TRANSCRIPT
@terrygold2048
@IDanalyst
Fundamentals of Identity & Authentication
Terry Gold
FRAUD FORCE SUMMIT Portland, 2016
This Session
• “Hackers”: Who, what and why…
• Identity is a critical cross section for exploitation
• Credentials are a “trust model” for implementation
• Details: What makes a “strong” credential? How strong does it need to be?
• Scope of credentials, payment types and brief analysis
• Summary
1. IDENTITY: Who, What & Why?
Hackers: Actors with intent
“Manipulating things to do what they were not designed to do”
Can be ANYTHING, not just computers.
Intent: can be done for good or for bad.
We are in a Major Paradigm Shift…
OLD PARADIGM > NEW PARADIGM
• Keep everyone out > Assume they get in
• Secure the network > Secure the data
• Virus was the threat > XSS, XSRF, malware, 0-day, social engineering
• Enthusiasts & amateurs > Crime rings, state-sponsored, hacktivists
• File and print; core applications > Data is everywhere; increasingly pervasive
• Firewall perimeter defined by IT > Defined by where the device/service is
• Internal employees > Vendors, contractors, suppliers
• Compliance achieves security > Compliance is the minimum, not the goal
Threat Ecosystem & Anatomy of Attacks
TARGETS: Plans; Customer data; Formulas & research; IP & operations; Designs; Financials
METHOD: POS > install malware; SQL injection; MIM; Elevated privilege; Passwords & honeypots; Spear phishing
VECTORS: Network; Physical; Application; Mobile; Social engineering; Endpoint
WHO (individuals through groups): Careless employee; Disgruntled employee; Lone hacker; Organized crime; State sponsored; Group / cause
Examples: Anonymous, Sony Pictures, Target, DoD, WikiLeaks, Eli Lilly, Eric Holder
Reflection on Past Year
Analysis:
• Attackers use a variety of methods in an attack, not just one
• Common denominator: identity exploitation
• Verizon 2014 annual DBIR: 2/3 of breaches involved lost or stolen credentials
> Method: Spear phishing + 3rd-party vendor credentials > Static username/password > Elevated privilege credentials > Installed malware on POSs = Result: >100m credit card numbers
> Method: Zero-day + employee network credentials > Static username/password + 2 months before discovery = Result: 76m customers’ PII
> Method: Cross-site scripting + employee credentials > Static username/password > Installed malware = Result: PII (names, address, email, DOB, encrypted passwords)
> Method: Undisclosed + employee credentials > Static username/password > Installed malware > Elevated privilege credentials = Result: Employee PII, medical, threats, IP, operations, files
Verticals and Identity Threat Models in Context
Vertical > Impact
• Critical Infrastructure > Power grid distribution, water supply, military & economic
• Healthcare > Exposing ePHI, fraud, abuse, compromised operations
• Financial Services > Fraud / losses, brand / trust, decrease online, lower profits
• Hi-Tech > IP & trade secrets, competitive advantage, R&D losses
• Government > Defense systems compromised, intelligence systems, IP, designs, strategy & plans
• Retail > Credit cards & PII, brand / trust, operations, financial losses
Identity threats across these verticals: SCADA system logins; cloning ID cards; spear phishing; access to control areas; cross-site scripting; defaults; doctor & admin logins; device identity; malware; classified access; admin accounts; insecure communications; self-service logins; health ID cards; insufficient proofing; unencrypted / lost data; man-in-the-middle (MIM)
2. FUNDAMENTALS: Identity & Authentication
DNA of Identity & Context of Use
Proof: o Credentials
Relationship: o Government o Personal o Company o Former last name
Attributes: o Phone Number o Address o Driver’s License # o Bank Account #
Role: o Policies o Entitlements o Permissions o Rules
Traits: o Eye Color o Height o Physiological o Race o Gender
Authorization: o Risk Scores o Rules o Predictive o Context
Identity Management is requisite for optimum security and for the business function itself. Credential Management is core to maintaining trust prior to a transaction in a relationship.
