Date posted: 05-Jan-2016 | Uploaded by: patrick-black
WHAT KEEPS USERS AWAY?
Chart: reasons consumers give for not using online banking, surveyed yearly 2005–2008 (horizontal axis 0% to 60%). The four reasons plotted are: “I fear that my account information will be viewed by an unauthorized party”; “I prefer dealing with people”; “I do not want to pay a fee”; “I do not find online banking valuable”. Source: © Javelin Strategy and Research, August 2008.
Identity Fraud – Evolution and Solutions
Agenda
Attack vectors
– Phishing
– Man-in-the-middle (MITM) attacks
– Malware
Solutions
– One-time passwords
– Transaction signatures
– Endpoint assessment
Summary
Phishing
Pharming
Diagram: the user’s browser requests http://www.nicebank.com and asks the DNS server (local or ISP) to resolve the name; the attacker has tampered with the DNS answer, so the user is sent to the fake website www.n1cebank.com instead of the genuine website www.nicebank.com.
Smishing
Vishing
Two-factor authentication: something the user has
Strengths
– Compromised user credentials are less valuable to the attacker
– Breaks down the traditional economic model of phishing attacks
Types of one-time passwords
– Counter-based one-time passwords
– Time-based one-time passwords
– Challenge-based one-time passwords
– Mutual authentication one-time passwords
– Out-of-band one-time passwords
OATH (Open Authentication)
A group of technology and industry leaders
– 60+ members
– Open and royalty-free specifications
– Promote interoperability
Benefits
– Standardization drives down cost
– Prevents “vendor lock-in”
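The counter-based and time-based one-time passwords listed above are what the OATH specifications standardize (HOTP in RFC 4226, TOTP in RFC 6238). The following is an added example, not code from the slides or from OATH, showing both algorithms and a server-side check that explains the “compromised credentials are less valuable” claim: the secret is the RFC 4226 test-vector key, a constructed stand-in for a provisioned per-token secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed demo secret shared between token and server (the RFC 4226
# test-vector key, not a value from the slides). Real deployments provision
# a random per-token secret at enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (OATH HOTP, RFC 4226).

    HMAC-SHA1 over the big-endian 8-byte counter, then "dynamic truncation":
    the low nibble of the last MAC byte selects a 4-byte window, whose top bit
    is masked off before reducing modulo 10**digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (OATH TOTP, RFC 6238): HOTP with the counter taken from the clock."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, look_ahead: int = 5) -> Optional[int]:
    """Server-side HOTP check with a resynchronisation window.

    Tries the counters after the last accepted one (the token may have been
    pressed without logging in). Returns the matching counter so the caller
    stores it as the new high-water mark, or None if nothing matches. Codes at
    or below last_counter are never accepted, so a phished OTP cannot be
    replayed once the legitimate user has spent it.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def replay_demo() -> Tuple[Optional[int], Optional[int]]:
    """A captured OTP is accepted once and rejected on replay."""
    server_counter = 0
    captured = hotp(SECRET, 3)                               # code the user types in
    first = verify_hotp(SECRET, captured, server_counter)    # legitimate use -> 3
    server_counter = first
    second = verify_hotp(SECRET, captured, server_counter)   # replay -> None
    return first, second


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(SECRET, c)}")
    print("TOTP now:", totp(SECRET))
    print("first use / replay:", replay_demo())
```

The look-ahead window is the practical trade-off in HOTP deployments: too small and tokens drift out of sync, too large and an attacker gets more guesses per attempt; TOTP replaces the window with a clock skew tolerance of one or two time steps.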
MITM / MITB attacks
Man-in-the-middle attack
Diagram: end-user “John” sends to what he believes is the bank: 1. “John”, “pswd”; 2. OTP; 3. $500 to Bob. The man in the middle, sitting between the end-user and the web server, forwards 1. “John”, “pswd” and 2. OTP unchanged to the NetBanking server but replaces step 3 with $5000 to Bill. The OTP proves who logged in, not what was submitted, so the bank executes the altered transfer.
Man-in-the-browser attack
Diagram: same outcome, but the interception happens on the end-user’s computer. A banking Trojan inside the browser passes the credentials and OTP through and rewrites $500 to Bob into $5000 to Bill before the request leaves the machine, so the NetBanking server sees a well-formed, authenticated request.
Transaction Signing with Soft Tokens
Signature = cryptographic Message Authentication Code
Diagram (left column: on internet banking; right column: on the software token):
1. Enter account no: 0243758
2. Enter amount: 0243758, 500.00
3. Generate signature: 0243758, 500.00 → afcbff100
4. Seal transaction with signature: 0243758, 500.00, afcbff100
Transaction signature stored in audit log for verification
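The slides state the principle (signature = MAC over the transaction) without showing why it defeats the man-in-the-browser from the previous slide. The following added example, not code from the deck or from any token vendor, implements a truncated HMAC-SHA256 over the account number and amount, the bank’s verification against the transaction as received, and the audit-log entry; the key is a constructed stand-in for a per-customer token key, and the account number used for the tampered request is constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed demo key shared between John's software token and the bank's
# verification server (not a value from the slides; a real token holds a
# per-customer key provisioned at enrolment).
TOKEN_KEY = b"constructed-demo-token-key"


def canonical(account_no: str, amount: str) -> bytes:
    """Fixed field order and separator so token and server MAC the same bytes.

    Without a separator, 0243758 + 500.00 and 024375 + 8500.00 would
    concatenate to identical input; forbidding '|' inside fields keeps the
    encoding unambiguous.
    """
    if "|" in account_no or "|" in amount:
        raise ValueError("field separator not allowed in transaction fields")
    return f"{account_no}|{amount}".encode("ascii")


def sign_transaction(key: bytes, account_no: str, amount: str, digits: int = 9) -> str:
    """Transaction signature = truncated HMAC-SHA256 over the canonical transaction.

    The slides' signature (afcbff100) is 9 hex characters: short enough to read
    off a token display and type in. Truncation trades brute-force margin for
    usability, which the server must bound with attempt counters.
    """
    mac = hmac.new(key, canonical(account_no, amount), hashlib.sha256).hexdigest()
    return mac[:digits]


def verify_transaction(key: bytes, account_no: str, amount: str, signature: str) -> bool:
    expected = sign_transaction(key, account_no, amount, len(signature))
    return hmac.compare_digest(expected, signature)


def bank_process(key: bytes, tx: Dict[str, str], signature: str,
                 audit_log: List[Dict[str, str]]) -> bool:
    """Server side: recompute the MAC over the transaction *as received*, then log."""
    accepted = verify_transaction(key, tx["account"], tx["amount"], signature)
    audit_log.append({**tx, "signature": signature,
                      "result": "accepted" if accepted else "rejected"})
    return accepted


def mitb_demo() -> Tuple[bool, bool, List[Dict[str, str]]]:
    """Replays the MITB diagram: the Trojan forwards John's signature with altered fields."""
    audit_log: List[Dict[str, str]] = []
    # John reads 0243758 / 500.00 off the token display and the bank page agree.
    signature = sign_transaction(TOKEN_KEY, "0243758", "500.00")
    # Untampered request reaches the bank.
    honest = bank_process(TOKEN_KEY, {"account": "0243758", "amount": "500.00"},
                          signature, audit_log)
    # A Trojan rewrites the request after signing but has no key to re-sign it
    # (constructed account number 7777777 stands in for "Bill").
    tampered = bank_process(TOKEN_KEY, {"account": "7777777", "amount": "5000.00"},
                            signature, audit_log)
    return honest, tampered, audit_log


if __name__ == "__main__":
    honest, tampered, log = mitb_demo()
    print("honest accepted:", honest, "| tampered accepted:", tampered)
    for entry in log:
        print(entry)
```

Because the signature binds the account number and amount the user actually saw on the token, anything changed in the browser afterwards fails verification, and the rejected entry in the audit log is the detection signal. A production token also folds a transaction counter or timestamp into the signed data so that a valid signature cannot be replayed against a second identical transfer.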
Risk levels (NIST SP 800-63-1)
Chart: the four assurance levels (Minimal, Low, Medium, High) set against the authentication technologies KBA (knowledge-based authentication), OTP, PKI and OOB (out-of-band).
Security Industry in 2001
Security Industry in 2011
Trojans / Malware
Endpoint Assessment
– Endpoint security assessment
– Session clean-up
Diagram: endpoint assessment flow
POLICY: required controls – personal firewall, anti-virus, spyware, patches
SCAN: inventory the device using a file scan, process scan, registry scan and OS scan
COMPARE: compare the device scan with the access policy
Result: Allow, Partial Pass or Decline
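As an added example of the SCAN → COMPARE step (not code from the slides or from any endpoint-assessment product), the block below maps a constructed device inventory onto the four policy controls and produces the three-way decision; the process, registry and file names are illustrative placeholders, and the mandatory/recommended split is an assumed policy shape chosen to show how Partial Pass differs from Decline.

```python
from typing import Dict, List, Tuple

# Constructed sample of what the four scans might report for one device.
# Process, registry and file names are placeholders, not real products or
# registry paths.
SAMPLE_SCAN = {
    "process": {"explorer.exe", "example-av-engine.exe"},
    "registry": {"EXAMPLE_PERSONAL_FIREWALL_ENABLED": 1},
    "file": set(),                                   # no anti-spyware component found
    "os": {"patch_level": 3, "required_patch_level": 5},
}

# Assumed access policy: mandatory controls fail to Decline, recommended
# controls fail to Partial Pass (for example, a restricted session).
ACCESS_POLICY = {
    "personal_firewall": "mandatory",
    "anti_virus": "mandatory",
    "anti_spyware": "recommended",
    "patches": "recommended",
}


def derive_controls(scan: Dict) -> Dict[str, bool]:
    """Map raw inventory (registry, process, file, OS scans) to the policy's control names."""
    return {
        "personal_firewall": scan["registry"].get("EXAMPLE_PERSONAL_FIREWALL_ENABLED") == 1,
        "anti_virus": "example-av-engine.exe" in scan["process"],
        "anti_spyware": "example-antispyware.dll" in scan["file"],
        "patches": scan["os"]["patch_level"] >= scan["os"]["required_patch_level"],
    }


def compare(controls: Dict[str, bool], policy: Dict[str, str]) -> Tuple[str, List[str], List[str]]:
    """COMPARE step: decision plus the failed mandatory and recommended controls.

    A control missing from the scan altogether counts as failed, so an
    incomplete inventory cannot be mistaken for a compliant one.
    """
    failed_mandatory = sorted(
        c for c, level in policy.items() if level == "mandatory" and not controls.get(c, False)
    )
    failed_recommended = sorted(
        c for c, level in policy.items() if level == "recommended" and not controls.get(c, False)
    )
    if failed_mandatory:
        decision = "Decline"
    elif failed_recommended:
        decision = "Partial Pass"
    else:
        decision = "Allow"
    return decision, failed_mandatory, failed_recommended


def assess(scan: Dict, policy: Dict[str, str] = ACCESS_POLICY) -> Tuple[str, List[str], List[str]]:
    return compare(derive_controls(scan), policy)


if __name__ == "__main__":
    decision, hard, soft = assess(SAMPLE_SCAN)
    print(decision, "| failed mandatory:", hard, "| failed recommended:", soft)
```

Returning the failed controls alongside the decision matters for the Partial Pass case: the user can be told which control to fix, and the session clean-up step from the previous slide can be scoped to what was actually missing.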
Summary
Sophistication of identity fraud schemes is increasing
Authentication deployments are converging to:
– Hybrid solutions: >1 authentication method per end-user
– Risk-based authentication
– Endpoint security assessment
Choose a technology that
– Does not lock you in
– Provides the entire solution – from authentication to endpoint assessment to abolishment