CertAnon
Anonymous WAN Authentication Service
Milestone Presentation
Red Group, CS410
April 5, 2007
April 5, 2007 Red Group 2
Presentation Outline
• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion
Who is Chockalingam Ramanathan?
• Part of a group using stolen passwords to empty investors’ accounts [1]
• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab
• Resulted in more than $2 million in losses, which were absorbed by the brokers
• Fourth tech-intrusion case filed by the SEC since December 2006
1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html
Fraud Stats
• From 2005 – 2006 [2]
– 8.9 million victims of online fraud or identity theft
– Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion
– Mean resolution time per incident skyrocketed from 28 to 40 hours per victim
2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html
Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/
Consumers’ Online Activities
[Bar chart, y-axis % (0 to 70), two series: "% of Internet users" and "% time spent online"; categories: Bank online, Make travel reservations, Communication, Commerce (sources 4, 5)]
4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html
Password Overload
[Bar chart, y-axis % of surveyed professionals (0 to 35); categories: Have 6-15 passwords, Have over 15 passwords (source 6)]
6. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf
The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
– Username/Password paradigm is insecure [7]
– Management of multiple strong passwords is difficult for individuals
– Fraudulent online account access and associated costs are increasing
7. http://www.schneier.com/crypto-gram-0503.html#2
The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [8]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
CertAnon – A New Proposal
• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Partner with online businesses
• Initial customers are Internet users
Two-Factor Authentication [9]
• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudo-random numbers
• Effectively changes your password every 60 seconds
9. RSA - http://www.rsasecurity.com/node.asp?id=1156
RSA SecurID Users
Two-Factor Acceptance
• Rolls Royce & Bentley Motor Cars
– Uses RSA SecurID authentication
– Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
– Provides retail customers the option to add Digital Security ID to their Internet security solution
– Helps guard against unauthorized account access
Goals and Objectives
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
– Build our website
– Write software modules for partner sites
– Develop testing portal
– Install authentication servers
– Distribute tokens
– Beta-testing, then go live!
What Would It Look Like?
[Architecture diagram: an Internet user with a CertAnon token sends a Login attempt to a partner site and receives a Login response; the partner site sends an Auth request to CertAnon and receives an Auth response. Behind the Website Host sit four RSA ACE servers, each with its own Data store: US East Coast, USA West Coast, UK and Australia. The CertAnon website handles Account setup and the Database update.]
4. Bob goes to E*Trade's website to sign in. His E*Trade username is TraderBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
Username: TraderBob
Password: 1a2b3c234836
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail. His Yahoo! username is SpamBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
Username: SpamBob
Password: 1a2b3c184675
7. And now he's in his Yahoo! account!
Who is Our Customer?
• Two sales channels
• Individual Internet user (210 million of them!)
– Purchases CertAnon token for one-time fee of $50
– Obtaining a critical mass of customers makes CertAnon a must have for online vendors
– Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
– Purchase batches of tokens for redistribution to their customers
– Focus on those without proprietary solutions
Marketing Strategy
• Offer software modules for customer integration
– Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
– Bulk token sales
– Enable them to offer the same customer security as larger competitors without the infrastructure expense
– Token reusability will encourage faster customer adoption
• Advertising strategies
– Internet advertising
– Computer shows/trade shows
– Promotional token giveaways
ROI for Consumers
• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn’t stored on a card or device that can be lost
• Passwords are not stored in a hackable database that is a single point of failure
ROI for Businesses
• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected
Cons
• Reliance on a physical token
– Forgotten
– Broken
– Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully
Competition Matrix
Management Plan
Team Communications
• Team meetings (via AOL AIM):
– Sunday/Tuesday 8:00 P.M.
