Securing Online Transactions with a Trusted Digital Identity
Dave Steeves - dsteeve@microsoft.com
Security Software Engineer
Microsoft’s Security Business & Technology Unit
System Protection Products Team
© 2005. Microsoft Corporation. All rights reserved.
Outline
Goals
Rationale
Securing Online Transactions
Enabling Secure Scenarios
Trusted Digital Identity
Goals
1. Enable customers to securely perform online transactions on an insecure machine, over a hostile internet
2. Find more secure scenarios which are enabled with a trusted digital identity
Presented at: Bellua Cyber Security Conference 2005; TIPPI Workshop
Online Bank Fraud in the News
“A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could -- and indeed had -- infected his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs.”
http://searchnetworking.techtarget.com
The Threat of Identity Theft
RSA Security chief executive Art Coviello suggested that the effects were already being felt, pointing out that some Australian banks have recently pulled out of planned web services because of security fears.
"We are at a confidence crisis. For the first time we run the risk of taking a step backwards and the reason is the threat of identity theft," he said.
http://www.vnunet.com/news/1161914
Generic Transaction Model
Remember the User
Online Banking with User
Secure Protocol + USER
Threat 1: Phishing
Threat 2: “Man In the Middle”?
Threat 3: Computer is Fully Compromised; aka 0wn3d
Two-Factor Authentication
“Protecting Against Phishing by Implementing Strong Two-Factor Authentication”
https://www.rsasecurity.com/products/securid/whitepapers
For example:
Bar is Raised, but High Enough?
Does strong authentication add enough security to bank online?
Threat 1*: Phishing
Threat 2*: Man in the Middle by Social Engineering
Threat 3*: Fully Compromised
Focus on Verification Stages
Secure Verification Content
Client Server
Human-User Server
Today’s Online Banking
Verification Stage
Secure Online Banking
Secure Online Banking
Secure the Receipt
Securing Online Transactions Recap
Current Online Transaction Models: Threats Still Exist
Solution: One Time Secret per Transaction; Keep Secret Off Untrusted Device
Reduces Attack Surface: Attack vectors localized to
Hardware Hacking / Physically Present
Tempest Attacks
Break Crypto
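As an added illustration of the recap's design (example code written here, not from the talk): a fresh one-time value per transaction, the secret held only by a trusted device that shows the human the verification content, and a receipt the device can check. The key, payee and amounts are constructed; the PC-side tampering and replay are simulated by calling the server with altered or repeated messages.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared only by the trusted device and the bank; it never
# touches the untrusted PC (an assumption of this example, not a real key).
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

def _tag(key: bytes, label: str, nonce: str, payee: str, cents: int) -> str:
    # Fixed-field encoding binds every transaction detail to the MAC.
    return hmac.new(key, f"{label}|{nonce}|{payee}|{cents}".encode(), hashlib.sha256).hexdigest()

class TrustedDevice:
    """Holds the secret and shows the verification content to the human user."""
    def __init__(self, key: bytes) -> None: self._key = key

    def approve(self, nonce: str, payee: str, cents: int, user_confirms):
        # Verification stage: the human checks payee and amount on the device's
        # own screen; only content the user confirmed gets a tag.
        return _tag(self._key, "txn", nonce, payee, cents) if user_confirms(payee, cents) else None

    def check_receipt(self, nonce: str, payee: str, cents: int, receipt: str) -> bool:
        return hmac.compare_digest(_tag(self._key, "rcpt", nonce, payee, cents), receipt)

class BankServer:
    def __init__(self, key: bytes) -> None: self._key, self._open = key, set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # fresh one-time value for this transaction only
        self._open.add(nonce)
        return nonce

    def submit(self, nonce: str, payee: str, cents: int, tag: str):
        # Reject a used/unknown nonce (replay) or a tag over other content (tampering).
        if nonce not in self._open or not hmac.compare_digest(_tag(self._key, "txn", nonce, payee, cents), tag):
            return None
        self._open.discard(nonce)  # success burns the one-time value
        return _tag(self._key, "rcpt", nonce, payee, cents)  # receipt the device can verify

def scenario() -> dict:
    bank, device = BankServer(DEVICE_KEY), TrustedDevice(DEVICE_KEY)
    nonce = bank.challenge()
    tag = device.approve(nonce, "ACME Utilities", 12_500, lambda p, c: True)  # user confirms
    tampered = bank.submit(nonce, "ACME Utilities", 9_000_000, tag)  # malware rewrote the amount
    receipt = bank.submit(nonce, "ACME Utilities", 12_500, tag)      # untouched submission
    replay = bank.submit(nonce, "ACME Utilities", 12_500, tag)       # same message sent again
    return {"tampered_rejected": tampered is None, "accepted": receipt is not None,
            "receipt_ok": device.check_receipt(nonce, "ACME Utilities", 12_500, receipt),
            "replay_rejected": replay is None}
```

What remains attackable is what the recap lists: the device hardware itself, its emissions, or the MAC primitive, not the PC or the network path.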
Trusted Digital Identity
Mini MAC
Connectivity through DAC system
Enable specific, fine grain scenarios
Scenarios
Online Transactions
Digital Rights Management
Secure, Redundant Storage
Security and System Configurations
Paperless Money
Limitations
Size of mobile device interfaces is small
Size of mobile device is small
Horsepower of a mobile device
Realistic scenarios
Not real time
Not heavily dependent on performance
Questions for TIPPI Attendees
What end-to-end scenarios can we enable or include with a v1 of this idea?
What end-to-end scenarios can we enable in the future?
Do we need to provide trusted interfaces with Mandatory Access Control (MAC) to achieve a trusted identity?
Do we need to ensure the user has the only access to the Identity interfaces?
© 2005. Microsoft Corporation. All rights reserved. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.