© Copyright 2004 PostX. All rights reserved.

Ruth Colombo

April 29, 2004

New Developments and Opportunities in Secure Messaging

w h y s e c u r e m e s s a g i n g ?

t h e i n i t i a l p r o b l e m

» the challenge• secure individual emails• limited set of recipients

» the solution• s/mime and pki

s / m i m e

» the promise – one set of credentials• send encrypted messages• authenticate sender• verify message integrity

» the problems• complicated• cumbersome• interoperability problems• not built into web-based email

» yahoo!, hotmail, aol

» the net effect• limited adoption

Cathy Graeber, Forrester

…every time we’ve asked consumers this question, and then as CheckFree asked it again, when we say “Where do you want to receive your bills?” we only have 6% of consumers that pick the bank, and we listed a lot of options for them. And over 75% say they prefer email delivery.

where consumers want to view their statements and bills

Source: Bank Technology News April 2002

a n d t h e p r o b l e m g r e w

web site16%

email76%

bank aggregation

6%

other2%

a n d p r i v a c y m a t t e r e d

» hippa

» gramm-leech-bliley

» california sb-1386

» pipeda

» european data directive

a l t e r n a t i v e : p r o p r i e t a r y ‘ p u s h ’

» advantages• less complicated• no certificate problems

» problems• required software at recipient• limited client support

» operating systems» email platforms

• too cumbersome» net effect

• limited adoption

a l t e r n a t i v e : w e b - b a s e d ‘ p u l l ’

» advantages• reach anyone with a web-browser

» problems• usability on recipient side

» receive

• resource burden on host side» storage and bandwidth capacity» 24x7 availability

» net effect• limited adoption

w e b - b a s e d ‘ p u l l ’ t h e e x p o s u r e

s e c u r e e m a i l : t h e n e x t g e n e r a t i o n

» recipient requirements• no recipient software• 100% reach• easy to use

» sender requirements• easy to manage• message types

» point-to-point ad hoc» automatically generated

• security model alternatives• authentication model choices• scalable enterprise solution

c r e a t e , m a n a g e , & d e l i v e r s e c u r e l y

» compose content-rich communications• statements, invoices, notifications• source data from multiple sources

» integrate with customer-communication applications

» insert targeted marketing messages» provide image and print fidelity

• offline & on-line» use flexible templating engine

c r e a t i o n c a p a b i l i t i e s

d e l i v e r y c a p a b i l i t i e s

» no client software required» all platforms

• windows, mac, unix, linux» all email systems

• exchange, notes, yahoo!, hotmail, aol, etc.

» online and offline

u n i q u e d e l i v e r y m e t h o d s

» push delivery• postx envelope™

» postx offline envelope» postx registered envelope

• s/mime» pull delivery

» postx websafe

» secure reply™

m a n a g e m e n t c a p a b i l i t i e s

» server administration• communications• web-facing components• policy engine rules• tracking levels

» message management• manual or rules-based message locking• rules-base response to delivery failure or

bounce-back• tracking and reporting engine

» s/mime• automated certificate harvesting and

distribution

c a s e s t u d y – c h a r l e s s c h w a b

challenge

» satisfy customers » reduce costs» differentiate service

requirements

» 100% reach» no client software required» offline viewing» high-value content

alternatives

» website “pull”» pdf “push”» postx activeSTATEMENTS

results

» savings: $120 / customer / yr

» profit: $275 / customer / yr

» net $395 / customer / yr

c a s e s t u d y – c h a r l e s s c h w a b

1. Pull 401k data from internal systems

3. Retrieve advice data from Morningstar

4. Create personalized, dynamic statements

6. Track and manage secure statement delivery

5. Secure in PostX envelope

6. Deliver offline statements with image and print fidelity

2. Combine with print stream data

c a s e s t u d y – j p m o r g a n c h a s e

challenge

» satisfy customers» coordinate 7 lobs » reduce phone costs» comply with legislation

requirements

» online message center» single sign-on integration» dynamic inquiry forms» accurate routing

resultsalternatives

» internal development» custom contract» postx activeENTERPRISE

» faster response» reduced cost» “gold standard”

livermore research» “#1 reuse application”

