Strong Authentication and Digital Signing using ArcotID
Christian Hüsch, Senior Technical Consultant, Arcot GmbH
II. Central and Eastern European Banking Technologies Conference, April 12th 2006


Slide 2: Agenda

- Company Overview
- Strong Authentication for Banking Applications
  - Challenges and Goals / The Consumer Reality
  - Authentication Approaches
- Layered Authentication Approach
- Comparing Authentication Technologies
- Beyond Strong Authentication
- Deployment Examples
- Digital Signing
- Summary
- Questions

Slide 3: Arcot Systems

- Founded 1997, HQ in Sunnyvale, CA, US
- Private company, venture funded: Onset, Accel, Goldman Sachs, INVESCO, Adobe, Visa International, Wachovia, SEB (SE), Oracle, Novell
- Offices: European offices in London (GB) and Munich (DE); development center in Bangalore, India
- Headcount 100+

Slide 4: About Arcot Technology

- Leadership in Consumer and Business Authentication
  - Pioneered 3-D Secure e-commerce authentication platform with Visa, MasterCard and JCB
  - Currently in use by 10,000+ banks, over 7 million consumers enrolled
  - 300 million users protected with Arcot solutions in the enterprise
- Patented two-factor technology
  - Two-factor authentication, fully in software
  - Layered with additional factors such as IP location, Device ID, Scrambled PIN Pad, and text-based Mutual Assurance Message
  - Digital signature capable

Slide 5: Strong Authentication in the Banking Environment

Slide 6: Challenges and Goals

- Reduce cost by moving business processes online
  - By increasing use of online banking
  - By moving other applications online
- Address phishing attacks to restore/increase consumer confidence in online banking
- Enhance customer relationships, win new customers and add new products and applications
- Be compliant with regulation and mitigate risk, e.g. FFIEC in the US
- Provide a viable solution from a TCO point of view
- Provide a solution for both employees and customers

Slide 7: The Consumer Reality

- Customers are a heterogeneous set of individuals
  - Varying level of expertise with computers and technology
  - Use a multiplicity of devices for access: home PC, office PC, Internet café etc.
  - A variety of tasks are performed
  - Equally likely to embrace new solutions or move to alternate channels
- No one solution is going to make everybody happy; flexible solution suites provide multiple options

Slide 8: FI as an extended enterprise

- More systems open and accessible to non-employees
- Technology creates increased reach and flexibility; FIs no longer limited by geography or timing
- Increased benefits and potentially increased risks
- (Diagram: the FI surrounded by Employee, Consumer, Client and Partner)

Slide 9: Risk Management in Financial Institutions

FIs trying to maintain a balance between security and user convenience…

- On the one hand
  - Need to reduce risk
  - Need to provide assurance to consumers (or they might switch to ‘less risky’ but potentially more expensive channels)
- On the other hand
  - Need to make experience simple, and not drive away consumers
  - Need to contain costs of solution – proportionate to perceived risk

Slide 10: Threats facing the industry

- Phishing: spurious message (most likely email) that induces the user to enter critical personal information at a bogus site. Many variations exist, but email is easiest and cheapest for the fraudster.
- Pharming: modifying DNS entries to redirect the user to a bogus site.
- Malware: programs planted on the user’s desktop to capture key-strokes and mouse clicks.
- Man-in-the-middle: user redirected to an intermediate site that behaves like the genuine site to the user and in turn behaves like the user to the genuine site.

Slide 11: Solution Categories

- Server Authentication
  - Identifying the server to the user
  - Assurance that the user is at the right site, or that the user received mail from the right source
- Base User Authentication
  - Determine that the user is likely to be who he/she claims to be
  - Based on device used by user, location of user, habits of user…
  - For example, activating a card by calling from the home telephone number
  - Typically achieved without active user participation
- Strong (Unique User) Authentication
  - Determine with a high level of assurance that the user is who he/she claims to be
  - Based on a credential issued to the individual – a combination of something he/she is, something he/she has, something he/she knows
  - User explicitly participates in the process

Slide 12: Considerations

- Usability
  - Consumer ease of use
  - Distribution, training, renewal, help-desk
- Deployment
  - Standards based – vendor dependence
  - Disruption to existing applications
  - Software required at consumer desktop?
- Protection against
  - Phishing
  - Pharming
  - Trojans, spyware
  - Man-in-the-middle attacks
- Additional features
  - Strong authentication
  - Obsolescence proof
  - ROI enhancement
- What does it cost

Slide 13: Server Authentication

- SSL Lock – yellow lock at bottom of page
  - Best possible technology solution
  - Not vulnerable to man-in-the-middle attacks
  - Provides complete assurance that the user is at the right site
  - However, two big limitations:
    - Browser technologies allow this to be spoofed – not all users will know how to detect the spoof
    - FIs are not standardized on which pages are SSL locked (often the password entry page is not locked; only password submission triggers this)
- Alternative/addition is to provide an ‘assurance message’
  - Enter userid, wait for the server to display the ‘shared secret’, then enter the password
  - The shared secret can be text or other information the user is likely to recognise

Slide 14: Assurance Message

- Protects against phishing and pharming
- Provides a first level of assurance (authenticates server to user)
- Widely deployed mechanism as part of 3-D Secure (Visa and MasterCard)
- Fingerprinting of “registered” computers
- Browser based – no client side software required
- Easy to use; simple to train end users
- Complements any form of user authentication

Flow (diagram): Enter User Name → on a registered computer, Display Assurance Message → Enter Password; on an unknown computer, a Verification Dialog is shown first, then the Assurance Message is displayed and the password requested.

Slide 15: Assurance Message Example (screenshot only; no text extracted)

Slide 16: Limitations of Assurance Message

- Does not authenticate the user to the server
- Vulnerable to man-in-the-middle (MIM) attacks
  - User conditioned to accept the verification dialog; does not know why ‘fingerprinting’ failed
  - Depends on ‘velocity checks’ for MIM IP addresses

Diagram (User → Man-in-the-middle Attacker → Real Bank Site):
1. User-id (user to attacker)
2. User-id (attacker to real bank site)
3. Verification Dialog (real bank site to attacker)
4. Verification Dialog (attacker to user)
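The two server-side pieces slides 13, 14 and 16 describe, as an added example that is not Arcot's code: the first step of the assurance-message flow (user-id submitted, device fingerprint checked, either the assurance message or a verification dialog returned) and the IP velocity check that slide 16 names as the fallback against a relaying man-in-the-middle. The user records, fingerprint inputs, the keyed-hash construction for the fingerprint and the request log are all constructed for illustration.

```python
"""Assurance-message login step with a device-fingerprint check, plus the IP
velocity check the slides rely on against a relaying man-in-the-middle.
Added example, not Arcot's code: the user records, the fingerprint inputs
and the request log below are constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict

FINGERPRINT_KEY = b"constructed-server-side-secret"   # assumption: kept server-side only

# Constructed enrolment data: each user's assurance phrase and the
# fingerprints of the computers they registered.
USERS = {
    "rjones": {"assurance": "blue heron on the lake", "devices": set()},
    "mkim":   {"assurance": "tuesday is pancake day", "devices": set()},
}


def fingerprint(user_agent: str, cookie_token: str) -> str:
    """Keyed hash over browser characteristics and the cookie left at
    registration; only this hash is stored, not the raw characteristics."""
    material = f"{user_agent}|{cookie_token}".encode()
    return hmac.new(FINGERPRINT_KEY, material, hashlib.sha256).hexdigest()


def register_device(user: str, user_agent: str, cookie_token: str) -> None:
    USERS[user]["devices"].add(fingerprint(user_agent, cookie_token))


def login_step1(user: str, user_agent: str, cookie_token: str) -> dict:
    """First step of the flow: the user has submitted only the user-id.
    Registered computer -> show the assurance message, then ask for the
    password.  Unknown computer (or unknown user-id, so the response does not
    reveal which ids exist) -> show the verification dialog first."""
    record = USERS.get(user)
    if record and fingerprint(user_agent, cookie_token) in record["devices"]:
        return {"action": "show_assurance_message", "message": record["assurance"]}
    return {"action": "verification_dialog", "message": None}


class VelocityMonitor:
    """Velocity check: a relaying man-in-the-middle forwards every victim's
    user-id from its own address, so one source IP presents many distinct
    user-ids in a short window.  Legitimate shared addresses (an office NAT)
    do this too, so the limit is a tuning decision, not a hard rule."""

    def __init__(self, window_seconds: int = 300, max_distinct_users: int = 5):
        self.window = window_seconds
        self.limit = max_distinct_users
        self.seen: dict = defaultdict(list)   # ip -> [(timestamp, user-id)]

    def record(self, ip: str, user: str, ts: int) -> bool:
        """Record one user-id submission; True if the IP is now over the limit."""
        recent = [(t, u) for t, u in self.seen[ip] if ts - t <= self.window]
        recent.append((ts, user))
        self.seen[ip] = recent
        return len({u for _, u in recent}) > self.limit


# Constructed log of step-1 submissions: "<unix time> <source ip> <user-id>".
SAMPLE_LOG = """\
1000 203.0.113.7 rjones
1010 203.0.113.7 mkim
1020 203.0.113.7 alee
1030 203.0.113.7 pwong
1040 203.0.113.7 dsmith
1050 203.0.113.7 tnguyen
1060 198.51.100.3 rjones
1075 198.51.100.3 rjones
"""


def flagged_sources(log_lines, window_seconds: int = 300, max_distinct_users: int = 5) -> list:
    """Replay a log through the velocity check; return the IPs that tripped it."""
    monitor = VelocityMonitor(window_seconds, max_distinct_users)
    flagged = set()
    for line in log_lines:
        if not line.strip():
            continue
        ts, ip, user = line.split()
        if monitor.record(ip, user, int(ts)):
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    register_device("rjones", "Mozilla/5.0 (Windows NT 5.1)", "cookie-rjones-1")
    print(login_step1("rjones", "Mozilla/5.0 (Windows NT 5.1)", "cookie-rjones-1"))
    print(login_step1("rjones", "Mozilla/5.0 (Windows NT 5.1)", "no-cookie"))
    print(flagged_sources(SAMPLE_LOG.splitlines()))   # ['203.0.113.7']
```

The velocity check catches exactly the relay pattern of the slide 16 diagram (many different user-ids arriving from the attacker's one address within minutes) and nothing else: a single victim relayed through a fresh address never trips it, which is the limitation the slide is pointing at.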

Slide 17: Base User Authentication

- Circumstantial forensics, in addition to userid / password
- Combination of elements
  - Machine fingerprint (including cookies left there)
  - Location of the IP address the transaction is originating from
- Evaluate elements => determine if the transaction is risky
- The action to be taken next is variable
  - Flag to alert user
  - Ask for secondary authentication (maybe a different credential)
  - Switch to a second factor (email, call, SMS)
  - Route through a different process – CSR interrupt
  - Deny transaction

Slide 18: Limitation of User ‘Approximation’

- No protection against ‘friendly’ fraud: people in the same household or even at the workplace share machines, share IP address, share ‘location’
- Risk scoring – inexact science
  - False positives – user inconvenience
  - Need a number of transactions even to ‘learn’ a pattern – several applications (including e-Banking) don’t lend themselves to such volume
- Action on risk detection
  - SMS, callback – not reliable for online activity
  - Second authentication – again conditions the user to expect this question – potential for phishing

Slide 19: Strong (Unique User) Authentication

- Issue a strong credential to the individual user
  - User is told about the strong credential
  - User knows sharing the credential opens him/her to risk
- Ask for strong authentication
  - For all access
  - For access to specific ‘high risk’ areas
  - For ‘high risk’ transactions only (based on amount, type etc.)
- Typical strong authentication is 2-factor: two of three things – something you have, something you know or something you are (biometrics)

Slide 20: Challenges to Strong Authentication

- Cost
  - Issuing new credentials
  - Training users
- Inconvenience
  - Learning to use 2 factors
  - Access when one factor is missing – user travels without something he/she has
- Application upgrade
  - Applications need to know how to use this technology and authenticate users – new systems, new integration

Slide 21: Electronic Business Enablement View

- Beyond compliance and risk mitigation
- Authentication strategy must
  - Maintain simplicity
  - Provide IT and business process flexibility
  - Facilitate retention and acquisition of customers
  - Allow new products/services to be delivered
- Strengthening the customer relationship and adding new applications

Slide 22: Arcot’s Layered Authentication Approach

Slide 23: Layered Authentication Approach

Diagram: increasing value and benefits – security + other uses (signing/encryption). Layers, bottom to top:

- UserID / Password
- Mutual Authentication / Assurance Message + Scrambled PIN Pad
- Device ID
- Location ID / Geo Location
- Crypto Strong Authentication (ArcotID)
- Digital Signing, (En)/Decryption (ArcotID + certificates)

The layers above UserID / Password are grouped as the Arcot Level 1, Level 2 and Level 3 Solutions.

Slide 24: Layered Authentication Approach

- Without user intervention
  - Usage of machine and connection characteristics to determine whether the user is genuine, e.g. IP address, browser version
  - Comparison with the last good access, or with information captured at registration time
- With user intervention
  - Strong authentication using ArcotID
- Additional security features
  - Personal assurance message
  - Scrambled PIN pad
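The "without user intervention" layer of slides 17 and 24 (score an access from machine fingerprint, IP location and time of day against the last good access, then pick one of the follow-up actions slide 17 lists), as an added example that is not Arcot's code. The weights, thresholds, the `Access` record and the sample history are constructed; a real deployment tunes them against observed false-positive rates, the problem slide 18 raises.

```python
"""Base user authentication: score an access attempt against the user's last
good access and map the score to one of the actions the slides list.
Added example, not Arcot's code; weights, thresholds and history are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Access:
    user: str
    device_fp: str      # hash of browser/cookie characteristics
    ip_country: str     # country the source IP geolocates to
    hour: int           # local hour of day, 0-23


# Constructed history: last known-good access per user.
LAST_GOOD = {
    "rjones": Access("rjones", "fp-home-pc", "DE", 19),
}

# Constructed weights.  Device and location carry most of the weight; the
# time-of-day signal is deliberately small because it is the noisiest.
W_NEW_DEVICE = 40
W_NEW_COUNTRY = 40
W_ODD_HOUR = 10
NO_HISTORY_SCORE = 50   # too few transactions to have learned a pattern (slide 18)


def hour_distance(a: int, b: int) -> int:
    """Distance on the 24-hour clock, so 23:00 and 01:00 are 2 hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_score(current: Access, last_good: Optional[Access]) -> int:
    if last_good is None:
        return NO_HISTORY_SCORE
    score = 0
    if current.device_fp != last_good.device_fp:
        score += W_NEW_DEVICE
    if current.ip_country != last_good.ip_country:
        score += W_NEW_COUNTRY
    if hour_distance(current.hour, last_good.hour) > 6:
        score += W_ODD_HOUR
    return score


def decide(score: int, amount: float, high_value: float = 1000.0) -> str:
    """Map a score to the next action: allow, flag the user, step up to a
    second factor, route to a customer-service representative, or deny."""
    if score < 20:
        return "allow"
    if score < 50:
        return "flag_user"
    if score < 80:
        return "csr_interrupt" if amount >= high_value else "second_factor"
    return "deny"


def evaluate(current: Access, amount: float) -> Tuple[int, str]:
    """Score one access and return (score, action)."""
    score = risk_score(current, LAST_GOOD.get(current.user))
    return score, decide(score, amount)


if __name__ == "__main__":
    print(evaluate(Access("rjones", "fp-home-pc", "DE", 20), 50.0))      # (0, 'allow')
    print(evaluate(Access("rjones", "fp-office-pc", "DE", 9), 50.0))     # (50, 'second_factor')
    print(evaluate(Access("rjones", "fp-office-pc", "DE", 9), 5000.0))   # (50, 'csr_interrupt')
    print(evaluate(Access("rjones", "fp-unknown", "BR", 3), 50.0))       # (90, 'deny')
```

Note what the score cannot see: a second person on the same household PC and connection produces the same fingerprint, country and typical hours as the account holder, which is the ‘friendly fraud’ gap of slide 18; that is why slide 24 pairs this layer with strong authentication for the cases that matter.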

Slide 25: Customizable Authentication Approach

- Scrambled PIN Pad – defeats keyboard loggers
- “Assurance Message” – for site authentication
- ArcotID – for strong authentication
- IP and Device Forensics – for increased identity assurance
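How a scrambled PIN pad takes the PIN digits out of the keystroke stream, as an added example that is not Arcot's code: the server draws a fresh digit layout for each login, the browser submits only the positions the user chose, and the server translates those positions back with the layout it issued. The PIN, salt and helper names are constructed.

```python
"""Scrambled PIN pad: positions, not digits, travel from the browser, so a
keystroke logger records values that mean something different next time.
Added example, not Arcot's code; the PIN and salt are constructed."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000


def new_pad(rng=None) -> List[str]:
    """Return a layout: layout[position] is the digit drawn at that position.
    `rng` is any object with a shuffle(); it defaults to a CSPRNG."""
    digits = list("0123456789")
    (rng or secrets.SystemRandom()).shuffle(digits)
    return digits


def digits_to_positions(layout: List[str], pin: str) -> List[int]:
    """What the browser sends: the position of each PIN digit on this layout."""
    return [layout.index(d) for d in pin]


def positions_to_pin(layout: List[str], positions: List[int]) -> str:
    """Server side: translate submitted positions back using the layout it issued."""
    return "".join(layout[p] for p in positions)


def enrol_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash of the PIN, never the PIN itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def verify_positions(layout: List[str], positions: List[int], salt: bytes, pin_hash: bytes) -> bool:
    """Compare in constant time.  The layout must be the one issued for this
    session and must be discarded afterwards, so captured positions cannot be
    replayed against a later layout."""
    candidate = positions_to_pin(layout, positions)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, pin_hash)


if __name__ == "__main__":
    salt, pin_hash = enrol_pin("4271")
    layout = new_pad()
    clicked = digits_to_positions(layout, "4271")   # what a keystroke logger would see
    print(layout, clicked, verify_positions(layout, clicked, salt, pin_hash))
```

The protection is specific to keystroke capture: slide 10 lists malware that records mouse clicks as well, and a logger that captures screen positions together with a screenshot of the pad recovers the digits, so the pad is a layer, not a replacement for the strong credential.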

Slide 26: The ArcotID Enabled Application

- Login form: Username, Password
- ArcotID – Software Smart Card
- The power of two-factor, with the simplicity of passwords…

Slide 27: Fully Flexible Solution

- Multiple levels of functionality available
  - Authentication only: no installed software required, Java/Flash on demand
  - Add digital signing, encryption: requires client software for advanced functionality
- Staged approach possible, addressing current business requirements and providing a future-proof solution using the same framework
- Provide the user with a security solution that addresses the risk and is still user-friendly

Slide 28: Comparing Authentication Technologies

Slide 29: Arcot & Identity Management / Authentication

Diagram labels (authentication strength axis from Weak to Strong):

- Authentication technologies: “Passwords”; Software-based “Multi-Key”; Hardware-based “Two Factor”
- Identity Management
- Multi-Party “3D Secure”
- Applications: Digital Signature, Online Banking, ePayment Authorization, Remote Access VPN

Slide 30: The Authentication Gap

Diagram: Strength of Authentication axis from Weak to Strong, with “The Authentication Gap” marked between them.

Slide 31: Comparison ArcotID vs. Other Technologies

Chart dimensions (Identity Management):

- Strength of Authentication: Weak … Strong
- Cost of Deployment and Support: $ … $$$$
- User Experience: Transparent … Impacted
- Application Flexibility: Application Specific … Highly Flexible

Slide 32: Beyond Strong Authentication

Slide 33: Beyond Strong Authentication: Secure Delivery of eStatements

ROI:

  Paper statement cost                 €0,60
  Electronic statement cost            €0,06
  Savings per statement                €0,54
  12 statements a year                 €6,48

  Annual cost for e.g. 100K users:
    Paper based statements             €650.000
    Electronic statements              €150.000
  Anticipated savings per 100K users   up to €500.000 per year

Slide 34: Beyond Strong Authentication: Receiving a Secure Electronic Statement

1. Customer selects the e-mail message.
2. Customer opens the PDF attachment and is prompted for a “username” and “password”, which unlocks their second factor, the ArcotID, and gives access to the private key required for the decryption in step 3.
3. Transparent to the customer, the document is decrypted, verified for integrity and presented to the customer.

(Screenshot: User Authentication dialog with Username: rjones, Password: *********)

Slide 35: Beyond Strong Authentication: Efficient Loan Origination

(Diagram: the customer holds an ArcotID)

1. Bank e-mails encrypted PDF loan documents to the customer.
2. Customer verifies that the documents are certified as having come from the bank.
3. Customer digitally signs the document using Arcot software and Adobe Reader.
4. Customer e-mails the signed, encrypted document to the bank.
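The cryptographic exchange behind slides 34 and 35 (the bank encrypts a document to the customer and certifies it; the customer unlocks a private key with a password, checks the certification, decrypts, verifies integrity and signs; the bank verifies the returned signature), as an added example built on the `cryptography` package. It is not Arcot's code: the password-protected PKCS#8 key file is an assumed stand-in for the ArcotID and is not how ArcotID stores keys, and the key sizes, padding choices, password and document are constructed.

```python
"""Encrypt-and-certify delivery of a document to a customer whose private key
is unlocked by a password, and signed return of that document.  Added example
using the `cryptography` package; not Arcot's code.  The password-protected
PEM key is an assumed stand-in for the ArcotID, not its real storage format."""
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def lock_private_key(key, password: bytes) -> bytes:
    """Password-protect the customer's private key (slide 34 step 2: the
    username/password unlocks the second factor that holds the key)."""
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.BestAvailableEncryption(password))


def unlock_private_key(pem: bytes, password: bytes):
    # Raises ValueError when the password is wrong.
    return serialization.load_pem_private_key(pem, password=password)


def sign(priv, data: bytes) -> bytes:
    return priv.sign(data, PSS, hashes.SHA256())


def verify(pub, signature: bytes, data: bytes) -> bool:
    try:
        pub.verify(signature, data, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def encrypt_for(recipient_pub, plaintext: bytes) -> dict:
    """Hybrid encryption: AES-256-GCM for the document, RSA-OAEP for the key.
    GCM's tag is what gives the integrity check of slide 34 step 3."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {"wrapped_key": recipient_pub.encrypt(cek, OAEP),
            "nonce": nonce,
            "ciphertext": AESGCM(cek).encrypt(nonce, plaintext, None)}


def decrypt_with(priv, envelope: dict) -> bytes:
    cek = priv.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(cek).decrypt(envelope["nonce"], envelope["ciphertext"], None)  # InvalidTag if altered


def bank_sends(bank_priv, customer_pub, document: bytes) -> dict:
    """Slide 35 step 1: encrypt to the customer and certify the result as the bank's."""
    envelope = encrypt_for(customer_pub, document)
    envelope["bank_signature"] = sign(bank_priv, envelope["ciphertext"])
    return envelope


def customer_receives(locked_pem: bytes, password: bytes, bank_pub, envelope: dict):
    """Slide 34 steps 2-3 / slide 35 steps 2-3: unlock the key, check the bank's
    certification before decrypting, then decrypt and sign the document."""
    priv = unlock_private_key(locked_pem, password)
    if not verify(bank_pub, envelope["bank_signature"], envelope["ciphertext"]):
        raise ValueError("document is not certified as coming from the bank")
    document = decrypt_with(priv, envelope)
    return document, sign(priv, document)


def bank_receives(customer_pub, document: bytes, customer_signature: bytes) -> bool:
    """Slide 35 step 4: the bank checks the customer's signature on the returned document."""
    return verify(customer_pub, customer_signature, document)


def run_flow(password: bytes, entered: bytes,
             document: bytes = b"Loan agreement no. 0001 (constructed)") -> dict:
    """Drive the whole exchange once and report what each side concluded."""
    bank, customer = make_keypair(), make_keypair()
    locked = lock_private_key(customer, password)
    envelope = bank_sends(bank, customer.public_key(), document)
    try:
        received, customer_sig = customer_receives(locked, entered, bank.public_key(), envelope)
    except ValueError:
        return {"unlocked": False, "document_intact": False, "bank_verified_customer": False}
    return {"unlocked": True,
            "document_intact": received == document,
            "bank_verified_customer": bank_receives(customer.public_key(), received, customer_sig)}


if __name__ == "__main__":
    print(run_flow(b"correct password", b"correct password"))
    print(run_flow(b"correct password", b"wrong password"))
```

For the return leg of slide 35 step 4 the customer would wrap the signed document with `encrypt_for(bank_pub, ...)` in the same way; it is left out of `run_flow` to keep the two checks the slides care about (bank certification before decryption, customer signature after) in the foreground. Ordering the bank's signature over the ciphertext means a tampered or misdirected attachment is rejected before any key material is used on it.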

Slide 36: Deployments

Slide 37: Customer Deployment Examples

- Daimler-Chrysler Bank (DE): secure portal access for the Treasury department; protection of Citrix access for employees
- Swedbank (LU): online banking access for customers via portal; protection of Citrix access for employees
- SSI Search: strong authentication to financial service portal
- Certegy (US): strong authentication for VPN access by partners
- Wells Secure (US): digital IDs for individuals and businesses; authentication and digital signing application

Slide 38: Summary

Slide 39: Arcot Strong Authentication

- Proven consumer authentication platform
  - 3-D Secure rolled out worldwide to millions
  - Supported and marketed by Visa, MasterCard, JCB
- Proven enterprise authentication platform
  - Software two-factor solution in place at major corporations
  - Worldwide installations – U.S., Asia-Pac, Europe
  - Integration / co-existence with other ID mgmt and auth solutions (hardware, etc.)
- Patented & proven mature technology, developed and in use since 1997
- Industry-standards compliant – Identrus, SAFE, PKCS#11, MS-CAPI, X.509
- Extensible to mobile and other devices
  - Small footprint interfaces
  - First mobile pilots started in 2005

Slide 40: Arcot Benefits Beyond Authentication

- Enables digital signatures – replace print & sign
  - New saving / checking account opening
  - Commercial account opening / changes of standing orders, direct debits etc.
  - Online credit card applications
  - Mortgages / home-equity line of credit
- Enables encryption
  - PDF based secure communication of statements and other sensitive data to the end user
- Supports federation
  - ArcotID PKI-based platform provides support for smart card implementations and other government initiatives
- Allows roaming of users
  - Transferring user credentials temporarily to other machines
- Integrates as needed with Verified by Visa or MasterCard SecureCode, J-Secure by JCB consumer auth programs

Slide 41: Why Arcot?

- Long-standing player in the authentication space
- Experience in how to provide authentication to a large number of users
- Flexible, cost-effective and future-proof solution
- Local representation through our strong partner IND
- Strong technology partnerships with Adobe, Documentum and others

Slide 42: Questions?

Slide 43: Thank You!

For further information, please contact:

Michael Seifert, Managing Director Arcot, [email protected], or the local IND office

Slide 44: Backup Slides

Slide 46: SAFE Infrastructure

Diagram: Physician, Pharmas, Issuers and FDA connected via the Internet, with the following components:

- Universal Client™ – common client to support digital signing
- RegFort™ – registration platform
- TrustFort™ – server-side signature validation
- SignFort™ – server-side signature generation