Enabling mobility and security for C2C, B2C and B2B payments and transactions.

June 29th, 2011

Business transactions where the credit card is not present represent a significant security risk. The following highlights demonstrate the scale and severity of the problem:
• Identity theft is the fastest growing crime.
Source: U.S. Federal Trade Commission
• 9.9 million adults are victims of identity fraud: the number of U.S. identity fraud victims increased 22 percent in 2008 to 9.9 million adults.
Source: Javelin Strategy & Research, February 2009 study
• 49% of consumers across eight countries would consider switching, or would definitely switch, banks if they or someone they knew was hit by card fraud.
Source: ACI Worldwide, Wednesday, September 16, 2009
• Credit card fraud is the number one form of identity theft and is Americans’ number one fear.
Source: UNISYS Security Index: United States, 4 March 2009 (Wave 4), Lieberman Research Group
• The LexisNexis True Cost of Fraud Study uncovered six key findings, including:
o Merchants are paying $100 billion in fraud losses due to unauthorized transactions and fees/interest associated with chargebacks, nearly ten times the cost incurred by banks. Far surpassing bank costs of approximately $11 billion in 2008, merchant fraud losses also amounted to more than 20 times the total value of consumer losses (approximately $4.8 billion). Factoring in the additional cost of lost/stolen merchandise, U.S. retail merchants are suffering a total industry-wide fraud loss of $191 billion.
o One in five merchants experienced an increase in unauthorized transactions associated with identity fraud, which this study attributes to economic conditions and increased criminal sophistication. Certain merchant segments reveal a higher prevalence of fraudulent transactions such as large e-commerce retailers, of which 40% saw an upsurge.
o Changing consumer payment methods requires a dynamic fraud management strategy. Credit card crimes continue to rise sharply, but alternative payments represent a troubling new source of losses for large merchants. Credit cards are linked to nearly half of all fraudulent transactions for all merchants, and 50% of large retailers saw an upsurge in credit card fraud in 2008. Fraudsters are taking note of nontraditional payment methods: 29% of large retailers already reported an increase in alternative payments fraud during 2008.
o Friendly fraud accounts for more than one-third of the total fraud for online-accepting merchants. This equates to an average of 0.4% of total annual revenue lost to friendly fraud, whereby a consumer makes an Internet purchase via credit card and issues a chargeback after receiving the purchase.
The merchant or service provider issues an invoice to the consumer. The consumer fills in his credit card details, typically the card number and expiration date. Since the card is not present, the merchant has no way to tell whether the person entering those static details is the legitimate cardholder; this is the key problem.
Our solution for Secure E-Commerce Online Transactions from the consumer’s desktop was released earlier: http://www.sentry-com.net/Transaction.html.
Now we are proud to announce the availability of Secure E-Commerce Offline Transactions, not only from the consumer’s desktop but from any modern smartphone or tablet as well, using an off-the-shelf standard Remote Desktop Protocol (RDP) client app. This approach is valid for e-commerce as well as point-of-sale.
This is how it works:

1. The business provider (point-of-sale merchant, service provider, etc.) uses his smartphone, tablet or desktop to fill in the invoice form with the transaction details.
2. The invoice form is sent by SMTP (email) to the transaction (service or sale) recipient for authorization.
3. The consumer accesses his Remote Desktop and retrieves the invoice from his mailbox. To approve the transaction, the consumer fills in his credit card details; a copy of the invoice is retained for future audit.
4. To authorize a valuable transaction, the consumer performs two-factor strong authentication over HTTPS against MACS (Managed Authentication & Crypto Service).
5. On success, CryptoBiometrics™ binding is performed to digitally sign the transaction form.
6. The digitally signed form is sent to the transaction provider by SMTP (email).
7. The digitally signed form is uploaded over HTTPS to the payment processor.
8. The payment processor validates the signed transaction over HTTPS against MACS.
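The eight steps above, modelled in Python as an added example. This is not SentryCom code and the page does not describe the internals of MACS or of the CryptoBiometrics™ binding; the example assumes a service-held HMAC key as a stand-in for that binding, a pre-shared one-time code as the second factor, and a five-minute certificate lifetime. The invoice, card and user values are constructed sample data. It covers integrity and authorization of the form only; the email legs (steps 2 and 6) get no confidentiality here.

```python
import hashlib
import hmac
import json
import secrets
import time


def canonical_form(form):
    """Serialize the invoice form deterministically so every party hashes the same bytes."""
    return json.dumps(form, sort_keys=True, separators=(",", ":")).encode()


class MACS:
    """Stand-in (assumed design) for the Managed Authentication & Crypto Service: it
    authenticates the consumer, binds the filled form to that authenticated identity,
    and later tells the payment processor whether a presented certificate is genuine."""

    CERT_LIFETIME = 300  # seconds a transaction certificate stays valid (assumed value)

    def __init__(self):
        self._key = secrets.token_bytes(32)  # service-held MAC key; never leaves MACS
        self._users = {}                     # user -> (password hash, current one-time code)
        self._sessions = {}                  # session token -> authenticated user
        self._seen_nonces = set()            # replay protection for validated certificates

    def enroll(self, user, password, one_time_code):
        self._users[user] = (hashlib.sha256(password.encode()).digest(), one_time_code)

    def authenticate(self, user, password, one_time_code):
        """Two-factor check: password (knowledge) plus one-time code (possession)."""
        stored = self._users.get(user)
        if stored is None:
            return None
        pw_ok = hmac.compare_digest(stored[0], hashlib.sha256(password.encode()).digest())
        otp_ok = hmac.compare_digest(stored[1], one_time_code)
        if not (pw_ok and otp_ok):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def _mac(self, cert_body):
        return hmac.new(self._key, canonical_form(cert_body), hashlib.sha256).hexdigest()

    def bind(self, session, form, now=None):
        """Step 5: issue a transaction certificate tying the form to the authenticated consumer."""
        user = self._sessions.get(session)
        if user is None:
            raise PermissionError("no authenticated session")
        body = {
            "signer": user,
            "form_sha256": hashlib.sha256(canonical_form(form)).hexdigest(),
            "issued_at": int(now if now is not None else time.time()),
            "nonce": secrets.token_hex(8),
        }
        return {**body, "mac": self._mac(body)}

    def validate(self, cert, form, now=None):
        """Step 8: called by the payment processor. Returns (accepted, reason)."""
        body = {k: v for k, v in cert.items() if k != "mac"}
        if not hmac.compare_digest(self._mac(body), cert.get("mac", "")):
            return False, "certificate forged or altered"
        if hashlib.sha256(canonical_form(form)).hexdigest() != body["form_sha256"]:
            return False, "form does not match the signed form"
        now = now if now is not None else time.time()
        if now - body["issued_at"] > self.CERT_LIFETIME:
            return False, "certificate expired"
        if body["nonce"] in self._seen_nonces:
            return False, "replayed certificate"
        self._seen_nonces.add(body["nonce"])
        return True, "accepted"


def run_scenario():
    """Steps 1-8 of the flow, plus two presentations the processor must reject."""
    macs = MACS()
    macs.enroll("alice@example.com", "correct horse", "492817")
    # Step 1: merchant fills in the invoice (constructed sample data).
    invoice = {"merchant": "Acme POS", "invoice": "INV-1001", "amount": "42.00", "currency": "USD"}
    # Step 3: consumer adds card details inside the remote desktop (placeholder values).
    form = {**invoice, "pan_last4": "1234", "expiry": "12/13"}
    # Step 4: two-factor authentication against MACS.
    session = macs.authenticate("alice@example.com", "correct horse", "492817")
    cert = macs.bind(session, form)
    results = {}
    # Steps 7-8: processor receives form + certificate and asks MACS to validate.
    results["genuine"] = macs.validate(cert, form)[0]
    # Amount altered on the email leg after signing: hash no longer matches.
    results["tampered_amount"] = macs.validate(cert, {**form, "amount": "4200.00"})[0]
    # The genuine certificate presented a second time: nonce already consumed.
    results["replay"] = macs.validate(cert, form)[0]
    return results
```

Because validation happens at MACS rather than at the processor, the MAC key never has to be shared with the processor; the price is that every validation is an online call, which is what step 8 describes anyway.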
A few screenshots from an Apple iPhone 4 connected via the Orange mobile network:
The digitally signed invoice includes two parts: the transaction certificate:

and the invoice itself:

There is no more need to compromise between convenience, mobility and security.
Please contact SentryCom http://www.sentry-com.net/contactus.html for additional information.

NSTIC – the right step. But is the direction right?

May 2nd, 2011

NSTIC = The US National Strategy for Trusted Identities in Cyberspace.
“Why We Need It : Shopping, banking, social networking, accessing your employer’s intranet – these activities and more are all routinely done online. The increasing availability of these services results in greater opportunities for innovation and economic growth, but the online infrastructure for supporting these services has not evolved at the same pace. The National Strategy for Trusted Identities in Cyberspace addresses two central problems impeding economic growth online:
1. Passwords are inconvenient and insecure
2. Individuals are unable to prove their true identity online for significant transactions.”

The Strategy highlights: “NSTIC provides a framework for individuals and organizations to utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation”.
“The user-centric Identity Ecosystem described in this Strategy is an online environment where individuals and organizations will be able to trust each other because they follow agreed-upon standards to obtain and authenticate their digital identities and the digital identities of devices. Identification, authentication, and authorization provide the information and assurances necessary for the parties within a given transaction to trust each other. An identity provider (IDP) is responsible for establishing, maintaining, and securing the digital identity associated with that subject. These processes include revoking, suspending, and restoring the subject’s digital identity if necessary. The identity provider may also verify the identity of and sign up (enroll) a subject. Alternatively, verification and enrollment may be performed by a separate enrolling agent. A relying party (RP) makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials and attributes”.

Right step. There is no doubt that there is a need for Government intervention, since a market that reportedly runs over $10 trillion annually has the potential for major failure. This is the right step.
And we are proud to be an Identity Provider, providing our users with strong authentication and data authorization.

Wrong direction. That being said, I think that the direction is not adequate to the problem we are facing today. The FFIEC issued guidance to the banks in 2005 that passwords are insecure. To repeat that in 2011 is a little bit out of date… As the prominent researcher Steven Bellovin notes: “The fundamental premise of the proposed (NSTIC) strategy is that our serious Internet security problems are due to lack of sufficient authentication. That is demonstrably false. The biggest problem was and is buggy code. All the authentication in the world won’t stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. All of these attacks have been known for years”.
Buggy code is a fact of life and the result of software complexity. It is exploited by malware. Surprisingly, the word “malware” appears only once in this 52-page document.
But it has already been published that “Security measures such as one-time passwords, smart-cards, biometrics and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud”, as a 2009 report from research firm Gartner Inc. warns. As a result, a US FS-ISAC alert in 2010 urged business bank customers to “carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”
Passwords are indeed insecure, but the other security measures are insecure as well!
So if you are worried about a $10 trillion market, you should be worried about malware.
And we cannot wait that long. The malware problem is an imminent threat, and it will not wait the 3 to 5 years the document gives the Identity Ecosystem to reach its interim benchmark.

Why Sending Files Outside Your Enterprise Needs Approval.

March 24th, 2011

Why would sending a file outside your enterprise need the approval of your supervisor? Because attackers may send files outside your enterprise without approval…
Recent news leaves little room for doubt: the so-called APT (Advanced Persistent Threat) may cause a major change in the way enterprises protect their sensitive data.
Why change? Because if an IT security leader such as RSA cannot protect the source code of its flagship product SecurID, then change is needed.
Let’s examine the existing technology of Data Loss Prevention (DLP). According to Gartner, RSA is one of the market leaders in content-aware DLP, so it is reasonable to assume that DLP was deployed at RSA. This raises the question: why was DLP unable to withstand the APT attack?
The current perception of DLP was described in To DLP or not to DLP – Data Leakage/Loss Prevention:“The first and the foremost thing is to answer the question: What problem space are we talking about when we talk about Data Leakage? The Data Leakage problem can be defined as any unauthorized access of data due to an improper implementation or inadequacy of a technology, process or a policy.
The “unauthorized access” described above can be the result of a malicious, intentional, inadvertent data leakage, or a bad business/technology process from an internal or external user.
Next, the second question to answer is what part of the problem space defined above does the DLP product market solve? In the above definition of data leakage, the DLP solutions are designed to prevent unauthorized access of data due to inadequacy or improper implementation of a process or a policy, but not technology. They are not designed to address data leakage issues resulting from external attacks.
So, it is not an information security data leakage issue that the DLP solution is trying to solve.
Hence the DLP solutions help mitigate the following risks.
• Identifying insecure business processes. For example, use of FTP for transporting PHI data
• Accidental data disclosure by employees. For example, employee sending unencrypted email containing PHI data
• Intentional data leakage by employees. For example, disgruntled employees stealing data or an employee leaving the company with sensitive data”
DLP is not cheap: it requires considerable investment in classifying sensitive data. DLP is not transparent; it is intentionally visible to the end user in order to change user behaviour.
We do not have the details of the APT attack, so we cannot answer the question of how DLP was defeated. Perhaps one can pick up a few ideas from Ten Technical Questions to Make Your DLP Vendor Squirm. But if the technology to defeat it exists, we can be sure it will be used.
What do we know for sure? Enterprises need to communicate with the outside world. DLP can do a good job of content-screening email, but screening the content of arbitrary files may be too much for DLP, and this is the “sweet spot” exploited by APT.
So sending a file outside your enterprise may need the approval of your supervisor. DLP’s job will be to inspect whether this approval is valid. Your vendor’s job will be to convince you that an attacker will not be able to fake this approval. If both can be achieved, attackers will not be able to send files outside your enterprise.
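One way to make the approval unfakeable from a compromised endpoint, as an added example that is not part of the original post and not any vendor’s product API: keep the approval on the server side, bound to the SHA-256 of the file content, the sender and the destination, with an expiry, and have the egress DLP gateway look it up rather than trust anything the endpoint presents. The approver, sender, domains and file content below are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    approver: str
    sender: str
    file_sha256: str   # binds the approval to exact content, not a file name
    destination: str   # recipient domain the file may go to
    expires_at: int    # unix time after which the approval no longer counts


class ApprovalService:
    """Server-side record of supervisor approvals (assumed design). The egress DLP
    gateway consults it; nothing here ever lives on the endpoint, so a compromised
    workstation has no token to forge and no file it can swap unnoticed."""

    def __init__(self, supervisors):
        self._supervisors = set(supervisors)
        self._approvals = {}  # (sender, file hash, destination) -> Approval

    def approve(self, approver, sender, content, destination, ttl, now):
        # four-eyes rule: a supervisor, and never the sender approving themselves
        if approver not in self._supervisors or approver == sender:
            raise PermissionError("only a supervisor other than the sender may approve")
        digest = hashlib.sha256(content).hexdigest()
        approval = Approval(approver, sender, digest, destination, now + ttl)
        self._approvals[(sender, digest, destination)] = approval
        return approval

    def lookup(self, sender, digest, destination):
        return self._approvals.get((sender, digest, destination))


def egress_check(service, sender, content, destination, now):
    """DLP gateway decision for one outbound file. Returns (allow, reason)."""
    digest = hashlib.sha256(content).hexdigest()   # hash what actually leaves, not what was named
    approval = service.lookup(sender, digest, destination)
    if approval is None:
        return False, "no approval for this sender/file/destination"
    if now > approval.expires_at:
        return False, "approval expired"
    return True, "approved by " + approval.approver


def run_scenario():
    svc = ApprovalService(supervisors={"boss@corp.example"})
    report = b"Q3 design notes (constructed sample content)"
    now = 1_300_000_000
    svc.approve("boss@corp.example", "dev@corp.example", report, "partner.example", ttl=3600, now=now)
    results = {}
    results["approved_transfer"] = egress_check(svc, "dev@corp.example", report, "partner.example", now + 60)[0]
    # attacker on dev's endpoint appends extra data to the approved file before it leaves
    results["file_altered"] = egress_check(svc, "dev@corp.example", report + b"\nextra", "partner.example", now + 60)[0]
    # same approved file, but aimed at a drop site instead of the approved partner
    results["wrong_destination"] = egress_check(svc, "dev@corp.example", report, "dropsite.example", now + 60)[0]
    # approval reused two hours later
    results["expired"] = egress_check(svc, "dev@corp.example", report, "partner.example", now + 7200)[0]
    # attacker tries to mint an approval with the sender's own credentials
    try:
        svc.approve("dev@corp.example", "dev@corp.example", report, "dropsite.example", ttl=3600, now=now)
        results["self_approval"] = True
    except PermissionError:
        results["self_approval"] = False
    return results
```

The remaining trust assumption is the gateway itself and the path by which the supervisor approves, which is exactly where the vendor has to convince you.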

Wikileaks lessons for IT Security.

January 3rd, 2011

Much has been written about the Wikileaks incident. This post looks at the lessons relevant to IT security.
I will start by quoting Bruce Schneier, the US IT security expert:
“1. Encryption isn’t the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and — so it seems — put into an archive on SIPRNet, where lots of people had access to them in their unencrypted form.
2. Secrets are only as secure as the least trusted person who knows them. The more people who know a secret, the more likely it is to be made public.
3. I’m not surprised these cables were available to so many people. We know access control is hard, and it’s impossible to know beforehand what information people will need to do their jobs.”
I would like to add that:
4. The issue of network complexity is paramount. While in the past, in perimeterized networks, it was possible to seal off access and enforce security policies, in today’s environment it becomes very difficult to police every endpoint.
5. Another problem is classifying information. At today’s technology level we need humans to determine what is classified and what is not.
Surprisingly, points 1 to 5 have a common denominator:
Although we are looking to protect sensitive information, the way to tackle it is not to safeguard every network element but to manage the people creating and using this information.
Let’s look at the flow of information that led to the Wikileaks “flop”, according to http://www.wired.com/threatlevel/2010/06/leak/.
US diplomats around the globe sent diplomatic cables; these were archived, and people had access to them on a need-to-know basis determined by archive administrators. One of these people, who had legitimate credentials to access the archive, downloaded tons of documents to a rewritable DVD, using a loophole in the endpoint device management policy.
The purpose of this post is to propose a way to prevent this “Black Swan event of IT security” from happening. The goal is to reduce the potential damage.
Let’s modify the information flow that led to the “flop”. This modification does not require any changes to existing networks:
Any diplomat using a Government computer and Government network is doing so for the purposes of his job description, so any document he or she generates should be classified by definition. Any classified document should be protected from the moment it is created, whenever it is in motion on any network and whenever it is stored anywhere in the world. Immediate issue: documents are protected by encryption, but the keys must be stored securely and distributed in real time to decrypt these documents. Another problem is who reads the document, on a need-to-know basis. Any person generating classified information may share it with a group of people that need to know. Usually this group will be small, and its membership is determined by the person generating the document.
Immediate issue: user authentication for group members must be done in real time, in the most secure manner. Another immediate issue is cross-domain availability: encryption key management and user authentication must work across the globe, irrespective of infrastructure. Obviously the type of document cannot be restricted, since any type of information can be classified.
An audit trail of the information accessed by anyone must be preserved, and time expiration / information revocation must be built in.
If information needs to be shared with people beyond the original group, a liaison with the other group may do so by redistributing it, again on a need-to-know basis.
The classified information may still be archived in a central archive, but only in encrypted form, so that the need-to-know limitation is preserved.
Obviously, Data Loss Prevention policies need to be implemented on endpoint workstations across the globe: any document needs to be classified (i.e. encrypted) at generation. The encrypted document should also be “fingerprinted” to prevent distribution in unencrypted form. The following chart demonstrates SentryCom Granular Authorization for real-time need-to-know file access enforced by DLP policies:
GranularAuthorization&DLP
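The need-to-know scheme just described, reduced to its key-release decisions, as an added example; this is not SentryCom’s Granular Authorization and the page does not describe its internals. The example assumes one random content key per document held by a central key service (the bulk encryption of the document with that key under a standard AEAD is not shown), a membership list set by the author, liaison re-sharing, owner revocation, expiry, and an append-only audit trail from which the blast radius of any single endpoint can be read. Names, document ids and times are constructed.

```python
import secrets


class KeyService:
    """Central key store plus need-to-know policy (assumed design). A document is
    encrypted at creation with its own key; that key is released only to current
    members of the document's group, every decision is logged, and the owner can
    revoke a member or let the document expire."""

    def __init__(self):
        self._docs = {}   # doc_id -> {"key", "owner", "members", "expires_at", "revoked"}
        self.audit = []   # append-only trail of (time, doc_id, principal, decision)

    def register(self, doc_id, owner, members, ttl, now):
        key = secrets.token_bytes(32)  # per-document content key (used with an AEAD, not shown)
        self._docs[doc_id] = {"key": key, "owner": owner, "members": set(members) | {owner},
                              "expires_at": now + ttl, "revoked": set()}
        self.audit.append((now, doc_id, owner, "registered"))
        return key

    def share(self, doc_id, sharer, new_member, now):
        """A current member acting as liaison redistributes on a need-to-know basis."""
        d = self._docs[doc_id]
        allowed = sharer in d["members"] and sharer not in d["revoked"]
        if allowed:
            d["members"].add(new_member)
        self.audit.append((now, doc_id, sharer, ("shared-with:" if allowed else "share-denied:") + new_member))
        return allowed

    def revoke(self, doc_id, owner, member, now):
        d = self._docs[doc_id]
        if owner != d["owner"]:
            self.audit.append((now, doc_id, owner, "revoke-denied:" + member))
            return False
        d["revoked"].add(member)
        self.audit.append((now, doc_id, owner, "revoked:" + member))
        return True

    def request_key(self, doc_id, requester, now):
        """Real-time decision at read time; returns the key or None, and always logs."""
        d = self._docs.get(doc_id)
        if d is None:
            decision = "unknown-doc"
        elif now > d["expires_at"]:
            decision = "expired"
        elif requester in d["revoked"]:
            decision = "revoked"
        elif requester not in d["members"]:
            decision = "not-need-to-know"
        else:
            decision = "released"
        self.audit.append((now, doc_id, requester, decision))
        return d["key"] if decision == "released" else None

    def keys_released_to(self, requester):
        """Blast radius of one endpoint: the documents it could ever have decrypted."""
        return {doc for (_, doc, who, decision) in self.audit if who == requester and decision == "released"}


def run_scenario():
    svc = KeyService()
    t = 1_300_000_000
    # a diplomat classifies two cables at creation and names a small need-to-know group
    svc.register("cable-1", "diplomat@post.example", ["desk@state.example"], ttl=86_400, now=t)
    svc.register("cable-2", "diplomat@post.example", ["desk@state.example"], ttl=86_400, now=t)
    r = {}
    r["member"] = svc.request_key("cable-1", "desk@state.example", t + 10) is not None
    r["outsider"] = svc.request_key("cable-1", "analyst@hq.example", t + 20) is not None
    # the desk officer, acting as liaison, shares cable-1 (and only cable-1) with an analyst
    svc.share("cable-1", "desk@state.example", "analyst@hq.example", t + 30)
    r["after_share"] = svc.request_key("cable-1", "analyst@hq.example", t + 40) is not None
    r["other_cable"] = svc.request_key("cable-2", "analyst@hq.example", t + 50) is not None
    svc.revoke("cable-1", "diplomat@post.example", "analyst@hq.example", t + 60)
    r["after_revoke"] = svc.request_key("cable-1", "analyst@hq.example", t + 70) is not None
    r["after_expiry"] = svc.request_key("cable-1", "desk@state.example", t + 90_000) is not None
    # what a bulk download from the analyst's endpoint could have exposed
    r["analyst_blast_radius"] = sorted(svc.keys_released_to("analyst@hq.example"))
    r["audit_entries"] = len(svc.audit)
    return r
```

Contrast this with the central archive in the post: there, one endpoint with archive credentials could pull everything, and the only record was whatever the archive happened to log.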
Does it prevent the “singularity” of individuals who need access to vast amounts of classified information, such as analysts? Such information may still “channel” to them anyway. Since this is a very distinctive group of people, their security requirements need to be dealt with in a VERY ELEVATED FASHION. But this group is limited in geography, so that should not be too complicated to accomplish.
Conclusions:
1. In a centralized data repository every endpoint is created equal. Failure of one endpoint (the Wikileaks “flop”) may cause catastrophic consequences.
2. In the SentryCom need-to-know peer-to-peer data sharing scheme, failure of one endpoint does not cause much damage.
3. The singular group of people receiving vast amounts of information on a need-to-know basis needs to be dealt with much greater care than today.

Behavior based transaction verification – more of the same, but looks different.

November 17th, 2010

Malware, such as the Zeus Trojan, is widespread; nearly half of computers are infected. As a result: “Security measures such as one-time passwords, smart-cards, biometrics and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud”, a report from research firm Gartner Inc. warns.

Consequently, a US FS-ISAC alert urged business bank customers to “carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”

Therefore Gartner continues to recommend fraud detection that monitors user access behaviour. This method captures and analyzes all of the user’s Web traffic (assuming the targeted application is Web-based), including login, navigation and transactions, and can spot abnormal access patterns that indicate that an automated program, rather than a human being, is accessing the application.
The rationale: the authentication methods described above fail to operate in a malware-infested environment, so behaviour-based methods should be added; they have one obvious advantage, they are transparent to the user.
But do they make a difference in preventing identity fraud?
Indeed, behaviour-based methods may use the sequence of pages visited, which may be specific to a user. For example, one user usually logs in, checks his balance, then goes to transfer funds; another user usually checks his balance, then checks his stock portfolio, and only then goes to transfer funds.
So we may differentiate users by monitoring this sequence, in other words use it as a user-transparent “authentication”. But does it provide the malware resistance we are looking for? Obviously not.
Malware is not a human; it does not need to generate its own sequence. All it needs to do is change the destination of the funds transfer, which has nothing to do with user behaviour. Oops…
As we all know, malware can even play games with behaviour-based systems, by recording the web-site sequence with key-logging and screen capture, so that next time the malware initiates its own visit sequence without bothering the user to log in. How “inconvenient” user transparency may become!
Behaviour-based transaction verification does not solve the problem of a malware attack on a third-party funds transfer.
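To make the argument concrete, here is an added example (not Gartner’s method and not any product’s detector) of the simplest navigation-sequence model: a first-order Markov chain over the pages a customer visits, with Laplace smoothing, scoring a session by its average surprise and flagging anything well above what the customer’s own history scores. The session histories, page names and account identifiers are constructed. It shows the detector catching a scripted bot, and then scoring a man-in-the-browser session, in which only the transfer destination inside the request was swapped, exactly the same as the genuine one.

```python
import math
from collections import Counter, defaultdict


def train(sessions):
    """First-order transition counts over the pages visited in past sessions."""
    counts = defaultdict(Counter)
    pages = set()
    for session in sessions:
        names = [page for page, _ in session]
        pages.update(names)
        for a, b in zip(names, names[1:]):
            counts[a][b] += 1
    return {"counts": counts, "vocab": len(pages)}


def anomaly_score(model, session):
    """Average -log P(next page | current page); higher = less like this user.
    Only the page sequence is visible to the model, never the request parameters."""
    names = [page for page, _ in session]
    total_surprise = 0.0
    for a, b in zip(names, names[1:]):
        row = model["counts"].get(a, Counter())
        p = (row[b] + 1) / (sum(row.values()) + model["vocab"])  # Laplace smoothing
        total_surprise += -math.log(p)
    return total_surprise / max(1, len(names) - 1)


def build_detector(history, margin=1.5):
    """Flag a session whose score exceeds the user's own worst historical score by `margin`."""
    model = train(history)
    threshold = margin * max(anomaly_score(model, s) for s in history)

    def detect(session):
        score = anomaly_score(model, session)
        return score, score > threshold
    return detect


def transfer_target(session):
    return next(params["to"] for page, params in session if page == "transfer")


def run_scenario():
    usual = [("login", {}), ("balance", {}),
             ("transfer", {"to": "ACCT-USER-001", "amount": "250"}), ("logout", {})]
    with_portfolio = [("login", {}), ("balance", {}), ("portfolio", {}),
                      ("transfer", {"to": "ACCT-USER-001", "amount": "250"}), ("logout", {})]
    history = [usual] * 4 + [with_portfolio] * 2  # constructed past sessions of one customer
    detect = build_detector(history)

    # a script replaying stolen credentials: straight to the transfer page, over and over
    bot = [("login", {})] + [("transfer", {"to": "ACCT-MULE-777", "amount": "250"})] * 4 + [("logout", {})]
    # man-in-the-browser: the human drives the same pages, malware rewrites one field
    mitb = [(page, dict(params, to="ACCT-MULE-777") if page == "transfer" else params)
            for page, params in usual]

    g_score, g_flag = detect(usual)
    b_score, b_flag = detect(bot)
    m_score, m_flag = detect(mitb)
    return {
        "genuine_score": g_score, "genuine_flagged": g_flag,
        "bot_score": b_score, "bot_flagged": b_flag,
        "mitb_score": m_score, "mitb_flagged": m_flag,
        "genuine_destination": transfer_target(usual),
        "mitb_destination": transfer_target(mitb),
    }
```

The model does what it is built for (the bot's login-transfer-transfer pattern scores far above the customer's history) and is structurally blind to what the post is worried about, because the tampered field is not part of the behaviour it observes.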
Gartner, and others, should look elsewhere to protect users’ accounts.
Meanwhile, the picture is not rosy. See for yourself:
http://www.batchgeo.com/map/483cd995e217a9dc46d4386db15413c5

Malware and Desktop-based Security Software.

October 10th, 2010

Recent malware attacks call for a further review of the resilience of desktop-based security software products, for example PGP.
PGP was originally developed, in 1991, to protect data in transit from interception by unintended recipients. It is desktop-based software incorporating RSA public/private key cryptography. Indeed, in 1996, cryptographer Bruce Schneier characterized an early version as being “the closest you’re likely to get to military-grade encryption.”
There are many publications showing that brute-force attacks on PGP encryption fail to break it. There is also growing evidence that malware is able to bypass these defences without any need to crack RSA.
Malware is known to circumvent algorithmic defences during user activity.
The same may be true in the case of PGP. A breach of desktop-based security software may occur through “unwilling user cooperation”. For example, PGP security is based on password protection of the private key stored on the desktop. Therefore malware that records the password with a key-logger and/or hijacks the private key by DLL injection, such as described at
http://www.securityfocus.com/archive/1/513596
will be able to breach that security.
Any desktop-based security software must be resilient to this kind of attack to be applicable in today’s environment.
Client-server security software can make this kind of attack obsolete.

Malware Attacks on Electronic Signatures Revisited – One More Time.

October 3rd, 2010

This post is especially relevant in the context of the Zeus Trojan attacks.
In my previous posts:
http://sentry-com.net/blog/?p=412 ,
http://sentry-com.net/blog/?p=409 ,
the issue of malware resilience was raised.
In 2006 Dr. Hanno Langweg outlined a scheme for analyzing malware attacks on electronic-signature software. He investigated attacks on six different smart-card based electronic signature software products:
“We investigate attacks for which an expert attacker invests less than a day and uses no specialized equipment to find architectural vulnerabilities in the software as it was purchased. Exploitation should be possible automatically by laymen with appropriate tools. In terms of the Common Evaluation Methodology we hence operate with an attack potential at level “Low”. We require neither physical presence nor possession of the signature card, and we assume some programming skills. Special knowledge of the signature software is not needed, apart from what is publicly available or what is obtained from having the product at hand. Privileges for executing the resulting malicious programs are determined by the respective user and are usually those assigned to the subject associated with that user. No “administrator” or “super user” privileges are required for exploitation.
Data to be signed is prepared with an application program (and then typically transferred to a signature creation application (SCA)). The SCA offers the signatory to present the data to be signed and after confirmation transmits data to the signature creation device (SCD), usually a smart card. The SCD receives a personal identification number (PIN) – either via the SCA or via the card terminal – to authenticate the signatory and verify their presence. Data is then transmitted from the SCA to the SCD that computes the signature. The signature is sent back to the SCA and can then be stored together with the data used as input to the signing process.”
The following figure illustrates the problem tackled by Dr. Langweg:
Langweg
In our case (the Transaction Verification solution described at http://www.sentry-com.net/Transaction.html) the application program is a browser, and the signature creation device is an integral part of the Transaction Verification solution, so no extra hardware is necessary. The flow is illustrated below:
WebFormAuthorization

The signed, filled form is delivered over HTTP to the website serving the form and is retained for future audit by the client who signed it. It contains the transaction details and the signature details. But can we trust it?
Trust
The following table has these columns: the attack and its result against the smart-card based products, the attack description, the countermeasure proposed by Dr. Langweg, and our implementation of a defence against the respective attack. Our analysis is based upon the same assumptions of attack potential, user privileges, etc.
blog_table
We conclude that under the following conditions:
• Exploitation is possible automatically by laymen with appropriate tools, without requiring physical presence, i.e. by a Trojan.
• No “administrator” privileges are required for exploitation.
our solution solves the vulnerabilities exposed by Dr. Langweg.

Cybercrime victims feel ripped off and what do we do about it?

September 19th, 2010

A new Norton study of 7,000 web users is the first to gauge the emotional impact of cybercrime: victims feel ripped off… and pissed off. Two-thirds (65 percent) of Internet users globally, and almost three-quarters (73 percent) of U.S. web surfers, have fallen victim to cybercrime, including computer viruses, online credit card fraud and identity theft. Among the most victimized nations, America ranks third, after China (83 percent) and Brazil and India (tied at 76 percent). The study found that victims’ strongest reactions are feeling angry (58 percent), annoyed (51 percent) and cheated (40 percent), and in many cases they blame themselves for being attacked. Only 3 percent don’t think it will happen to them, and nearly 80 percent do not expect cybercriminals to be brought to justice, resulting in an ironic reluctance to take action and a sense of helplessness.
Related to that, the US White House published a draft of “National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy”.
Few quotes from this document:
“Cyberspace – the interdependent network of information technology components that underpins many of our communications – is a crucial component of the Nation’s critical infrastructure. We use cyberspace to exchange information, buy and sell products and services, and enable many online transactions across a wide range of sectors, both nationally and internationally. As a result, a secure cyberspace is critical to the health of our economy and to the security of our Nation. In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.
The Strategy’s vision is:
Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
Fraudulent transactions within the banking, retail, and other sectors along with intrusions against the Nation’s critical infrastructure assets that are essential to the functioning of our society and economy (utilities, transportation, financial, etc.) are all too common. As more commercial and government services become available online, the amount of sensitive and financial data transmitted over the Internet is ever increasing. Consequently, the probability of loss associated with data theft and corruption, fraud, and privacy breaches increases as well. The poor identification, authentication, and authorization practices associated with these identity solutions are the focus of this Strategy.
Identity Solutions will be Secure and Resilient:
Securing identity solutions against attack or misuse is paramount. Security ensures the confidentiality, integrity, and availability of identity solutions: Strong cryptography, the use of open and well-vetted security standards, and the presence of auditable security processes are critical to the trustworthiness of an identity solution. Identity solutions should have security built into them such that they detect and prevent intrusions, corruption, and disruption to the maximum extent possible.
Identity solutions should be resilient, able to recover and adapt to drastic or abrupt change.
Identity Solutions will be Cost-Effective and Easy To Use:
Identity solutions should be simple to understand, intuitive, easy to use, and enabled by technology that requires minimal user training.”
I have submitted my proposal to this initiative at :
http://www.nstic.ideascale.com/a/dtd/Protecting-Online-Transactions-and-Sensitive-Data-Files-with-Malware-resilient-Software-as-a-Service./45573-9351
Your comments are welcome.

Finding trusted path in un-trusted computers.

September 6th, 2010

Intro.
In my previous post on “Malware-resilient Software-as-a-Service Strong Authentication” the issue of trust was raised. This post quotes the publication “Extending the Trusted Path in Client-Server Interaction” by Hanno Langweg and Tommy Kristiansen:
“Interacting with the local human user is the weak point in client-server communications. While machines can employ cryptographic mechanisms to ensure authenticity, integrity, and confidentiality of communication, humans are not capable of this. They rely on their local computer to present data and transmit their input to a server reliably. Today’s operating systems provide protection against unauthorized modification of operating system components and offer mechanisms like discretionary access control and process separation to users and processes. Often, all processes of the same user operate with the same privileges. Malicious software (malware) can exploit this fact to read input destined for other processes (e.g. a key-logger) or modify the output displayed to the user (e.g. local phishing attack).
A server application needs a trusted path to the user at a network node. This concept is not new and exists in operating systems. The secure attention sequence Ctrl+Alt+Del in Microsoft Windows is an example of how the user can invoke a trusted path to the operating system to log on. Output of a trusted path cannot be manipulated by other processes and input cannot be read. The process using a trusted path can be sure that input and output are shared only with the user.
Trusted Path definition : A mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.’
In the Microsoft Windows operating system, applications typically receive information about user actions by messages. Since these can be sent by malicious programs as well, they are a convenient attack vector. It is a vulnerability by design – Windows treats all processes equally that run on the same desktop. If one needs an undisturbed interface, a separate desktop attached to the interactive window station should be assigned. However, managing separate desktops can be cumbersome for software developers. So most of today’s software that interacts with a local user runs in a single desktop shared by benign and malign programs.
A number of applications today are structured after the client-server pattern: internet banking, contract signing, e.g. in e-government, or online voting. Here, the main application is run on highly protected servers. Users connect to the server from their local machine. The machine acts as a smart terminal, collecting user input, transmitting it to the server, receiving server data and displaying server output.
The local user initiates and completes transactions with the server application.
The user interacts with a local application via the local user interface. Some problems immediately arise:
1. How do user and application know which server they are talking to?
2. How does the server know which application it is talking to?
3. How does the user know which application input is directed to?
4. How does the user know which application produces the output?
5. How does the application know that user received the output?
6. How does the application know where input comes from?
The first two problems can be solved by using a cryptographic protocol that offers secure authentication of the communicating parties and integrity of the communication, e.g. SSL. The strength of the cryptographic algorithm relies on access of the adversary to encrypted data and on it being computationally infeasible to decrypt the data or forge a digital signature.
The remaining four questions demand a trusted path between the local application and the user. The local user interface is the weak link in the interaction of the user with the server application. An adversary is much more likely to attack here than spending resources on breaking a cryptographic algorithm – breaking cryptography is typically either a formidable mathematical challenge or requires a large amount of computing resources. Attacks on the server are another option. However, a server is usually easier to protect than a large number of clients.
It may be possible to distinguish users and untrustworthy programs by observing their input behavior…”
Our approach.
Our approach to establishing a trusted path does not rely on particular PC architectural strengths or weaknesses, but rather on basic limitations of malware.
Fig. 1: Malware is incapable of speaking into the PC microphone. [Figure text: Please_say_hello]
Limitation 2: Manipulating displayed data by one program is detectable by another program.
Protecting the integrity of the information displayed to the user from manipulation by malware is a separate issue. In this case the malware does not bother to attack the authentication mechanism; all it cares about is manipulating the display.
If all processes share the same display, then it is possible to detect a discrepancy between the data presented to the user for confirmation and the data that is actually digitally signed. Here again we take the physical path: malware can manipulate the display, but the manipulation can be detected.
Fig. 2: Malware is capable of manipulating the display, but incapable of stealing the transaction. [Figure text: MITB]
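The check behind Limitation 2 and Fig. 2, as an added example (not code from this post or its author): an independent component records what the confirmation dialog showed the user, the browser process submits the data it wants signed, and the server accepts the signature only if the two agree. The transaction fields, the canonicalisation rules, the HMAC used as a stand-in for the digital signature and the sample transactions are all assumptions constructed for this example.

```python
"""Detecting a display/sign discrepancy: the data shown to the user for
confirmation is captured independently of the browser process and compared
with the data that is actually submitted for signing.  Example code added for
this post; field names, canonicalisation and the 'monitor' are assumptions."""
import hashlib
import hmac
import json
from decimal import Decimal

SIGNING_KEY = b"demo-signing-key"   # constructed stand-in for the user's signing key


def canonicalize(tx: dict) -> dict:
    """Normalise cosmetic differences so that only real changes are flagged:
    amounts compared as decimals, account numbers without spaces, names trimmed."""
    return {
        "payee": " ".join(tx["payee"].split()),
        "account": tx["account"].replace(" ", "").upper(),
        "amount": str(Decimal(str(tx["amount"])).quantize(Decimal("0.01"))),
        "currency": tx["currency"].upper(),
    }


def digest(tx: dict) -> str:
    """Stable digest of the canonical transaction (this is what gets signed)."""
    data = json.dumps(canonicalize(tx), sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def sign(tx: dict) -> str:
    """Stand-in for the digital signature over the transaction digest."""
    return hmac.new(SIGNING_KEY, digest(tx).encode(), hashlib.sha256).hexdigest()


def detect_tampering(displayed: dict, signed: dict) -> list:
    """Return the fields where the signed data differs from what the user saw."""
    shown, actual = canonicalize(displayed), canonicalize(signed)
    return sorted(k for k in shown if shown[k] != actual[k])


def verify_confirmation(displayed: dict, signed: dict, signature: str) -> str:
    """Server-side check: the signature must match the submitted data, and the
    submitted data must match the independently captured display record."""
    if not hmac.compare_digest(sign(signed), signature):
        return "bad-signature"
    if detect_tampering(displayed, signed):
        return "display-mismatch"
    return "ok"


# Constructed sample: what the confirmation dialog showed the user ...
DISPLAYED = {"payee": "Alice  Example", "account": "de89 3704 0044 0532 0130 00",
             "amount": 120, "currency": "eur"}
# ... the same transaction as the browser process submits it (benign case) ...
SUBMITTED_OK = {"payee": "Alice Example", "account": "DE89370400440532013000",
                "amount": "120.00", "currency": "EUR"}
# ... and the man-in-the-browser case: payee and amount changed after confirmation.
SUBMITTED_MITB = dict(SUBMITTED_OK, payee="Mallory", amount="9120.00")

if __name__ == "__main__":
    print(verify_confirmation(DISPLAYED, SUBMITTED_OK, sign(SUBMITTED_OK)))      # ok
    print(verify_confirmation(DISPLAYED, SUBMITTED_MITB, sign(SUBMITTED_MITB)))  # display-mismatch
    print(detect_tampering(DISPLAYED, SUBMITTED_MITB))                           # ['amount', 'payee']
```

The canonicalisation step matters in practice: a display record and a signing request will legitimately differ in spacing, case and number formatting, and a detector that flags those would be ignored. Only the fields a user actually confirms (payee, account, amount, currency) are compared, which is exactly what a man-in-the-browser has to change to profit.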

Malware-resilient Software-as-a-Service Strong Authentication.

August 20th, 2010

There is a good chance that your computer is infested with malware. In most cases the purpose of the malware is to perpetrate identity fraud for the financial gain of the fraudsters.
The purpose of this blog is to demonstrate the need for Malware-Resilient Software-as-a-Service strong authentication.
Malware-resiliency.
The problem we face today is that we cannot trust our computers anymore. The passwords we enter are stolen by key loggers, the transaction data we enter in the browser is modified by Trojans, and so on.
Given the scale of the problem and its potential cost, especially in a fragile economy, it is highly unlikely that a solution which is expensive in terms of up-front, distribution and maintenance costs will be accepted. Software-as-a-Service (SaaS) is the natural candidate.
But can SaaS be malware-resilient?
In other words, can we trust this SaaS if we cannot trust our computer?
If this SaaS is client-only software, the answer is no. Malware will find ways to circumvent it, no matter how secure it may look.
To be trustworthy, SaaS must use a client-server architecture. We put our trust in the server.
Strong Authentication.
Strong authentication may include a combination of something you have (your PC), something you know (your PIN) and something you are (your Biometrics).
But malware residing on your PC may key-log your PIN and replay your biometrics, so that your “trusted” server will not be able to detect the problem. Therefore the client needs to be designed so that malware cannot bypass its security features. For example, it is well known that CAPTCHAs are used to distinguish between humans and computer programs. It is also well known that fraudsters use “human service providers” who decode CAPTCHAs online for a few dollars.
Another way to distinguish between malware and humans is speech. Malware cannot speak into the PC microphone, while humans can do so quite easily, which makes malware prevention straightforward, provided all the ways to circumvent it are blocked.
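The server side of the two-factor scheme described in this section and illustrated by the "Please_say_hello" prompt in Fig. 1, as an added example (not the product's or the author's code): the server issues a fresh spoken-phrase challenge with a one-time nonce and a short lifetime, and the client proves possession of a per-PC key and knowledge of the PIN bound to that nonce. Speech capture and recognition are outside the example; the `transcript` argument is assumed to be the text a server-side recogniser produced from the user's recording. Device ids, keys, the PIN, the word list and the 15-second lifetime are constructed assumptions.

```python
"""Server side of a 2-factor login (PC ID + PIN) with a fresh spoken-phrase
challenge.  Example code added for this post, not the product's own code.
Speech recognition is assumed to happen elsewhere; 'transcript' is its output."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 15          # seconds a spoken challenge stays valid (assumption)
WORDS = ["hello", "orange", "river", "seven", "candle", "north"]  # constructed phrase list

# Constructed enrolment records: a device key provisioned on the PC, a salted PIN hash.
DEVICES = {"pc-42": b"device-key-for-pc-42"}
PIN_SALT = b"demo-salt"
PIN_HASHES = {"pc-42": hashlib.sha256(PIN_SALT + b"2468").hexdigest()}

_pending = {}   # nonce -> (device_id, phrase, expires_at); each nonce is usable once


def issue_challenge(device_id: str, now=None) -> dict:
    """Create a one-time challenge the user must read aloud."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    phrase = " ".join(secrets.choice(WORDS) for _ in range(3))
    _pending[nonce] = (device_id, phrase, now + CHALLENGE_TTL)
    return {"nonce": nonce, "phrase": "Please say: " + phrase}


def client_response(device_id: str, device_key: bytes, pin: str, nonce: str) -> str:
    """What the genuine client computes: a MAC binding device key, PIN and nonce."""
    pin_hash = hashlib.sha256(PIN_SALT + pin.encode()).hexdigest()
    return hmac.new(device_key, f"{device_id}|{pin_hash}|{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def verify(device_id: str, nonce: str, transcript: str, proof: str, now=None) -> str:
    """Accept only a fresh, unused challenge whose phrase was actually spoken and
    whose proof matches the enrolled device key and PIN."""
    now = time.time() if now is None else now
    entry = _pending.pop(nonce, None)          # consume it: a replay finds nothing
    if entry is None:
        return "unknown-or-replayed-challenge"
    dev, phrase, expires_at = entry
    if dev != device_id or now > expires_at:
        return "expired-or-wrong-device"
    if " ".join(transcript.lower().split()) != phrase:
        return "phrase-mismatch"
    expected = hmac.new(DEVICES[device_id],
                        f"{device_id}|{PIN_HASHES[device_id]}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof):
        return "bad-proof"
    return "ok"


def demo() -> list:
    """Walk through a genuine login, a replay of the captured response, and a
    response built from a key-logged PIN alone (wrong device key)."""
    results = []
    c = issue_challenge("pc-42")
    phrase = c["phrase"].split(": ", 1)[1]
    proof = client_response("pc-42", DEVICES["pc-42"], "2468", c["nonce"])
    results.append(verify("pc-42", c["nonce"], phrase, proof))      # ok
    results.append(verify("pc-42", c["nonce"], phrase, proof))      # replayed
    c2 = issue_challenge("pc-42")
    phrase2 = c2["phrase"].split(": ", 1)[1]
    forged = client_response("pc-42", b"guessed-key", "2468", c2["nonce"])
    results.append(verify("pc-42", c2["nonce"], phrase2, forged))   # bad-proof
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'unknown-or-replayed-challenge', 'bad-proof']
```

Consuming the nonce before any other check is what makes a recorded response worthless: a key-logged PIN plus a captured proof can only ever be presented against a challenge the server no longer holds. The phrase itself is random per login, so a stored recording of the user's voice does not match the next challenge either; how well the recogniser and any voice biometrics resist synthesised speech is a separate question this example does not address.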
Scalability.
Malware-resilient strong authentication can be 2-factor (PC ID and PIN), without the need for extra hardware, and take no more than 5 seconds of the user's time.
If an application needs an extra level of security, at the expense of a longer session (15 seconds), then Live Voice Biometrics can be added.