Securing today's identity and transaction systems: What you need to know about two-factor authentication

Today's speakers: Alex Doll, CEO, OneID; Jim Fenton, Chief Security Officer, OneID

Contents
- Today's threat landscape
- Myths and realities of today's 2FA
- Best practices for being FFIEC compliant
- Four steps to a secure identity system
- Questions
Today's evolving threat landscape: top six common attacks

1. Key logging and redirection: keystrokes are monitored to retrieve login credentials.

2. Man-in-the-middle: active eavesdropping in which an attacker connects to both victims and relays messages between them.

3. Man-in-the-browser: a web browser infection that modifies transactions and content, without either the user or the host website being aware.

4. Account recovery: today's recovery flows are easily manipulated. A sample phishing message:
"Hi, good news -- you're just steps away from regaining access to your account! It looks like you are having trouble with 2-step verification, so we've removed it from your account. Click this link to reset your password and sign in to your account:"

5. Third parties you didn't invite: SMS-based 2FA systems rely on third parties for the issuance, verification, or delivery of the code to the device. The Australian telecom lobby has told financial institutions NOT to use SMS for 2FA, citing its insecurities.

6. DDoS: distributed denial of service attacks are now commonplace.

The cost of breaches (Ponemon/Symantec, 2013 Cost of Data Breach Study):
- US breaches cost $188 per record
- Average breach size: 28,765 records
- Average organizational cost of a breach: $5.4M
- Cost drivers include: lifetime value of lost members, loss of brand equity and costs to recover, member communications, and actual fraud
Today's myths and realities of two-factor authentication

Defining 2FA and out-of-band
- Two-factor authentication: an additional form of authentication (can be in- or out-of-band), e.g. hardware or software tokens (such as RSA), or a mobile device receiving a one-time-use passcode (sent via SMS, email, or mobile app).
- Out-of-band: an independent communications channel from the primary access, e.g. an SMS message to a phone, an email with a code or account-recovery link, or a confirmation on a separate device (such as a mobile device).

Myth #1: If you have suffered a breach, turning on 2FA is a good, quick fix.
Reality #1: There is nothing quick or easy about deploying 2FA. Token deployment is expensive, time consuming, and hard to manage, and users don't like it.

Myth #2: 2FA is immune to today's threats.
Reality #2: It improves overall security but, depending on how you deploy it, remains vulnerable.
- SMS is not a secure channel and is easily breached
- Man-in-the-middle is a common attack
- Consumers blindly approve prompts: high convenience, low security

Myth #3: 2FA is synonymous with using a second device and cannot be accomplished on one device.
Reality #3: Two-factor authentication on a single device is possible, and a better user experience. By combining a cryptographic key stored on the device (something you have) with something you know, identity authentication is both more secure and more convenient.

Myth #4: Most 2FA solutions are similar, with only minor differences in approach.
Reality #4: There is a wide variety of 2FA flavors out there: hardware tokens, software tokens, SMS and other phone-based methods, third-party services, and biometrics.

Myth #5: 2FA is an annoying compliance requirement without material security benefits.
Reality #5: Depending on how it's deployed, 2FA offers greatly enhanced protection for institutions and members alike.
- Marry security with usability
- Make 2FA flexible, based on actual risk
Best practices to help you meet (and exceed) FFIEC requirements

Setting the stage: the landscape is changing

Beyond the browser: mobile (then vs. now)

Mobile Internet IS the future

Looking to the future with Millennials: the digital experience is everything
- 90% of people visiting a banking website click to log in and nowhere else on the home page^
- 75% of users turn to the Internet as their preferred channel^
- 29% of Millennials report using a mobile app to manage money*
* Harris Interactive online survey for Think Finance, May 2013
^ Bank 2.0, Brett King

Best practices in this new, mobile world
Employ out-of-band verification to lower risk
- With OOB, attackers now have to compromise multiple devices and platforms
- A description of the transaction being approved must be shown to the member: a MITB rewrite is exposed when what the device displays differs from what the member entered
- Best practice: the member's device should sign the notification so the FI can document the approval

Ensure you have documented approval; it protects everyone
- Ensure the description of the transaction is displayed and cryptographically signed by the user's device, to deliver non-repudiation
- This minimizes security dependencies on third parties: it is end-to-end secure
- Signatures require a smartphone app (they are not available through SMS, phone calls, or tokens)

Require the right authentication for the risk
- FFIEC guidance strongly supports the concept of authentication risk scoring
- The ability to adjust authentication strength dynamically supports this
- Example: simpler OOB approval (no PIN) when risk is lower (e.g. a lower amount to a known payee); OOB approval with a PIN for higher-risk transactions (e.g. a large amount to an unknown payee)
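The signed out-of-band approval and risk-based step-up described on the three slides above, as an added example written for this page (it is not OneID's code and does not describe their product). It uses Go's standard-library Ed25519: the device signs the transaction description it displays, the FI verifies that signature against the transaction it actually intends to execute, and a hypothetical risk policy (`PINRequired`, with thresholds assumed for illustration) decides whether a PIN is required. The member's comparison of the displayed description with what they typed is what exposes a MITB rewrite; the names `Device`, `Server`, `Approval` and the sample transactions are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Transaction is the description shown on the OOB device and the exact value signed.
type Transaction struct {
	ID, Payee   string
	AmountCents int64
}

// Approval is the record the FI keeps as documented, non-repudiable approval.
type Approval struct {
	Tx        Transaction
	PINUsed   bool
	Signature []byte
}

// signedBytes covers the description plus the authentication strength used, so
// a PIN-less approval cannot later be passed off as a PIN approval.
func signedBytes(tx Transaction, pinUsed bool) []byte {
	return []byte(fmt.Sprintf("approve|%s|%s|%d|pin=%t", tx.ID, tx.Payee, tx.AmountCents, pinUsed))
}

// PINRequired is a hypothetical risk policy (an assumption of this example):
// step up to a PIN for large amounts or payees the member has not paid before.
func PINRequired(tx Transaction, knownPayees map[string]bool) bool {
	return tx.AmountCents > 100000 || !knownPayees[tx.Payee]
}

// Device holds the member's private key; only the public key ever leaves it.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	pin  string
}

func NewDevice(pin string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return &Device{priv: priv, Pub: pub, pin: pin}
}

// Approve signs the description shown on the device. `typed` models the member's own
// review (what they entered in the browser): after a MITB rewrite the FI's notification
// no longer matches it, so the member declines and nothing is signed.
func (d *Device) Approve(shown, typed Transaction, needPIN bool, enteredPIN string) (Approval, error) {
	if shown != typed {
		return Approval{}, errors.New("member declined: displayed transaction differs from what was entered")
	}
	if needPIN && subtle.ConstantTimeCompare([]byte(enteredPIN), []byte(d.pin)) != 1 {
		return Approval{}, errors.New("wrong PIN")
	}
	return Approval{shown, needPIN, ed25519.Sign(d.priv, signedBytes(shown, needPIN))}, nil
}

// Server is the FI side: it stores only public keys and each member's known payees.
type Server struct {
	pubKeys     map[string]ed25519.PublicKey
	knownPayees map[string]map[string]bool
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]map[string]bool{}}
}

func (s *Server) Enroll(member string, pub ed25519.PublicKey, payees ...string) {
	s.pubKeys[member], s.knownPayees[member] = pub, map[string]bool{}
	for _, p := range payees {
		s.knownPayees[member][p] = true
	}
}

// Verify releases `intended` only if the approval signs exactly that description,
// at the strength the risk policy demands, under the member's enrolled key.
func (s *Server) Verify(member string, intended Transaction, a Approval) error {
	pub, ok := s.pubKeys[member]
	switch {
	case !ok:
		return errors.New("no enrolled device")
	case a.Tx != intended:
		return errors.New("approval does not match the submitted transaction")
	case PINRequired(intended, s.knownPayees[member]) && !a.PINUsed:
		return errors.New("risk policy requires PIN approval")
	case !ed25519.Verify(pub, signedBytes(a.Tx, a.PINUsed), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	dev, srv := NewDevice("4321"), NewServer()
	srv.Enroll("alice", dev.Pub, "utility-co")
	typed := Transaction{"tx-1", "utility-co", 12000}        // constructed: what the member entered
	rewritten := Transaction{"tx-1", "mule-account", 950000} // constructed: what a MITB sent the FI
	_, err := dev.Approve(rewritten, typed, true, "4321")
	fmt.Println("MITB rewrite:", err)
	a, _ := dev.Approve(typed, typed, PINRequired(typed, srv.knownPayees["alice"]), "")
	fmt.Println("low risk, no PIN:", srv.Verify("alice", typed, a))
}
```

Two design points worth noting: the signed bytes include whether a PIN was used, so the server's risk check cannot be satisfied by replaying a low-risk approval against a high-risk transaction, and the server compares the approved description to the transaction it is about to execute before it even checks the signature, so an approval for one transaction can never release another.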
Make device management easy
- Members will soon have many 2FA applications: 2FA is becoming popular, even for social media, and managing them is analogous to managing usernames and passwords today
- Members will also have multiple 2FA devices: mobile phones, tablets, and soon watches. How do you enroll them all, and revoke one when it is lost?
- Management of devices within member accounts is needed

Educate and motivate members
- Ensure they understand the basics: good password hygiene, and how to spot phishing and spoofing
- Make it easy and safe to transact: improve the login experience, enable safe online transactions (wire transfers), and integrate the online, mobile, and in-branch experience
- Exceed expectations
Four steps to a secure identity system

Step 1: Eliminate shared secrets; don't add more.
- Stop defending your perimeter.
- Replace your usernames/passwords and 2FA secrets with something of no value to attackers: public keys.
- Using asymmetric cryptography instead has a two-fold effect: there is no payday for attackers if you get breached, and you become a far less likely target.

Step 2: Instead, store those secrets on members' devices.
- Put the private keys back under the control of the user; it's their identity.
- Without responsibility for those keys, your liability for that data plummets.
- With explosive mobile growth, users have multiple devices for access, so make it easy for people to share those private keys with other devices. (In practice, enrolling a separate key per device, rather than copying one private key between them, is what keeps the per-device revocation described under device management possible.)

Step 3: Think of your member first, and beyond your site.
- Deploy a federated solution so your members only have to manage one set of authentication credentials, for your site AND everywhere else that solution is accepted.
- Your members will be delighted that you considered their identity experience beyond your online banking solution.
- Stop security theater: a marginal security solution designed just for your site.

Step 4: Get rid of the site-specific username/password completely.
- With a federated solution, a user only needs to remember ONE credential (a password).
- For 2FA, the combination of the user-specific PIN plus a digital signature from the device makes it easy, convenient, and secure for the member.
- This protects against phishing, key-logging, and similar attacks, because a signature, unlike a password or one-time code, is bound to the site and the session and cannot be captured and reused.
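The login side of steps 1, 2 and 4, as an added example written for this page (it is not OneID's code and does not describe their product): the site stores nothing but an Ed25519 public key per user, issues a single-use random challenge, and accepts a login only if the device's signature covers that challenge and the site's own origin. Because the device signs for the origin it is actually connected to (as a browser or app would determine it), a challenge relayed through a phishing site produces a signature the real site rejects, and a dump of the site's user table contains nothing that can sign. The names `Site`, `Device`, `Challenge`, the origins `bank.example` and `bank-login.example` and the user names are constructed for this example; it uses only Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Challenge is what the site hands to the member's device at login.
type Challenge struct {
	Nonce  []byte
	Origin string
}

// loginMessage binds the signature to the origin and a fresh nonce: a signature
// obtained by a phishing site cannot be relayed to the real one, and one
// captured from the wire cannot be replayed.
func loginMessage(origin string, nonce []byte) []byte {
	return []byte("login|" + origin + "|" + hex.EncodeToString(nonce))
}

// Device keeps the private key; the site only ever sees the public half.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return &Device{priv: priv, Pub: pub}
}

// Sign answers a challenge for the origin the device is actually connected to
// (as a browser or app would determine it), not the origin an attacker claims.
func (d *Device) Sign(connectedOrigin string, c Challenge) []byte {
	return ed25519.Sign(d.priv, loginMessage(connectedOrigin, c.Nonce))
}

// Site stores nothing but public keys: a dump of `users` lets nobody log in.
type Site struct {
	Origin  string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding nonce per user, single use
}

func NewSite(origin string) *Site {
	return &Site{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

func (s *Site) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

func (s *Site) NewChallenge(user string) (Challenge, error) {
	if _, ok := s.users[user]; !ok {
		return Challenge{}, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	s.pending[user] = nonce
	return Challenge{Nonce: nonce, Origin: s.Origin}, nil
}

// Login consumes the outstanding nonce whether or not the signature verifies.
func (s *Site) Login(user string, sig []byte) error {
	nonce, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	if !ed25519.Verify(s.users[user], loginMessage(s.Origin, nonce), sig) {
		return errors.New("signature does not verify for this origin and nonce")
	}
	return nil
}

func main() {
	dev, bank := NewDevice(), NewSite("bank.example") // constructed sample site and device
	bank.Register("alice", dev.Pub)
	c, _ := bank.NewChallenge("alice")
	fmt.Println("genuine login:", bank.Login("alice", dev.Sign("bank.example", c)))
	// Phishing: the attacker relays the bank's challenge, but the device signs for
	// the origin it is really talking to, so the relayed signature is useless.
	c, _ = bank.NewChallenge("alice")
	fmt.Println("relayed via phish:", bank.Login("alice", dev.Sign("bank-login.example", c)))
}
```

The federation in step 3 is the same exchange with one identity provider holding the public key and many sites consuming its assertions; the origin binding shown here is also what makes the single credential safe to use across them, since a signature for one origin is worthless at another.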
What does this all mean?

Questions to ask your team
- Security/IT: What are we doing to stay ahead of the threat landscape?
- Compliance: How are we anticipating future FFIEC guidelines?
- Product: Are we making it easy for customers to transact?
- Members: Do you know how to keep yourself secure online? How can we help?

Questions? Looking for help thinking through your specific identity and authentication needs? Contact us.
Alex Doll, alex@oneid.com, 650.394.8404
Jim Fenton, fenton@oneid.com, 650.394.8403
www.oneid.com