Strong Authentication and Digital Signing using ArcotID Christian Hüsch Senior Technical Consultant Arcot GmbH II. Central and Eastern European Banking.


Slide 1: Strong Authentication and Digital Signing using ArcotID
Christian Hüsch, Senior Technical Consultant, Arcot GmbH
II. Central and Eastern European Banking Technologies Conference, April 12th 2006

Slide 2: Agenda
- Company Overview
- Strong Authentication for Banking Applications
  - Challenges and Goals / The Consumer Reality
  - Authentication Approaches
- Layered Authentication Approach
- Comparing Authentication Technologies
- Beyond Strong Authentication
- Deployment Examples
- Digital Signing
- Summary
- Questions

Slide 3: Arcot Systems
- Founded 1997, HQ in Sunnyvale, CA, US
- Private Company, Venture Funded
  - Onset, Accel, Goldman Sachs, INVESCO
  - Adobe, Visa International, Wachovia, SEB (SE), Oracle, Novell
- Offices
  - European Offices in London (GB), Munich (DE)
  - Development Center in Bangalore, India
- Headcount: 100+

Slide 4: About Arcot Technology
- Leadership in Consumer and Business Authentication
  - Pioneered 3-D Secure e-commerce authentication platform with Visa, MasterCard and JCB
  - Currently in use by 10,000+ banks, over 7 million consumers enrolled
  - 300 million users protected with Arcot solutions in the enterprise
- Patented Two-factor technology
  - Two-factor authentication, fully in software
  - Layered with additional factors such as IP location, Device ID, Scrambled PIN Pad, and Text-based Mutual Assurance Message
  - Digital Signature capable

Slide 5: Strong Authentication in the Banking Environment

Slide 6: Challenges and Goals
- Reduce cost by moving business processes online
  - By increasing use of online banking
  - By moving other applications online
- Address phishing attacks to restore/increase consumer confidence in online banking
- Enhance customer relationships, win new customers and add new products and applications
- Be compliant with regulation and mitigate risk
  - E.g. FFIEC in the US
- Provide a viable solution from a TCO point of view
- Provide a solution for both employees and customers

Slide 7: The Consumer Reality
- Customers are a heterogeneous set of individuals
  - Varying levels of expertise with computers and technology
  - Use a multiplicity of devices for access: home PC, office PC, Internet café etc.
  - A variety of tasks is performed
  - Equally likely to embrace new solutions or move to alternate channels
No one solution is going to make everybody happy; flexible solution suites provide multiple options.

Slide 8: FI as an extended enterprise
- More systems open and accessible to non-employees
- Technology creates increased reach and flexibility
  - FIs no longer limited by geography or timing
- Increased benefits and potentially increased risks
[Diagram: Employee, Consumer, Client, Partner]

Slide 9: Risk Management in Financial Institutions
- FIs trying to maintain a balance between security and user convenience…
- On the one hand
  - Need to reduce risk
  - Need to provide assurance to consumers (or they might switch to ‘less risky’ but potentially more expensive channels)
- On the other hand
  - Need to make the experience simple, and not drive away consumers
  - Need to contain costs of solution – proportionate to perceived risk

Slide 10: Threats facing the industry
- Phishing
  - Spurious message (likely email) that induces the user to enter critical personal information at a bogus site
  - Many variations exist, but email is easiest and cheapest for the fraudster
- Pharming
  - Modifying DNS entries to redirect the user to a bogus site
- Malware
  - Programs planted on the user’s desktop to capture key-strokes, mouse clicks
- Man-in-the-middle
  - User redirected to an intermediate site that behaves like the genuine site to the user and in turn behaves like the user to the genuine site

Slide 11: Solution Categories
- Server Authentication
  - Identifying server to the user
  - Assurance that the user is at the right site, or that the user received mail from the right source
- Base User Authentication
  - Determine that the user is likely to be who he/she claims to be
  - Based on device used by user, location of user, habits of user…
  - For example, activating a card by calling from the home telephone number
  - Typically achieved without user active participation
- Strong (Unique User) Authentication
  - Determine with high level of assurance that the user is who he/she claims to be
  - Based on credential issued to the individual – combination of something he/she is, something he/she has, something he/she knows
  - User explicitly participates in the process

Slide 12: Considerations
- Usability
  - Consumer Ease of Use
  - Distribution, Training, Renewal, Help-Desk
- Deployment
  - Standards based – vendor dependence
  - Disruption to existing applications
  - Software required at consumer desktop?
- Protection against
  - Phishing
  - Pharming
  - Trojans, Spyware
  - Man-in-the-middle attacks
- Additional features
  - Strong Authentication
  - Obsolescence Proof
  - ROI enhancement
- What does it cost

Slide 13: Server Authentication
- SSL Lock – yellow lock at bottom of page
  - Best possible technology solution
  - Not vulnerable to man-in-the-middle attacks
  - Provides complete assurance that the user is at the right site
- However, two big limitations
  - Browser technologies allow this to be spoofed – not all users will know how to detect the spoof
  - FIs are not standardized on which pages are SSL locked (often the password entry page is not locked; only password submission triggers this)
- Alternative/Addition is to provide an ‘assurance message’
  - Enter userid, wait for server to display ‘shared secret’, then enter password.
  - Shared secret can be text or other information the user is likely to recognise

Slide 14: Assurance Message
- Protects against phishing and pharming
- Provides a first level assurance (authenticate server to user)
- Widely deployed mechanism as part of 3-D Secure (Visa and MasterCard)
- Fingerprinting of “registered” computers
- Browser based – no client side software required
- Easy to use; simple to train end users
- Complements any form of user authentication
[Flow diagram: Enter User Name → Registered computer: Display Assurance Message → Enter Password; Unknown computer: Verification Dialog]

Slide 15: Assurance Message Example

Slide 16: Limitations of Assurance Message
- Does not authenticate user to server
- Vulnerable to man-in-the-middle (MIM) attacks
  - User conditioned to accept verification dialog
  - Does not know why ‘fingerprinting’ failed
  - Depends on ‘velocity checks’ for MIM IP addresses
[Diagram: User @ Man-in-the-middle Attacker @ Real Bank Site – 1. User-id, 2. User-id, 3. Verification Dialog, 4. Verification Dialog]
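The slide notes that the assurance-message scheme falls back on ‘velocity checks’ to catch a man-in-the-middle relay: a relay site has to forward every victim's user-id to the real bank to fetch the genuine assurance message, so a single source IP ends up requesting assurance messages for many different user-ids in a short time. The following is an added example, not code from the presentation or from Arcot, of such a check run over constructed authentication log lines; the log format, the window length and the threshold are assumptions.

```python
"""Velocity check over assurance-message requests (constructed sample data).

Counts distinct user-ids per source IP inside a sliding time window and flags
IPs that request assurance messages for more user-ids than a normal household
or office would. Log format, window and threshold are assumptions."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines: timestamp, source IP, user-id, login step (assumed format).
SAMPLE_LOG = """\
2006-04-12T10:00:01 ip=203.0.113.5 user=alice step=assurance
2006-04-12T10:00:09 ip=198.51.100.7 user=bob step=assurance
2006-04-12T10:00:40 ip=203.0.113.5 user=carol step=assurance
2006-04-12T10:01:15 ip=203.0.113.5 user=dave step=assurance
2006-04-12T10:01:50 ip=203.0.113.5 user=erin step=assurance
2006-04-12T10:02:05 ip=203.0.113.5 user=alice step=password
2006-04-12T10:20:00 ip=198.51.100.7 user=bob step=assurance
2006-04-12T10:45:00 ip=203.0.113.5 user=frank step=assurance
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, step)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["ip"], kv["user"], kv["step"]


def velocity_alerts(log_text, window_seconds=300, max_distinct_users=3):
    """Return {ip: sorted user-ids} for every IP that requested assurance
    messages for more than max_distinct_users distinct user-ids within any
    window_seconds-long window. Only the 'assurance' step is counted."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for ts, ip, user, step in events:
        if step != "assurance":
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop entries older than the window relative to the newest event.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if len(users) > max_distinct_users:
            alerts.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in alerts.items()}


if __name__ == "__main__":
    for ip, users in velocity_alerts(SAMPLE_LOG).items():
        print(f"velocity alert: {ip} requested assurance messages for {users}")
```

In the sample, 203.0.113.5 asks for assurance messages for four different user-ids inside two minutes and is flagged, while the repeat requests from 198.51.100.7 for one user-id are not. A flagged IP is a signal for the actions listed on the Base User Authentication slide (show the verification dialog, route to a CSR, deny), not a verdict on its own, since shared proxies and NAT gateways also put many users behind one address.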

Slide 17: Base User Authentication
- Circumstantial forensics, in addition to userid / password
- Combination of elements
  - Machine fingerprint (including cookies left there)
  - Location of IP address that transaction is originating from
- Evaluate elements => determine if transaction is risky
- Action to be taken next is variable
  - Flag to alert user
  - Ask for secondary authentication (maybe different credential)
  - Switch to second factor (email, call, SMS)
  - Route through different process – CSR interrupt
  - Deny transaction

Slide 18: Limitation of User ‘Approximation’
- No protection against ‘friendly’ fraud
  - People in same household or even at workplace
  - Share machines, share IP address, share ‘location’
- Risk scoring – inexact science
  - False positives – user inconvenience
  - Need a number of transactions even to ‘learn’ a pattern – several applications (including e-Banking) don’t lend themselves to such volume
- Action on risk detection
  - SMS, Callback – not reliable for online activity
  - Second authentication – again conditions user to expect this question – potential for phishing

Slide 19: Strong (Unique User) Authentication
- Issue strong credential to individual user
  - User is told about strong credential
  - User knows sharing credential opens him/her to risk
- Ask for strong authentication
  - For all access
  - For access to specific ‘high risk’ areas
  - For ‘high risk’ transactions only (based on amount, type etc.)
- Typical strong authentication is 2-factor
  - Two of three things – something you have, something you know or something you are (biometrics)

Slide 20: Challenges to Strong Authentication
- Cost
  - Issuing new credentials
  - Training users
- Inconvenience
  - Learning to use 2 factors
  - Access when one factor is missing – user travels without something he/she has
- Application upgrade
  - Applications need to know how to use this technology and authenticate users – new systems, new integration

Slide 21: Electronic Business Enablement View
- Beyond Compliance and Risk Mitigation
- Authentication strategy must
  - Maintain simplicity
  - Provide IT and business process flexibility
  - Facilitate retention and acquisition of customers
  - Allow new products/services to be delivered
- Strengthening Customer Relationship and adding new applications

Slide 22: Arcot’s Layered Authentication Approach

Slide 23: Layered Authentication Approach
[Diagram: a ladder of increasing value and benefits – security plus other uses (signing/encryption) – from UserID / Password through Arcot Level 1, Level 2 and Level 3 Solutions. Components shown: Mutual Authentication / Assurance Message + Scrambled PIN Pad; Device ID; Location ID; Geo Location; Crypto Strong Authentication (ArcotID); Digital Signing and (En)/Decryption (ArcotID + certificates).]

Slide 24: Layered Authentication Approach
- Without user intervention
  - Usage of machine and connection characteristics to determine whether the user is genuine, e.g.
    - IP address
    - Browser version
  - Comparison with last good access, or information at registration time
- With user intervention
  - Strong Authentication using ArcotID
- Additional Security Features
  - Personal Assurance message
  - Scrambled PIN pad

Slide 25: Customizable Authentication Approach
- Scrambled PIN Pad – defeats keyboard loggers
- “Assurance Message” – for site authentication
- ArcotID – for strong authentication
- IP and Device Forensics – for increased identity assurance

Slide 26: The ArcotID Enabled Application
[Diagram: Username, Password, ArcotID – Software Smart Card]
The power of two-factor, with the simplicity of passwords…

Slide 27: Fully Flexible Solution
Multiple levels of functionality available
- Authentication Only
  - No installed software required
  - Java/Flash on-demand
- Add Digital Signing, Encryption
  - Requires client software for advanced functionality
- Staged approach possible
  - addressing current business requirements
  - and providing a future-proof solution using the same framework
- Provide the user with a security solution that addresses the risk and is still user-friendly

Slide 28: Comparing Authentication Technologies

Slide 29: Arcot & Identity Management / Authentication
[Chart: authentication strength from Weak to Strong. Categories: “Passwords”; Software-based “Multi-Key”; Hardware-based “Two Factor”; Identity Management; Multi-Party “3D Secure”; Digital Signature. Use cases: Online Banking, ePayment Authorization, Remote Access VPN.]

Slide 30: The Authentication Gap
[Chart: Strength of Authentication from Weak to Strong, with the region between labelled “The Authentication Gap”.]

Slide 31: Comparison ArcotID vs. Other Technologies
[Chart comparing ArcotID with other technologies / Identity Management along four axes:]
- Strength of Authentication: Weak – Strong
- Cost of Deployment and Support: $ – $$$$$
- User Experience: Impacted – Transparent
- Application Flexibility: Application Specific – Highly Flexible

Slide 32: Beyond Strong Authentication

Slide 33: Beyond Strong Authentication: Secure Delivery of eStatements
ROI
- Paper statement cost: €0,60
- Electronic statement cost: €0,06
- Savings per statement: €0,54
- 12 statements a year: €6,48
- Cost for paper based statements: €650.000
- Annual cost for e.g. 100K users: €150.000
- Anticipated savings per 100K users: up to €500.000 per year

Slide 34: Beyond Strong Authentication: Receiving a Secure Electronic Statement
1. Customer selects e-mail message
2. Customer opens PDF attachment and is prompted for a “username” and “password” – which unlocks their second factor, the ArcotID, and gives access to the private key required for decryption in 3)
3. Transparent to the customer, the document is decrypted, verified for integrity and presented to the customer
[Dialog: User Authentication – Username: rjones, Password: *********]

Slide 35: Beyond Strong Authentication: Efficient Loan Origination (ArcotID)
1. Bank e-mails encrypted PDF loan documents to customer
2. Customer verifies that documents are certified as having come from the bank
3. Customer digitally signs document using Arcot software and Adobe Reader
4. Customer e-mails signed, encrypted document to bank

Slide 36: Deployments

Slide 37: Customer Deployment Examples
- Daimler-Chrysler Bank (DE)
  - Secure portal access for Treasury department
  - Protection of Citrix access for employees
- Swedbank (LU)
  - Online banking access for customers via portal
  - Protection of Citrix access for employees
- SSI Search
  - Strong authentication to Financial Service Portal
- Certegy (US)
  - Strong Authentication for VPN access by partners
- Wells Secure (US)
  - Digital IDs for individuals and businesses
  - Authentication and Digital Signing application

Slide 38: Summary

Slide 39: Arcot Strong Authentication
- Proven Consumer Authentication Platform
  - 3-D Secure rolled out worldwide to millions
  - Supported and marketed by Visa, MasterCard, JCB
- Proven Enterprise Authentication Platform
  - Software two-factor solution in place at major corporations
  - Worldwide installations – U.S., Asia-Pac, Europe
  - Integration / co-existence with other ID mgmt and auth solutions (hardware, etc.)
- Patented & proven mature technology, developed and in use since 1997
- Industry-standards compliant – Identrus, SAFE, PKCS#11, MS-CAPI, X.509
- Extensible to mobile and other devices
  - Small footprint interfaces
  - First mobile pilots started in 2005

Slide 40: Arcot Benefits Beyond Authentication
- Enables digital signatures – replace print & sign
  - New saving / checking account opening
  - Commercial account opening / changes of standing orders, direct debits etc.
  - Online credit card applications
  - Mortgages / home-equity line of credit
- Enable encryption
  - PDF based secure communication of statements and other sensitive data to the end user
- Supports federation
  - ArcotID PKI-based platform provides support for smart card implementations and other government initiatives
- Allow roaming of users
  - Transferring user credentials temporarily to other machines
- Integrates as needed with Verified by Visa or MasterCard SecureCode, J-Secure by JCB consumer auth programs

Slide 41: Why Arcot?
- Long-standing player in the authentication space
- Experience in how to provide authentication to a large number of users
- Flexible, cost-effective and future-proof solution
- Local representation through our strong partner IND
- Strong technology partnerships with Adobe, Documentum and others

Slide 42: Questions?

Slide 43: Thank You!
For further information, please contact: Michael Seifert, Managing Director, Arcot GmbH, Michael.Seifert@arcot.com, or the local IND office

Slide 44: Backup Slides

Slide 45: Arcot & ePayment Infrastructure
[Diagram: Merchants (10,000+) and Card Issuers (50,000+) connected with the Card Holder over the Internet via 3-D Secure]

Slide 46: SAFE Infrastructure
[Diagram: Physician, Pharmas, Issuers and FDA connected over the Internet. Components: Universal Client™ – common client to support digital signing; RegFort™ – registration platform; TrustFort™ – server-side signature validation; SignFort™ – server-side signature generation]

