Copyright © 2007 Nomura Research Institute, Ltd. All rights reserved.

Introducing SecuSURF SA
Cellular Phone-Based Single-Use Password Authorization Solution

July 2007
Nomura Research Institute, Ltd.
Infrastructure Solution Division

Page 2: Recent Network Crimes

Date | Institution | Incident | Cause
July 11, 2007 | Shinsei Bank | Phishing | Pharming
April 27, 2007 | Resona Bank, Saitama Resona Bank | Unauthorized withdrawal | Password leak (cause unidentified)
Sept. 29, 2006 | Saitama Resona Bank | Unauthorized withdrawal | Password leak (cause unidentified)
May 31, 2006 | Saitama Resona Bank | Unauthorized withdrawal | Password leak (cause unidentified)
January 26, 2006 | Japan Net Bank | Unauthorized withdrawal | Spyware
January 10, 2006 | Suruga Bank | Unauthorized withdrawal | Password leak (cause unidentified)
* Published incidents only

Phishing became the #1 cause of information theft in just one year
Japanese authorities reported that the number of arrests for information theft in 2006 increased 2.5 times over the previous year, and that phishing and spyware became the more popular methods among cyber criminals. While the number of arrests increased from 277 in 2005 to 703 in 2006, the number of arrested persons showed only a modest increase from 116 to 130, indicating that the same parties committed multiple crimes. No arrest was made for attacks on security holes. The most popular method of stealing passwords and other data was phishing, with 220 known cases. Although only one arrest was made for phishing fraud in 2005, the number increased significantly in 2006. Use of spyware to steal information also increased significantly, from 33 cases in 2005 to 197 cases in 2006.

Financial Services Agency's 2006 Cyber Crime Report
Online banking fraud doubled since the previous year to reach 98 cases, and the number is still rising. On the other hand, the average loss declined from 2.14 million yen to 1.05 million yen, almost half of the previous year. About 67.5% of the cases were subject to compensation.

<Online Banking> Unauthorized Withdrawal: 199 Cases; 300 Million Yen in Damages
Between 2003 and 2006, Japanese online banks and postal savings suffered 199 cases of unauthorized withdrawal, with accumulated damage exceeding 300 million yen. Online banking provides fund transfer services via PC. According to research conducted by the Financial Services Agency (FSA) on about 700 financial institutions it supervises, ranging from major banks to credit associations, there were 105 fraud cases with 174 million yen in total damages. Furthermore, the Japan Postal Service reported 94 cases with a total loss of 139 million yen since 2004, making the combined total 199 cases with 313 million yen in damages. The FSA and other sources indicate that many of these cyber crimes involve malicious software such as spyware, which steals passwords from infected client PCs, and file exchange utilities that leak passwords. However, the exact method of operation has been identified in only a few cases.

The actual number of cases is on the rise.

Page 3: Enterprise Measures Trends

Measures that support the users' attention and efforts (User Actions), with examples of specific actions:
・Spyware Detection/Removal: use of spyware removal tools, careful mail handling, etc.
・Tighten Site Authentication: confirm the displayed URL and the SSL server certificate.

Corporate-only Measures (Corporate Actions), with examples of specific actions:
・Eliminate Site Vulnerability: periodic check-ups using site safety diagnostic services, etc.
・Tighten User Authentication: single-use password, two-factor authentication, cross certificate, etc.
・Tighten Site Authentication: cross-certificate, official site certification, phishing detection, etc.
・Keylogger Prevention: software keyboard, key-stroke signal encryption, etc.
・Mail Sender Certification: sender domain authentication, S/MIME certification, etc.

Flagged on the slide: Early Implementation Possible.

Page 4: Authentication Enhancement Status by Company (BtoC)

Company | Service | Measures | Implementation
Mitsui-Sumitomo Bank | IB | OTP, FA | Hard-Token OTP (RSA), Fraud Action (IRSA)
Japan Net Bank | IB | OTP, FA | Hard-Token OTP (RSA), Fraud Action (IRSA)
Mizuho Bank | IB (Planned) | OTP, FA, FDS | Hard-Token OTP (RSA), Fraud Action (IRSA)
Nomura Securities | On-Training | OTP | Hard-Token OTP (Verisign), SecuSURF
Kyoto Bank | IB | OTP | Cellular Application OTP (RSA)
Iwate Bank | IB | OTP | Cellular Application OTP (RSA)
Yokohama Bank | IB (Planned) | OTP | Hard-Token OTP (RSA)
Fukuoka Bank | IB (Planned) | OTP | Hard-Token OTP (RSA)
NTT Data | ANSWER-WEB | OTP | Cellular Application OTP (RSA)

* Measures such as the use of a software keyboard are excluded.

Page 5: SecuSURF SA

Single-Use Password Authentication using a Cell Phone
・Enhances the authentication level
・Reduces the enterprise security cost
・Provides the users with ease of operation

Page 6: SecuSURF SA Features

Single-use passwords issued via cellular phone. Users obtain a single-use password by accessing the SecuSURF cell phone site with their own cellular phone.

Supports a wide range of devices and users. A wide range of applications is possible because users can use almost any cellular device with Internet access, regardless of carrier. (Newer models are supported seamlessly.)

High-level security can be implemented. A single-use password is issued only when the user enters his/her own password (PIN) on his/her own cellular phone (two-factor authentication by what the user has and what the user knows). Even if the user loses both the cell phone and the PIN, simply stopping the cell phone service prevents any further single-use password from being issued, effectively blocking access by identity thieves.

Reduces operating cost. SecuSURF SA can significantly reduce the company's cost of procuring conventional single-use password generation devices and distributing them to users. In addition, user support becomes easier because no software has to be installed on the cellular phone, eliminating the need to identify each individual user's device configuration when users request support. If the customer requires it, a software package can be made available. The single-use password issue/authentication processing service (ASP) can also be provided.

Possible application to cellular-based services. SecuSURF SA's two-factor authentication feature can be used by various cellular-based services to authenticate the user without having to issue or enter single-use passwords.

Almost all cell phone models from NTT DoCoMo, au by KDDI, and SoftBank are supported, including 95% of all cellular phones released after April 2004.

Patent Pending

Page 7: Example of SecuSURF SA Usage

Screens shown on the slide:
・Site Top (ABC Bank): menu with Online Banking, Single-use Pwd, Latest News, Shopping, Financial News, About Security.
・Login Screen (Conventional): user ID 123456 and password ****.
・Enhanced Security Service Screen (SecuSURF cell phone site): the user enters the PIN (shown masked as 1*) and presses Send; SecuSURF then displays the single-use password k9z32m6, with links to the SecuSURF menu and ABC Bank Home.

A single-use password is issued each time the service is accessed, making the authentication extremely secure.

Page 8: SecuSURF SA Authentication Flow

Participants in the diagram: the user; the user's cell phone (receives the OTP); the browser; Your Website (the Application and its Auth. Data); SecuSURF (issues and verifies the password).

(1) The user accesses the specified URL to display the authentication screen.
(2) The user enters the PIN on the cell phone.
(3) The PIN and device ID are transmitted to SecuSURF.
(4) SecuSURF verifies the device ID registration status and generates a single-use password (the generated OTP is kept).
(5) The single-use password is transmitted to the cell phone.
(6) The user enters the single-use password in the browser.
(7) Your Website inquires of SecuSURF whether the user's OTP is accurate.
(8) The post-authentication screen is displayed.
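The server-centric flow on this page (and the "stop the phone service and no further OTP is issued" property from page 6) can be modelled end to end. The following is an added example, not NRI's code: the class names SecuSurfService and EnterpriseApp, the OTP_LIFETIME of 60 seconds, the PBKDF2 PIN storage and the 7-character lowercase/digit OTP format (taken from the screenshot value k9z32m6) are all assumptions; the page does not describe SecuSURF's internals.

```python
"""Server-centric single-use password flow modelled on the eight-step
SecuSURF SA diagram. Added example, not NRI code; names, OTP format and
lifetime are assumptions."""
import hashlib
import hmac
import secrets
import string
import time

OTP_ALPHABET = string.ascii_lowercase + string.digits  # assumed format
OTP_LIFETIME = 60.0  # seconds an issued OTP stays valid (assumed)


class SecuSurfService:
    """Issues OTPs (step 4) and answers the enterprise's query (step 7)."""

    def __init__(self):
        # device_id -> [salt, pin_hash, user_id, service_active]
        self._devices = {}
        # user_id -> (otp, issued_at); only the latest issue is valid
        self._issued = {}

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, device_id, pin, user_id):
        salt = secrets.token_bytes(16)
        self._devices[device_id] = [salt, self._hash(pin, salt), user_id, True]

    def suspend(self, device_id):
        """Stopping the phone service blocks issuance for that device."""
        self._devices[device_id][3] = False

    def issue(self, device_id, pin, now=None):
        """Step 3/4: PIN + device ID arrive; verify both, then issue an OTP."""
        rec = self._devices.get(device_id)
        if rec is None or not rec[3]:
            return None  # unregistered or suspended device
        salt, pin_hash, user_id, _ = rec
        if not hmac.compare_digest(pin_hash, self._hash(pin, salt)):
            return None
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(7))
        self._issued[user_id] = (otp, time.time() if now is None else now)
        return otp  # step 5: shown on the phone

    def verify(self, user_id, candidate, now=None):
        """Step 7: is this the OTP just issued to the user? A correct OTP is
        consumed, so it cannot be replayed; an expired one is discarded."""
        entry = self._issued.get(user_id)
        if entry is None:
            return False
        otp, issued_at = entry
        current = time.time() if now is None else now
        if current - issued_at > OTP_LIFETIME:
            del self._issued[user_id]
            return False
        if not hmac.compare_digest(otp.encode(), candidate.encode()):
            return False
        del self._issued[user_id]  # true single use
        return True


class EnterpriseApp:
    """Your Website: collects the OTP (step 6) and asks SecuSURF (step 7)."""

    def __init__(self, service):
        self._service = service

    def login(self, user_id, otp, now=None):
        ok = self._service.verify(user_id, otp, now)
        return "post-auth screen" if ok else "denied"
```

The two properties worth checking in such a service are that a verified OTP is deleted (so an OTP captured by a keylogger after use is worthless) and that suspending the device ends issuance even with a correct PIN; both follow from the page's claims, and the expiry is the "time-sensitive OTP" remark from the comparison table.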

Page 9: Sample SecuSURF SA Configuration

Components shown in the diagram:
・Cell phones (hand-held browser) reach SecuSURF over each carrier's network: DoCoMo (i-mode network), au (EZweb network), vodafone (Softbank network).
・SecuSURF server (issues & validates the OTP) with its DB, connected to the Internet.
・Enterprise server running the Internet Service Application; the user's PC browser submits the single-use password (k9z32m6 in the example).
・The enterprise server and the SecuSURF server communicate by SOAP over a leased line or the Internet.

Page 10: Single-Use Password Usage Comparison

Server Generated (SecuSURF):
・Accessing: the OTP server issues OTP "8987369" after verifying the PIN & device ID combination; the user enters the issued OTP on the banking web server; the OTP server verifies that it matches the one just issued.

Software Token (client-server generated):
・Preparation: download the required applications; generate & transmit a seed file for each user; device model limitations apply.
・Accessing: generate an OTP with an i-application, etc.; enter the issued OTP; the server also generates an OTP and the two are compared.

Hardware Token (client-server generated):
・Preparation: deliver a token card; manage the serial # & user table.
・Accessing: generate an OTP on the token; enter the issued OTP; the server also generates an OTP and the two are compared.

Page 11: SecuSURF SA Variations: Example of SecuSURF SA <Random# Table> Usage

Screens shown on the slide:
・Site Top (ABC Bank): menu with Online Banking, Random# Table, Latest News, Shopping, Financial News, About Security.
・Login Screen (Conventional): user ID 123456 and password ****.
・High-level Security Service Screen (SecuSURF cell phone site): the user enters the PIN (shown masked as 1*) and presses Send; SecuSURF then displays the random number table, with the note "Use the notebook feature to store the table":

   43 83 31   89 11 98   72 36 04

The cell phone displays a random number table. The login screen displays an instruction on how to select the numbers to enter. The random number table may be re-displayed.
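The random-number-table variation is a challenge-response scheme rather than a fresh OTP per login: the phone fetches a table once, and each login names a few cells to read off. The following added example is not NRI's code; the 3x3 layout and the nine values come from the slide, while the class name RandomTableService, the three-cell challenge and the notebook-style storage on the user side are assumptions.

```python
"""Random-number-table (matrix card) challenge-response, modelled on the
SecuSURF SA <Random# Table> slide. Added example, not NRI code; the
challenge size and names are assumptions."""
import hmac
import secrets

ROWS, COLS = 3, 3  # layout from the slide


class RandomTableService:
    def __init__(self, rng=None):
        self._rng = rng or secrets.SystemRandom()
        self._tables = {}       # user_id -> list of 9 two-digit strings
        self._challenges = {}   # user_id -> cells of the pending challenge

    def issue_table(self, user_id, values=None):
        """Phone-side step: the user fetches a table and stores it."""
        if values is None:
            values = [f"{self._rng.randrange(100):02d}"
                      for _ in range(ROWS * COLS)]
        self._tables[user_id] = list(values)
        return list(values)

    def new_challenge(self, user_id, cells=None):
        """Login screen instruction: which (row, col) cells to enter."""
        if cells is None:
            cells = self._rng.sample(
                [(r, c) for r in range(ROWS) for c in range(COLS)], 3)
        self._challenges[user_id] = list(cells)
        return list(cells)

    def verify(self, user_id, response):
        """Consumes the pending challenge whether or not the answer is right,
        so one challenge cannot be retried or replayed."""
        cells = self._challenges.pop(user_id, None)
        table = self._tables.get(user_id)
        if cells is None or table is None:
            return False
        expected = answer(table, cells)
        return hmac.compare_digest(expected.encode(), response.encode())


def answer(table, cells):
    """What the user reads off the stored table for a challenge."""
    return "".join(table[r * COLS + c] for r, c in cells)
```

This is also where the comparison table's "stolen OTP may be used until the next valid login" caveat comes from: the table itself is long-lived, so a keylogger that observes several responses gradually learns the cells, and the scheme's strength is the number of distinct challenges rather than per-login freshness. Re-issuing the table (issue_table) is the recovery step.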

Page 12: SecuSURF SA Variations: SecuSURF SA <OATH> Authentication Flow

Participants in the diagram: the users; the cell phone (receives the OTP); the browser; Your Website (the Application, its Auth. Data and its own OTP issue logic); SecuSURF (issues only, with the same OTP issue logic); other OATH-compliant token devices.

(1) The user accesses the specified URL to display the authentication screen.
(2) The user enters the PIN on the cell phone.
(3) The PIN and device ID are transmitted to SecuSURF.
(4) SecuSURF verifies the device ID number registration and generates a single-use password.
(5) The single-use password is transmitted to the cell phone.
(6) The user enters the single-use password in the browser.
(7) Your Website generates the user's OTP itself and verifies the entered password (validated without accessing SecuSURF).
(8) The post-authentication screen is displayed.

The OATH logic is used to issue the OTP. Because the enterprise server contains the OATH logic, the authentication process does not need to access SecuSURF. Various OATH-compliant tokens may be used concurrently.
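Step (7) works because issuer and verifier share a per-user secret and run the same OATH algorithm, so the enterprise server can recompute the expected code locally. The following added example is not NRI's code: it uses HOTP (RFC 4226, the OATH counter-based algorithm, which matches the "seeds & counters" description in the comparison table) as the concrete OATH logic, since the page does not say which algorithm SecuSURF uses; the class names Issuer and Verifier, the 6-digit output and the look-ahead WINDOW of 5 are assumptions (RFC 4226 recommends a window but fixes no size).

```python
"""OATH HOTP (RFC 4226) issuance and local verification, modelled on the
SecuSURF SA <OATH> flow. Added example, not NRI code; names, digits and
window size are assumptions."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Issuer:
    """SecuSURF side (step 4): issues the next OTP for a user. The counter
    advances on every issue, whether or not the user goes on to log in."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._counters = {u: 0 for u in secrets_by_user}

    def issue(self, user):
        c = self._counters[user]
        self._counters[user] = c + 1
        return hotp(self._secrets[user], c)


class Verifier:
    """Enterprise side (step 7): same OATH logic and secret, own counter.
    Accepts a code within WINDOW steps ahead and resynchronises to it, so
    an OTP the user requested but never typed does not lock them out."""

    WINDOW = 5  # assumed look-ahead

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._counters = {u: 0 for u in secrets_by_user}

    def verify(self, user, candidate):
        base = self._counters[user]
        for c in range(base, base + self.WINDOW):
            if hmac.compare_digest(hotp(self._secrets[user], c), candidate):
                self._counters[user] = c + 1  # resync; codes <= c are now dead
                return True
        return False
```

Because the verifier moves its counter past every accepted code, a captured HOTP value is useless once the user has logged in with a later one, which is the "true single-use password" property the comparison table credits to the counter-synchronised types. Any other OATH-compliant token that shares the same secret format plugs into the same Verifier, which is what lets the page run several token kinds concurrently.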

Page 13: Single-Use Password Type Comparison

Comparison table, reconstructed from the flattened slide; only cells whose position is recoverable are listed. Ratings: ◎ best, ○ good, △ fair, × poor.

Rows compared:
・General: authentication; application areas (Internet services for PCs, Internet services for cell phones, ATM, corporate network access, user authentication for the entire service); application area rating.
・Security level: with OTP; anti-spyware (keylogger); anti-phishing (spoofed website); anti-phishing (pharming); anti-phishing (man-in-the-middle attack, official site tampering): an OTP solution does not apply; two-factor authentication.
・User's perspective: ease of operation; portability; others.
・Corporate perspective: ease of implementation; implementation cost; ease of maintenance; ease of application development (○ for every type); others.
・Support: inquiry / inquiry & response.

Types compared (columns):

1. Server-centric Type (SecuSURF SA)
・Overview: the cell phone's generic browser is used to access the server to obtain the OTP.
・Security: ◎ with OTP; ◎ time-sensitive OTP against spoofed websites and pharming; ◎ true single-use password; two-factor auth. = Know (PIN) + Have (phone's device ID).
・User: ○ ease of operation using the cell phone's browser; ◎ portability using the user's cell phone; △ an OTP cannot be issued in real time if cell service is unavailable.
・Corporate: ◎ ease of implementation, no hardware/software distribution required; ○ software procurement cost and software maintenance cost; ◎ ease of maintenance, the user can manage account suspension and new cell phones via the net; ○ the SecuSURF server is available for the authentication process.
・Application area ◎.

2. Server-centric with Random Number Table
・Overview: the table must be obtained ahead of time (or at any time) by accessing the server with the cell phone.
・Security: △ a stolen OTP may be used until the next valid login; two-factor auth. = Know (PIN) + Have (phone's device ID).
・User: ○ ease of operation using the cell phone's browser; ◎ portability using the user's cell phone; ◎ can be used without cell service, and the random-table type is familiar to users.
・Corporate: ◎ ease of implementation and maintenance as for the server-centric type; ○ software procurement and maintenance cost.
・Application area ◎.

3. Server-centric with OATH
・Overview: the cell phone's generic browser is used to access the server to obtain the OTP; the enterprise server validates it with its own OATH logic.
・Security: ◎ with OTP; ◎ time-sensitive OTP; ◎ true single-use password; two-factor auth. = Know (PIN) + Have (phone's device ID).
・User: ○ ease of operation using the cell phone's browser; ◎ portability using the user's cell phone; △ an OTP cannot be issued in real time if cell service is unavailable.
・Corporate: ◎ ease of implementation and maintenance as for the server-centric type; ○ software procurement and maintenance cost; ◎ OATH-compatible token devices may be used concurrently.
・Application area ◎.

4. Soft Token (Cellular), Individual Program Type [RSA Cell Token]
・Overview: an OTP generation program (i- or EZ-application, etc.) must be installed on the cell phone.
・Security: ◎ time-sensitive OTP.
・User: ○ ease of operation using an i- or EZ-application, etc.; ◎ portability using the user's cell phone; △ cell phones can store a limited number of applications.
・Corporate: × ease of implementation, compatible cell phones must be identified; model-dependent issues; sync errors with the server; software procurement cost; software maintenance cost; multi-year contract; × compatible phones are limited.
・Application area △.

5. Hard Token, Counter Sync Type and Time Sync Type
・Overview: an OTP generation device must be delivered to each user. Client and server generate the same OTP based on seeds & counters (counter sync) or seeds & time (time sync).
・Security: × security level is lower in the continuous-display model; △ security level is lower in the non-PIN-entry model; ◎ true single-use password for the counter sync type, whereas with the time sync type △ the password may be used repeatedly within the given time interval.
・User: token display; an extra item to carry; forgetting to carry it, loss, multiple devices.
・Corporate: × ease of implementation, the token device must be distributed; seed file distribution must be managed (generate & transmit a seed file for each user, manage the serial # & user table); lost, damaged or faulty token devices; sync errors with the server; × S/W and H/W procurement cost; S/W and H/W maintenance cost; multi-year contract.
・Application area ○.
