Slide 1: Strong Authentication and Digital Signing using ArcotID
Christian Hüsch, Senior Technical Consultant, Arcot GmbH
II. Central and Eastern European Banking Technologies Conference, April 12th 2006
Slide 2: Agenda
- Company Overview
- Strong Authentication for Banking Applications
- Challenges and Goals / The Consumer Reality
- Authentication Approaches
- Layered Authentication Approach
- Comparing Authentication Technologies
- Beyond Strong Authentication
- Deployment Examples
- Digital Signing
- Summary
- Questions
Slide 3: Arcot Systems
- Founded 1997, HQ in Sunnyvale, CA, US
- Private company, venture funded: Onset, Accel, Goldman Sachs, INVESCO
- Adobe, Visa International, Wachovia, SEB (SE), Oracle, Novell
- Offices: European offices in London (GB) and Munich (DE); development center in Bangalore, India
- Headcount: 100+
Slide 4: About Arcot
- Technology leadership in consumer and business authentication
- Pioneered the 3-D Secure e-commerce authentication platform with Visa, MasterCard and JCB
- Currently in use by 10,000+ banks, over 7 million consumers enrolled
- 300 million users protected with Arcot solutions in the enterprise
- Patented two-factor technology: two-factor authentication, fully in software
- Layered with additional factors such as IP location, Device ID, Scrambled PIN Pad, and text-based Mutual Assurance Message
- Digital signature capable
Slide 5: Strong Authentication in the Banking Environment
Slide 6: Challenges and Goals
- Reduce cost by moving business processes online: by increasing use of online banking; by moving other applications online
- Address phishing attacks to restore/increase consumer confidence in online banking
- Enhance customer relationships, win new customers and add new products and applications
- Be compliant with regulation and mitigate risk, e.g. FFIEC in the US
- Provide a viable solution from a TCO point of view
- Provide a solution for both employees and customers
Slide 7: The Consumer Reality
- Customers are a heterogeneous set of individuals
- Varying levels of expertise with computers and technology
- Use a multiplicity of devices for access: home PC, office PC, Internet café etc.
- A variety of tasks are performed
- Equally likely to embrace new solutions or move to alternate channels
- No one solution is going to make everybody happy; flexible solution suites provide multiple options
Slide 8: FI as an Extended Enterprise
- More systems open and accessible to non-employees
- Technology creates increased reach and flexibility
- FIs no longer limited by geography or timing
- Increased benefits and potentially increased risks
- Diagram: Employee, Consumer, Client, Partner
Slide 9: Risk Management in Financial Institutions
FIs are trying to maintain a balance between security and user convenience...
- On the one hand: need to reduce risk; need to provide assurance to consumers (or they might switch to 'less risky' but potentially more expensive channels)
- On the other hand: need to make the experience simple and not drive away consumers; need to contain the cost of the solution, proportionate to perceived risk
Slide 10: Threats Facing the Industry
- Phishing: a spurious message (likely email) that induces the user to enter critical personal information at a bogus site. Many variations exist, but email is easiest and cheapest for the fraudster.
- Pharming: modifying DNS entries to redirect the user to a bogus site
- Malware: programs planted on the user's desktop to capture keystrokes and mouse clicks
- Man-in-the-middle: the user is redirected to an intermediate site that behaves like the genuine site to the user and in turn behaves like the user to the genuine site
Slide 11: Solution Categories
- Server Authentication: identifying the server to the user; assurance that the user is at the right site, or that the user received mail from the right source
- Base User Authentication: determine that the user is likely to be who he/she claims to be; based on the device used by the user, the location of the user, the habits of the user... (for example, activating a card by calling from the home telephone number); typically achieved without active user participation
- Strong (Unique User) Authentication: determine with a high level of assurance that the user is who he/she claims to be; based on a credential issued to the individual, a combination of something he/she is, something he/she has and something he/she knows; the user explicitly participates in the process
Slide 12: Considerations
- Usability: consumer ease of use; distribution, training, renewal, help desk
- Deployment: standards based vs. vendor dependence; disruption to existing applications; software required at the consumer desktop?
- Protection against: phishing; pharming; trojans, spyware; man-in-the-middle attacks
- Additional features: strong authentication; obsolescence proof; ROI enhancement
- What does it cost
Slide 13: Server Authentication
- SSL lock (the yellow lock at the bottom of the page): best possible technology solution; not vulnerable to man-in-the-middle attacks; provides complete assurance that the user is at the right site
- However, two big limitations: browser technologies allow this to be spoofed, and not all users will know how to detect the spoof; FIs are not standardized on which pages are SSL locked (often the password entry page is not locked; only password submission triggers this)
- An alternative/addition is to provide an 'assurance message': enter the userid, wait for the server to display a 'shared secret', then enter the password. The shared secret can be text or other information the user is likely to recognise
Slide 14: Assurance Message
- Protects against phishing and pharming
- Provides a first level of assurance (authenticates the server to the user)
- Widely deployed mechanism as part of 3-D Secure (Visa and MasterCard)
- Fingerprinting of "registered" computers
- Browser based, no client-side software required
- Easy to use; simple to train end users
- Complements any form of user authentication
- Flow diagram: Enter User Name; Display Assurance Message; Verification Dialog; Enter Password (branches for a registered computer and an unknown computer)
Slide 15: Assurance Message Example (screenshot not reproduced)
Slide 16: Limitations of Assurance Message
- Does not authenticate the user to the server
- Vulnerable to man-in-the-middle (MIM) attacks
- User conditioned to accept the verification dialog; does not know why 'fingerprinting' failed
- Depends on 'velocity checks' for MIM IP addresses
- Diagram: User, Man-in-the-middle Attacker, Real Bank Site; steps: 1. User-id, 2. User-id, 3. Verification Dialog, 4. Verification Dialog
Slide 17: Base User Authentication
- Circumstantial forensics, in addition to userid / password
- Combination of elements: machine fingerprint (including cookies left there); location of the IP address the transaction originates from
- Evaluate elements => determine whether the transaction is risky
- The action to be taken next is variable: flag to alert the user; ask for secondary authentication (maybe a different credential); switch to a second factor (email, call, SMS); route through a different process (CSR interrupt); deny the transaction
Slide 18: Limitation of User 'Approximation'
- No protection against 'friendly' fraud: people in the same household or even at the workplace share machines, share an IP address, share a 'location'
- Risk scoring is an inexact science: false positives mean user inconvenience; a number of transactions is needed even to 'learn' a pattern, and several applications (including e-banking) don't lend themselves to such volume
- Action on risk detection: SMS and callback are not reliable for online activity; a second authentication again conditions the user to expect this question, a potential for phishing
Slide 19: Strong (Unique User) Authentication
- Issue a strong credential to the individual user: the user is told about the strong credential; the user knows that sharing the credential opens him/her to risk
- Ask for strong authentication: for all access; for access to specific 'high risk' areas; for 'high risk' transactions only (based on amount, type etc.)
- Typical strong authentication is 2-factor: two of three things, something you have, something you know or something you are (biometrics)
Slide 20: Challenges to Strong Authentication
- Cost: issuing new credentials; training users
- Inconvenience: learning to use 2 factors; access when one factor is missing, e.g. the user travels without something he/she has
- Application upgrade: applications need to know how to use this technology and authenticate users; new systems, new integration
Slide 21: Electronic Business Enablement View
Beyond compliance and risk mitigation, the authentication strategy must:
- Maintain simplicity
- Provide IT and business process flexibility
- Facilitate retention and acquisition of customers
- Allow new products/services to be delivered
Strengthening the customer relationship and adding new applications
Slide 22: Arcot's Layered Authentication Approach
Slide 23: Layered Authentication Approach (diagram)
Increasing value and benefits: security + other uses (signing/encryption)
- UserID / Password
- Arcot Level 1 Solution: Mutual Authentication / Assurance Message + Scrambled PIN Pad; Device ID; Location ID; Geo Location
- Arcot Level 2 Solution: Crypto Strong Authentication (ArcotID)
- Arcot Level 3 Solution: Digital Signing, (En)/Decryption (ArcotID + certificates)
Slide 24: Layered Authentication Approach
- Without user intervention: usage of machine and connection characteristics to determine whether the user is genuine, e.g. IP address, browser version; comparison with the last good access, or with information captured at registration time
- With user intervention: strong authentication using ArcotID
- Additional security features: personal assurance message; scrambled PIN pad
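The following is an added example, not Arcot's code: a small evaluator for the "without user intervention" layer described on the Base User Authentication and Layered Authentication slides, combined with the velocity check that the Limitations of Assurance Message slide relies on to notice a man-in-the-middle relay (one IP address presenting many user-ids). The scores, thresholds, the `Registration` and `RiskEngine` names and all sample values are assumptions made for illustration.

```python
# Added example, not Arcot's code: a layered-authentication evaluator for the
# "without user intervention" layer (machine fingerprint, IP location) plus the
# velocity check used to spot a man-in-the-middle relay of the login dialog.
# Scores, thresholds and sample values are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Registration:
    user_id: str
    fingerprint: str   # hash of browser/OS characteristics + cookie set at enrolment
    country: str       # country of the IP address seen at registration


@dataclass
class RiskEngine:
    window: int = 300            # seconds covered by the velocity check
    max_users_per_ip: int = 3    # distinct user-ids tolerated per IP per window
    seen: dict = field(default_factory=lambda: defaultdict(list))

    def velocity(self, ip, user_id, now):
        """Record this attempt; return distinct user-ids seen from ip in the window."""
        recent = [(t, u) for t, u in self.seen[ip] if now - t <= self.window]
        recent.append((now, user_id))
        self.seen[ip] = recent
        return len({u for _, u in recent})

    def evaluate(self, reg, fingerprint, ip, country, now):
        """Compare the access with the registered values and pick the next action."""
        score = 0
        if fingerprint != reg.fingerprint:
            score += 2   # unknown computer: the case that triggers the verification dialog
        if country != reg.country:
            score += 2   # connection originates somewhere other than at registration
        if self.velocity(ip, reg.user_id, now) > self.max_users_per_ip:
            score += 5   # one IP presenting many user-ids: the relay pattern
        # Actions from the deck, ordered by severity.
        if score >= 5:
            return "deny"
        if score >= 4:
            return "step_up"   # ask for the second factor (e.g. the ArcotID)
        if score >= 2:
            return "flag"      # alert the user, let the session continue
        return "allow"
```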
Slide 25: Customizable Authentication Approach
- Scrambled PIN Pad: defeats keyboard loggers
- "Assurance Message": for site authentication
- ArcotID: for strong authentication
- IP and Device Forensics: for increased identity assurance
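An added example, not Arcot's code, of the scrambled PIN pad idea from the slide above: the server draws a fresh random digit layout for every login, the browser submits only the positions of the keys that were clicked, and the server maps them back with that session's layout, so positions captured by a keystroke or click logger are meaningless without the layout. The function names, the PBKDF2 storage of the PIN and the sample PIN and salt are assumptions.

```python
# Added example, not Arcot's code: a server-side scrambled PIN pad. The layout
# is drawn per session with a CSPRNG; the client submits key positions only.
# Sample PIN and salt used in the tests are constructed values.
import hashlib
import hmac
import secrets

DIGITS = "0123456789"
ITERATIONS = 100_000


def new_layout():
    """Return a random permutation of the digits; key position i displays layout[i]."""
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):     # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def positions_for(layout, pin):
    """What the browser submits: the positions of the keys the user clicked."""
    return [layout.index(d) for d in pin]


def pin_from_positions(layout, positions):
    """Server side: map submitted positions back to digits via the session layout."""
    return "".join(layout[p] for p in positions)


def enroll(pin, salt):
    """Store a salted PBKDF2 hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def verify(layout, positions, pin_hash, salt):
    """Reconstruct the PIN for this session only and compare in constant time."""
    if not positions or any(not 0 <= p < len(DIGITS) for p in positions):
        return False
    candidate = enroll(pin_from_positions(layout, positions), salt)
    return hmac.compare_digest(candidate, pin_hash)
```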
Slide 26: The ArcotID Enabled Application
- Diagram: Username, Password, ArcotID, Software Smart Card
- The power of two-factor, with the simplicity of passwords...
Slide 27: Fully Flexible Solution
- Multiple levels of functionality available: authentication only (no installed software required; Java/Flash on demand); add digital signing and encryption (requires client software for advanced functionality)
- A staged approach is possible, addressing current business requirements and providing a future-proof solution using the same framework
- Provide the user with a security solution that addresses the risk and is still user-friendly
Slide 28: Comparing Authentication Technologies
Slide 29: Arcot & Identity Management / Authentication (diagram)
- Authentication: hardware-based "Two Factor"; software-based "Multi-Key"; "Passwords"
- Identity Management
- Multi-party authentication: "3D Secure"
- Digital Signature
- Use cases shown: Online Banking, ePayment Authorization, Remote Access VPN
- Axis: Strong to Weak
Slide 30: The Authentication Gap (chart: strength of authentication from Weak to Strong, with "The Authentication Gap" marked between)
Slide 31: Comparison ArcotID vs. Other Technologies (chart)
- Identity Management
- Strength of Authentication: Strong to Weak
- Cost of Deployment and Support: $ to $$$$$
- User Experience: Impacted to Transparent
- Application Flexibility: Highly Flexible to Application Specific
Slide 32: Beyond Strong Authentication
Slide 33: Beyond Strong Authentication: Secure Delivery of eStatements (ROI)
- Paper statement cost: €0,60
- Electronic statement cost: €0,06
- Savings per statement: €0,54
- 12 statements a year: €6,48
- Cost for paper based statements: €650.000
- Annual cost for e.g. 100K users: €150.000
- Anticipated savings per 100K users: up to €500.000 per year
Slide 34: Beyond Strong Authentication: Receiving a Secure Electronic Statement
1. Customer selects the e-mail message
2. Customer opens the PDF attachment and is prompted for a "username" and "password", which unlocks their second factor, the ArcotID, and gives access to the private key required for decryption in 3)
3. Transparent to the customer, the document is decrypted, verified for integrity and presented to the customer
Dialog shown: User Authentication, Username: rjones, Password: *********
Slide 35: Beyond Strong Authentication: Efficient Loan Origination (ArcotID)
1. Bank e-mails encrypted PDF loan documents to the customer
2. Customer verifies that the documents are certified as having come from the bank
3. Customer digitally signs the document using Arcot software and Adobe Reader
4. Customer e-mails the signed, encrypted document to the bank
Slide 36: Deployments
Slide 37: Customer Deployment Examples
- Daimler-Chrysler Bank (DE): secure portal access for the Treasury department; protection of Citrix access for employees
- Swedbank (LU): online banking access for customers via portal; protection of Citrix access for employees
- SSI Search: strong authentication to Financial Service Portal
- Certegy (US): strong authentication for VPN access by partners
- Wells Secure (US): digital IDs for individuals and businesses; authentication and digital signing application
Slide 38: Summary
Slide 39: Arcot Strong Authentication
- Proven consumer authentication platform: 3-D Secure rolled out worldwide to millions; supported and marketed by Visa, MasterCard, JCB
- Proven enterprise authentication platform: software two-factor solution in place at major corporations; worldwide installations (U.S., Asia-Pac, Europe); integration / co-existence with other ID mgmt and auth solutions (hardware, etc.)
- Patented & proven mature technology, developed and in use since 1997
- Industry-standards compliant: Identrus, SAFE, PKCS#11, MS-CAPI, X.509
- Extensible to mobile and other devices: small footprint interfaces; first mobile pilots started in 2005
Slide 40: Arcot Benefits Beyond Authentication
- Enables digital signatures, replacing print & sign: new saving / checking account opening; commercial account opening / changes of standing orders, direct debits etc.; online credit card applications; mortgages / home-equity line of credit
- Enables encryption: PDF-based secure communication of statements and other sensitive data to the end user
- Supports federation: the ArcotID PKI-based platform provides support for smart card implementations and other government initiatives
- Allows roaming of users: transferring user credentials temporarily to other machines
- Integrates as needed with Verified by Visa or MasterCard SecureCode, and J-Secure by JCB consumer auth programs
Slide 41: Why Arcot?
- Long-standing player in the authentication space
- Experience in providing authentication to a large number of users
- Flexible, cost-effective and future-proof solution
- Local representation through our strong partner IND
- Strong technology partnerships with Adobe, Documentum and others
Slide 42: Questions?
Slide 43: Thank You!
For further information, please contact: Michael Seifert, Managing Director, Arcot GmbH, Michael.Seifert@arcot.com, or the local IND office
Slide 44: Backup Slides
Slide 45: Arcot & ePayment Infrastructure (diagram: Merchants, Card Issuers, Card Holder, Internet, 3-D Secure; figures shown: 10,000+ and 50,000+)
Slide 46: SAFE Infrastructure
- Diagram: Physician, Internet, Pharmas, Issuers, FDA
- Universal Client™: common client to support digital signing
- RegFort™: registration platform
- TrustFort™: server-side signature validation
- SignFort™: server-side signature generation