authentication and transaction s ecurity in e business
play

Authentication and Transaction S ecurity in E-Business AXSionics - PowerPoint PPT Presentation

Oct 23, 2023 •603 likes •1.21k views

next generation of access control Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S eevorstadt 103b, CH-2501 Biel-Bienne Lorenz Mller Mobile: + 41 79 341 03 26 Lorenz.mueller@axsionics.ch 1 next

  1. next generation of access control Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S eevorstadt 103b, CH-2501 Biel-Bienne Lorenz Müller Mobile: + 41 79 341 03 26 Lorenz.mueller@axsionics.ch 1

  2. next generation of access control Overview � Phising – what it is, how it works… � Malware – a landscape � Role of authentication and transaction security � Authentication with biometrics � AXS Authentication System TM 2

  3. next generation of access control Bank robbery – what is your style? 3

  4. next generation of access control Old goals – new methods The goal of most crimes is to get money! Classical attack Cyber attack � � Personal presence Remote attack � � Hard work Available tools � � Single copy Automated industrial copies � � Limited action range Worldwide action range � � High risk Low risk � � High success rate is critical Low success rate is sufficient 4

  5. next generation of access control Market perspectives and indicators E-Business B2B (EU) € 1640 Bil 34 % CAGR (2007) $ 45Bil 19% CAGR (2007) Security Logical Access Control Transaction Security Physical Access Control € 420 Mil 20 % CAGR € …. Mil … % CAGR € 2900 Mil 8-9 % CAGR - Extranet Access Management - On-line contracts - Building/facilities access - Identity and Access Management - Digital signatures - High-throughput access control - Secure payment Logical & Physical Access Control € 500 Mil 15 % CAGR -Unified management & security policies Source: Gartner Group 5

  6. next generation of access control Fraud Rate in the Cyber S pace US credit card based transactions: 2004 6

  7. next generation of access control Fraud Types in non-physical interactions US Federal Trade Commission’s: Top Categories in 2004 for Consumer Fraud Complaints Source ISACA 7

  8. next generation of access control Phising – what it is, how it works… � A few examples � How to set-up a phising attack � Facts and figures � The business case 8

  9. next generation of access control Phising Mail PayPal 9

  10. next generation of access control 10

  11. next generation of access control 11

  12. next generation of access control MITM phising – how to set up the attack 12

  13. next generation of access control Troj an horse phishing – how to set up the attack 4. Trojaner manipulates transaction data Client logs to bank account Client Bank Web Server 2. Generate and send Spam mails 5. Transfer to With Trojan horse Money courier 3. Trojaner retrieves online instruction from fraudulent server 1. Preparation - Fraudulent Server - Email addresses - Program Trojan horse - Hire money courier Fraudulent Attacker Money Server 6. Get money courier from courier 13 (Western Union)

  14. next generation of access control Troj an horse operates above TLS / S S L � [ID:1800 IP:200.165.211.68 12.10.2005 22:05:41] � check=1&PBLZ=32050000&KONTONUMMER=600000&kMH5 LW0ai9k=FS911&javascript=1&Anmelden.x=32&Anmelden .y=7 � Ihr persönliches Finanzportal 32050000 - Microsoft Internet Explorer � [-- bankingportal.sparkasse- krefeld.de/browserbanking/GvLogin --] 14

  15. next generation of access control Exchanging entry fields in XML data � [ID:1800 IP:200.16[06/02/06] 15:23:49: [SKIPPED TAN] : 552484 URL: https://bankingportal.ksk- fds.de/banking/gvueberweisungtransaction; logindata: https://bankingportal.ksk-fds.de/banking/: check:1;kontonumber:900000;sklx64ehwdx:82827;javasc ript:1;x:39;y:11nn5.211.68 12.10.2005 22:05:41] 15

  16. next generation of access control Phising: S tatistical Highlights for May 2007 Number of unique phishing reports received in May: 23415 Number of unique phishing sites recorded in May: 37438 Number of brands hijacked by phishing campaigns in May: 149 Number of brands comprising the top 80% of phishing campaigns in May: 11 Country hosting the most phishing websites in May: United States Contain some form of target name in URL: 15.5 % No hostname just IP address: 6 % Percentage of sites not using port 80: 1.1 % Average time online for site: 3.8 days Longest time online for site: 30 days Source: http://www.antiphishing.org 16

  17. next generation of access control Number of attacks 17

  18. next generation of access control Innovation is guaranteed 18

  19. next generation of access control S urprise – it‘ s not the Russian Mafia (alone) 19

  20. next generation of access control Innovative methods – Troj an horses keyloggers 20

