ISS SA presents Entrust IdentityGuard Mobile
Transcript of "ISS SA presents Entrust IdentityGuard Mobile"
© Copyright Entrust, Inc. 2010
Winning the battle against the Man-in-the-Browser
Let’s talk about
Man-in-the-Browser
How does it work?
1. User visits bank and logs into account
2. Malware 'wakes up' based on URL watch list
3. User initiates ACH or Wire Transfer
4. Malware intercepts user's request, substitutes alternate amount and destination
5. Bank receives malware's request, sends transaction details for review and requests one-time-passcode (OTP)
6. Malware intercepts site's transaction detail confirmation, modifies them to correspond to user's initial request
7. User views transaction details (which look fine) then enters OTP token code into Web browser
8. Bank receives and validates OTP, transacting the malware-modified transaction without the user ever knowing
Alternative approaches to capturing user information…
Malware modifies web pages to prompt for OTP so it can silently execute a wire transfer or send OTP to criminal via Instant Message
H. Chen
The alternative: out-of-band transaction verification using a mobile application
Demonstration
User phone automatically wakes up and notifies user of transaction
Application is PIN protected to ensure security
User reviews and confirms transaction details…
…or gets instructions if transaction is suspect
If transaction details OK, user gets confirmation code to enter on web browser
Transaction history maintained for future reference
Entrust IdentityGuard Mobile
What is it?
- Downloaded application installed on a user's mobile device: iPhone, Blackberry, Windows Mobile, Java-based smart phones
What does it do?
1. Soft token: all the features of an Entrust Mini Token OT, but on a mobile device
2. Transaction Notification Service: confirms transaction details out-of-band and provides a confirmation OTP to defeat Man-in-the-Browser. Same application, optional service (upsell opportunity)
Entrust IdentityGuard Mobile
Multiple Identities, one device
- Mix of Soft token only and Transaction Notification
- Independent activation and control
- Customizable branding per identity
Entrust Mobile - Soft Token only
- OATH compliant
- Time-based soft token
- 30 second time window
- Brandable interface
IDG Mobile - with Transaction Verification (TVS)
- OATH Time-based Soft Token
- Transaction details confirmed out of band on mobile device
- No data entry
- OATH signature of transaction contents
- User confirms transaction or acts on suspect details
IDG Mobile – 1 product, 2 functions
- Mobile – Soft Token only, and
- Mobile – Soft Token with TVS
- Not separate products
- Same download
- Profile determined by activation code
- Upsell opportunity for TVS
- Different identities can have different options
How Transaction Verification Works
1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. User opens Entrust Mobile Application
4. IDG Mobile retrieves transaction details from bank's IDG & displays to user
5. User confirms details and enters OTP in web browser OR reads how to deal with a suspect transaction
Components shown in the diagram: Customer, Banking Application, Self Service Module, IdentityGuard
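The following is an added example, not Entrust code and not taken from these slides. It ties together three of the slides above: the "How does it work?" attack sequence, the soft-token slide's 30 second time window, and this transaction verification flow. It implements a standard RFC 4226/6238 time-based OTP and then a confirmation code bound to the transaction details the bank actually holds. The HMAC-over-canonical-details construction is an assumption standing in for the "OATH signature of transaction contents" the slides mention, not Entrust's actual algorithm; the seed, clock value and the two transactions are constructed sample data. The two `mitb_*` functions replay steps 3 to 8 of the attack slide against each scheme and return whether the malware-modified transfer would be executed.

```python
# Added example (not Entrust code): why a time-only OTP is defeated by a
# Man-in-the-Browser and why a code bound to the bank-side transaction details,
# reviewed out of band on the phone, is not.
import hashlib
import hmac
import json
import struct


def hotp(key: bytes, message: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation over HMAC-SHA1 of an arbitrary message."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP; the 30 s step matches the soft-token slide."""
    return hotp(key, struct.pack(">Q", unix_time // step), digits)


def transaction_code(key: bytes, tx: dict, unix_time: int, step: int = 30) -> str:
    """Confirmation code bound to canonical transaction details plus time step.
    Assumption: this HMAC construction stands in for the OATH transaction
    signature the slides mention; it is not Entrust's algorithm."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    message = struct.pack(">Q", unix_time // step) + hashlib.sha256(canonical).digest()
    return hotp(key, message)


# Constructed sample data.
SEED = b"12345678901234567890"  # RFC 4226/6238 test-vector secret
NOW = 1_300_000_000             # fixed clock so every run is deterministic
USER_TX = {"amount": "100.00", "beneficiary": "ACME Supplies", "account": "12345678"}
MALWARE_TX = {"amount": "9500.00", "beneficiary": "Mule Account", "account": "99999999"}


def mitb_against_plain_otp(seed: bytes = SEED, now: int = NOW) -> bool:
    """Attack slide steps 3-8 with a time-only OTP.
    Returns True if the bank ends up executing the malware's transaction."""
    submitted = MALWARE_TX          # step 4: malware swaps amount and destination
    shown_to_user = USER_TX         # step 6: malware rewrites the review page
    user_code = totp(seed, now)     # step 7: the code does not depend on the details
    bank_accepts = hmac.compare_digest(totp(seed, now), user_code)
    return bank_accepts and submitted != shown_to_user  # step 8: wrong transfer executes


def mitb_against_bound_code(seed: bytes = SEED, now: int = NOW) -> bool:
    """Same attack against out-of-band, transaction-bound confirmation.
    Returns True only if the malware-modified transaction gets executed."""
    submitted = MALWARE_TX
    # Verification slide step 4: the phone fetches the details the bank holds
    # over its own channel, so the browser-side malware cannot rewrite them.
    shown_on_phone = submitted
    if shown_on_phone != USER_TX:
        return False                # user sees 9500.00 to an unknown account and refuses
    user_code = transaction_code(seed, shown_on_phone, now)
    return hmac.compare_digest(transaction_code(seed, submitted, now), user_code)


def bound_code_rejects_tampering(seed: bytes = SEED, now: int = NOW) -> bool:
    """Even a code computed for the user's intended transaction fails to
    validate against the details the malware actually submitted."""
    user_code = transaction_code(seed, USER_TX, now)
    return hmac.compare_digest(transaction_code(seed, MALWARE_TX, now), user_code)


def legitimate_transaction_confirms(seed: bytes = SEED, now: int = NOW) -> bool:
    """Untampered flow: bank and phone hold the same details, code validates."""
    user_code = transaction_code(seed, USER_TX, now)
    return hmac.compare_digest(transaction_code(seed, USER_TX, now), user_code)


if __name__ == "__main__":
    print("plain OTP, malware transfer executed:", mitb_against_plain_otp())
    print("bound code, malware transfer executed:", mitb_against_bound_code())
    print("bound code accepts tampered details:", bound_code_rejects_tampering())
    print("bound code accepts legitimate transfer:", legitimate_transaction_confirms())
```

The defensive property is in the last three functions: because the phone retrieves the transaction from the bank rather than from the browser, the user reviews what the bank will actually execute, and because the code is computed over those same details, a code produced for a different amount or beneficiary does not validate even if the user were tricked into entering it.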
How the Optional Notification Service Works
1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. IDG sends notification message to Entrust cloud service
4. Entrust cloud service sends notification to appropriate provider
5. Provider sends message to device & wakes up IDG Mobile
6. IDG Mobile retrieves transaction details from bank's IDG & displays to user
7. User reads details and enters OTP in web browser OR reads how to deal with a suspect transaction
Components shown in the diagram: Apple Notification Service, Transaction Notification Service, Transaction Notification Request, Transaction Notification, Customer, Banking Application, Self Service Module, IdentityGuard
Availability: Q4, 2010
Roadmap (slide marked CONFIDENTIAL; platform columns not recoverable from the transcript)
Features: Time-based OTP; Transaction Confirm & Sign
Dates listed: August 2010, August 2010, Q4/2010, Early 2011, TBD, Early 2011, Early 2011
Thank you!
Information Security Services S.A.
Regus Citicenter, Av. Mariscal López Nro. 3794, 4th floor, CP 1.892, Asunción / Paraguay
Phone: 595 21 6207768, Fax: 595 21 6207701
Visit our site -> www.iss.com.py
Find us at -> http://www.facebook.com/ISS.Paraguay