Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. Introducing SecuSURF SA Cellular Phone-Based Single-Use Password Authorization Solution.

Similar presentations


Presentation on theme: "Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. Introducing SecuSURF SA Cellular Phone-Based Single-Use Password Authorization Solution."— Presentation transcript:

1 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. Introducing SecuSURF SA Cellular Phone-Based Single-Use Password Authorization Solution July 2007 Nomura Research Institute, Ltd. Infrastructure Solution Division 1

2 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 1 Recent Network Crimes July 11, 2007Shinsei BankPhishingPharming April 27, 2007Resona, Saitama Resona Bank Unauthorized WithdrawPassword Leak (Cause unidentified) Sept. 29, 2006Saitama Resona BankUnauthorized WithdrawPassword Leak (Cause unidentified) May 31, 2006Saitama Resona BankUnauthorized WithdrawPassword Leak (Cause unidentified) January 26, 2006Japan Net BankUnauthorized WithdrawSpyware January 10, 2006Suruga BankUnauthorized WithdrawPassword Leak (Cause unidentified) * Published incidents only  Phishing became the #1 Cause of Information Theft in just One Year Japanese authority reported that the number of arrests made on information theft in 2006 increased 2.5 times from the previous year, and that phishing and spyware became the more popular methods for the cyber criminals. While the number of arrests increased from 277 in 2005 to 703 in 2006, the number of arrested persons showed only a modest increase from 116 to 130, indicating that more multiple crimes were committed by the same parties. No arrest was made on security hole attacks. The most popular method of stealing password and other data was phishing with 220 known cases. Although there was only one arrest made on phishing fraud in 2005, the number increased significantly in 2006. Use of spyware to steal information also increased significantly from 33 cases in 2005 to 197 cases in 2006.  Financial Service Agency's 2006 Cyber Crime Report Online banking frauds doubled since the previous year to reach 98 cases and the number is on the rise. On the other hand, the average loss declined from 2.14 million yen to 1.05 million yen, almost a half of the previous year. About 67.5% of the cases were subject to compensation.  Unauthorized Withdraw 199 Cases; 300 Million Yen in Damages Between 2003 and 2006, Japanese online banks and postal savings suffered 199 cases of unauthorized withdraw, with the accumulated damage exceeding 300 million yen. Online Banking provides fund transfer services via PC. According to a research conducted by the Financial Services Agency (FSA) on about 700 financial institutions, ranging from major banks to credit associations which the Agency supervises, there were 105 fraud cases with 174 million yen in total damages. Furthermore, the Japan Postal Service reported that it found 94 cases with the total loss of 139 million yen since 2004, making the combined totals 199 cases with 313 million yen in damages. The FSA and other sources indicate that many of these cyber crimes involve malicious software programs such as spyware, which steal passwords from infected client PCs, and file exchange utilities leaking passwords. However, only a few cases have the exact methods of operation identified. Actual # of Cases are on the Rise

3 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 2 User Actions Corporate Actions Supports the users’ attentions & efforts Corporate-only Measures Eliminate Site Vulnerability Tighten User Auth. Mail Sender Certification Tighten Site Authentication Spyware Detection/Removal Keylogger prevention Tighten Site Authentication Early Implementation Possible Periodic check-ups using site safety diagnostic services, etc. Single-use password, Two-factor authentication, Cross certificate, etc. Examples of Specific Actions Cross-certificate, Official site certification, Phishing detection, etc. Software keyboard, Key-stroke signal encryption, etc. Sendor domain authentication, S/MIME certification, etc. Use of spyware removal tools, careful mail handling, etc. Confirm the displayed URL and SSL server certificates. Enterprise Measures Trends

4 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 3 Authentication Enhancement Status by Company (BtoC) Mitsui-Sumitomo BankIBOTP, FAHard-Token OTP (RSA), Fraud Action (IRSA) Japan Net BankIBOTP, FAHard-Token OTP (RSA), Fraud Action (IRSA) Mizuho Bank IB (Planned ) OTP, FA, FDSHard-Token OTP (RSA), Fraud Action (IRSA) Nomura SecuritiesOn-Training OTP Hard-Token OTP (Verisign), SecuSURF Kyoto BankIB OTP Cellular Application OTP (RSA) Iwate BankIB OTP Cellular Application OTP (RSA) Yokohama Bank IB (Planned ) OTPHard-Token OTP (RSA) Fukuoka Bank IB (Planned ) OTPHard-Token OTP (RSA) NTT DataANSWER- WEB OTP Cellular Application OTP (RSA) * Measures such as the use of software keyboard are excluded.

