Page 1: Introducing Forticom

May 2012 (C) 2012 Platez Pty. Ltd. Patents Pending

Page 2: The Problem

The problem with all systems is that when you authenticate your identity, you are required to interact with the system in such a way that casual or systematic observation will invite compromise, i.e. entering a password or a PIN.

Every time you physically validate your identity by entering it, i.e. at an ATM, when you log on to your computer at work or when you perform internet banking, you are at risk of having your identity stolen or misused.

Page 3: ATM Phishing Fraud

Ever been to an ATM and wondered if the transaction you are about to perform could somehow enable someone else to take money out of your account?

Not me – I’m too aware

Page 4: ATM Phishing Fraud

Yes – that’s a camera transmitting your PIN – they even do pinhole cameras mounted in the plastic above the keypad.

And that device is one of many used to skim/copy your card. This approach defeats specialised card security methods.

Page 5: The Goal

The challenge we undertook was to build a security method that would enable anyone, in any location, using any device, to prove their identity without fear of someone then being able to impersonate them and perform fraudulent actions.

We also set the additional requirements of:

A. The user must not require any other devices (i.e. no special cards or smart tags), and

B. Systems should not require physical changes to implement it (i.e. ATMs, merchant EFTPOS etc.), as we don’t necessarily have the ability to control or change these systems.

Page 6: The Result - Forticom

Forticom can:

1. Protect you at the ATM

2. Protect you when you use your Credit Card

3. Stop face to face Teller Fraud (impersonation)

4. Stop internal Fraud

5. Stop Internet Banking Fraud

6. Stop identity theft

7. Protect you whether you’re on your home PC, work PC, internet café, iPad or your mobile

Forticom does not detect fraud post-event; it stops the fraud from happening wherever you are required to provide an identity and authentication. Forticom can be introduced anywhere, regardless of industry, location or technology base.

Page 7: What is really at risk?

Anything and everything – taking events in the recent news:

- Twitter accounts compromised

- Facebook accounts compromised

- Internet banking scams

- Fob systems compromised

- Credit Card scams

Forticom can protect:

- Over 120 billion in cash withdrawals annually

- Reputations and credibility

- Customers, and regain lost confidence

Page 8: Inside the square

Existing security methods follow a similar process:

a) Enter your credential

b) Secure it to the nth degree using an implausibly non-reversible crypto method (i.e. MD5)

c) Secure the pipe between the place where you entered your credential and the place where it is verified

d) Compare the non-reversible crypto mash with the one stored in the system and if they match, then it must be you!

Even the most complex systems using tokens/keyfobs are using an algorithm that is present in the card or device; and if that algorithm is compromised – then it can be defrauded.

Here’s where the problem exists – simple observation (i.e. someone looking over your shoulder) 100% compromises you – not just once, but forever.

Page 9: Terminology

We are introducing the term SteelCode – it refers to the authentication code that a user enters when validating their identity using a Forticom-integrated system.

A SteelCode is a response to a system challenge, and can vary from system to system, and also from user to user. Forticom implements a set of keys, responses, rules and methods which are customisable at all levels.

Page 10: Forticom Claims - 1

There is no observable pattern to your SteelCode.

Using Forticom, I can attend an ATM and have my card sniffed and my SteelCode recorded – and without any modification to card technology or the ATM technology – the observed information cannot be used to perform another transaction.

Forticom allows for safe authentication in plain sight.

Page 11: Forticom Claims - 2

Resilient to Raw Brute Force Attacks

“3 fails in a row” or “3 tries in 5 minutes” limits assist against these attacks, but all systems can be attacked using brute force methods. In theory, if 10000 people accessed 10000 ATMs at the same time – with a copy of my card – and each tried a different PIN, one would get in – and worse, they could continue to get in until “I” report it.

Under Forticom, using the same 4 digit limitation, the odds of success are reduced to 1 in 10000 for each access attempt – and even if they fluke access, it would only be useful once; they could not do it again.

Page 12: Forticom Claims - 3

Observable Data

Forticom is so novel that not only can the user be observed and recorded without compromising their SteelCode, but the entire authentication data stream between entry point and the server where it is validated can also be recorded and analysed – also without compromising their SteelCode.

Page 13: Forticom Claims - 4

Minimal Impact

Converting to Forticom is a minimal-impact undertaking, inasmuch as it does not change the flow of the way people interact with existing systems and it does not require changes to Human-Machine Interface devices such as ATMs or Point of Sale devices*

i.e. You would approach an ATM, put your ATM card in and then type in your SteelCode.

* There may be some systems we are not aware of that we cannot identify a solution path for.

Page 14: Forticom Claims - 5

You can’t crack random

Forticom gives you the ability to use your brain to convert a pure random sequence into something meaningful.

Because it is truly random, there is no algorithm, there is no pattern, there is nothing to compromise. Having the complete code for the Forticom back end does not assist a potential hacker.

Page 15: How it works

As a registered Forticom user I specify a Key and a Method. The Key is based upon a set of symbols as defined by the Forticom Server – in the case of our demonstration system – ‘A’ to ‘Z’ and ‘a’ to ‘z’, a total of 52 key symbols.

The Method is one or more of the following:

• Straight Keyword – i.e. FRED

• Offset Keyword – i.e. FRED but I add or subtract up to 5

• Crawling Keyword – i.e. FRED but I add or subtract 1, then 2, then 3 etc.

• Masking – i.e. FR#ED

and more!

I, as the user, define my Key and my Method – and I NEVER again enter, expose, discuss or use them – I don’t need to!

Page 16: How it works

With each authentication, a newly-generated matrix of random numbers appears. The same matrix never appears twice.

So let’s assume my Key is FRED and I have defined a Method of minus 1.

When I go to authenticate I interpret the Matrix. In this instance F=0, R=1, E=0 and D=1.

So my SteelCode, when I apply my Method and ignore any minus signs, would be 1010 this time.

Page 17: How it works

The next time I access my account, a totally different matrix of random numbers appears.

As before, my Key is FRED and I have defined a Method of minus 1.

When I go to authenticate I interpret the Matrix. In this instance F=0, R=0, E=0 and D=1. Applying my Method of subtracting 1 and ignoring signs gives me a SteelCode of 1110 this time.
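The Key-and-Method scheme walked through on the three "How it works" slides, as an added Python reconstruction that is not Forticom's own code: it issues the random challenge matrix, derives the SteelCode for the straight, offset and crawling methods, and shows the server-side check consuming each matrix so a recorded code cannot be replayed. All function names are mine, masking is not modelled, and keeping only the last digit when an offset pushes a value outside 0-9 is my assumption.

```python
import hmac
import secrets
import string

# Symbol set of the demo system on the slides: 'A'-'Z' and 'a'-'z' (52 symbols).
SYMBOLS = string.ascii_uppercase + string.ascii_lowercase

def new_challenge():
    """Server side: fresh matrix mapping every symbol to a random digit 0-9.
    Drawn from the OS CSPRNG; a production server would also refuse to reissue
    a matrix it has already used."""
    return {sym: secrets.randbelow(10) for sym in SYMBOLS}

def steelcode(matrix, key, method):
    """One-time response for `key` under `method` against `matrix`.
    method is ("straight", 0), ("offset", n) or ("crawling", n), the three
    methods named on the slides; masking is not modelled. Assumption: the minus
    sign is dropped (as the slides say) and only the last digit is kept, so
    0 - 1 -> 1 and 9 + 5 -> 4."""
    kind, n = method
    digits = []
    for pos, sym in enumerate(key, start=1):
        d = matrix[sym]
        if kind == "offset":
            d += n
        elif kind == "crawling":  # n at position 1, 2n at position 2, ...
            d += n * pos
        elif kind != "straight":
            raise ValueError(f"unknown method {kind!r}")
        digits.append(str(abs(d) % 10))
    return "".join(digits)

def verify(pending, session_id, submitted, key, method):
    """Server side: check `submitted` against the matrix issued to this session.
    The matrix is consumed before comparing, so a recorded code cannot be
    replayed against it, and the comparison is constant-time."""
    matrix = pending.pop(session_id, None)
    if matrix is None:
        return False  # no outstanding challenge, or already used
    return hmac.compare_digest(steelcode(matrix, key, method), submitted)

def slide_walkthrough():
    """The two matrices from the slides: F, R, E, D as shown, every other
    symbol set to 0 (constructed filler), Key FRED, Method minus 1."""
    minus_one = ("offset", -1)
    first = dict.fromkeys(SYMBOLS, 0) | {"F": 0, "R": 1, "E": 0, "D": 1}
    second = dict.fromkeys(SYMBOLS, 0) | {"F": 0, "R": 0, "E": 0, "D": 1}
    return steelcode(first, "FRED", minus_one), steelcode(second, "FRED", minus_one)
```

`slide_walkthrough()` returns `("1010", "1110")`, matching the two slides; the second `verify` call for the same session returns False because the matrix was consumed by the first.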

Page 18: How it works

What about key loggers, when I change my Keyword?

When you first enter or subsequently change your Keyword, you get a different type of matrix. This time, the letters are randomised, and do not appear as text, but as images, with unrelated random names. The keylogger can still follow the button presses, but only knows which image each relates to, whose name is meaningless.

Page 19: Why is this useful?

Since I never actually enter my real credentials, it doesn’t matter if someone watches me, or if they record what I do. With the permutations available, there can be hundreds of thousands of combinations that would need to be considered in order to reverse engineer my Key and Method, allowing someone to then steal my identity.

The benefits are widespread:

1. I don’t need to change my password every 30 days

2. I don’t have to be ultra-paranoid about who could be watching

3. I don’t need to carry a mobile or a special security device in order to prove my identity

4. I get to control how complex my Key and Method is – for low risk items I can have a 4 symbol Key with a basic Method; for high risk, I can use an 8 symbol Key with a symbol based offset

Page 20: Just think…

If a web-based system I used was protected by Forticom, I would be able to walk into an internet café in my birthday suit, sit down at a computer that:

1. Was infested with Malware, Spyware and Keyloggers

2. Had a spy camera pointed at the screen and the keyboard

3. Had a sniffer copying all data in and out of the computer

and log onto that site, perform whatever transactions I needed to, then log out knowing that even with all that information, they cannot perform subsequent authentications as me.

There is no system we can think of that we couldn’t make Forticom work for.

Page 21: Thank you

For further information relating to Forticom please contact

(e) [email protected]

(f) [email protected]

(g) [email protected]

To view a working online system, with online banking, ATM and online securities trading go to

http://www.designsim.com.au