Challenges of Identity Fraud
Chris Voice, VP Technology
Dec 14, 2015
© Copyright Entrust, Inc. 2005 2
We are Security Specialists…
• Top 12 security software company with ~ $100M in annual revenues
• Industry pioneer and leader, with 500 employees and 100+ patents
• Best in class service and support, and integration for leading technology vendors
• Strong balance sheet, with significant cash balance and no debt
– Publicly-listed (NASDAQ: ENTU)
2005 Major Identity Theft Incidents
[Bar chart: Users Impacted (000's), scale 0 to 1,500, for Bank of America, DSW, Orazio Lembo, Choicepoint, LexisNexis and Time Warner]
Phishing Reports Received Nov ’04 – Nov ’05
88% Year over Year Increase
Online Identity Fraud Influencing Consumer Behavior
IDC Financial Insights: “…6% admitted to switching banks to reduce their risk of becoming a victim of identity theft.”
Forrester: “…14% of online consumers have stopped using online banking and bill pay due to email fraud concerns.”
Gartner: “…nearly 14 percent of them [on-line bankers] have stopped paying bills via online banking.”
Entrust: “…18% of consumers have decreased or outright stopped doing on-line banking in the last 12 months because of concerns of identity security.”
Legislation
[Map legend: Have Introduced Data Security Legislation / Have Not Introduced Data Security Legislation]
Financial Service Mandates
• FFIEC considers single-factor authentication…to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
• Financial institutions should implement multifactor authentication, layered security…by end of 2006.
How Can Security Help
• People
• Processes
• Technology
– Strong Authentication
– Encryption
– Content Control
Encryption
• Two-thirds of fresh and critical data is on employee laptops and desktops – not the servers. (Gartner, April 2004)
• Companies typically lose 5-8% of their laptops per year. The FBI estimates that 50% of network penetration is due to information derived from a stolen laptop. (Meta, January 2005)
• By year-end 2007, 80% of Fortune 1000 enterprises will encrypt critical “data at rest” (0.8 probability). (Gartner, April 2004)
Benefits of Persistent Data Encryption
“Any person or business that conducts business in California…shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
California SB1386
Content Scanning
Automated Policy Enforcement
• Detection and Blocking across broad set of outbound protocols
[Diagram labels: Employees; Employees, Partners, Customers; http://, ftp://, IM]
Stronger Mutual Authentication
Understanding and Countering the Phishing Threat
A Financial Services Industry Perspective
Top 3 Recommendations:
1. Focus on Mutual Customer/Financial Institution Authentication
2. Improved Fraud Screening
3. Industry-wide Attack Method/Mitigation Information Sharing
Solution Areas: Report, Defend, Detect, Prevent
The Authentication Challenge
[Diagram labels: Usability & Cost, Security, Fraud Risk]
• Minimize customer experience impact
– Only impact user experience with stronger authentication when necessary
– The right authentication for the right risk level, at the right time
The Authentication Challenge – Risk-based Authentication
[Chart: Transaction Sequence (Login, Check Balance, Register Bill, Funds Transfer) plotted against Increasing Impact of Fraud and Increasing Authentication Strength]
Risk based authentication requires a range of capabilities
New Authentication Technologies
[Chart: Purchase & Deployment Cost ($) against Authentication Strength; labels: Traditional, Passwords, One-Time-Password Tokens, Smartcards, Biometrics]
Range of Risk-Based Strong Authentication
• Policy-based authentication allowing single authentication layer to meet multiple business requirements
– Per transaction, per user, per application, per LOB…
• Machine Auth: Authorized set of workstations
• Knowledge Auth: Challenge / response questions
• Out-of-Band: One-time-passcode to mobile device or phone
• Scratch Pad Auth: One-time password list
• Grid Auth: Grid location challenge and response
• Additional Technologies to Come
Example – Grid Authentication
• Unique authentication card issued to each user
• Random characters in grid with row/column headers
• Separate plastic card or on existing card
[Images: Stand-Alone Card, Card Add-On]
Grid Authentication Process
User enters ID & Password as is done today.
[Login form: Personal ID, ********]
Authentication Needs to be Mutual
• Easy to use mechanisms for customers to recognize they are on the right site.
• Message Replay Auth: User entered message
• Serial Replay Auth: Grid card serial number
• Image Replay Auth: User selected image
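The grid location challenge and response and the serial replay described on these slides, as an added Python sketch that is not Entrust's code. The 10x5 layout, three-cell challenge, attempt limit and the names issue_card and GridLogin are assumptions made for illustration.

```python
import hmac
import secrets
import string

COLS, ROWS = "ABCDEFGHIJ", "12345"          # assumed 10x5 card layout
ALPHABET = string.ascii_uppercase + string.digits
_rng = secrets.SystemRandom()               # CSPRNG-backed sampling


def issue_card():
    """Return (serial, grid) for one user; grid maps 'C3' -> one random character."""
    serial = secrets.token_hex(4).upper()
    grid = {c + r: secrets.choice(ALPHABET) for c in COLS for r in ROWS}
    return serial, grid


class GridLogin:
    """Second step of a login, run after the ID and password were accepted."""

    def __init__(self, serial, grid, cells=3, max_attempts=3):
        self.serial, self._grid = serial, grid
        self._cells, self._left = cells, max_attempts
        self._pending = None

    def challenge(self):
        """Replay the card serial (site-to-user check) and ask for fresh cells."""
        if self._left <= 0:
            raise PermissionError("grid authentication locked")
        self._pending = _rng.sample(sorted(self._grid), self._cells)
        return {"serial": self.serial, "cells": list(self._pending)}

    def verify(self, response):
        """Check the response to the pending challenge; a challenge is single-use."""
        pending, self._pending = self._pending, None
        if pending is None or self._left <= 0:
            return False
        expected = "".join(self._grid[cell] for cell in pending)
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(expected.encode(), response.strip().upper().encode())
        if not ok:
            self._left -= 1
        return ok
```

The user compares the replayed serial with the one printed on the card before typing any grid characters, which is the user-side half of the mutual check.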
Summary
• Identity Fraud will change the way organizations protect your sensitive information
– May require legislation to drive real action
• Identity Fraud will change the way you interact with your financial institutions
– Focus on addressing your confidence to drive continued internet adoption