Securing Online Transactions with a Trusted Digital Identity

    Presentation Transcript
    1. © 2005. Microsoft Corporation.  All rights reserved. Securing Online Transactions with a Trusted Digital Identity Dave Steeves - dsteeve@microsoft.com Security Software Engineer Microsoft’s Security Business & Technology Unit System Protection Products Team

    2. Outline • Goals • Rationale • Securing Online Transactions • Enabling Secure Scenarios • Trusted Digital Identity

    3. Goals • Enable customers to securely perform online transactions on an insecure machine, over a hostile internet • Bellua Cyber Security Conference 2005 • Find more secure scenarios which are enabled with a trusted digital identity • TIPPI Workshop

    4. Online Bank Fraud in the News “A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could -- and indeed had -- infected his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs.” http://searchnetworking.techtarget.com

    5. The Threat of Identity Theft RSA Security chief executive Art Coviello suggested that the effects were already being felt, pointing out that some Australian banks have recently pulled out of planned web services because of security fears. "We are at a confidence crisis. For the first time we run the risk of taking a step backwards and the reason is the threat of identity theft," he said. http://www.vnunet.com/news/1161914

    6. Generic Transaction Model

    7. Remember the User

    8. Online Banking with User

    9. Secure Protocol + USER

    10. Threat 1: Phishing

    11. Threat 2: “Man In the Middle”?

    12. Threat 3: Computer is Fully Compromised; aka 0wn3d

    13. Two-Factor Authentication • “Protecting Against Phishing by Implementing Strong Two-Factor Authentication” • https://www.rsasecurity.com/products/securid/whitepapers • For example:

    14. Bar is Raised, but High Enough? • Does strong authentication add enough security to bank online?

    15. Threat 1*: Phishing

    16. Threat 2*: Man in the Middle by Social Engineering

    17. Threat 3*: Fully Compromised

    18. Focus on Verification Stages

    19. Secure Verification Content • Client Server • Human-User Server

    20. Today’s Online Banking

    21. Verification Stage

    22. Secure Online Banking

    23. Secure Online Banking

    24. Secure the Receipt

    25. Securing Online Transactions Recap • Current Online Transaction Models • Threats Still Exist • Solution • One Time Secret per Transaction • Keep Secret Off Untrusted Device • Reduces Attack Surface • Attack vectors localized • Hardware Hacking/Physically Present • Tempest Attacks • Break Crypto

    26. Trusted Digital Identity • Mini MAC • Connectivity through DAC system • Enable specific, fine grain scenarios

    27. Scenarios • Online Transactions • Digital Rights Management • Secure, Redundant Storage • Security and System Configurations • Paperless Money

    28. Limitations • Size of mobile device interfaces is small • Size of mobile device is small • Horsepower of a mobile device • Realistic scenarios • Not real time • Not heavily dependent on performance

    29. Questions for TIPPI Attendees • What end-to-end scenarios can we enable or include with a v1 of this idea? • What end-to-end scenarios can we enable in the future? • Do we need to provide trusted interfaces with Mandatory Access Control (MAC) to achieve a trusted identity? • Do we need to ensure the user has the only access to the Identity interfaces?

    30. © 2005. Microsoft Corporation.  All rights reserved. • Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries.   The names of actual companies and products mentioned herein may be the trademarks of their respective owners.