Giesecke & Devrient Presentation OASIS – Identity Management Conference DC, Sept 27th 2010

Presentation Transcript


  1. Giesecke & Devrient Presentation – OASIS Identity Management Conference, DC, Sept 27th 2010

  2. Giesecke & Devrient – From Printing Paper Securities to Providing High-Tech Solutions (company timeline chart; business lines shown: security solutions, government solutions, cards for payment and telecommunications, banknote processing, banknote and security paper, banknote and security printing; milestone years shown: 1852, 1964, 1977, 2007)

  3. …Stepping into the Shoes of an Evangelist – Thorsten Roeske (Head of Products & Marketing for Giesecke & Devrient’s eIDentity Business Unit)
     • For two decades, security experts have been persuading us that a move away from passwords in favor of multifactor authentication technologies will bring the necessary level of security for online systems
     • This paradigm may have held against typical attacks, but in recent years a close look at the active attack vectors exploited by malware such as ZEUS, together with visible trends in malware development, calls their true effectiveness into question
     • This presentation highlights why hardware technology alone fails to provide identity assurance in today’s threat and attack environment

  4. What You Know – What You Have – What You Are: The Role of Hardware Technologies to Provide Identity Assurance
     What is the best role for hardware-based authentication solutions (such as smart cards, smart phones, RFID devices and other hardware tokens) in identity management systems? How scalable are they, what deployments today have been successful, and what does the future hold for their use?

  5. Changing Attack Vectors

  6. Changing Attack Vectors

  7. Changing Attack Vectors (diagram): man-in-the-PC, man-in-the-middle, man-in-the-browser

  8. Emerging Attack Example – It’s real…

  9. … very real….

  10. The Nature of Online Fraud (chart; only its labels survive): “>$100k – LOW HACKING ROI”; “Standard Browser (e.g. Firefox) with 2-Factor Authentication like OTP, SMART CARD or EMV Card – HIGH HACKING ROI – <$2k”; callout: “…preventing online crime is about economics!”

  11. The Nature of Online Fraud – Ross Anderson, Prof. Security Engineering, Computer Labs, University of Cambridge: "Computer criminals differ from ordinary criminals in that they're more rational. The bulk of street crime is done by disadvantaged young men, often illiterate and with drug or alcohol problems. The bulk of e-crime is done by technically sophisticated people… So while preventing normal crime is about sociology, preventing online crime is about economics. Malware writers are rational, as are botnet herders…" (chart label: Highest ROI)

  12. The Nature of Online Fraud – Robert G. Ferrell, Information Systems Security Specialist, U.S.A. Dept. of Defense: "…Far more relevant to security are the browser clients a consumer is using irrespective of the operating system or hardware platform. Even more critical from a safety standpoint is the level of security awareness exhibited by that consumer. If you haphazardly visit every Web link …sooner or later you're going to get nailed. Period."

  13. Attacks focusing on the OS and/or the browser provide the greatest return on investment (for the bad guys!)
     Examples of current MITPC and MITB attacks:
     • APP-STEER = Application Steering
     • BROW-CERT = Browser Certificate Store Compromise
     • BROW-DNS = Browser DNS Library Compromise
     • BROW-SSL = Browser SSL Library Compromise
     • CERT-SPOOF = Certificate Spoofing
     • CH-BREAK = Channel Breaking
     • CODE-INJ = Code Injection
     • DNS-SPOOF = DNS Spoofing/Poisoning
     • DOM-CAPTCH = DOM Data Capturing/Patching
     • HFILE-MAN = Hosts File Manipulation
     • INFACE-MAN = Interface Manipulation
     • IP-RROUTE = IP Rerouting
     • KEY-LOG = Keystroke Logging
     • MOUSE-LOG = Mouse Event Logging
     • MEM-DUMP = Memory Dumping
     • MEM-PATCH = Memory Patching
     • OS-CERT = OS Certificate Store Compromise
     • OS-DNS = OS DNS Library Compromise
     • OS-SSL = OS SSL Library Compromise
     • REV-ENG = Reverse Engineering
     • SCREEN-C = Screen Capturing
     • SCRIPT = Script Injection
     • SOC-ENG = Social Engineering
     • DATA-SNIFF = User Data Sniffing
     • WIND-OVER = Window Overlay

  14. Versatile Authentication Methods – The Reality Today (chart: authentication methods plotted by Barrier to Entry / Complexity against Assurance Strength; methods shown: Biometrics (Biological), Biometrics (Behavioral), Smart Card (PKI), OTP Token / EMV, Soft Token, Out-of-Band Authentication, Knowledge-Based Authentication, Lightweight OTP, Adaptive Authentication, Advanced Password, Password)

  15. Versatile Authentication Methods – With Hardened Browser (chart: the same methods and axes as slide 14, Barrier to Entry / Complexity against Assurance Strength, re-plotted for use together with a hardened browser)

  16. Addressing the Weakest Link: The Browser
     • A hardened web browser protects the user against new attack vectors by using code obfuscation, polymorphic and virtualization techniques, and periodic updates of the executable code (which confuse attackers and force them to renew their efforts each time they develop code to attack the hardened application)
     • No installation or special rights required of the user
     • Optimized for online transactions
     • Easy integration into application servers at the back end (such as eBanking portals)
     • Operates without changes to existing IT infrastructure
     • Constant updates to mitigate the ever-increasing attack landscape

  17. What You Know – What You Have – What You Are: The Role of Hardware Technologies to Provide Identity Assurance
     • Indications are that the use of traditional HW technology continues to increase
     • Used in combination with a Trusted UI (such as a hardened browser), HW technology plays a key role in user authentication
     • New B2C markets are looking to embrace HW technology for strong authentication
     • …but the ecosystem is evolving
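As an added example (not from the slides, and not Giesecke & Devrient code), the following Python simulation shows the point slides 7, 10 and 17 make: a one-time password proves the token was present, but a man-in-the-browser can still rewrite the transaction after the user has approved it, whereas a second factor bound to the recipient and amount displayed on a trusted UI (the "what you see is what you sign" approach that the slides imply but do not spell out) lets the server reject the rewritten request. The bank, the OTP token, the signing device, all secrets and account names, and the MITB model are constructed for the example.

```python
"""
Constructed simulation: OTP-only authentication versus transaction-bound
authentication in the presence of a man-in-the-browser (MITB).

Nothing here is real infrastructure; the "bank", the "OTP token" and the
"trusted signing device" are toy models with constructed secrets.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed shared secrets (in reality provisioned into the token / smart card).
OTP_SEED = b"constructed-otp-seed"
TXN_KEY = b"constructed-transaction-signing-key"


@dataclass(frozen=True)
class Transaction:
    account: str
    recipient: str
    amount_cents: int
    counter: int  # per-transaction counter, also tracked by the bank


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a 6-digit code the user can type (HOTP-style)."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def otp(counter: int) -> str:
    """Event-based OTP: depends only on the counter, not on what is being sent."""
    mac = hmac.new(OTP_SEED, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def transaction_code(txn: Transaction) -> str:
    """Transaction-bound code: the trusted device shows recipient and amount on
    its own display and MACs exactly those values ("what you see is what you sign")."""
    msg = f"{txn.account}|{txn.recipient}|{txn.amount_cents}|{txn.counter}".encode()
    return _six_digits(hmac.new(TXN_KEY, msg, hashlib.sha256).digest())


def bank_accepts_otp(txn: Transaction, code: str) -> bool:
    """OTP-only check: proves the token was present, says nothing about the details."""
    return hmac.compare_digest(code, otp(txn.counter))


def bank_accepts_signed(txn: Transaction, code: str) -> bool:
    """Transaction-bound check: recomputed over the details the bank actually received."""
    return hmac.compare_digest(code, transaction_code(txn))


def man_in_the_browser(txn: Transaction) -> Transaction:
    """Models the MITB/MITPC from slide 7: the page the user saw is unchanged,
    but the request leaving the browser carries a different recipient and amount."""
    return replace(txn, recipient="CONSTRUCTED-MULE-ACCOUNT", amount_cents=250_000)


def run_scenario(tamper: bool) -> tuple[bool, bool]:
    """Return (otp_accepted, signed_accepted) for an honest or a tampered session."""
    intended = Transaction("ACC-1", "LANDLORD", 80_000, counter=7)
    # The user reads `intended` on the trusted UI and enters the resulting codes.
    user_otp = otp(intended.counter)
    user_txn_code = transaction_code(intended)
    sent = man_in_the_browser(intended) if tamper else intended
    return bank_accepts_otp(sent, user_otp), bank_accepts_signed(sent, user_txn_code)


if __name__ == "__main__":
    print("honest  :", run_scenario(tamper=False))  # (True, True)
    print("tampered:", run_scenario(tamper=True))   # (True, False)
```

The OTP survives tampering because the counter is untouched by the malware; the transaction-bound code fails because the MAC the bank recomputes covers the altered recipient and amount. The design choice is that the authenticator must consume the transaction details from a display the malware cannot patch, which is exactly why slide 17 pairs hardware tokens with a trusted UI.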

  18. Looking Forward – Vendors Are Paying Close Attention...
     • A Trusted Execution Environment (TEE) can be utilized in parallel to any rich OS in the mobile device (including netbooks and tablets)
     • TEEs can be considered “virtual smart cards” deeply embedded in the mobile device
     • TEE applications, so-called Trustlets, execute security-critical processes in an isolated processing space on the controller
     • TEEs can integrate with other security technologies such as SIM cards and/or Secure MicroSD cards
     • Applications and credentials can be securely provisioned over the air (OTA)
     (Diagram label: Application Processor)

  19. “Creating Confidence” Thank You!!
