May 2012 (C) 2012 Platez Pty. Ltd. Patents Pending
The Problem
The problem with all systems is that when you authenticate your identity, you are required to interact with the system in such a way that casual or systemic observation will invite compromise, i.e. entering a password or a PIN. Every time you physically validate your identity by entering it, i.e. at an ATM, when you log on to your computer at work or when you perform internet banking, you are at risk of having your identity stolen or misused.
ATM Phishing Fraud
Ever been to an ATM and wondered if the transaction you are about to perform could somehow enable someone else to take money out of your account?
ATM Phishing Fraud
Yes, that's a camera transmitting your PIN; they even do pinhole cameras mounted in the plastic above the keypad. And that device is one of many used to skim/copy your card. This approach defeats specialised card security methods.
The Goal
The challenge we undertook was to build a security method that would enable anyone, in any location, using any device, to prove their identity without fear of someone then being able to impersonate them and perform fraudulent actions. We also set the additional requirements of:
A. The user must not require any other devices (i.e. no special cards or smart tags), and
B. Systems should not require physical changes to implement it (i.e. ATMs, merchant EFTPOS etc.), as we don't necessarily have the ability to control or change these systems.
The Result - Forticom
Forticom can:
1. Protect you at the ATM
2. Protect you when you use your credit card
3. Stop face-to-face teller fraud (impersonation)
4. Stop internal fraud
5. Stop internet banking fraud
6. Stop identity theft
7. Protect you whether you're on your home PC, work PC, internet café, iPad or your mobile
Forticom does not detect fraud post event; it stops the fraud from happening wherever you are required to provide an identity and authentication. Forticom can be introduced anywhere, regardless of industry, location or technology base.
What is really at risk?
Anything and everything. Taking events in the recent news:
- Twitter accounts compromised
- Facebook accounts compromised
- Internet banking scams
- Fob systems compromised
- Credit card scams
Forticom can protect:
- Over 120 billion in cash withdrawals annually
- Reputations and credibility
- Customers, and regain lost confidence
Inside the square
Existing security methods follow a similar process:
a) Enter your credential
b) Secure it to the nth degree using an implausibly non-reversible crypto method (i.e. MD5)
c) Secure the pipe between the place where you entered your credential and the place where it is verified
d) Compare the non-reversible crypto mash with the one stored in the system, and if they match, then it must be you!
Even the most complex systems using tokens/keyfobs are using an algorithm that is present in the card or device, and if that algorithm is compromised then it can be defrauded.
Here's where the problem exists: simple observation (i.e. someone looking over your shoulder) 100% compromises you, not just once, but forever.
Terminology
We are introducing the term SteelCode; it refers to the authentication code that a user enters when validating their identity using a Forticom integrated system. A SteelCode is a response to a system challenge, and can vary from system to system, and also from user to user. Forticom implements a set of keys, responses, rules and methods which are customisable at all levels.
Forticom Claims - 1
There is no observable pattern to your SteelCode.
Using Forticom, I can attend an ATM and have my card sniffed and my SteelCode recorded, and, without any modification to card technology or the ATM technology, the observed information cannot be used to perform another transaction. Forticom allows for safe authentication in plain sight.
Forticom Claims - 2
Resilient to raw brute force attacks.
Limits such as 3 fails in a row or 3 tries in 5 minutes assist against these attacks, but all systems can be attacked using brute force methods. In theory, if 10000 people accessed 10000 ATMs at the same time, each with a copy of my card, and each tried a different PIN, one would get in, and worse, they could continue to get in until I report it. Under Forticom, using the same 4 digit limitation, the odds of success are reduced to 1 in 10000 for each access attempt, and even if they fluke access, it would only be useful once; they could not do it again.
Forticom Claims - 3
Observable data.
Forticom is so novel that not only can the user be observed and recorded without compromising their SteelCode, but the entire authentication data stream between entry point and the server where it is validated can also be recorded and analysed, also without compromising their SteelCode.
Forticom Claims - 4
Minimal impact.
Converting to Forticom is a minimal impact undertaking, inasmuch as it does not change the flow of the way people interact with existing systems and it does not require changes to human-machine interface devices such as ATMs or point of sale devices*. I.e. you would approach an ATM, put your ATM card in and then type in your SteelCode.
* There may be some systems we are not aware of that we cannot identify a solution path for.
Forticom Claims - 5
You can't crack random.
Forticom gives you the ability to use your brain to convert a pure random sequence into something meaningful. Because it is truly random, there is no algorithm, there is no pattern, there is nothing to compromise. Having the complete code for the Forticom back end does not assist a potential hacker.
How it works
As a registered Forticom user I specify a Key and a Method.
The Key is based upon a set of symbols as defined by the Forticom Server; in the case of our demonstration system, A to Z and a to z, a total of 52 key symbols.
The Method is one or more of the following:
- Straight Keyword, i.e. FRED
- Offset Keyword, i.e. FRED but I add or subtract up to 5
- Crawling Keyword, i.e. FRED but I add or subtract 1, then 2, then 3 etc.
- Masking, i.e. FR#ED
- and more!
I, as the user, define my Key and my Method, and I NEVER again enter, expose, discuss or use them; I don't need to!
How it works
With each authentication, a newly-generated matrix of random numbers appears. The same matrix never appears twice.
So let's assume my Key is FRED and I have defined a Method of minus 1. When I go to authenticate I interpret the matrix. In this instance F=0, R=1, E=0 and D=1. So my SteelCode, when I apply my Method and ignore any minus signs, would be 1010 this time.
How it works
The next time I access my account, a totally different matrix of random numbers appears. As before, my Key is FRED and I have defined a Method of minus 1. When I go to authenticate I interpret the matrix. In this instance F=0, R=0, E=0 and D=1. Applying my Method of subtracting 1 and ignoring signs gives me a SteelCode of 1110 this time.
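As an added illustration (not code from these slides or from Forticom), the following Python models the SteelCode exchange described on the "How it works" slides: the server issues a fresh digit for each of the 52 symbols, the user derives the code from the Key and Method, and the server recomputes and compares. The method names, the use of a seeded random source and the modulo-10 reduction of results are assumptions; the slides show only the two FRED examples, which are reproduced here.

```python
import random
import string
from typing import Dict

# Symbol set of the demonstration system described on the slides: A-Z and a-z (52 symbols).
SYMBOLS = string.ascii_uppercase + string.ascii_lowercase


def new_challenge(rng: random.Random) -> Dict[str, int]:
    """Server side: assign a fresh random digit 0-9 to every symbol.
    This stands in for the 'matrix of random numbers' shown to the user."""
    return {s: rng.randrange(10) for s in SYMBOLS}


def steelcode(challenge: Dict[str, int], key: str, method: str, amount: int = 0) -> str:
    """User side: read the digit under each Key symbol and apply the Method.
    Methods modelled from the slides: 'straight' (use the digit as shown),
    'offset' (add or subtract a fixed amount), 'crawling' (add or subtract
    1, then 2, then 3, ...). Minus signs are ignored, as in the slide examples.
    Assumption: results are reduced modulo 10 so each position stays one digit."""
    out = []
    for pos, sym in enumerate(key):
        d = challenge[sym]
        if method == "offset":
            d += amount
        elif method == "crawling":
            d += amount * (pos + 1)
        elif method != "straight":
            raise ValueError(f"unknown method {method!r}")
        out.append(str(abs(d) % 10))
    return "".join(out)


def verify(challenge: Dict[str, int], key: str, method: str, amount: int, submitted: str) -> bool:
    """Server side: recompute the expected SteelCode for this challenge and compare."""
    return steelcode(challenge, key, method, amount) == submitted


def replay_hits(key: str, method: str, amount: int, trials: int, seed: int = 1) -> int:
    """Count how often a SteelCode observed under one challenge is accepted under
    a fresh challenge (the 'only useful once' claim). Expect a tiny fraction."""
    rng = random.Random(seed)
    observed = steelcode(new_challenge(rng), key, method, amount)
    return sum(verify(new_challenge(rng), key, method, amount, observed) for _ in range(trials))


if __name__ == "__main__":
    # Constructed challenge reproducing the slide's first example: F=0, R=1, E=0, D=1.
    slide = {"F": 0, "R": 1, "E": 0, "D": 1}
    print(steelcode(slide, "FRED", "offset", -1))   # 1010, as on the slide
    print(replay_hits("FRED", "offset", -1, 5000))  # replays accepted out of 5000 fresh challenges
```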
How it works
What about key loggers, when I change my Keyword? When you first enter or subsequently change your Keyword, you get a different type of matrix. This time, the letters are randomised, and do not appear as text but as images, with unrelated random names. The keylogger can still follow the button presses, but only knows which image each relates to, whose name is meaningless.
Why is this useful?
Since I never actually enter my real credentials, it doesn't matter if someone watches me, or if they record what I do. With the permutations available, there can be hundreds of thousands of combinations that would need to be considered in order to reverse engineer my Key and Method, allowing someone to then steal my identity.
The benefits are widespread:
1. I don't need to change my password every 30 days
2. I don't have to be ultra-paranoid about who could be watching
3. I don't need to carry a mobile or a special security device in order to prove my identity
4. I get to control how complex my Key and Method are; for low risk items I can have a 4 symbol Key with a basic Method, for high risk I can use an 8 symbol Key with a symbol based offset
Just think…
If a web-based system I used was protected by Forticom, I would be able to walk into an internet café in my birthday suit, sit down at a computer that:
1. Was infested with malware, spyware and keyloggers
2. Had a spy camera pointed at the screen and the keyboard
3. Had a sniffer copying all data in and out of the computer
and log onto that site, perform whatever transactions I needed to, then log out knowing that even with all that information, they cannot perform subsequent authentications as me. There is no system we can think of that we couldn't make Forticom work for.
Thank you
For further information relating to Forticom please contact:
- sales@ForticomGroup.com
- Tony.Smales@FortiComGroup.com
- Mark.Sitkowski@ForticomGroup.com
To view a working online system, with online banking, ATM and online securities trading, go to http://www.designsim.com.au