Slide 1

The Failure (and Future) of Two Factor Authentication
Dug Song, CEO, Duo Security
Raphael Mudge

Slide 2

Credential Theft: $1B A Year in Banking Alone

Louisiana firm sues Capital One after losing thousands in online bank fraud (December 7, 2009, 4:15 PM EST)

Michigan firm sues bank over theft of $560,000 (February 12, 2010)
Experi-Metal says Comerica Bank's online security practices resulted in theft. A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year.

FDIC: Hackers took more than $120M in 3 months (March 08, 2010, 8:24 PM EST)
Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to more than $120 million in the third quarter of 2009.

Poughkeepsie, N.Y. slams bank for $378,000 online theft (February 8, 2010)
In a statement last week, a town official revealed that thieves had broken into the town's TD Bank account and transferred $378,000 to accounts in the Ukraine.

Hackers Take $1 Billion a Year as Banks Blame Their Clients (August 4, 2011)

Slide 3

The Evolution of Threats

Slide 4

The Problem With Passwords
• Lost
• Stolen
• Shared
• Guessed
• Cracked
• Forgotten

Slide 5

Multifactor Authentication To The Rescue?
Strong authentication as a combination of something you:
  Know: Passwords, ID Questions, Secret Images
  Have: Token, Card, Phone
  Are:  Faceprint, Iris Scan, Fingerprint
  Do:   Behavior, Location, Reputation

Slide 6

2FA FTW: Apache.org April 2010 Breach
• Apr 5: New JIRA entry with XSS to steal JIRA admin rights
• Apr 9: JIRA backdoored to save passwords, phishing mails sent
• Attacker logs in to admin account with sudo privileges
• Finds users with SSH keys to main login server
• On main login server, attacker thwarted by OTPs

"Limited use passwords, especially one-time passwords, were a real lifesaver. If JIRA passwords had been shared with other services/hosts, the attackers could have caused widespread damage to the ASF's infrastructure."

Slide 7

Old School Two-Factor
One-Time Passwords & PKI
• S/Key, OPIE, Grid / TAN Cards, RSA SecurID tokens
• PKI smartcards, USB tokens
Legacy integration schemes
• RADIUS, TACACS+, GINA
20+ years old and still in style?
(Image courtesy Marcus J. Ranum)

Slide 8

Can You Feel The Pain?

Slide 9

What The.. I Don't Even...

Slide 10

Contemporary Two-Factor
Security images & identity questions
Device-based
• Secrets: SSL certificates, SSH keys, cookies
• Reputation, enrollment
Out-of-Band channel
• Phone callback
• SMS One-Time Passcodes
Modern integration points
• LDAP, Web

Slide 11

Classic Threats to Authentication
  Know: Interception
  Have: Hijacking
  Are:  Forgery
  Do:   Mimicry

Slide 12

Layered Defense

Threat                                      Multifactor Defense
Keylogging, Passive Phishing                OTP Tokens, Graphical passwords, On-screen keyboards
Password sharing, guessing, stealing        OTP Tokens, Device enrollment/reputation, IP/geolocation
Active Phishing, Man-In-The-Middle          Out-of-Band Voice / SMS
Remote Access Trojan, Man-in-the-Browser    OOB Transaction Verification

Slide 13

So How Are We Doing?
• 2005: First banking trojans in Brazil
• 2006: FFIEC multifactor requirement
• 2009: FBI Alert on Rampant ACH Fraud

Timeline, 2005 to 2011:
• April 2005: HIPAA Security Rule Deadline
• 2005: Banking trojans
• June 2005: FFIEC multifactor requirement (compliance deadline Dec 2006)
• December 2005: RSA buys Cyota: $145M
• February 2006: ISS OEM's Arbor
• April 2006: RSA buys Passmark: $44M
• June 2006: EMC buys RSA: $2.1B
• July 2006: Entrust buys Business Signatures: $50M
• October 2006: IBM buys ISS: $1.2B
• July 2007: Google buys Postini: $625M
• July 2007: Oracle buys Bharosa: $48M
• January 2008: FTC Red Flags Rule (deadline extended 7 times, now Jan 2011)
• October 2008: SYMC buys MessageLabs: $695M
• July 2009: McAfee buys MX Logic: $140M
• July 2009: Thoma Bravo buys Entrust
• August 2009: ABA: Commercial Banking Under Attack ("Only use dedicated PC for online banking")
• October 2009: Barracuda buys Purewire
• October 2009: HIPAA HITECH Act
• November 2009: FBI Alert: Rampant ACH Fraud ("malware and work-at-home scams")
• December 2009: Cisco buys ScanSafe: $183M
• January 2010: Heartland settles w/ Visa: $60M
• January 2010: Chinese "Aurora" attacks
• January 2010: HITECH: CT Attorney General vs. Health Net
• February 2010: CVS HIPAA Fine: $2.25M
• May 2010: SYMC buys VRSN auth: $1.2B

Slide 14

As Malware Grows, So Do Financial Crimes...
[Charts: US Treasury FinCEN SARs: Delaware; AV-Test Malware Samples]

Slide 15

Users: The Backdoor to the Network

Zeus vs. Antivirus (Source: Trusteer, Sept 2009): of Zeus-infected machines, 55% had up-to-date antivirus, 31% had antivirus that was not up to date, and 14% had no antivirus.

2009 Malware by type (Source: Panda Labs, Jan 2010): Trojan 66%, Adware 18%, Virus 7%, Spyware 6%, Worm 3%, Other.

How users get infected (Source: Washington Post):
1. Hackers entice users to click on contaminated websites or trick users to open e-mail attachments
2. Users open the file, installing the malware
3. The malware sends back stored logins and data typed into web pages
4. The malware checks in periodically for updates, providing a gateway to the internal network

PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion. Jon Oberheide, M. Bailey, & F. Jahanian

Slide 16

The Crumbling Perimeter
• Rogue/Open Wireless
• Consultants, Vendors
• Phishing, Malware, Drive-by Downloads
• Remote Users
• "The Cloud"

Slide 17

Bypassing Two-Factor Auth
Endpoint compromise
• Session riding
• Man-In-The-Browser
Factor compromise
• Token seeds: RSA breach
• TDOS: account phone number changes
• SMS forwarding: Zitmo, Spitmo

Slide 18

Dealing with Endpoint Compromise
• IBM Zone Trusted Info Channel
• Beneficial Man-In-The-Middle

Slide 19

Future: A Mobile "Trusted Path"
"Context-aware" authentication
• Present full transaction details
Dual control via distinct channels
• Message-level security
Device security
• Anti-malware & integrity verification
Least privilege
• No shared secret
• Remotely revocable

Slide 28

Future: Ubiquitous Coverage
Coverage by device capability (smart vs. dumb device) and connectivity (online vs. offline):
• Smart device, online: Smartphone Push (2010)
• Smart device, offline: Soft Tokens (90s)
• Dumb device, online: Voice Callback / SMS (2000s)
• Dumb device, offline: Hardware Tokens (80s)

Slide 29

Future: Open Source, APIs, Security Model
OATH: HOTP, TOTP (RFC 4226)
• Google Authenticator
Web services APIs
• MailChimp's AlterEgo
• Duo Security :-)  https://github.com/duosecurity
Trust On First Use (TOFU) self-service enrollment

Slide 30

Thank You!
Dug Song
Duo Security
@dugsong