5 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 4 Single-Use Password Authentication using a Cell Phone ・ Enhances the Authentication Level ・ Reduces the Enterprise Security Cost ・ Provides the Users with Ease-of-Operation SecuSURF SA

6 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 5 Single-use Passwords issued via Cellular Phone. Users can issue single-use passwords by accessing the SecuSURF cell phone site with their own cellular phones. Supports Wide Assortments of Devices and Users. A wide range of applications are possible because users can use almost any cellular devices with Internet access capability regardless of their cell phone carriers. (Newer models are supported seamlessly.) High-level Security can be Implemented. Single-use passwords are issued only when the user enters his/her own passwords (PINs) on his/her own cellular phone (Two- factor authentication by what the user has and what the user knows). Even if the user loses both his/her cell phone and the PIN, simply stopping his/her cell phone service prevents a single-use password from being issued, effectively preventing illegal access by identity thieves. Reduces Operating Cost SecuSURF SA can significantly reduce the company's cost associated with procuring conventional single-use password generation devices and distributing such devices to the users. In addition, user support becomes easier because no software has to be installed into the cellular phone, eliminating the need of identifying each individual user's device configuration when the users request support. If the customer requires, a software package can be made available. The single-use password issue/authentication processing service (ASP) can also be provided. Possible Application into Cellular-based Services SecuSURF SA's two-factor authentication feature can be used by various cellular-based services to authenticate the user without having to issue/enter single-use passwords. SecuSURF SA Features Almost all cell phone models from NTT DoCoMo, au by KDDI, and SoftBank are supported, including 95% of all cellular phones released after April 2004. Patent Pending

7 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 6 123456123456 ABC Bank Online Banking Single-use Pwd Latest News Shopping Financial News About Security PIN 1 * SecuSURF SecuSURF menu Go back Send · Single-use Pwd 1 * SecuSURF k9z32m6 SecuSURF menu ABC Bank Home A single-use password is issued each time the service is accessed, making the authentication extremely secure. Site Top Login Screen (Conventional) Enhanced SecurityService Screen **** Example of SecuSURF SA Usage

8 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 7 Your Website Application (2) Enters PIN. (3) PIN & device ID transmitted (1)Accesses the specified URL to display authentication screen. (5) Single-use password transmitted. Auth. Data Application SecuSURF Browser OTP Browser OTP ****** (4)Verifies the device ID# registration status and generates a single-use password (the generated OTP is kept). (6) Enters the single-use password. (8) Post-authentication screen. (7)Inquires SecuSURF if the user's OTP is accurate. SecuSURF issues & verifies pwd. User SecuSURF SA Authentication Flow

9 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 8 DB Internet Single-use Pwd k9z32m 6 Cell Phones Hand-held browser Browser DoCoMo au vodafone EZweb network Softbank network i-mode network Sample SecuSURF SA Configuration Internet Service Application Enterprise Server SecuSURF server (Issues & validate OTP) SOAP Communication Leased line or Internet Single-use Password

10 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 9 OTPServer BankingWebServer 8987369 OTPServer BankingWebServer 8987369 Download required applications. Preparation Generate an OTC with i-application, etc. The server also generates an OTP and the two are compared. Deliver a token card. 8987369 BankingWebServer Issues OTP "8987369" after verifying the PIN & Device ID combination. OTPServer Verifies if the OTP matches the one just issued. 8987369 Preparation Accessing Generate an OTP. Software Token Hardware Token Server GeneratedClient-Server Generated Enters the issued OTP. Accessing Device model limitations Generate & transmit a seed file for each user. Manage the serial # & user table. The server also generates an OTP and the two are compared. Single-Use Password Usage Comparison

11 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 10 123456123456 ABC Bank Online Banking Random# Table Latest News Shopping Financial News About Security PIN 1 * SecuSURF SecuSURF menu Return Send SecuSURF Random# Table Use the notebook feature to store the table. 43 83 31 89 11 98 72 36 04 Site TopLogin Screen (Conventional) High-level Security Service Screen **** Example of SecuSURF SA Usage The cell phone displays a random number table. The login screen displays an instruction on how to select numbers to enter. The random number table may be re-displayed. SecuSURF SA Variations

12 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 11 Your Website Application (2) Enter PIN. (3) PIN & device ID transmitted. (1) Access the specified URL to display the authentication screen. (5) Single-use password transmitted. Application SecuSURF Browser OTP Browser OTP ****** (6) Single-use password entered. (8) Post-authentication Screen Users SecuSURF SA Authentication Flow Auth. Data SecuSURF issues OTP issue logic Auth. Data OTP issue logic (4) Verifies the device ID number registration and generates a single-use password. (7) Generates the user’s OTP, and verifies the entered password. Validate without accessing SecuSURF Other OATH-compliant token devices The OATH logic is used to issue an OTP. The enterprise server containing the OATH logic authentication process eliminates the need to access SecuSURF for authentication. Various OATH-compliant tokens may be used concurrently. SecuSURF SA Variations

13 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 12

14 Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. 13


Download ppt "Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved. Introducing SecuSURF SA Cellular Phone-Based Single-Use Password Authorization Solution."

Similar presentations


Ads by Google