Domain: actividentity.com
Stories and comments across the archive that link to actividentity.com.
Comments · 8
-
What about digitags?My bank uses a combination of Digitag and SMS notification as added layers of security.
In South Africa, everyone with a bank account by law has to undergo a KYC process (know your client). This basically means that you as a client have to verify your ID at a branch (in person) with ID documents and some of your monthly bills. Your cellphone number is then captured to which all notifications of activity on your accounts are sent.
The Digitag is used during online authentication. As a further backup, a one time pin (OTP) is send to your cellphone. This OTP is required for certain transactions like once off payments.
Granted the system is not perfect (there is still human stupidity), but I would like to hear your comments on these tpye of systems, as they are becoming more and more part of our lives.
-
And in four years from nowwe will look back into these moments with a whiff of nostalgia while the snowcaps are melting...
It is actually worth to consider that in western society the internet and it's services has changed the way we live - you are now a second grade citizen if you don't have broadband internet access. The people that have internet access can get access to a lot more information - not only wikipedia but also lunch menus phonebooks and instant communication services that were in it's infancy just five years ago. For example Skype did on a good day maybe kiss the one million mark of online users but now it's rarely below the five million mark and is about to kiss the ten million mark.
The internet services and identity troubles that have arisen is something that is growing concerns. Of course - identity theft isn't something new but it's easier on a global scale today. However it isn't only about protecting your identity from being exposed - it is also about allowing it to get correctly verified. The ability to verify the identity of a person by cross-checking the data with other systems is an important factor when doing transactions. Of course - sometimes you want to do anonymous transactions - but that isn't a big problem.
And one item that has been up during the last year is all the bank frauds. Especially the Nordea case which got wide-spread publicity. This was caused by a substandard technique for user verification. And we are going to see more and more cases of intrusions into our bank accounts, which is worrying - but the important thing is that the banks must take responsibility for providing the best possible protective measures without making it overly complex for the users. The threats when doing bank transactions isn't only in the classical hacking but there are also the man in the middle attack and the man in the browser attack. The later is actually circumventing any encryption scheme which means that it doesn't matter how good your encryption is. A verification of the transaction has to be done by different means - and one way that is reasonably safe is by using a token (that isn't connected to the computer) with a challenge/response where the challenge data is user friendly (for example the account that money shall be sent to). This will still allow a criminal to read your data but make it a lot harder to actually modify your bank account unless the criminal has access both to the token algorithm and the secret key of the token. The one-time password tokens that are only generating a random number aren't sufficient since they does only verify the fact that you have the token - but that doesn't verify if the data you send along with the transaction isn't being compromised.
Of course - this means that you will still have to be on the forefront when it comes to protect your identity verification data, and that you actually shall demand of your bank and other online services that they provide you with good protective measures. However it also means that the public services also has to take measures to protect the citizens by having a reasonable setup where risk assessment has been done.
The more worrying part is that in many cases "security" actually resolves to "citizen monitoring" in a way that brings into mind the actions of Stasi and other similar agencies. This is actually counter-productive and is not doing any good at all for the citizens. It's like fishing for cod with a net sized for sharks - you may occasionally get a catch - but probably not the catch you expected or wanted. Just the publicity around the monitoring has caused the big criminals to think twice before doing anything that might be recorded and tracked. It doesn't mean that there aren't anyone communicating through the net for criminal reasons - just that the methods got a lot more covert. Type an online entry here as a blog comment, make a posting in slashdot - and sometimes encode a message into it through
-
Re:You should keep looking...
Binding a cert to a CN - and having a compliant cardreader - do not a card management system make.
Revocations? Temporary cards? Approvalsfor compliance with Certificate Practice Statements? Audit trails? This is not simple. CAs aren't simple - much less when you need validated access tokens.
These guys make such a system http://www.actividentity.com/products/activid_cms_ _home.php.
Again, the cost is more for a card system, than a whole identity and policy management infrastructure on AD. -
Re:Two ways already used in Europe
Some Swedish banks use OTP devices like these http://www.actividentity.com/products/tokens_otp_
_ home.php (I've got one like the third one down on that page). The device I use is accessed with a PIN code and then used to sign a challenge when logging in, it's also used to sign new target accounts when transferring money and to sign the amount of money at each transfer.
