2

WHAT KEEPS USERS AWAY?

3

47%46%

43%39%

40%

50%45%

34%

21%15%

20%19%

13%26%

20%12%

I fear that my account information will be

viewed by an unauthorized party

I prefer dealing with people

I do not want to pay a fee

I do not find online banking

valuable

2008

2007

2006

2005

0% 10% 20% 30% 40% 50% 60%

©Javelin Strategy and Research, August 2008

Identity Fraud – Evolution and Solutions

AgendaAttack vectors

– Phishing

– Man-in-the-middle (MITM) attacks

– MalwareSolutions

– One-time passwords

– Transaction signatures

– Endpoint assessmentSummary

5

Phishing

6

Pharming

7

http://www

http://wwwhttp://www

User

Websitewww.nicebank.com

Fake Websitewww.n1cebank.com

Attacker

DNS Server(Local or ISP)

Smishing

8

Vishing

9

11

Two factor authenticationSomething the user hasStrengths

– Compromised user credentials less valuable for attacker

– Break down the traditional economic model of phishing attacks

12

Types of one-time-passwordsCounter-based one-time passwordsTime-based one-time passwordsChallenge-based one-time passwordsMutual authentication one-time passwordsOut-of-Band one-time passwords

OATH (Open Authentication)A group of technology and industry leaders

– 60+ members

– Open and royalty-free specifications

– Promote interoperability

Benefits– Standardization drives down cost

– Prevents “vendor lock-in”

MITM / MITB attacks

14

Man-in-the-middle attack

End-User“John”

1. “John”, “psd”

BrowserNetBankingServer

Banking Trojan

2. OTP

3. $500 to Bob

1. “John”, “pswd”

2. OTP

3. $500 to Bob

1. “John”, “pswd”

2. OTP

3. $5000 to Bill

End-User’s Computer

Man-in-the-browser attack

WebServerEnd-User MITM

Transaction Signing Soft TokensSignature = cryptographic Message Authentication Code

15

On Internet BankingOn the software token

Enter Account no

0243758

Enter Amount

0243758

500.00

Generate Signature

0243758

500.00

afcbff100

Seal Transaction with Signature

0243758

500.00

afcbff100

Transaction signature stored in Audit Log for verification

Risk levels (NIST SP 800-63-1)

16

Minimal

High

Medium

Low

KB

A

OT

P

PK

I

OO

B

17

Security Industry in 2001

Security Industry in 2011

18

Trojans / Malware

Endpoint AssessmentEndpoint Security Assessment

Session Clean-Up

19

POLICY

Personal FirewallAnti-VirusSpywarePatches

Inventory Device usingFile ScanProcess ScanRegistry ScanOS Scan

Compare device scan with access policy

SCAN COMPARE

AllowPartial PassDecline

20

SummarySophistication of identity fraud schemes is increasing Authentication deployments are converging to:

– Hybrid solutions: >1 authentication method per end-user

– Risk-based authentication

– Endpoint security assessmentChoose a technology that

– Does not lock you in

– Provides entire solution – from authentication to endpoint assessment to abolishment

Questions and Answers

E-mail: tejas.lagad@nexussafe.comMobile: +91 99229 39931Twitter: @Ltejas