Securing Online Transactions with a Trusted Digital Identity Dave Steeves - [email protected]@microsoft.com Security Software Engineer Microsoft’s.

Securing Online Transactions with a Trusted Digital Identity

Dave Steeves - [email protected] Security Software EngineerMicrosoft’s Security Business & Technology UnitSystem Protection Products Team

© 2005. Microsoft Corporation.  All rights reserved.

Outline

Goals Rationale Securing Online Transactions Enabling Secure Scenarios

Trusted Digital Identity

Goals1. Enable customers to securely perform

online transactions on an insecure machine, over a hostile internet

Bellua Cyber Security Conference 2005

2. Find more secure scenarios which are enabled with a trusted digital identity

TIPPI Workshop

Online Bank Fraud in the News

“A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could -- and indeed had -- infected his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs.”

http://searchnetworking.techtarget.com

The Threat of Identity Theft

RSA Security chief executive Art Coviello suggested that the effects were already being felt, pointing out that some Australian banks have recently pulled out of planned web services because of security fears.

"We are at a confidence crisis. For the first time we run the risk of taking a step backwards and the reason is the threat of identity theft," he said.

http://www.vnunet.com/news/1161914

Generic Transaction Model

Remember the User

Online Banking with User

Secure Protocol + USER

Threat 1: Phishing

Threat 2: “Man In the Middle”?

Threat 3: Computer is Fully Compromised; aka 0wn3d

Two-Factor Authentication “Protecting Against Phishing by Implementing

Strong Two-Factor Authentication” https://www.rsasecurity.com/products/securid/whitepapers

For example:

Bar is Raised, but High Enough?

Does strong authentication add enough security to bank online?

Threat 1*: Phishing

Threat 2*: Man in the Middleby Social Engineering

Threat 3*: Fully Compromised

Focus on Verification Stages

Secure Verification Content

Client Server

Human-User Server

Today’s Online Banking

Verification Stage

Secure Online Banking

Secure Online Banking

Secure the Receipt

Securing Online Transactions Recap

Current Online Transaction Models Threats Still Exist

Solution One Time Secret per Transaction Keep Secret Off Untrusted Device

Reduces Attack Surface Attack vectors localized

Hardware Hacking/Physically Present Tempest Attacks

Break Crypto

Trusted Digital Identity

Mini MAC Connectivity through DAC system Enable specific, fine grain scenarios

Scenarios

Online Transactions Digital Rights Management Secure, Redundant Storage. Security and System Configurations Paperless Money

LimitationsSize of mobile device interfaces are smallSize of mobile device is smallHorsepower of a mobile device

Realistic scenariosNot real timeNot heavily dependant on performance

Questions for TIPPI Attendees

What end-to-end scenarios can we enable or include with a v1 of this idea?

What end-to-end scenarios can we enable in the future?

Do we need to provide trusted interfaces with Mandatory Access Control (MAC) to achieve a trusted identity?

Do we need to ensure the user has the only access to the Identity interfaces?

© 2005. Microsoft Corporation.  All rights reserved.Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries.   The names of actual companies and products mentioned herein may be the trademarks of their respective owners.