Pharming & Phishing… 25 April, 2005


Challenges of Identity Fraud
Chris Voice, VP Technology
We are Security Specialists…
• Top 12 security software company with ~ $100M in annual revenues
• Industry pioneer and leader, with 500 employees and 100+ patents
• Best in class service and support, and integration for leading technology vendors
• Strong balance sheet, with significant cash balance and no debt
– Publicly-listed (NASDAQ: ENTU)
© Copyright Entrust, Inc. 2005
Definitions
Identity Theft
Identity Fraud
Identity Theft Incidents
2005 Major Identity Theft Incidents
[Chart: Users Impacted (000's), axis 0 to 1,500. Labels: Bank of America, DSW, Orazio Lembo, Time Warner, LexisNexis, ChoicePoint]
Source: www.mailfrontier.com
Phishing Reports Received Nov '04 – Nov '05
88% Year over Year Increase
[Chart: reports per month, Nov-04 to Nov-05, axis 0 to 20000]
More Complex Attacks
Password Stealing Malicious Code URLs
Over 300% in Seven Months
[Chart: URLs per month, Apr-05 to Nov-05, axis 0 to 1250]
Online Identity Fraud Influencing Consumer Behavior
Forrester: “…14% of online consumers have stopped using online banking and bill pay due to email fraud concerns.”
IDC Financial Insights: “…6% admitted to switching banks to reduce their risk of becoming a victim of identity theft.”
Online Identity Fraud Influencing Consumer Behavior
Gartner: “…nearly 14 percent of them [on-line bankers] have stopped paying bills via online banking.”
Entrust: “…18% of consumers have decreased or outright stopped doing on-line banking in the last 12 months because of concerns of identity security..”
Driving Legislative Impacts
Legislation
[Map legend: Have Introduced Data Security Legislation / Have Not Introduced Data Security Legislation]
Financial Service Mandates
• FFIEC considers single-factor authentication…to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
• Financial institutions should implement multifactor authentication, layered security…by end of 2006.
How Can Security Help
• People
• Processes
• Technology
– Strong Authentication
– Encryption
– Content Control
Encryption
• Two-thirds of fresh and critical data is on employee laptops and desktops – not the servers. (Gartner, April 2004)
• By year-end 2007, 80% of Fortune 1000 enterprises will encrypt critical “data at rest” (0.8 probability). (Gartner, April 2004)
• Companies typically lose 5-8% of their laptops per year. The FBI estimates that 50% of network penetration is due to information derived from a stolen laptop. (Meta, January 2005)
Persistent Data Encryption
Benefits of Persistent Data Encryption
“Any person or business that conducts business in California…shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
California SB1386
Content Scanning
[Diagram labels: Employees; IM, http://, ftp://; Employees, Partners, Customers]
Automated Policy Enforcement
• Detection and Blocking across broad set of outbound protocols
Stronger Mutual Authentication
Understanding and Countering the Phishing Threat: A Financial Services Industry Perspective
Solution Areas: Prevent, Detect, Defend, Report
Top 3 Recommendations:
1. Focus on Mutual Customer/Financial Institution Authentication
2. Improved Fraud Screening
3. Industry-wide Attack Method/Mitigation Information Sharing
The Authentication Challenge
[Diagram labels: Usability & Cost; Security; Fraud Risk]
• Minimize customer experience impact
– Only impact user experience with stronger authentication when necessary
– The right authentication for the right risk level – at the right time
The Authentication Challenge – Risk-based Authentication
[Chart: vertical axis "Increasing Impact of Fraud", horizontal axis "Transaction Sequence". Labels: Funds Transfer, Register Bill, Check Balance, Login]
Risk based authentication requires a range of capabilities
New Authentication Technologies
[Chart: vertical axis "Purchase & Deployment Cost ($)", horizontal axis "Authentication Strength". Labels: Biometrics, Smartcards, One-Time-Password Tokens, Passwords]
Range of Risk-Based Strong Authentication
• Policy-based authentication allowing single authentication layer to meet multiple business requirements
– Per transaction, per user, per application, per LOB…
• Machine Auth: Authorized set of workstations
• Grid Auth: Grid location challenge and response
• Out-of-Band: One-time-passcode to mobile device or phone
• Knowledge Auth: Challenge / response questions
• Scratch Pad Auth: One-time password list
Example – Grid Authentication
• Unique authentication card issued to each user
• Random characters in grid with row/column headers
• Separate plastic card or on existing card
[Images: Stand-Alone Card; Card Add-On]
Grid Authentication Process
[Login form: Personal ID, ********]
User enters ID & Password as is done today.
Grid Authentication Process cont’d
[Figure: steps 1, 2, 3]
Authentication Needs to be Mutual
• Easy to use mechanisms for customers to recognize they are on the right site.
• Image Replay Auth: User selected image
• Message Replay Auth: User entered message
• Serial Replay Auth: Grid card serial number
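
The grid location challenge and response from the Grid Authentication slides, together with the serial replay listed above, sketched as an added example (not Entrust's code and not part of the original deck). The 5 x 10 grid, the three-cell challenge, the lockout count and every name here are assumptions.

```python
import hmac
import secrets
import string

ROWS = "12345"                    # assumed row headers
COLS = "ABCDEFGHIJ"               # assumed column headers
ALPHABET = string.ascii_uppercase + string.digits

def issue_card(serial):
    """Issue a card: a serial number plus one random character per grid cell."""
    cells = {c + r: secrets.choice(ALPHABET) for r in ROWS for c in COLS}
    return {"serial": serial, "cells": cells}

class GridVerifier:
    """Server side of the second factor, run after ID and password succeed."""

    def __init__(self, cards_by_user, max_failures=3):
        self.cards = cards_by_user
        self.pending = {}         # user -> coordinates of the outstanding challenge
        self.failures = {}        # user -> consecutive wrong responses
        self.max_failures = max_failures

    def challenge(self, user, n=3):
        """Pick n distinct random cells and replay the card serial, so the
        user can compare it with the card in hand before answering."""
        card = self.cards[user]
        coords = secrets.SystemRandom().sample(sorted(card["cells"]), n)
        self.pending[user] = coords
        return {"serial": card["serial"], "coords": coords}

    def verify(self, user, response):
        """Consume the challenge (no reuse), enforce lockout, compare in constant time."""
        coords = self.pending.pop(user, None)
        if coords is None or self.failures.get(user, 0) >= self.max_failures:
            return False
        expected = "".join(self.cards[user]["cells"][c] for c in coords)
        ok = hmac.compare_digest(expected.encode(), response.upper().encode())
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok

def read_card(card, coords):
    """User side: look up each challenged cell on the physical card."""
    return "".join(card["cells"][c] for c in coords)
```

Each challenge is single-use, so a response captured from one login cannot be replayed against the next one.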
Announced Wins in 2H05
Summary
• Identity Fraud will change the way organizations protect your sensitive information
– May require legislation to drive real action
• Identity Fraud will change the way you interact with your financial institutions
– Focus on addressing your confidence to drive continued internet adoption
Thank You
www.entrust.com
888-690-2424