  21. next generation of access control Attacks are well targeted 21

  22. next generation of access control Why attackers do phising – the business case Business Case: 50 k Mails 0.5-1 % sucess 50 k$ revenue Approx. 40 k$ netto 22

  23. next generation of access control Overall costs � 25‘000 attacks / per month � 10 % successful � Approx. 50 k$ damage / successful attack � 125 Mio$ / month; approx. 1.5 Bill $ / year Example: Nordea Bank, Sweden Thomas Claburn (01/ 24/ 2007 6:00 PM ES T) URL: http:/ / www.eetimes.eu/ scandinavia/ 197000422 Cyber crime apparently pays quite well. S wedish bank Nordea has acknowledged that about 250 of its online banking customers have been robbed of about 8 million S wedish kronor -- roughly $1.14 million dollars -- as a result of a targeted phishing campaign. Customers were duped by a phishing scam coupled with a version of the Haxdoor Troj an installed on their computers. The attack took place over the past 15 months, according to Boo Ehlin, a spokesman for the bank. S wedish trade publication Computer S weden reported that 121 people may have been involved in carrying out the attack, but Ehlin could not confirm that figure. The article identified Russian cyber thieves as being behind the attack. 23

  24. next generation of access control Malware – a landscape � Taxonomy and definitions � Tools and methods � How attackers make money � Attacks on E-business and E-transactions 24

  25. next generation of access control Malware and crimeware Malware is unwanted software running on a user’ s computer that performs malicious actions. It encompasses among others � Adw are ( m alicious but legal) � Spyw are ( m alicious in a legal grey zone) � Viruses, W orm s ( destructive w ithout com m ercial purposes) � Crim ew are Crimeware is software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software. Source: The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond A Joint Report of the US Department of Homeland Security – SRI International Identity Theft Technology Council and the Anti-Phishing Working Group. October, 2006 25

  26. next generation of access control Distribution of crimeware Crimeware is distributed via many mechanisms, including: � Social engineering attacks convincing users to open a malicious email attachment containing crimeware; � Injection of crimeware into legitimate web sites via content injection attacks such as cross-site scripting ; � Exploiting security vulnerabilities through w orm s and other attacks on security flaws in operating systems, browsers, and other commonly installed software; � Insertion of crimeware into dow nloadable softw are that otherwise performs a desirable function. 26

  27. next generation of access control Aim of crimeware Crimeware can be used in many ways, including: � Theft of personal information for fraudulent use and/ or resale on a secondary market (as in a “ phishing” attack); � Theft of trade secrets and/or intellectual property , by commission, or for sale, blackmail or embarrassment; � Distributed denial-of-service attacks launched in furtherance of online extortion schemes; � Spam transmission ; � “Click fraud” that generates revenues by simulating traffic to online advertisements; � “Ransomware” that encrypts data and extorts money from the target to restore it; � Perform or support man-in-the-middle attack; � Manipulation of data in sensitive transactions; 27

  28. next generation of access control Transaction triangle in E-business - attacks 0101010 0101010 0110111 0110111 Identity theft Transaction manipulation 1001001 1001001 Denial of Service 28

  29. next generation of access control The role of authentication and transaction security � The weak spots in E-business schemes � Defense in depth � Raising the threshold � The AXS-AS approach 29

  30. next generation of access control Attacks on the E-business transaction 30

  31. next generation of access control Defense in depth 31

  32. next generation of access control Raising the threshold Security Personal Token Cluster Strong Authentication, Transaction signing offline credential stealing attack boundary Strong Authentication online channel breaking attack boundary Transaction Signing Offline phishing attacks (today) Spyware attacks (today) Hard Token PKI on Comfort (challenge based) Personal contact Hard Token PKI trusted platform (soft token PKI) Short Time PW Short time PW • mobility, (timer based) One-time PW (Credit Card) (TAN, iTAN) SSL / TLS SSL / TLS Certificate static PW • convenience 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non-

Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non-

Public Key Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non- :: Authenticity, e-business transaction Repudiation requirements for electronic :: Confidentiality and Integrity requirements ::

252 views • 11 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
1 Transaction State Transaction State (Cont.) Active, the initial state; the transaction stays in

1 Transaction State Transaction State (Cont.) Active, the initial state; the transaction stays in

Transactions Transaction Concept Transaction State Implementation of Atomicity and Durability Lecture 8 Concurrent Executions Transactions Serializability Recoverability Implementation of Isolation Transaction

376 views • 6 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Introduction 2 Introduction - transaction All cash transaction Planned transaction $115 per

Introduction 2 Introduction - transaction All cash transaction Planned transaction $115 per

