the application. Victims would then be directed to the Facebook site. Facebook removed six of the apps identified by Trend by Aug. 20. Unfortunately, more popped up. Users should be wary of applications from unknown developers and of applications that request personal information.

Malvertising Hits Farm Town: In April, users of the popular "Farm Town" game on Facebook were hit with a rogue antivirus scam tied to malicious advertising.

Command and Control: In 2009, security expert Jose Nazario found attackers were using Twitter as a means to send commands to infected computers. In July, EMC's RSA security division uncovered a scheme that used an unidentified social networking site to send commands to a Brazilian banker Trojan. The good news is that once detected, removing these types of C&C points is relatively simple and quick.

Distracting Beach Babes: Just when you thought it was safe to click on a link with a racy picture, the "Distracting Beach Babes" attack struck. Messages were posted on the walls of Facebook users, and the thousands who clicked on the messages were directed to a rogue Facebook app that, if given permission to run, urges users to upgrade their FLV player and directs them to download adware to their computer.

Dislike the Disliking Scam: This survey scam spread virally throughout Facebook. Using the tried-and-true method of enticing messages about celebrities and news (for example, "Justin Bieber trying to flirt"), the scammers tried to trick users into giving them access to their profiles. If a user installed the "dislike button," the app updated their Facebook status to promote the link that tricked them. The app then prompted users to fill out an online survey and directed them to a Firefox browser add-on.

Issues Facing IT Managers

OATH History
Created 5 years ago to provide open source strong authentication. It is an industry-wide collaboration that:
- Leverages existing standards and creates an open reference architecture for strong authentication which users and service providers can rely upon, and leverage to interoperate.
- Reduces the cost and complexity of adopting strong authentication solutions.

OATH: Background
Networked entities face three major challenges today:
- Theft of or unauthorized access to confidential data.
- The inability to share data over a network without an increased security risk limits organizations.
- The lack of a viable single sign-on framework inhibits the growth of electronic commerce and networked operations.

OATH: Justification
- The Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all.
- OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks.
- The use of multi-factor authentication products with an OATH application will protect against the ATM hacks mentioned previously.

OATH Membership (Partial)

Standardized Authentication Algorithms
- Open and royalty-free specifications
- Proven security: reviewed by industry experts
- Choice: one size does not fit all

HOTP
- Event-based OTP
- Based on HMAC, SHA-1
- IETF RFC 4226

OCRA
- Based on HOTP
- Challenge-response authentication
- Short digital signatures

T-HOTP
- Time-based HOTP
- Submitted to IETF
- Standard expected end of 2010
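HOTP and its time-based variant, as an added worked example (not from the deck): the RFC 4226 computation with dynamic truncation, the time-based counter that the IETF later standardized as RFC 6238, and the look-ahead check a validation server performs so that a token pressed a few times without being used still validates while an accepted value can never be replayed. The secret is the RFC 4226 reference test key, so the digits can be cross-checked against the RFC; the function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 reference test secret (ASCII "12345678901234567890"), used here so the
# results can be cross-checked against the RFC's own test vectors
TEST_SECRET = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: the low nibble of the last HMAC byte selects a 4-byte
    window, its top bit is cleared, and the value is reduced to `digits` decimals."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA-1 over the 8-byte big-endian moving factor (counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based HOTP: the counter is the number of whole time steps since the Unix
    epoch (the construction standardized in RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


def validate_hotp(secret: bytes, presented: str, server_counter: int,
                  window: int = 10, digits: int = 6):
    """Validation-server side (RFC 4226 sections 7.2 and 7.4): the token may be ahead
    of the server by a few presses, so `window` further counters are tried.
    Returns the next counter the server must store (the accepted value and every
    earlier one become unusable), or None when nothing in the window matches."""
    for candidate in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), presented):
            return candidate + 1
    return None


if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(TEST_SECRET, c) for c in range(3)])
    print("TOTP at t=59, 8 digits:", totp(TEST_SECRET, 59, digits=8))
    nxt = validate_hotp(TEST_SECRET, hotp(TEST_SECRET, 3), server_counter=0)
    print("accepted; server counter advances to", nxt)
```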

Token Innovation and Choice
- HOTP applets on SIM cards and smart cards
- OTP embedded in credit card
- OTP soft token on mobile phones
- OTP Token
- HOTP OTP embedded in flash devices
- Soft OTP Token
- Multi-Function Token (OTP & USB Smart Card)
- 50+ products shipping

OATH Reference Architecture: Establishing common ground
- Sets the technical vision for OATH
- 4 guiding principles: Open and royalty-free specifications; Device Innovation & embedding; Native Platform support; Interoperable modules
- v2.0: Risk based authentication; Authentication and Identity Sharing

OATH Authentication Framework 2.0 (architecture diagram; labels as shown): Validation Framework; Risk Interface; Risk Evaluation & Sharing; Authentication Methods (HOTP, Certificate, Challenge/Response, Time Based Authentication); Token; Token Interface; Client Applications; Authentication Protocols; Provisioning Protocol; Applications (VPN, Web Application, etc.); User Store; Validation Protocols; Validation Services; Token Store; Authentication and Identity Sharing Models; Client Framework; Provisioning Service; Bulk Provisioning Protocols; Credential Issuer(s); Provisioning Framework

Credential Provisioning
- Token manufacturer offline model: Portable Symmetric Key Container standard format (PSKC Internet-Draft)
- Dynamic real-time model: Dynamic Symmetric Key Provisioning Protocol (DSKPP Internet-Draft); OTA provisioning to mobile devices, or online to PC/USB
- IETF KeyProv WG: current RFC submissions

OATH Roadmap
- CHOICE of AUTHENTICATION METHODS: HOTP; OCRA; T-HOTP
- CREDENTIAL PROVISIONING & LIFECYCLE: PSKC; DSKPP
- APPLICATION INTEGRATION & ADOPTION: Certification program; WS Validation; Auth & Identity Sharing work

Objectives
- Understand the full lifecycle support needed for strong authentication integration
- Learn different approaches to supporting strong authentication in your applications
- Take away the best practices for enabling strong authentication in applications

Certification Program
The OATH Certification Program:
- Intended to provide assurance to customers that products implementing OATH standards and technologies will function as expected and interoperate with each other.
- Enable customers to deploy best-of-breed solutions consisting of various OATH certified authentication devices such as tokens and servers from different providers.
- Introduced 2 Draft Certification Profiles at RSA: Tokens - HOTP Standalone Client; Servers - HOTP Validation Server
- 10 additional profiles to be introduced throughout the year

One Time Password Devices: Initial Applications
- Financial: most governments have demanded more than static passwords
- Online Authentication
- Physical Access

One Time Password Devices: Subsequent Applications
- Contactless Payment
- Secure Network Access
- E-wallet application

Layered Approach to Security
- Applications: OTP; PIN Activation; Challenge/Response; Physical Access; Contactless Payment; Secure Network Access
- Cards will be used for: EMV Payment; Debit Cards; Single sign-on and multi-apps

Payment or Authentication
- Recent certification by MasterCard announced at their Debit Conference in Budapest this summer.
- VISA trialing a PinPad OTP card in Europe at 9 different banks
- EMV for secure payment application
- OATH authentication device as well

Typical Application Scenario: Transaction authentication & Signing
- Log on to bank's web site
- Give user name and password
- Bank sends a challenge number used to create PIN
- User enters number into card and a new secure pass code is generated
- User then submits this new number to the bank's web site
- Transaction is then authorized by the bank
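The challenge-response step of the scenario above, as an added example that is not part of the deck: the bank issues a fresh numeric challenge, the card computes the OCRA response (suite OCRA-1:HOTP-SHA1-6:QN08 from RFC 6287, the later-published form of the OCRA specification the slides list as submitted to the IETF), and the bank recomputes and compares it. The 20-byte key and the fixed challenges are RFC 6287 test values so the digits can be cross-checked; the function names and the single-use challenge handling are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 6287 reference test key for the SHA-1 suites (ASCII "12345678901234567890")
TEST_KEY = b"12345678901234567890"
# One-way challenge, 8-digit numeric challenge (QN08), 6-digit response
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"


def issue_challenge(digits: int = 8) -> str:
    """Bank side: a fresh random numeric challenge, so a response captured from one
    transaction is useless for the next one."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def card_response(key: bytes, challenge: str, suite: str = SUITE) -> str:
    """Card side: OCRA response. DataInput = Suite || 0x00 || Q (RFC 6287 section 5.1);
    a numeric challenge (QN) is written as hex and right-padded with '0' to 128 bytes,
    exactly as the RFC's reference code does."""
    response_digits = int(suite.split(":")[1].split("-")[2])
    q_hex = format(int(challenge), "X").ljust(256, "0")
    data = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, data, hashlib.sha1).digest()
    # Same dynamic truncation as HOTP (RFC 4226 section 5.3)
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** response_digits)).zfill(response_digits)


def bank_verify(key: bytes, challenge: str, presented: str, suite: str = SUITE) -> bool:
    """Bank side: recompute the expected response and compare in constant time.
    The challenge must be discarded after one use, whatever the outcome."""
    return hmac.compare_digest(card_response(key, challenge, suite), presented)


def transaction_flow(key: bytes) -> bool:
    """Challenge, card response, submission, authorization, as in the scenario."""
    challenge = issue_challenge()
    passcode = card_response(key, challenge)   # what the user reads off the card
    return bank_verify(key, challenge, passcode)


if __name__ == "__main__":
    print("RFC 6287 vector Q=00000000 ->", card_response(TEST_KEY, "00000000"))
    print("transaction authorized:", transaction_flow(TEST_KEY))
```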

Interoperability: Sharing between devices
Organization wants various devices:
- USB key for office personnel
- Card-based token for travelers
- Mobile for other travelers
All connect to the same back end, providing numerous options for banks to secure their online access.

Recommended Validation Framework

Authentication Integration Architecture
- Direct authentication integration over standard protocol
- Plugin-based authentication integration

Plugin Based
- Enable two-factor authentication in your existing third-party authentication server for user password
- Your application code doesn't need to change
- Out-of-the-box strong authentication support in your existing third-party authentication server: integration connectors available from authentication solution vendors, e.g. RSA, VeriSign; e.g. CDAS plugin for IBM Tivoli Access Manager
- Develop your customized plugin for your existing third-party authentication server

Open Source Implementation
- RADIUS Client: Java; C/C++ (http://wiki.freeradius.org/radiusclient.net)
- Authentication Server with OTP Support: RADIUS server, http://www.freeradius.org/ (need to add OTP auth plugin); Triplesec, http://cwiki.apache.org/dirxtriplesec/

References and Resources
- Initiative for Open AuTHentication (OATH): http://www.openauthentication.org
- HOTP: An HMAC-Based One-Time Password Algorithm, RFC 4226: http://www.ietf.org/rfc/rfc4226.txt
- OATH Reference Architecture: http://www.openauthentication.org
- Other draft specifications: http://www.openauthentication.org

Key is being Involved
- Visit the OATH website
- Download Reference Architecture v2
- Download and review draft specifications
- Engage: contribute ideas and suggestions; review public draft specifications; get involved in developing specifications
- Become a member! 3 levels: Coordinating, Contributing, Adopting
- Become an active participant

An industry-wide problem mandates an industry-wide solution
- Strong Authentication to stop identity theft across all the networks
- A reference architecture based on open standards
- Foster innovation & lower cost
- Drive wider deployment across users and networks
- Minimal bureaucracy to get the work done!

Other Trends
- The movement toward 3-factor authentication: what a person knows (password); what a person has (card or token); what a person is or how he behaves (biometric and behavioral keystroke patterns)
- Security in the Cloud: Who has your data? Where is your data?

Questions & Answers Thank You!

Backup Slides

OATH Timeline
- HOTP: Common OTP Algorithm (a humble beginning!)
- OATH Reference Architecture 1.0: New HOTP devices; Membership expansion; Public Roadmap release
- Roadmap Advances: Portable Symmetric Key Container; Challenge-Response Mutual Authentication; Provisioning Protocol
- OATH Reference Architecture 2.0: Risk-based Authentication; Authentication Sharing; IETF KeyProv; Interop Demo
Steady Progress

Risk Based Authentication Architecture
- Risk-based authentication: convenient authentication for low-risk transactions; stronger authentication for higher-risk transactions
- OATH will define standardized interfaces
- Risk Evaluation: sharing fraud information (ThraudReport)

Authentication and Identity Sharing
- Promotes use of a single credential across applications: force multiplier!
- Multiple approaches: one size does not fit all
- Models that leverage identity sharing technologies: Liberty, SAML, OpenID, etc.
- Models to enable sharing of 2nd-factor authentication only: simpler liability models

Authentication Sharing: Centralized Token Service model
- Token is validated centrally in the validation service
- Same token can be activated at multiple sites
- Easy integration for application web site(s)
- Can leverage OATH Validation Service work!

Authentication Sharing: Distributed Validation Model
- Inspired by DNS
- Rich set of deployment models
- Standalone system can join the network by publishing token discovery information
- There needs to be a central Token Lookup Service; OATH is considering developing a Token Lookup protocol.

Authentication Sharing: Credential Wallet
- Shared device, multiple credentials
- Credentials are dynamically provisioned onto the device
- Leverage OATH Provisioning specifications

Identity Federation & OATH
- Enables user to use the same identity across website(s)
- Traditional federation (Liberty)
- User-centric models (OpenID, CardSpace)
- Single identity becomes more valuable: needs to be protected using strong authentication
- OATH: promote the use of strong authentication with these technologies!