– Additional meetings as needed
– Meetings with Professor Brunelle as needed
– Meetings with Technical Advisors as needed
• Google Group for document management and messaging
Phase 0 Gantt Chart
Phase 1 Gantt Chart
Phase 1 Organizational Chart
Phase 1 Staffing Budget
Position                  Type     Quantity  Hours  Rate  Total
Documentation Specialist  Student  1         30     $15   $452
Financial Director        Student  1         36     $15   $542
Hardware Manager          Student  1         103    $15   $1,542
Marketing Director        Student  1         8      $15   $113
Project Manager           Student  1         74     $15   $1,116
Risk Director             Student  1         51     $15   $762
Software Manager          Student  1         498    $15   $7,474
Web Developer             Student  1         486    $15   $7,289
Total Cost: $19,290
40% Overhead: $7,716
Total Phase 1 Staffing Budget: $27,005
Phase 1 Resource Budget
Phase 2 Gantt Chart
Phase 2 Organizational Chart
Phase 2 Staffing Budget
Position                  Type   Quantity  Hours  Rate  Total
Documentation Specialist  Staff  1         552    $18   $9,713
Financial Director        Staff  1         94     $68   $6,372
Hardware Manager          Staff  1         200    $20   $3,901
HR Manager                Staff  1         172    $29   $5,053
Marketing Director        Staff  1         48     $48   $2,305
Project Manager           Staff  1         136    $29   $3,883
QA Engineer               Staff  1         774    $21   $16,009
Risk Director             Staff  1         8      $18   $140
Software Engineer 1       Staff  1         440    $22   $9,710
Software Manager          Staff  1         334    $42   $13,961
Technical Director        Staff  1         436    $50   $21,892
Web Developer             Staff  1         790    $28   $22,143
Total Cost: $115,082
40% Overhead: $46,033
Total Phase 2 Staffing Budget: $161,115
Phase 2 Resource Budget
Phase 3 Gantt Chart
Phase 3 Organizational Chart
Phase 3 Staffing Budget
Position                  Type   Quantity  Hours  Salary    Total
Customer Service Reps     Staff  5         2,080  $30,400   $152,000
Documentation Specialist  Staff  1         440    $36,600   $7,742
Financial Director        Staff  1         278    $140,500  $18,778
Hardware Manager          Staff  1         200    $40,600   $3,899
HR Manager                Staff  1         528    $61,100   $15,510
Marketing Director        Staff  1         1,161  $99,900   $55,763
Project Manager           Staff  1         1,391  $59,600   $39,866
QA Engineer               Staff  1         350    $43,000   $7,233
Software Engineer 1       Staff  1         320    $45,900   $7,062
Software Manager          Staff  1         345    $87,000   $14,443
Technical Director        Staff  1         1,280  $104,400  $64,268
Web Developer             Staff  1         320    $58,300   $8,969
Total Cost: $395,533
40% Overhead: $158,213
Total Annual Phase 3 Staffing Budget: $553,747
Phase 3 Resource Budget
Total Project Cost
Phase               Staffing  Resources  Phase Total
Phase 1             $27,005   $26,071    $53,076
Phase 2             $161,115  $45,687    $206,802
Phase 3 (One Year)  $553,747  $92,958    $646,705
Total Phases 1-3    $741,867  $164,716   $906,583
Out Years (Annual)  $397,935  $67,200    $465,135

Item                      Marginal Cost  Per # of Customers  Cost per Customer
Token                     $30            1                   $30.00
Authentication Server     $2,908         250,000             $0.01
RSA Auth Mgr License      $3,000         250,000             $0.01
Secure Hosting (3 Years)  $36,000        250,000             $0.14
Total Cost: $30.17
40% Overhead: $12.07
Total Marginal Cost Per Customer: $42.23
Marginal Revenue Per Customer: $50.00
Profit Per Customer: $7.77
Break Even Analysis
[Line chart, Cumulative Break Even Analysis (First Year = Phase 3): Revenue ($0 to $60,000,000) against Year (0 to 3), series Total Revenue and Total Cost]
Year  Tokens Sold  Total Revenue  Total Cost   Profit
0     -            $-             $259,878     ($259,878)
1     150,000      $7,500,000     $7,241,786   $258,214
2     500,000      $25,000,000    $22,489,060  $2,510,940
3     1,000,000    $50,000,000    $44,071,537  $5,928,463
Funding Plan
• SBIR Funding Agency: National Science Foundation
– Phase 1: $100,000
– Phase 2: $750,000 over two years
• Phase 3
– Small business loan
– Venture capital investment
– Revenue from token sales
Risk Management Plan
• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks
Risks and Mitigation
[Risk matrix, Impact (1-Low to 5-High) against Probability (1-Low to 5-High): risks 5, 2 and 1 plotted at impact 5; risks 6 and 3 at impact 3; risks 7 and 4 at impact 2. The probability positions are not recoverable from the extracted text.]
#  Risk                             Mitigation
1  Trust                            Beta-testing
2  Customer understanding           Tutorials on website
3  Reliance on token sales revenue  Encourage early partner site adoption
4  Viable alternatives              Single source two-factor
5  Token loss                       Provide temporary password access
6  Token availability               Offer online and through retail outlets
7  Government vs. Anonymity         Follow the lead of encryption products
Evaluation Plan
• Time
– Measured against baseline project plan
• Cost
– Measured against budget plan by phase
• Scope
– Measured against requirement document
• Quality
– Measured by customer adoption rate and satisfaction
Evaluation Phases
• Phase 0
– Idea developed
– Project website developed
– Funding secured
• Phase 1
– Prototype design
– Working prototype
– Initial customer demonstration
• Phase 2
– Product design
– Software module development
– Software module testing
– Integration testing
– Finished product
• Phase 3
– First sale completed
– Product released
– Marketing plan developed
– Successful marketing
– New contracts acquired
Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones
References
• “3 Indicted in Online Brokerage Hacking Scheme.” Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html>.
• “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• “Internet World Stats.” Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm>.
• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.
References (cont.)
• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• “Share of Time Spent Online.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.
Appendix
• Abstract
• Management Plan
• Staffing Plan
• Risk Management Plan
• Evaluation Plan
• Marketing Plan
• Resource Plan
• Funding Plan
• Hardware Specifications
• SBIR Document
• Additional Diagrams