JPMC CIO

c a s e s t u d y – j p m o r g a n c h a s e

2. Integration with the bank’s single sign-on system provides ease-of-use and ensures security.

6. All secure communication is tracked and managed through PostX Platform

4. CSRs receive inquiry and respond via WebSafe

5. Responses are delivered and stored in customers secure inbox

1. Customers initiate a secure account inquiry to any of the 7 retail banking lines of business.

3. PostX pulls customer data from multiple systems and routes completed query to correct line of business.

c a s e s t u d y – j p m o r g a n c h a s e

» secure online message center• provides “yahoo-like”

functionality

» message retrieval activity tracking

» manual or rules-based message expiry

• e.g., after 6 weeks

» customer-initiated secure inquiry support

c a s e s t u d y – m a y o c l i n i c

challenge

» comply with hipaa» secure point-to-point email» satisfy patients, providers,

researchers, payors

requirements

» no client software required» seamless email integration» automated enrollment

process

resultsalternatives

» s/mime » asp hosted solution» postx trustedMESSAGING

» automated ‘standard’ encryption

» one-click ‘designated’ encryption

» secure external replies

c a s e s t u d y – m a y o c l i n i c

2. PostX integrates with Mayo’s existing Outlook email infrastructure

1. Mayo healthcare professionals use SecureDirect to pro-actively encrypt sensitive documents

5. PostX manages and tracks delivery of secure messages

3. Encrypted messages are secured and delivered in PostX envelopes

4. Recipients can open and view encrypted messages without installing software

c a s e s t u d y – a t & t w i r e l e s s

challenge

» reduce costs» drive top-line revenue» differentiate service

requirements

» 100% reach» no client software required» offline viewing» targeted upsell offers

resultsalternatives

» website “pull”» pdf “push”» postx activestatements

» rapid customer adoption» reduced billing costs» fast ROI

c a s e s t u d y – a t & t w i r e l e s s

1. Pull customer data

4. Create personalized statements with embedded links to website.

7. Manage and track delivery of secure statements

5. Encrypt and secure statements in PostX envelopes

6. Deliver offline statements with image and print fidelity

2. Billing data

3. And marketing data

t h e n e x t c h a l l e n g e :

s p o o f i n g & p h i s h i n g

s i z e o f t h e p r o b l e m

number description source

$50 billion yearly cost of identity theft in the us ftc

600 hoursindividual time spent recovering

from identity theftidentity theft resource

center

500% identity theft growth in 3 years public interest research

group

50%financial services consumers

fearing identity theftforrester research

3%estimated number of people who

actually report fraud to ftcftc

2 0 0 3 U S A c o s t s

Source: FTC, Top 10 Fraud 2003

new accounts & other frauds

misuse of existing accounts (both credit card & non-credit card)

all id theft

number of people 3.23 million 6.68 million 9.91 million

average loss per victim

$10,200 $2,100 $4,800

total losses $32.9 billion $14 billion $47.6 billion

hours spent resolving per victim

60 hours 15 hours 30 hours

total hours spent resolving

194 million hours

100 million hours297 million

hours

t h e b a i t

http://205.214.89.85/ebay.htmlwww.citibank.com:ac%398HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00PjxT3Aac%398HAAA9UWDTYAZJWVWAAAA9pYWwgc2l6ZT00PjxTVgc2l6ZT00PjxT@211.155.234.84

» spoofing the email headers» stealing the enterprise brand» compelling event

t h e h o o k

fraudulent sitelegitimate site

» cloned web site» stealing the enterprise brand

e n t e r p r i s e a l e r t i n g s e r v i c e s

examples

» brightmail

» cyota

» cyveillance

» envisional

valueserves as an early warning system by monitoring web sites and e-mail traffic

drawbacks» reactive – doesn’t actually stop phishing, just helps you

know that it’s happening early in the attack cycle

» only notifies target organizations, not their customers

examples » postx

value

» allows e-mail gateway and client to determine whether message is from purported sender

» framework can be potentially expanded to provide message privacy (encryption)

drawbacks» customer’s email client needs to support it

» customers must be trained to look for validation

e m a i l v e r i f i c a t i o n

examples

» spf: dns registration (aol)

» caller-id: dns registration (microsoft)

» lmap: (ietf)

» domain keys: yahoo!

valueallows e-mail gateway to determine whether message is from purported sender

drawbacks

» customer’s gateway needs to support it and provide mechanism for passing status to customer

» timeframe for adoption and standardization

» no industry agreement on which method to use

» potential incompatibility with e-mail forwarding services

s e n d e r v a l i d a t i o n

examples» passmark

» geotrust

valueallows customer to determine whether web site is registered

drawbacks

» customers must be trained to look for validation

» customers must maintain records or knowledge of what is an authentic validation versus a spoofed validation

» isn’t proactive to prevent spoofed email forms and customer knowledge of the risks

w e b s i t e v e r i f i c a t i o n

© Copyright 2004 PostX. All rights reserved.

Ruth ColomboPostX Corporation408-861-3567 (office)415-595-6643 (cell)rcolombo@postx.com