Step-up authentication as-a-Service

2013/01/07

IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN), Novay designed an IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea how to abbreviate this: SuaaaS?) The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthiness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second-factor authentication and an additional face-to-face check of who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mockup below), an interface for the identity providers for user management (see second mock-up below) and, of course, every time a step-up authentication is needed the user is redirected to the Step-up authentication as-a-Service to authenticate with this second factor.



Tooling and methodologies for privacy & security in the cloud

2012/08/12

We recently finished a project on privacy & security in the cloud for SURFnet (the Dutch NREN, responsible for the Dutch research network and the middleware services on top of it). Basically, we supplemented the work of others, which focused on the contractual and legal perspective, with a more technological perspective. We listed what an organisation can do itself to improve privacy & security when taking applications to the cloud, focusing on authentication, authorisation, provisioning/account management and encryption. Below is a more elaborate blog post in Dutch.

Taking care of security and privacy in the cloud yourself



Internet banking fraud in the Netherlands: 3.5 times more damage in 2011 (phishing)

2012/03/27

The Dutch Banking Association (NVB) published new internet banking fraud numbers yesterday. Compared to their numbers from about half a year ago, there is a very significant increase in the amount of damage. Previous numbers indicated a factor of two for 2011 compared to 2010, but apparently the fraud increased further in the second half of 2011, resulting in a factor of 3.5 increase. The total damage now adds up to €35M. Although NVB is correct in stating this is relatively not a lot (0.001% of total internet banking volume), €35M is still €35M. Note that this amount is what they reimbursed to customers who were victims of internet banking fraud (i.e. phishing). Costs associated with prevention, detection etc. are not part of this amount.

What worries me most is the relative increase of these numbers: from 2009 to 2010 the damages increased fivefold, and from 2010 to 2011 they increased by a factor of 3.5. Playing with these numbers, damages in 2012 could be €70M (if the banks manage to slow down the increase to a factor of 2) or €122M if it stays at a factor of 3.5. Banks, of course together with the police (Electronic Crimes Taskforce etc.), will need to slow down this growth.


Guide to classifying e-services to Levels of Assurance: a good first step

2012/02/09

A Dutch government body responsible for establishing open standards for electronic exchange (Forum Standaardisatie) published a guide for government service providers to help them classify e-services into Levels of Assurance. They use the EU STORK Quality Authentication Assurance levels for this, which classify authentication solutions into four levels. Since Novay was responsible for defining these levels in the EU STORK project, and we’ve helped several clients apply STORK levels, we read this guide with great interest. In the text below we discuss the Levels of Assurance concept and give our opinion on the guide.



SIM augmented authentication as alternative for SIM based?

2011/10/20

We recently did an assessment of a so-called SIM augmented authentication token, or VASCO’s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did an assessment of Mobile PKI. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able to use it (and in the Netherlands they are not deploying this any time soon). This disadvantage is the main motivation to look at SIM augmented tokens. These are, as the term suggests, added to the SIM card instead of being ‘inside’ it.

So what is a SIM augmented authentication token? Physically it is a sticker with an embedded chip that you stick on your SIM card, and which sits between the SIM card and the mobile phone. The chip stores a secret used for authentication, which is more secure than storing the secret in a ‘normal’ mobile app. This secret is used by an authentication application that also runs from this chip. This application, from the perspective of the mobile phone, appears to be a normal SIM application, and can work on basically any phone (smart or dumb). The only SIM augmented authentication token that I’m aware of is the above-mentioned DigiPass Nano from VASCO (let me know if you know of others?). The DigiPass Nano implements an event-based one-time-password functionality, i.e., it generates a new code every time the user asks for it.
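To make the "event-based one-time password" notion concrete, here is an added example (not code from the original post, and not VASCO's DigiPass Nano algorithm, which the post does not specify): the standard event-based scheme HOTP from RFC 4226, with the server-side verifier that an event-based token needs. The secret is the RFC 4226 test-vector value, used purely so the output is checkable; a real token's secret stays on the chip. The `look_ahead` window and the `HotpVerifier` class name are this example's own choices. The verifier shows the characteristic failure mode of event-based tokens: a user who generates codes without submitting them (pressing the button twice) advances the token counter past the server's, so the server must search a bounded window ahead and then jump its counter past the accepted value so that the same code can never be replayed.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret ("12345678901234567890"); constructed demo value only.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the next counter value the server expects,
    plus a look-ahead window that absorbs codes the user generated but never
    submitted. Drift beyond the window means the token must be resynchronised
    out of band; the server never searches backwards, so old codes are rejected."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0            # next counter value the server will accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # skip past the accepted value: no replay
                return True
        return False


if __name__ == "__main__":
    # The token side: the user presses the button four times, submits only the last code.
    token_counter = 0
    codes = []
    for _ in range(4):
        codes.append(hotp(DEMO_SECRET, token_counter))
        token_counter += 1
    verifier = HotpVerifier(DEMO_SECRET, look_ahead=3)
    print("accepted:", verifier.verify(codes[3]))   # counter 3 lies inside the window
    print("replayed:", verifier.verify(codes[3]))   # same code again is rejected
```

The window size is a trade-off: a larger window tolerates more unsubmitted button presses but also enlarges the set of codes an attacker could guess for one login attempt, so a verifier should also rate-limit failed attempts per token.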

We did an assessment of the usability, security and business model aspects. Below I copied the conclusions, but the bottom line is that we believe from a security perspective this is a good alternative to other one-time-password solutions, and it is more secure than solutions implemented as a mobile app. The main benefit is that it works on basically any phone (also non-smartphones), and you can deploy it without needing help (and investments) from your mobile operator. The main disadvantage is the user experience. We did some limited testing with putting the sticker on, which was OK, but the user experience of getting a one-time password can be troublesome. It requires the user to find SIM applications on their mobile phone, which are often hidden somewhere deep in the menus. My estimate is that this usability limitation will need to be addressed for this technology to get acceptance beyond specific enterprise use cases. Or, to put it differently, I’d do very careful usability optimisation/testing before deploying this to millions of consumers.

This assessment was joint work with my colleague Martijn Oostdijk, see his blog for more details on especially the security aspect. The full report of our assessment is available via the SURFnet website. If you’re looking for a wider perspective on the combination of mobile and digital identity, see this previous blog post on our mobile-centric identity vision.

6 Conclusions

The Digipass Nano uses a form factor that is relatively unique in the authentication token market. It is a SIM augmented token, a thin patch/sticker including an embedded chip that sits between the SIM and the user’s mobile phone. The key advantages of this form factor are:

  • secure storage of credentials under a “security domain” that is distinct from the other stakeholders (e.g. mobile operators, handset vendors),
  • while at the same time the ability to use the user-interface of the user’s existing GSM handset,
  • and, potentially, the use of the mobile phone’s GSM or 3G network.

As most users will always carry their mobile phone with them, this means that the token will be present during transactions in many different contexts.

The technology underlying SIM augmentation is based on standards that have existed for a long time, are present in billions of GSM handsets around the world, and have proven to be relatively secure given the threat landscape thus far. The DP Nano does not use all features offered by this technology (it only uses the user interface features, not, e.g., the network features present in GSM 11.14). However, a number of variations of the DP Nano exist (see [10], apparently targeting different markets) which do utilise the networking capabilities of the GSM SIM, and which appear to more strongly bind the token to either handset (“IMEI lock”) or SIM (“IMSI lock”).

On paper, from a technological and security perspective, SIM augmented tokens compare well to other mobile and possession based tokens such as SMS OTP, OTP tokens, mobile soft tokens, and smart cards. As to the security, threats from malware on the handset are minimal as long as the SIM toolkit API interface is properly implemented on the handset.

The user experience may cause some problems for certain groups of users, depending on the issuance and installation process (e.g. whether users are required to install the token themselves). The DP Nano requires the user to navigate through unfamiliar text-based menus in order to start up the application when asked by the SP to provide an OTP. This is the most prominent drawback when compared to e.g. the Mobile PKI experience (as described in [8]), where the authentication application on the handset is triggered over the air.

From a business model perspective SIM augmented tokens are interesting as they separate the role of SIM based authentication provider from the role of MNO. Obviously, being the first of its kind and relying on a server side licensing model and proprietary implementation, whether a choice for the DP Nano provides a positive business case when compared to MNO provided SIM based authentication remains to be seen.

Interesting features to add could be:

  • Lock the token to IMSI or IMEI (possible, according to [10])
  • Use the network to initiate authentication transactions (drawback: implies sending service SMS messages to the token, which may mean cooperation of an MNO or at least per-transaction costs)
  • Use the network as an OOB channel during an authentication session (e.g. to display transaction details, similar drawback as above)
  • Use the network to “blacklist” a token when a token is reported stolen
  • Combine SIM augmented solution with a handset resident application to provide a better user experience (may be dependent on operating system and handset to provide installed apps with an API for communication with SIM)

The latter option is particularly attractive as a way to enhance the security of SURFnet’s tiqr solution (see [11]) and other mobile app solutions.

Since a one-size-fits-all solution to authentication does not exist, in the end SIM augmented solutions will likely find a market alongside authentication tokens with different form factors.


Internet banking fraud in the Netherlands increases more than fourfold

2010/10/15

The Dutch Banking Association (NVB) provided numbers on how much fraud there is in the Netherlands with internet banking (in Dutch). Since we’re doing a project called cidSafe for several companies in the financial sector in the Netherlands on consumer identity (see this recent presentation in English, or the website which is mostly in Dutch), I was very interested in these numbers.

The fraud with internet banking in NL is €4.3M for the first 6 months. Although I agree with the NVB that this in itself is not a huge number, the increase is very big. In the whole of 2009 the fraud was €1.9M, thus an increase of about 450%! By the way, victims of internet banking fraud are usually reimbursed by their banks, and all Dutch banks use two-factor authentication. Compared to the numbers recently released in Germany, internet banking fraud seems a somewhat bigger problem in the Netherlands than in Germany (with an estimate of €17M in 2010, about twice as much fraud as NL, but with 5 times more inhabitants). In Germany, too, there is a big increase in internet banking fraud compared to 2009.

The NVB press release mentions phishing as the main method of fraud. I couldn’t find more details on this, but simple phishing of username/password won’t work since all internet banking services in NL use some form of two-factor authentication (smartcard or SMS one-time-password based). Malware attacks are becoming more advanced, as e.g. the recent “Zeus In The Mobile” malware showed, which can even spread from desktop to mobile using social engineering. This article (sorry, again in Dutch) states that most attacks are a combination of relatively simple phishing or malware (keyloggers) with social engineering to get the second factor.

If the increase in internet banking fraud were to continue for a couple of years, this would become a very serious financial problem (€39M in 2011?, €174M in 2012?). Add to this the emotional impact on victims and reputation loss for banks, and this increase in fraud is something to worry about. The weakest links appear to be 1) the home PC (and smartphone) and people’s ability to keep it malware free, and 2) people being subject to social engineering attacks. The question for me is therefore what is more effective for banks to invest in:

  • educating their customers on the importance and ways of keeping their PC/smartphone malware free, and on being less susceptible to social engineering attacks, which will no doubt help but is not a silver bullet, or
  • investing in technology, by providing more secure authentication means that are not, or less, sensitive to malware and social engineering attacks, which is very expensive and can be very annoying for users.

The alternative for banks is to wait and see whether others (police, government, operating system vendors, anti-malware vendors etc.) will be able to counter this increase in internet banking fraud. This is, however, not what I expect they will do, as is also shown by the new awareness campaign by NVB.


Impressions from ISSE 2010

2010/10/06

I’m at ISSE 2010 this week, which takes place in Berlin this year. I’ll share my impressions on two subjects that were hot (in the first two days, since I write this with one more day to go).

German eID

The ‘hottest’ item is the new German eID card (nPA), which will be issued starting 1 November. This is a ‘normal’ ID card, with an eID contactless chip. Technically the eID function seems to be better than what I’ve seen before, but more interesting for me was the business model behind it, and how they handle privacy.

With respect to the business model, it is interesting that it can be used for consumer-to-business authentication, thus increasing usage beyond citizen-to-government services. This is free from the perspective of the relying party (aka service provider). Of course, running a so-called eID server to ‘talk’ to the eID card is not trivial, and much more complicated than becoming e.g. an OpenID relying party. There are companies ready to take care of this on behalf of the relying party; this will of course cost money. Citizens have to pay for the card, but since it is (I think) mandatory to have one …

With respect to the digital signature function: this is not present by default. A citizen has to go to a commercial party for this, i.e., a different business model for the signature function than for the authentication function. The reason seems to be that this is not considered a government responsibility (contrary to authentication/identification), and companies are already offering this as a service (I expect not a lot to consumers though). This probably also means that only very few people will go to this trouble (and cost), and thus little coverage for consumers/citizens.

With respect to privacy: what is interesting is the ability to be a pseudonym-only authentication device, that relying parties need to register and motivate which attributes they want to read, user consent, and a proof-of-age function that does not reveal one’s age. Also interesting is that kids below 16 are not allowed to use it to identify themselves, for privacy reasons I assume (can’t trust those kids to know what they’re doing :-)).

The Germans live up to their reputation of being privacy-conscious with this new eID card, good for them. When looking at some of the details, they also live up to another reputation, that of being very sensitive to academic grades: Doktorgrad is a data field on the card… Not sure how important this is for security purposes, but at least border control or the webshop can properly address “Herr Doktor” :-)

The big question now is whether this takes off with both the public and relying parties, and how long this takes. There are examples in other countries that were earlier, where this went very slowly or not at all (e.g., Belgium).

Phishing/malware

There were some, mostly German, talks on phishing and malware. Quite scary actually how this is progressing. Cybercrime seems to be becoming more professional, and is scaling up. I’m a strong believer in “good enough” security, especially when it concerns damage that is ‘only’ money/fraud, contrary to privacy loss. To quote a number, the German government (Bundeskriminalamt) estimates €17 million of phishing/malware fraud in online banking in Germany for 2010 (with €3500 average damage). This in itself is not a number that surprises me, it is even lower than I expected, but if the growing trend (71% up from last year!) continues in the coming years this number will increase quickly. Of course, the costs of properly countering these threats, and the user-unfriendliness that often comes with it, are also huge.