ISS S.A. presents Entrust IdentityGuard Mobile
DESCRIPTION
The advanced mobile authentication application is one component of a layered security approach to thwart Man-in-the-Browser malware attacks, such as the notorious Zeus Trojan, and is already available as part of the latest release, Entrust IdentityGuard 9.3.

"To combat increasingly sophisticated strains of malware effectively, including Man-in-the-Browser attacks, financial institutions should use a layered approach driven by proven identity-based security solutions." "In addition to strong authentication and fraud-detection methods, out-of-band transaction verification through a mobile application can prove effective in helping to combat Man-in-the-Browser attacks."

TRANSCRIPT
© Copyright Entrust, Inc. 2010
Winning the battle against the Man-in-the-Browser
Let's talk about Man-in-the-Browser
How does it work?
1. User visits bank and logs into account
2. Malware 'wakes up' based on URL watch list
3. User initiates ACH or Wire Transfer
4. Malware intercepts user's request, substitutes alternate amount and destination
5. Bank receives malware's request, sends transaction details for review and requests one-time-passcode (OTP)
6. Malware intercepts site's transaction detail confirmation, modifies it to correspond to user's initial request
7. User views transaction details (which look fine) then enters OTP token code into Web browser
8. Bank receives and validates OTP, transacting the malware-modified transaction without the user ever knowing
Alternative approaches to capturing user information…
Malware modifies web pages to prompt for OTP so it can silently execute a wire transfer or send OTP to criminal via Instant Message
H. Chen
The alternative: out-of-band transaction verification through a mobile application
Demonstration
User phone automatically wakes up and notifies user of transaction
Application is PIN protected to ensure security
User reviews and confirms transaction details…
…or gets instructions if transaction is suspect
If transaction details OK, user gets confirmation code to enter on web browser
Transaction history maintained for future reference
Entrust IdentityGuard Mobile
What is it?
• Downloaded application installed on a user's mobile device – iPhone, BlackBerry, Windows Mobile, Java-based smart phones

What does it do?
1. Soft token – All the features of an Entrust Mini Token OT but on a mobile device
2. Transaction Notification Service – Confirms transaction details out-of-band and provides a confirmation OTP to defeat Man-in-the-Browser – Same application, optional service (upsell opportunity)
Entrust IdentityGuard Mobile
Multiple Identities, one device
• Mix of Soft token only and Transaction Notification
• Independent activation and control
• Customizable branding per identity
Entrust Mobile - Soft Token only
OATH compliant
Time-based soft token
30 second time window
Brandable interface
IDG Mobile - with Transaction Verification (TVS)
OATH Time-based Soft Token
Transaction details confirmed out of band on mobile device
No data entry
OATH signature of transaction contents
User confirms transaction or acts on suspect details
IDG Mobile – 1 product, 2 functions
Mobile – Soft Token only and
Mobile – Soft Token with TVS
Not separate products
Same download
Profile determined by activation code
Upsell opportunity for TVS
Different identities can have different options
How Transaction Verification Works
1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. User opens Entrust Mobile Application
4. IDG Mobile retrieves transaction details from bank's IDG & displays to user
5. User confirms details and enters OTP in web browser OR reads how to deal with a suspect transaction
(Diagram components: Customer, Banking Application, Self Service Module, IdentityGuard)
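The Man-in-the-Browser sequence from the "How does it work?" slide and the transaction verification flow above, as an added worked example in Python. This is not Entrust's code; the transaction record format, the OCRA suite chosen, the seed and the sample transactions are assumptions made for the example. It implements an RFC 6238 time-based soft token with the 30-second window, an RFC 6287 OCRA code computed over a hash of the transaction details as the "OATH signature of transaction contents", and a simulated malware substitution showing why a plain OTP relayed through the browser still authorises the altered transfer while a transaction-bound code, checked against what the bank actually holds, does not.

```python
"""Added example (not Entrust's code): an OATH soft token plus a transaction-
bound confirmation code, and a simulated Man-in-the-Browser substitution."""
import hashlib
import hmac
import struct

# Reference seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
SEED = b"12345678901234567890"
# Assumed OCRA suite for this example: HMAC-SHA256, 8 digits, 64-hex-char challenge.
OCRA_SUITE = "OCRA-1:HOTP-SHA256-8:QH64"


def _truncate(digest: bytes, digits: int) -> str:
    """OATH dynamic truncation (RFC 4226 section 5.3)."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: the soft-token mode, with the 30-second time window."""
    return hotp(key, unix_time // step, digits)


def canonical_txn(txn: dict) -> bytes:
    """Fixed field order so phone and bank hash exactly the same bytes (assumed format)."""
    return "|".join(f"{k}={txn[k]}" for k in ("amount", "currency", "dest", "ref")).encode()


def ocra_sign(key: bytes, txn: dict) -> str:
    """RFC 6287 OCRA: HMAC(key, suite || 0x00 || Q), with Q right-padded to 128 bytes.

    The challenge Q is the SHA-256 of the transaction record, so the resulting
    code is only valid for exactly those transaction details.
    """
    question = hashlib.sha256(canonical_txn(txn)).hexdigest()   # 64 hex chars
    q_bytes = bytes.fromhex(question.ljust(256, "0"))           # 128-byte Q field
    msg = OCRA_SUITE.encode() + b"\x00" + q_bytes
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)


def bank_verify(key: bytes, txn_at_bank: dict, code: str) -> bool:
    """Bank-side check: recompute the code over the transaction the bank holds."""
    return hmac.compare_digest(ocra_sign(key, txn_at_bank), code)


def mitb_scenario(now: int = 1700000000) -> dict:
    """Simulate steps 3 to 8 of the Man-in-the-Browser flow with constructed data."""
    intended = {"amount": "500.00", "currency": "USD", "dest": "ACME-4411", "ref": "T1001"}
    # Step 4: malware rewrites amount and destination before the request leaves the browser.
    tampered = dict(intended, amount="9000.00", dest="MULE-0420")
    # Step 5: the bank only ever sees the tampered request.
    at_bank = tampered
    # Soft-token-only flow: the malware-controlled page asks for the TOTP and relays it.
    # The bank has nothing to bind the code to, so the altered transfer is authorised.
    plain_otp_from_user = totp(SEED, now)
    plain_accepted = hmac.compare_digest(totp(SEED, now), plain_otp_from_user)
    # TVS flow: the phone fetches the details from the bank's IDG, not from the browser,
    # so the user is shown the tampered amount and destination and can reject them.
    shown_on_phone = at_bank
    user_sees_mismatch = shown_on_phone != intended
    # A confirmation code generated for the details the user intended to approve
    # cannot be replayed either: it does not verify over what the bank holds.
    code_for_intended = ocra_sign(SEED, intended)
    return {
        "plain_otp_accepted": plain_accepted,
        "user_sees_mismatch": user_sees_mismatch,
        "bound_code_accepted_for_tampered": bank_verify(SEED, at_bank, code_for_intended),
        "bound_code_accepted_for_honest": bank_verify(SEED, intended, code_for_intended),
    }


if __name__ == "__main__":
    print("TOTP at t=59 (RFC 6238 vector is 94287082):", totp(SEED, 59, digits=8))
    print(mitb_scenario())
```

The design point is where the binding happens: the code is computed on the phone over details the phone fetched from the bank, and verified by the bank over the details it stored, so the browser never sits in that path and anything the malware substitutes there simply fails to verify.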
How the Optional Notification Service Works
(Diagram components: Apple Notification Service, Transaction Notification Service, Transaction Notification Request)
1. User attempts to undertake a risky transaction (ex: Wire Transfer)
2. Banking application requests OOB Transaction Verification from on-premise IDG
3. IDG sends notification message to Entrust cloud service
4. Entrust cloud service sends notification to appropriate provider
5. Provider sends message to device & wakes up IDG Mobile
6. IDG Mobile retrieves transaction details from bank's IDG & displays to user
7. User reads details and enters OTP in web browser OR reads how to deal with a suspect transaction
Q4, 2010
(Diagram components: Customer, Banking Application, Self Service Module, IdentityGuard)
Roadmap (slide marked CONFIDENTIAL)
Time-based OTP / Transaction Confirm & Sign
Dates shown: August 2010, August 2010, Q4/2010, Early 2011, TBD, Early 2011, Early 2011
Thank you!
Information Security Services S.A.
Regus Citicenter, Av. Mariscal López Nro. 3794 – Piso 4
CP 1.892 – Asunción / Paraguay
Phone: 595 21 6207768 Fax: 595 21 6207701
Visit our site -> www.iss.com.py
Find us at -> http://www.facebook.com/ISS.Paraguay