
Introducing Forticode (formerly SteelPlatez) May 2012 1 (C) 2012 Platez Pty. Ltd.


1 Introducing Forticode (formerly SteelPlatez)

2 The Problem
The problem with every authentication system is that proving your identity means interacting with the system in a way that casual or systematic observation can compromise: for example, entering a password or a PIN. Every time you physically validate your identity by entering it, at an ATM, when you log on to your computer at work, or when you use internet banking, you are at risk of having your identity stolen or misused.

3 ATM Phishing Fraud
Ever been to an ATM and wondered whether the transaction you are about to perform could somehow enable someone else to take money out of your account?

4 ATM Phishing Fraud
Yes, that is a camera transmitting your PIN; pinhole cameras are even mounted in the plastic above the keypad. And that device on the card slot is one of many used to skim (copy) your card. This approach defeats the card's own security measures, because the attacker ends up holding both a copy of the card and the PIN that goes with it.

5 The Goal
The challenge we undertook was to build a security method that would enable anyone, in any location, using any device, to prove their identity without fear of someone then being able to impersonate them and perform fraudulent actions. We also set these additional requirements:
- The user must not need any other device (no special cards or smart tags); and
- Systems should not need physical changes to implement Forticode, since modifying ATMs, merchant EFTPOS terminals and the like would be largely impractical because of scale.

6 The Result: Forticode
Forticode can:
- Protect you at the ATM
- Protect you when you use your credit card
- Stop face-to-face teller fraud (impersonation)
- Stop internal fraud
- Stop internet banking fraud
- Stop identity theft
- Protect you whether you are on your home PC, your work PC, in an internet cafe, on an iPad or on your mobile
Forticode does not detect fraud; it stops the fraud from happening wherever you are required to provide an identity and authenticate. Forticode can be introduced anywhere, regardless of industry, location or technology base.

7 What is really at risk?
Read the recent news:
- Target breached: 70 million credit card numbers stolen
- JP Morgan breached: 10 million credit card numbers stolen
- Chase Manhattan breached: 7 million credit card numbers stolen
- Neiman Marcus breached: 10 million credit card numbers stolen
- Home Depot breached: 7 million credit card numbers stolen
- ATM crime responsible for 1.2 billion dollars worldwide
(These breaches post-date the deck's May 2012 date, so this slide was evidently updated later, and the figures are as the deck quotes them; they do not all match the companies' own disclosures. Target reported about 40 million card numbers, the 70 million figure being customer records; Home Depot reported about 56 million card numbers; and JPMorgan Chase's 2014 breach involved customer contact details rather than card numbers.)
If they had all used Forticode, those credit card numbers would be useless to the hackers wherever a SteelCode challenge gates their use. Card-not-present transactions that still accept the number, expiry date and CVV on their own remain exposed, so the protection extends only as far as the deployment does.

8 Inside the square
Existing security methods follow a similar process:
- Enter your credentials at the POS, the ATM or the banking page
- Protect them with a supposedly non-reversible hash (the deck's example, MD5, has long been unsuitable for this; a password hash such as bcrypt, scrypt or Argon2 is the usual choice)
- Secure the connection between the place where you entered your credential and the place where it is verified
- Compare the hash with the one stored in the system; if they match, it must be you!
Even the most complex systems using tokens or mobile phones rely on a secret seed and an algorithm held in the card or device; if that seed is extracted or the device is compromised, the token can be cloned and the system defrauded.
Here is where the problem exists: simple observation (someone looking over your shoulder) compromises a static credential completely, not just once but for as long as it remains unchanged.

9 Terminology
We are introducing the term SteelCode. It refers to the authentication code that a user enters when validating his identity with a Forticode-integrated system. A SteelCode is the response to a system challenge; it is different for each authentication, so knowledge of a previous one is, on its own, useless to an attacker. It depends on a Keyword and a set of rules, or Methods, chosen by the end user. Only the user and the verifying server, which must compute the expected response, hold them.

10 Forticode Claims - 1
There is no observable pattern to your SteelCode. Using Forticode, I can attend an ATM and have my card number and my SteelCode recorded and, without any modification to the card technology or the ATM technology, the observed information cannot be used to perform another transaction. Forticode allows for safe authentication in plain sight.

11 Forticode Claims - 2
Resilient to raw brute-force attacks. Other systems use a delay between unsuccessful logins to slow these attacks, but any system can be attacked by brute force. In theory, assuming a 4-digit PIN, if 10,000 hack scripts accessed 10,000 ATMs, or bank accounts, at the same time, each with a copy of my card and each trying a different PIN, one would get in; worse, it could continue to get in until I became aware and reported it. Under Forticode with a 4-character Keyword, each blind attempt still has a 1 in 10,000 chance (the response space is no larger than a 4-digit PIN's), but the attempts cannot divide that space among themselves because every session shows a different matrix, and even a lucky hit is useful only once: the same SteelCode cannot be replayed.

12 Forticode Claims - 3
Observable data. Forticode is so novel that not only can the user's login sequence be observed and recorded without a single observation compromising his Keyword, but the entire authentication data stream between the entry point and the server where it is validated can also be recorded and analysed, again without compromising the Keyword. What repeated observations can narrow down is the question taken up on slide 18.

13 Forticode Claims - 4
Minimal impact. Converting to Forticode is a minimal-impact undertaking, inasmuch as it does not change the way people interact with existing systems and does not require changes to human-machine interface devices such as ATMs or point-of-sale devices.* Simply, you would approach an ATM, put your card in and then type in your SteelCode.
* This includes card-not-present transactions, such as online banking and shopping.

14 Forticode Claims - 5
You can't crack random. Forticode lets you use your brain to turn a purely random sequence into something meaningful. Because the matrix is truly random and fresh for every session, there is no device-held algorithm or seed and no pattern to extract; the only secret is the Keyword and Method in the user's head. Even if a hacker reads the manual and knows exactly how the Forticode system works, this does not assist him.

15 How it works
As a registered Forticode user I would specify a Keyword and a Method. The Keyword is drawn from a set of symbols defined by the Forticode server; in the case of our online demonstration system, 'A' to 'Z' and 'a' to 'z', a total of 52 key symbols. The Method is one or more of the following:
- Straight Keyword, e.g. FRED
- Offset Keyword, e.g. FRED but I add or subtract up to 5
- Crawling Keyword, e.g. FRED but I add or subtract 1, then 2, then 3, and so on
- Masking, i.e. ##FRED#, which obfuscates the length of the actual Keyword
- and more!
I, as the user, define my Keyword and my Method, and I never again type, expose or discuss them; I don't need to.

16 How it works...
With each authentication, a newly generated matrix of random numbers appears. The same matrix never appears twice, and it is not a text display but one composite bitmap. So, let's assume my Keyword is FRED and I have defined a Method of minus 1. When I go to authenticate I interpret the matrix; in this instance F=1, R=0, E=1 and D=1. Applying my Method and ignoring any minus signs (F: 1-1=0; R: 0-1=-1, read as 1; E: 1-1=0; D: 1-1=0) gives me a SteelCode of 0100 for this one-time login. If I had used a Mask, like ##FRED#, I would replace the hashes with random digits and enter a SteelCode such as 0101001, 1001000 or 0001000.

17 How it works...
The next time I access my account, a totally different matrix of random numbers appears. As before, my Keyword is FRED and my Method is minus 1. Interpreting the matrix, this time F=1, R=1, E=1 and D=0. Applying my Method of subtracting 1 and ignoring signs (F: 0; R: 0; E: 0; D: 0-1=-1, read as 1) gives me a SteelCode of 0001 this time.

18 How it works...
The network snooper can work out the Keyword from the matrix and its solution, can't it? If that were what was transmitted, it possibly could, eventually, after enough observations (the deck estimates hundreds). However, that is not what we transmit: instead of the response itself, we send only a SHA256 hash of it. SHA256 is one-way, and each matrix contains a different set of random numbers, so the observations on the wire are useless to the hacker.
Two caveats a practitioner will want. First, a SHA256 digest of a four-digit response is matched by hashing all ten thousand possibilities, so the hash hides the response only if the channel is otherwise protected (for example with TLS); it is not an irreversible transformation of such a small value. Second, hashing protects the network path only: the matrix is displayed on screen and the response is typed, so the camera and keylogger of slide 21 see both in the clear, and any protection against them has to come from the one-time matrix, not from the hash.
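To make slides 15 to 18 concrete, here is an added example written for this transcript; it is not Forticode's code, and the demo system's actual rules are not published here. It simulates the scheme as the slides describe it, reproduces the SteelCodes 0100 and 0001 of slides 16 and 17, verifies a masked response, shows that the SHA256 digest of a four-digit response is recovered by enumeration, and measures how many observed (matrix, SteelCode) pairs narrow a straight or fixed-offset Keyword to a single candidate, which is the question this slide raises. Assumptions not stated on the slides, also marked in the code: each matrix cell holds one digit 0-9, an offset result drops its sign and is reduced mod 10, '#' positions take a random filler digit, and the verifying server holds the user's template and offset. Crawling and masked Methods and an unknown offset are not searched here; they enlarge the hypothesis space by a small known factor (eleven offsets from -5 to +5, for instance) rather than changing the per-position elimination.

```python
"""Added example (not Forticode's code): simulate the Keyword/Method/matrix scheme
of slides 15-18 and measure what an observer of screen plus keystrokes learns."""
import hashlib
import itertools
import random
import string

SYMBOLS = string.ascii_uppercase + string.ascii_lowercase  # the 52 key symbols (slide 15)
DIGITS = 10   # assumption: each matrix cell holds one digit 0-9


def new_matrix(rng):
    """One challenge: an independent random digit for every symbol (slide 16)."""
    return {s: rng.randrange(DIGITS) for s in SYMBOLS}


def apply_offset(digit, offset):
    """Slide 16's rule: add the offset and ignore any minus sign.
    Reducing mod 10 (so that 9 + 5 stays a single digit) is an assumption."""
    return abs(digit + offset) % DIGITS


def steelcode(matrix, template, offset, rng):
    """Response for a template such as 'FRED' or '##FRED#': Keyword letters are
    read from the matrix and offset; '#' (Mask) positions get a random filler digit."""
    digits = [rng.randrange(DIGITS) if ch == "#" else apply_offset(matrix[ch], offset)
              for ch in template]
    return "".join(map(str, digits))


def verify(matrix, template, offset, response):
    """Server side (assumption: the server holds template and offset). Any digit
    is accepted in a '#' position; every Keyword position must match exactly."""
    if len(response) != len(template) or not response.isdigit():
        return False
    return all(ch == "#" or int(r) == apply_offset(matrix[ch], offset)
               for ch, r in zip(template, response))


def response_digest(response):
    """What slide 18 says crosses the network: a SHA256 digest of the response."""
    return hashlib.sha256(response.encode()).hexdigest()


def invert_digest(digest, length):
    """A digest of a length-digit response is matched by hashing all 10**length
    candidates, so the hash alone does not hide a short response."""
    for digits in itertools.product("0123456789", repeat=length):
        candidate = "".join(digits)
        if response_digest(candidate) == digest:
            return candidate
    return None


def consistent_symbols(observations, offset):
    """Observer's view for a straight or fixed-offset Method without a Mask:
    per position, the symbols whose matrix digit would have produced the
    observed digit in every (matrix, response) pair seen so far. The true
    Keyword letter always survives; wrong ones survive each round only by chance."""
    length = len(observations[0][1])
    sets = [set(SYMBOLS) for _ in range(length)]
    for matrix, response in observations:
        for i, r in enumerate(response):
            sets[i] &= {s for s in SYMBOLS if apply_offset(matrix[s], offset) == int(r)}
    return sets


def sessions_to_recover(keyword, offset, seed, limit=50):
    """Simulate logins until every position is narrowed to one symbol.
    Returns (sessions observed, recovered keyword or None if the limit is hit)."""
    rng = random.Random(seed)
    observations = []
    for n in range(1, limit + 1):
        matrix = new_matrix(rng)
        observations.append((matrix, steelcode(matrix, keyword, offset, rng)))
        sets = consistent_symbols(observations, offset)
        if all(len(s) == 1 for s in sets):
            return n, "".join(next(iter(s)) for s in sets)
    return limit, None


# Slide 16's worked matrix (F=1, R=0, E=1, D=1) and slide 17's (F=1, R=1, E=1, D=0);
# the other cells are not shown on the slides and are set to 0 here.
SLIDE16 = dict.fromkeys(SYMBOLS, 0)
SLIDE16.update(F=1, R=0, E=1, D=1)
SLIDE17 = dict(SLIDE16, F=1, R=1, E=1, D=0)


def page_examples():
    """Both slides use the Method 'minus 1'; the slides give 0100 and 0001."""
    rng = random.Random(0)   # unused for an unmasked template, required by the signature
    return steelcode(SLIDE16, "FRED", -1, rng), steelcode(SLIDE17, "FRED", -1, rng)


if __name__ == "__main__":
    print("slide 16/17 SteelCodes:", page_examples())
    print("digest of 0100 inverted:", invert_digest(response_digest("0100"), 4))
    print("sessions to isolate FRED (offset -1):", sessions_to_recover("FRED", -1, seed=2012))
```

Run as a script it prints the two slide values, the inverted digest and the session count for a seeded simulation. With ten possible digits per cell, each observed session keeps at most a fifth of the wrong symbols in any position (the sign-dropping rule maps two matrix digits to some outputs, one to the rest), so under these assumptions a fixed Keyword and offset are isolated after a handful of sessions; the Mask and Crawling Methods, or an offset the observer does not know, multiply that work by a small factor rather than restoring the hundreds of observations the slide suggests.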

19 How it works...
What about keyloggers when I change my Keyword? When you first enter or subsequently change your Keyword, you get a different type of matrix. This time there are no numbers, and it is the letters that are randomised. As with the login matrix there is no text but a composite image, from which the letters are identified by mouse position. The keylogger can still follow the button presses, but only learns the mouse coordinates, which are unique to this matrix and, as such, meaningless on their own. Note that this defeats keystroke loggers specifically: malware that also captures the screen, or a camera pointed at it, sees the randomised image alongside the clicks and can read the Keyword back, so enrolment and Keyword changes are best done on a trusted device.

20 Why is all this useful?
Since I never actually enter my real credentials, it does not matter if someone watches me or records what I do. With the permutations available, a 4-character Keyword alone has 52^4, about 7.3 million, possibilities before the Method is even counted, so a great many combinations would need to be considered to reverse-engineer my Keyword and Method and steal my identity. The benefits are widespread:
1. I don't need to change my password every 30 days
2. I don't have to be ultra-paranoid about who could be watching
3. I don't need to carry a mobile or a special security device in order to prove my identity
4. I get to control how complex my Keyword and Method are: for low-risk items I can have a 4-character Keyword with a basic Method, but for high risk I can use an 8-character Keyword with a numeric offset and a multi-character Mask

21 Just think...
If a web-based system I used was protected by Forticode, I would be able to walk into an internet cafe in my birthday suit, sit down at a computer that:
1. Was infested with malware, spyware and keyloggers
2. Had a spy camera pointed at the screen and the keyboard
3. Had a sniffer relaying all data on the network in and out of the computer
and log onto that site, perform whatever transactions I needed to, then log out, knowing that even with all that information the hackers cannot perform subsequent authentications as me. There is no system we can think of for which we could not make Forticode work.
Two limits apply to that scenario. It covers a single observed session; what an observer accumulates over repeated sessions is the question raised on slide 18. And only authentication is protected: malware on that computer can still act within the session I have just opened, so transaction-level controls remain necessary.

22 Thank you
For further information relating to Forticode please contact tony.smales@forticode.com or marksitkowski@exemail.com.au. To view a working online system, with POS, banking, ATM, online shopping and trading demos, go to http://www.designsim.com.au

