Assurity seminar 24 jan


description

seminar on 2FA

Transcript of Assurity seminar 24 jan

Page 1: Assurity seminar 24 jan


Page 2: Assurity seminar 24 jan


Page 3: Assurity seminar 24 jan


Vulnerability of Smart Phones

Smartphones are a permanent point of access to the internet (mostly always on), and they can be compromised more easily than computers.

•  Implied permission: this infection relies on the fact that the user has a habit of installing software. Most trojans try to seduce the user into installing attractive applications (games, useful applications etc.) that actually contain malware.

•  Common interaction: this infection is tied to a common behaviour, such as opening an MMS or email.

http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

Page 4: Assurity seminar 24 jan


Dangers of Relying Solely on User ID / Password for Sensitive Data

•  Flexispy is a commercially available spying application.

•  The program sends all information received and sent by the smartphone to a Flexispy server. It was originally created to protect children and to spy on adulterous spouses.

Page 5: Assurity seminar 24 jan


Page 6: Assurity seminar 24 jan


Typical Mobile Malware Gameplan

http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

Page 7: Assurity seminar 24 jan


Get Malware installed by user

http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

Page 8: Assurity seminar 24 jan


What Hackers want to achieve

http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

Page 9: Assurity seminar 24 jan


Level of enforcement before allowing apps on the AppStore / Google Play

Will a hacker be deterred by the need to provide IP/SMS or credit card details? Are corporate ID and personal ID (driver's licence) numbers good enough to ensure malware is not disguised as an app?

http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

Page 10: Assurity seminar 24 jan


Public Feedback on 2FA

Page 11: Assurity seminar 24 jan


National Authentication Framework

What is NAF
•  a nationwide platform for the adoption of strong authentication
•  for eServices that handle sensitive information and/or facilitate transactions
•  provides trusted and cost-effective authentication

Why
•  to fulfil the strong authentication requirements of regulators, banks and financial institutions, government & healthcare

The National 2FA system has been operational since December 2011

Page 12: Assurity seminar 24 jan


Service Providers live on OneKey


Page 13: Assurity seminar 24 jan


•  Stronger security is required to protect sensitive data

•  This valuable repository of personal information includes income tax, CPF and HDB Loan Records.

•  Assurity, a subsidiary of IDA, is the sole bidder

•  SingPass – set up for every resident aged 15 and above in 2003 …. There are more than 2.8 million SingPass users today.

Page 14: Assurity seminar 24 jan


OneKey can be used across multiple Service Providers, Banks, Government, online services, corporate VPN etc…

OneKey Mission: Consumer Security & Convenience

Page 15: Assurity seminar 24 jan


•  Stronger protection against online identity theft & fraud

•  Convenience to end-users: a single authentication device across multiple online services (e.g. banking, trading, govt e-services, insurance, online commerce etc.)

•  Giving consumers a choice to manage their own security policies

OneKey's Value Proposition

Page 16: Assurity seminar 24 jan


•  Current Offerings
   –  Assurity provides 2FA services via the OneKey Pad – a robust and integrated mechanism that is secure, convenient and cost-effective
   –  OneKey Pad offers 3 options of 2FA: OTP, Challenge Response and Transaction Signing
   –  OneKey SMS – OTP delivered via SMS for convenience to users

•  Under Development
   –  OneKey Card
   –  OneKey Mobile

OneKey: A Convenient, Secure Authentication Mechanism
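The three OneKey Pad modes listed above (OTP, Challenge Response, Transaction Signing) differ in what the second-factor code is bound to. The following is an added example, not Assurity's or OneKey's code: the real OneKey specifications are only released to SPs, so this stand-in uses HMAC-SHA1 with RFC 4226 (HOTP) truncation for all three modes. The shared secret (the RFC 4226 test-vector key), the challenge format, the canonical transaction encoding and the payee/amount values are all constructed for the demo. It shows why a plain OTP can be replayed into a different transaction while a transaction-signing code cannot.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the RFC 4226 test-vector key, NOT a real token seed.
SHARED_SECRET = b"12345678901234567890"
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last MAC byte, clear the sign bit, keep `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Mode 1, OTP: HMAC-SHA1 over the 8-byte big-endian event counter (RFC 4226).
    The code is bound only to the counter, not to any session or transaction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_otp(secret: bytes, candidate: str, server_counter: int, look_ahead: int = 3):
    """Server side of OTP mode. The pad may have been pressed without a login, so
    accept any counter in [server_counter, server_counter + look_ahead].
    Returns the next counter to store on success, None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1  # counter moves past the used value, so a replay is rejected
    return None


def new_challenge() -> str:
    """Server issues an unpredictable 8-digit challenge the user keys into the pad."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def challenge_response(secret: bytes, challenge: str, digits: int = DIGITS) -> str:
    """Mode 2, Challenge Response: the code is bound to this server challenge, so a
    response phished from one login attempt is useless for any other session."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha1).digest()
    return _truncate(mac, digits)


def canonical_transaction(payee: str, amount_cents: int) -> bytes:
    """Assumed fixed encoding of the fields the user keys into the pad. Pad and
    server must build exactly this byte string or signatures never match."""
    return f"payee={payee};amount={amount_cents}".encode("ascii")


def transaction_signature(secret: bytes, payee: str, amount_cents: int,
                          digits: int = DIGITS) -> str:
    """Mode 3, Transaction Signing: the code covers the payee and amount the user
    saw, so malware that rewrites the transaction in transit cannot reuse it."""
    mac = hmac.new(secret, canonical_transaction(payee, amount_cents), hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, payee: str, amount_cents: int, signature: str) -> bool:
    """Server recomputes the signature from the transaction it actually received."""
    expected = transaction_signature(secret, payee, amount_cents)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    code = hotp(SHARED_SECRET, 0)  # RFC 4226 vector: counter 0 -> 755224
    print("OTP", code, "-> next counter", verify_otp(SHARED_SECRET, code, 0))
    chal = new_challenge()
    resp = challenge_response(SHARED_SECRET, chal)
    print("challenge", chal, "response", resp)
    # User signs a transfer; malware on the PC swaps the payee before it reaches the bank.
    sig = transaction_signature(SHARED_SECRET, "123-456-789", 150000)
    print("genuine  accepted:", verify_transaction(SHARED_SECRET, "123-456-789", 150000, sig))
    print("tampered accepted:", verify_transaction(SHARED_SECRET, "999-999-999", 150000, sig))
```

The server must keep the last accepted counter per token and advance it on success; without that, an intercepted OTP stays valid until the look-ahead window is exhausted. In transaction-signing mode the user has to read the payee and amount off the pad, not off the browser, because the browser is exactly what man-in-the-browser malware controls.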

Page 17: Assurity seminar 24 jan


Compliances & Certifications*
•  Certified to ISO/IEC 27001:2005
•  Compliant with MAS IBTRM V3 and the 2012 Consultation Paper**
•  Compliant with Government IM8
•  Compliant with SS540
•  Compliant with TIA942
•  Compliant with FIPS

* Certifications are renewed and audited annually
** Fully redundant active-active tier 3 data centres
*** Assurity is the appointed NAF operator and works closely with MAS

OneKey: A Reliable & Trusted Security Device

Your complete solution to compliance with MAS*** 2nd Factor Authentication requirements – Quick, Cost-Effective & Always Updated!

Page 18: Assurity seminar 24 jan


Assurity's Service Model (diagram)
•  Send OneKey to End User
•  Deliver SMS OTP to End User's mobile device

SP – Service Provider; OTP – One Time Password

Page 19: Assurity seminar 24 jan


Basic Service Offering
§  2FA using OneKey Pads
§  2nd factor credential registration, issuance and management
§  Authentication Service:
   §  99.99% service availability
   §  90% within 800 ms, 100% within 2 seconds
§  24x7 technical support

Additional Service Offerings
§  Dedicated technical support packages
§  SMS OTP traffic charges

Committed Service Level

Page 20: Assurity seminar 24 jan


Item                                                  Service Level
Authentication Service Availability                   99.99% in a month
Authentication requests completed                     90% within 800 msec; 100% within 2 sec
Issuance of tokens and password mailers to end-user   Within 3 and 3+2 working days*
Severity 1, 2, 3 requests                             3 levels of service support: Basic, Gold, Platinum

Service Levels

Page 21: Assurity seminar 24 jan


Use Cases of OneKey

1.  2FA for online services

2.  Incorporate OneKey 2FA into mobile apps so that consumers know that it is an authentic app

3.  Corporate VPN 2FA to access corporate application

Assurity provides SPs with a test environment and the specifications needed to connect to OneKey

Page 22: Assurity seminar 24 jan


•  Volume based pricing
•  Early-adoption special for SPs that sign up before Dec 2013
•  Billed monthly based on prorated volume
•  Fees waived for the 1st 2 years from system live-date (Dec 2011 – Dec 2013)

Volume per year: up to 3M
¢/Transaction: 6 cents
¢/Transaction: 4.5 cents

Budget to leverage on OneKey

Page 23: Assurity seminar 24 jan


•  SP's Setup
   –  Application 2FA page (resources to develop and test)
   –  Connections to Assurity (MPLS, or IPSec VPN over the Internet)

•  SMS Traffic Cost for Authentications Using SMS OTP
   –  Connection to an SMS aggregator, SMS traffic cost

•  Customer Support
   –  SPs typically handle the 1st level of calls
   –  Assurity provides training materials to help the SP helpdesk
   –  Assurity will offer 24 x 7 customer support for 2FA calls that require escalation

•  NAF Gateway from accredited partners
   –  Easier implementation
   –  Faster time to market

•  Budget ranges from SGD 70K – 250K depending on the organisation's requirements

Other Costs for Budgeting

Page 24: Assurity seminar 24 jan


Support Level      Severity   Initial Response*   Communication Frequency**   Resolution***
Basic Support      1          2 hours             Every 2 hours               8 hours
                   2          4 hours             Every business day          4 business days
                   3          8 hours             Every 2 business days       7 business days
Gold Support       1          30 minutes          Every 30 minutes            4 hours
                   2          1 hour              Every 2 hours               8 hours
                   3          4 hours             Every business day          4 business days
Platinum Support   1          15 minutes          Every 15 minutes            2 hours
                   2          30 minutes          Every 1 hour                4 hours
                   3          3 hours             Every business day          3 business days

* Initial Response: first update to the SP on the current status of the issue, measured from the time the incident is reported.
** Communication Frequency: how often the support team updates the SP on the status of the issue.
*** Resolution: time allowed to resolve the issue.

Service Support Levels

Page 25: Assurity seminar 24 jan


Fully redundant Architecture

2 Data centres with:
•  Dual telecommunications providers and Internet service providers
•  Dual power supply
•  Synchronised data between both Active sites

NAF Technical Architecture

Page 26: Assurity seminar 24 jan


•  Fully redundant architecture (active-active)

•  The NAF systems facing the SPs are NOT exposed directly to the Internet: the NAF AO connects to SPs only via a private network

•  NAF infrastructure service availability and uptime ~ 99.999% availability, with RTO = 0

NAF Technical Architecture

Page 27: Assurity seminar 24 jan


THANK YOU

Jason Kong, Deputy Director, Assurity Trusted Solutions, a wholly owned subsidiary of IDA
[email protected] [email protected]
Mobile: +65 9851 – 0020