1 Introduction 2 Introduction - transaction All cash transaction Planned transaction $115 per share Delivering a 50% approximately cash premium $5 billion 3 Introduction - rationale Key strengths of StanCorp Consistent long-term

940 views • 43 slides
Transaction Processing Transaction Concept A transaction is a unit of program execution that

Transaction Processing Transaction Concept A transaction is a unit of program execution that

Transaction Processing Transaction Concept A transaction is a unit of program execution that accesses and possibly updates various data items. E.g. transaction to transfer $50 from account A to account B: 1. read ( A ) 2. A := A 50

861 views • 74 slides
SPAC 101 Transaction Basics and Current Trends Transaction Basics What is a SPAC? Blank

SPAC 101 Transaction Basics and Current Trends Transaction Basics What is a SPAC? Blank

SPAC 101 Transaction Basics and Current Trends Transaction Basics What is a SPAC? Blank check company formed for the purpose of effecting a merger, share exchange, asset acquisition, share purchase, reorganization or similar business

516 views • 20 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and

I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and

I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and Management Engineering Antonio Ruberti Sapienza University of Rome WHY W EB S ECURITY April 2013 recent studies conform a trend that has been

958 views • 62 slides
Good morning! Enterprise Systems An Overview of Transaction Processing Systems Transaction

Good morning! Enterprise Systems An Overview of Transaction Processing Systems Transaction

Good morning! Enterprise Systems An Overview of Transaction Processing Systems Transaction processing systems (TPSs): Capture and process detailed data necessary to update the organizations records about fundamental business

1.06k views • 66 slides
R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC

R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC

R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC RISC ) ) ( Bio: Bio: Antonios Atlasis Antonios Atlasis An IT engineer for more than 20 years, developer and instructor in several Computer

1.3k views • 80 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Systematic analysis of lattice attacks on noisy leakage of

549 views • 53 slides
Office of Research Administration KPI Summary/Highlights Proposals FYTD February 2020 2018 2019

Office of Research Administration KPI Summary/Highlights Proposals FYTD February 2020 2018 2019

Office of Research Administration KPI Summary/Highlights Proposals FYTD February 2020 2018 2019 2020 School % change 2018 % change 2019 vs Total Proposal Proposed (#) Total Proposal Proposed Total Proposal Proposed vs 2019 2020 (#)

281 views • 6 slides
Genera&ve Models and Model Cri&cism via Op&mized Maximum Mean Discrepancy Dougal J.

Genera&ve Models and Model Cri&cism via Op&mized Maximum Mean Discrepancy Dougal J.

Genera&ve Models and Model Cri&cism via Op&mized Maximum Mean Discrepancy Dougal J. Sutherland Gatsby unit, UCL Two-sample tes&ng Observe two different datasets: vs Y Q X P Ques&on we want to answer: is

688 views • 56 slides
TROUBLESHOOTING AND APPEALS Health Access Basic Benefits Training February 27, 2020 Nancy

TROUBLESHOOTING AND APPEALS Health Access Basic Benefits Training February 27, 2020 Nancy

TROUBLESHOOTING AND APPEALS Health Access Basic Benefits Training February 27, 2020 Nancy Lorenz Greater Boston Legal Services nlorenz@gbls.org 2 Troubleshooting Eligibility How do you know there is a problem? : Provider says

458 views • 15 slides
Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological

Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological

Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological University, Singapore Technical University of Denmark NTU, 25 Nov

249 views • 21 slides
6.808: Mobile and Sensor Computing Lecture 10: The Pothole Patrol Hari Balakrishnan hari@mit.edu

6.808: Mobile and Sensor Computing Lecture 10: The Pothole Patrol Hari Balakrishnan hari@mit.edu

6.808: Mobile and Sensor Computing Lecture 10: The Pothole Patrol Hari Balakrishnan hari@mit.edu Slides from Jakob Eriksson road decay unavoidable, hard to predict current monitoring methods costly/ineffective 3 the Pothole Patrol

592 views • 32 slides
Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security & Integrity

Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security & Integrity

Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security & Integrity 2.High availability 3.Fault Tolerance 4.Evolvability 5.Performance This ordering has architectural and performance implications. Pure

450 views • 21 slides
Disclosures Philips, consultant Case Presentations: Problem Cases from the Liver/GI Consult

Disclosures Philips, consultant Case Presentations: Problem Cases from the Liver/GI Consult

5/28/2016 Disclosures Philips, consultant Case Presentations: Problem Cases from the Liver/GI Consult Service Ryan M. Gill What kind of case requires consultation? What kind of case requires consultation? 1. Common tumor, but something is

410 views • 24 slides

More recommend