You have to pick up the device in person and provide ID and they also make you set the PIN when you check it out. All the signing might be a bit of a hassle, but feels way easier than handling dual passwords and sheets of one time codes like some banks. I don't know anyone who has a problem using it.
Given the level of security this provides it's a great solution for the customers. -
Re:New mantra?
Troll on, but you miss the mark, my uninformed friend.
This is nothing to do with data aggregation, targeted advertising or behavior tracking. It is not invasive software, surreptitiously installed while a user beleives they are performing another action.
This is more akin to "soft token" technologies:
http://www.rsasecurity.com/rsalabs/node.asp?id=214 1
http://www.actividentity.com/en/products/4_2_6_sof tware_token.php
http://www.securehq.com/group.wml&deptid=80&groupi d=566
The catcher is that this is not tied to X.509 PKI infrastructures, per se. Identity is established by locally configurable means - usually a Kerberos ID - and presented by signed XML markups, rather than the static, signed ASN.1 encodings in certificates. The exchange is still fundamentally an RSA public key validation type problem, but with an extensible policy mechanism in XML. This is an application of the work done by multiple vendors in the WS-Security space. Dynamic policy, negotiated in a federated manner between endpoints, is not possible with x.509, which has permanent policy encoded in the cert.
There is integration with Windows AD Federation, which means there is possibility to interoperate with SAML clients. Trust can also be established by reputation - with attesters signing a keychain for particular identities.
The short story is that this could end phishing attacks.
The long story is that most banks and investment firms won't make this mandatory for transactions, since their Businesses still insist on Win95/IE4 compatibility from their IT and InfoSec personnel. -
So how far can this be trusted?Since not even XP Service Pack 2 with firewall enabled is safe from intrusion it should be interesting to see how well it fares.
A friend of mine (who is an IT pro) installed a machine with Win XP, installed SP2 and enabled the firewall and then connected the machine to the internet and got infected within 20 seconds - which at least proves that the internet contain some really bad things. It also proves that M$ is rather unsuccessful when it comes to fighting off threats. It may be that Windows is more targeted than *NIX-boxes, and the reason is probably that there are a lot more of them connected to the net.
Currently most of the threats are still either proof of concept or just using machines as bots on the net. Highly annoying and consumes resources. A few are actually tapping your traffic, and if you have a bank that doesn't use a two-factor authentication with a token that also signs your transactions I would recommend you to switch bank. The mini-token is not sufficient, and the soft-token is outrageously stupid to use since if your computer is infected - then that token can be accessed without your knowledge. The use of pre-generated passwords that you get from a scratchpaper is also insufficient. Any malware may just lay dormant until you have accessed your bank that way and then when you perform your transactions it can provide you with an overlay that covers the real transactions in the background. This may happen with any solution that doesn't require a signing of the actual amount you are paying.
Me - Paranoid? Well... just because you are paraniod doesn't mean they aren't out trying to get you.
-
So how far can this be trusted?Since not even XP Service Pack 2 with firewall enabled is safe from intrusion it should be interesting to see how well it fares.
A friend of mine (who is an IT pro) installed a machine with Win XP, installed SP2 and enabled the firewall and then connected the machine to the internet and got infected within 20 seconds - which at least proves that the internet contain some really bad things. It also proves that M$ is rather unsuccessful when it comes to fighting off threats. It may be that Windows is more targeted than *NIX-boxes, and the reason is probably that there are a lot more of them connected to the net.
Currently most of the threats are still either proof of concept or just using machines as bots on the net. Highly annoying and consumes resources. A few are actually tapping your traffic, and if you have a bank that doesn't use a two-factor authentication with a token that also signs your transactions I would recommend you to switch bank. The mini-token is not sufficient, and the soft-token is outrageously stupid to use since if your computer is infected - then that token can be accessed without your knowledge. The use of pre-generated passwords that you get from a scratchpaper is also insufficient. Any malware may just lay dormant until you have accessed your bank that way and then when you perform your transactions it can provide you with an overlay that covers the real transactions in the background. This may happen with any solution that doesn't require a signing of the actual amount you are paying.
Me - Paranoid? Well... just because you are paraniod doesn't mean they aren't out trying to get you.
-
Re:Federal Govt. Use
Most of the CAC card deployments use software from http://www.actividentity.com/ which also makes products geared towards the corporate market. I've installed them in the past and the combination of PKI, card management, and SSO software is hard to beat.