Introducing SecuSURF SA
Cellular Phone-Based Single-Use Password Authorization Solution
July 2007
Nomura Research Institute, Ltd. Infrastructure Solution Division
Recent Network Crimes: Actual # of Cases are on the Rise (* Published incidents only)

• <Online Banking> Unauthorized Withdrawal: 199 Cases; 300 Million Yen in Damages
• Between 2003 and 2006, Japanese online banks and postal savings suffered 199 cases of unauthorized withdrawal, with the accumulated damage exceeding 300 million yen. Online banking provides fund transfer services via PC. According to research conducted by the Financial Services Agency (FSA) on about 700 financial institutions it supervises, ranging from major banks to credit associations, there were 105 fraud cases with 174 million yen in total damages. Furthermore, the Japan Postal Service reported that it had found 94 cases with a total loss of 139 million yen since 2004, making the combined totals 199 cases with 313 million yen in damages.
• The FSA and other sources indicate that many of these cyber crimes involve malicious software such as spyware, which steals passwords from infected client PCs, and file exchange utilities that leak passwords. However, the exact method of operation has been identified in only a few cases.
• Phishing became the #1 Cause of Information Theft in just One Year
• Japanese authorities reported that the number of arrests for information theft in 2006 increased 2.5 times over the previous year, and that phishing and spyware became the more popular methods for cyber criminals. While the number of arrests increased from 277 in 2005 to 703 in 2006, the number of arrested persons showed only a modest increase from 116 to 130, indicating that multiple crimes were committed by the same parties. No arrests were made for security hole attacks. The most popular method of stealing passwords and other data was phishing, with 220 known cases. Although only one arrest was made for phishing fraud in 2005, the number increased significantly in 2006. Use of spyware to steal information also increased significantly, from 33 cases in 2005 to 197 cases in 2006.
• Financial Services Agency's 2006 Cyber Crime Report
• Online banking frauds doubled since the previous year to reach 98 cases, and the number is on the rise. On the other hand, the average loss declined from 2.14 million yen to 1.05 million yen, almost half of the previous year. About 67.5% of the cases were subject to compensation.
Enterprise Measures and User Actions: Trends and Examples of Specific Actions

Enterprise Measures (Corporate-only Measures):
• Eliminate Site Vulnerability: Periodic check-ups using site safety diagnostic services, etc.
• Tighten User Auth. (Early Implementation Possible): Single-use password, Two-factor authentication, Cross certificate, etc.

Enterprise Measures (Corporate Actions that support the users' attentions & efforts):
• Tighten Site Authentication: Cross-certificate, Official site certification, Phishing detection, etc.
• Keylogger prevention: Software keyboard, Key-stroke signal encryption, etc.
• Mail Sender Certification: Sender domain authentication, S/MIME certification, etc.

User Actions:
• Spyware Detection/Removal: Use of spyware removal tools, careful mail handling, etc.
• Tighten Site Authentication: Confirm the displayed URL and SSL server certificates.
Authentication Enhancement Status by Company (BtoC)
* Measures such as the use of software keyboard are excluded.
SecuSURF SA: Single-Use Password Authentication using a Cell Phone
・ Enhances the Authentication Level
・ Reduces the Enterprise Security Cost
・ Provides the Users with Ease-of-Operation
SecuSURF SA Features (Patent Pending)
• Single-use Passwords issued via Cellular Phone: Users can issue single-use passwords by accessing the SecuSURF cell phone site with their own cellular phones.
• Supports a Wide Assortment of Devices and Users: A wide range of applications is possible because users can use almost any cellular device with Internet access capability, regardless of their cell phone carrier. (Newer models are supported seamlessly.)
• High-level Security can be Implemented: Single-use passwords are issued only when the user enters his/her own password (PIN) on his/her own cellular phone (two-factor authentication by what the user has and what the user knows). Even if the user loses both his/her cell phone and the PIN, simply stopping his/her cell phone service prevents a single-use password from being issued, effectively preventing illegal access by identity thieves.
• Reduces Operating Cost: SecuSURF SA can significantly reduce the company's cost of procuring conventional single-use password generation devices and distributing them to users. In addition, user support becomes easier because no software has to be installed on the cellular phone, eliminating the need to identify each individual user's device configuration when users request support. If the customer requires, a software package can be made available. The single-use password issue/authentication processing service (ASP) can also be provided.
• Possible Application to Cellular-based Services: SecuSURF SA's two-factor authentication feature can be used by various cellular-based services to authenticate the user without having to issue/enter single-use passwords. Almost all cell phone models from NTT DoCoMo, au by KDDI, and SoftBank are supported, including 95% of all cellular phones released after April 2004.
Example of SecuSURF SA Usage
A single-use password is issued each time the service is accessed, making the authentication extremely secure.
Screens shown on the slide:
• Enhanced Security Service Screen (cell phone, ABC Bank): SecuSURF menu with 1 Online Banking, 2 Single-use Pwd, 3 Latest News, 4 Shopping, 5 Financial News, 6 About Security.
• SecuSURF PIN screen (ABC Bank Home): PIN **** entered; Send / Go back.
• SecuSURF result screen: Single-use Pwd k9z32m6 displayed; SecuSURF menu.
• Login Screen (Conventional, PC browser): the single-use password is entered, then Site Top is shown.
SecuSURF SA Authentication Flow
Actors: User, Your Website (Application), SecuSURF (issues & verifies pwd; holds Auth. Data).
(1) The user accesses the specified URL to display the authentication screen.
(2) The user enters the PIN on the cell phone.
(3) PIN & device ID are transmitted to SecuSURF.
(4) SecuSURF verifies the device ID# registration status and generates a single-use password (the generated OTP is kept).
(5) The single-use password is transmitted to the user's cell phone.
(6) The user enters the single-use password on the website's login screen (Browser: OTP ******).
(7) The website application inquires SecuSURF whether the user's OTP is accurate.
(8) Post-authentication screen.
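As an added illustration of steps (3), (4) and (7) above (example code, not SecuSURF's or NRI's own implementation), a minimal Python model of a server-generated single-use password service: it checks a registered device ID and PIN, keeps the issued OTP, and answers the application's verification inquiry exactly once. The PIN hashing, the two-minute validity, the lockout after five wrong PINs and the OTP alphabet are assumptions; the device registry is constructed sample data.

```python
import hashlib, hmac, secrets, time

OTP_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"  # assumption: no 0/o/1/l, easy to read on a handset
OTP_TTL_SECONDS = 120      # assumption: an issued password is valid for two minutes
MAX_PIN_FAILURES = 5       # assumption: lock the device ID after repeated wrong PINs

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class OtpIssuer:
    """Models the SecuSURF-style server: checks device ID + PIN ("what the user has" +
    "what the user knows"), keeps the issued OTP, answers the application's inquiry once."""
    def __init__(self):
        self.devices = {}   # device_id -> {"user", "salt", "pin_hash", "fails"} (constructed)
        self.issued = {}    # user -> (otp, issued_at)

    def register(self, device_id, user, pin):
        salt = secrets.token_bytes(16)
        self.devices[device_id] = {"user": user, "salt": salt,
                                   "pin_hash": _pin_hash(pin, salt), "fails": 0}

    def deregister(self, device_id):
        """Stopping the phone service / removing the device ID: no OTP can be issued any more."""
        self.devices.pop(device_id, None)

    def issue(self, device_id, pin, now=None):
        """Step (4): verify device ID registration and PIN, then generate and keep an OTP."""
        now = time.time() if now is None else now
        dev = self.devices.get(device_id)
        if dev is None or dev["fails"] >= MAX_PIN_FAILURES:
            return None   # unregistered (e.g. service stopped on a lost phone) or locked
        if not hmac.compare_digest(_pin_hash(pin, dev["salt"]), dev["pin_hash"]):
            dev["fails"] += 1
            return None
        dev["fails"] = 0
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(7))
        self.issued[dev["user"]] = (otp, now)   # replaces any earlier unused OTP
        return otp

    def verify(self, user, otp, now=None):
        """Step (7): answer the application's inquiry. The kept OTP is consumed on every
        attempt, right or wrong, so one issued password can never be used twice."""
        now = time.time() if now is None else now
        record = self.issued.pop(user, None)
        if record is None:
            return False
        issued_otp, issued_at = record
        if now - issued_at > OTP_TTL_SECONDS:
            return False
        return hmac.compare_digest(issued_otp, otp)
```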
Sample SecuSURF SA Configuration
• Cell phones (hand-held browser) reach the SecuSURF server (Issues & validates OTP; holds the single-use password DB, e.g. k9z32m6) through the carrier networks: i-mode network (DoCoMo), EZweb network (au), and the Vodafone/SoftBank network, each connected over a leased line or the Internet.
• The single-use password is returned to the hand-held browser.
• The Enterprise Server (Service Application) communicates with the SecuSURF server over SOAP to validate the single-use password.
• The user's PC browser reaches the Service Application over the Internet.
Single-Use Password Usage Comparison

Hardware Token (Client-Server Generated):
  Preparation: Deliver a token card. Manage the serial # & user table.
  Accessing: The token generates an OTP (e.g. 8987369); the user enters it on the Banking Web Server. The OTP Server also generates an OTP and the two are compared.

Software Token (Client-Server Generated):
  Preparation: Generate & transmit a seed file for each user. Download required applications. Device model limitations apply.
  Accessing: Generate an OTC with an i-application, etc.; the user enters it on the Banking Web Server. The OTP Server also generates an OTP and the two are compared.

Server Generated (SecuSURF SA):
  Accessing: The OTP Server issues OTP "8987369" after verifying the PIN & Device ID combination. The user enters the issued OTP on the Banking Web Server, and the OTP Server verifies that the OTP matches the one just issued.
SecuSURF SA Variations: Example of SecuSURF SA <Random# Table> Usage
The cell phone displays a random number table. The login screen displays an instruction on how to select numbers to enter. The random number table may be re-displayed.
Screens shown on the slide:
• Service Screen (cell phone, ABC Bank, High-level Security): SecuSURF menu with 1 Online Banking, 2 Random# Table, 3 Latest News, 4 Shopping, 5 Financial News, 6 About Security.
• SecuSURF PIN screen: PIN **** entered; Send / Return.
• Random# Table screen: 43 83 31 / 89 11 98 / 72 36 04. "Use the notebook feature to store the table."
• Login Screen (Conventional, PC browser), then Site Top.
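The server side of the random-number-table variant described above, as an added example (not SecuSURF's code): each user's table is held by the server and shown on the handset, the login screen names which cells to enter, and the concatenated values are checked once per challenge. The cell labels A..I, three cells per challenge and the user records are assumptions; the table values are the constructed sample from the slide.

```python
import hmac, secrets

# Constructed sample: the 3x3 table of two-digit values shown on the slide's handset screen.
SAMPLE_TABLE = ["43", "83", "31", "89", "11", "98", "72", "36", "04"]
CELL_LABELS = "ABCDEFGHI"   # assumption: cells are labelled A..I row by row on the login screen

class RandomTableAuth:
    """Random# Table authentication: the server keeps the table, issues a challenge naming
    a few cells, and verifies the values the user reads off the handset display."""
    def __init__(self, cells_per_challenge=3):
        self.tables = {}      # user -> list of 9 two-digit strings
        self.pending = {}     # user -> list of cell indices in the open challenge
        self.cells = cells_per_challenge

    def enroll(self, user, table=None):
        # A fresh table is random; the constructed slide table can be passed in for a sample.
        self.tables[user] = table or [f"{secrets.randbelow(100):02d}" for _ in range(9)]

    def challenge(self, user):
        """Pick distinct cells; returns the instruction shown on the login screen."""
        picks = sorted(secrets.SystemRandom().sample(range(9), self.cells))
        self.pending[user] = picks
        return "Enter " + ", ".join(CELL_LABELS[i] for i in picks)

    def verify(self, user, answer):
        picks = self.pending.pop(user, None)   # a challenge is single use, right or wrong
        if picks is None or user not in self.tables:
            return False
        expected = "".join(self.tables[user][i] for i in picks)
        return hmac.compare_digest(expected, answer)
```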
SecuSURF SA Variations: SecuSURF SA <OATH> Authentication Flow
The OATH logic is used to issue an OTP. The enterprise server containing the OATH logic authentication process eliminates the need to access SecuSURF for authentication. Various OATH-compliant tokens may be used concurrently.
Actors: Users, Your Website (Application with Auth. Data and OTP issue logic), SecuSURF (issues; Auth. Data and OTP issue logic). Other OATH-compliant token devices may be used in place of the cell phone.
(1) The user accesses the specified URL to display the authentication screen.
(2) The user enters the PIN.
(3) PIN & device ID are transmitted to SecuSURF.
(4) SecuSURF verifies the device ID number registration and generates a single-use password.
(5) The single-use password is transmitted to the user.
(6) The user enters the single-use password (Browser: OTP ******).
(7) Your Website generates the user's OTP and verifies the entered password (validated without accessing SecuSURF).
(8) Post-authentication Screen.
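The enterprise-side validation of step (7) in this OATH variant, as an added example (not SecuSURF's or NRI's code): an RFC 4226 HOTP generator and a verifier that holds each user's shared secret and event counter, so codes from the cell-phone issuer or from any other OATH-compliant token seeded with the same secret are validated without a round trip to SecuSURF. The look-ahead window of five and the user records are assumptions; the secret in the test is the RFC 4226 test-vector key.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class OathVerifier:
    """Enterprise server holding the OATH logic: each user's shared secret and event counter
    live here, so the entered OTP is regenerated and checked locally (no call to the issuer).
    Any OATH-compliant token seeded with the same secret produces the same codes."""
    def __init__(self, look_ahead: int = 5):
        self.users = {}            # user -> {"secret": bytes, "counter": int} (constructed)
        self.look_ahead = look_ahead   # assumption: how many unused codes the token may be ahead

    def enroll(self, user: str, secret: bytes, counter: int = 0):
        self.users[user] = {"secret": secret, "counter": counter}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Accept the next look_ahead counters (the token may have produced unused codes), then
        # move the server counter past the match so the same code cannot be replayed.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1
                return True
        return False
```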