SOMETHING YOU KNOW
Examples: o Passwords o QBA o PIN*
+ Low up-front cost
+ Portability
+ Universal
+ User & machine
! Expensive longer-term (help desk)
! Not user friendly (mobile)
! Prone to many attacks
! Easy to social engineer
SOMETHING YOU HAVE
Examples: o Scratch Card o ID Card o Smart Card o USB Token o Wearables o ATM/Bank Card o OTP Token o Phone o PKI Certificate
+ Great for authentication
+ Portability
+ Multi-application
+ Physical access
+ E-mail security (Smart Card)
! Potentially expensive
! Management cost can be high
! Integration & compatibility
! Convenience varies
! Standards and trust
! Device dependent
SOMETHING YOU ARE
Examples: o Fingerprint o Facial o Retina o Iris o Palm o Vein o Hand geometry o Voice o Heartbeat
+ Great for identification
+ Portability
+ Convenience
+ Physical access
! Poor for dynamic authentication
! Lacks comprehensive standards
! Integration & compatibility
! No revocation
! Generally expensive
! False accept / reject
DEVICE FORENSICS
Examples: o Mobile IMEI o Versions o Serial number o Device model o Geolocation o etc.
+ Transparent to user
+ Portability
+ Convenience
+ Easy to add as 2nd layer
! Low assurance
! Can be spoofed
! Limited revocation
! Static
! Typically not protected
BEHAVIORAL
Examples: o Keystroke o Parameters o Writing o Predictive o Cadence o Habitual
+ User-friendly
+ Portability
+ Convenience
+ Easy to add as 2nd layer
! Early maturity
! No standards
! Limited revocation
! Low assurance
LEVELS OF ASSURANCE (TRUST)
• LOA 1: No proofing
• LOA 2: Add proofing
• LOA 3: Multi-factor
• LOA 4: NIST hardware crypto
Proofing > Challenge > Response > Validation
• Proofing: Verify and bind the person or object to the service
• Challenge: Issuer asserts defined criteria for proof of identity
• Response: Requestor must respond with the required proof
• Validation: By systems and processes that can be interrogated
SECURITY: PROCESS and POLICY applied across assets
Assets, logical and physical: DMZ; Admin passwords; Crypto keys; Customer data (PII); Datacenter; Lobby / suite; HR files; Network (intranet); Equipment; Sales office; Exec offices; Main building; Inventory; App/firmware code; Storage
OPERATIONAL CONSIDERATIONS
Across Security, IT Infrastructure and Business Process:
• Enrollment
• Workflows
• Lifecycle Management
• Integration
• Reporting
• Support & Helpdesk
• Software Distribution
• Network Configuration
• Directory & IDM
• Encoding
• Physical Access
• Design Layout
• Personalization
• Global distribution
• Printing services
• CA/PKI Integration
• Key Management & escrow
• Data Center & Infrastructure
BUSINESS ENABLEMENT
• Enable user experience
• Reduce risk
• Economical at scale
• Operational efficiency
• Compliance
• Governance
3. PAYMENT CREDENTIALS
PAYMENT CARD FRAUD
Compromise Card: Target valid cards; Skim > Dump; Clone; Man-In-Middle (MIM); Phishing; ATM; Fuel pumps
Attack Infrastructure: Honeypots; Supply chain; Business partners; Malware; Spear-phishing; SQL injection; Modify stored values; Compromise POS
Steal Identity: Open new account; Intercept mail; Third party; Phishing; Paper records; Medicare (SSN); Black market
US is THE only country where fraud is growing consistently
o 25% of global transactions yet nearly 50% of global fraud (Nilson Report)
Costs of upgrade
o Issuer: EMV cards are $1.25 each (5x current) x 1.5b cards
o Merchant: POS $100 each x 12m = $7b+ in upgrades (Nilson Report)
2012: US had $5.3b in card fraud. The largest category for merchants is Card-Not-Present (1/3)
“Partial” History of Payment Credentials
1880s: First cash register; paper rolls for recording
1940s: WW2: audio recording to steel tape by the military; 1946: First bank card, “Charge-It” by John Biggins
1950s: 1958: Amex uses plastic; 1959: MasterCard: revolving credit
1960s: BankAmerica >> franchising, later to become Visa; IBM: magnetic stripe on card; first ATM (UK)
1970s: IBM/Amex: magnetic stripe in use on credit cards; smart card invented in France; ISO 7811, 7812, 7813
1990s: Chips used for credit cards; 1995: EMV spec takes shape; EMVCo established, revisions; 1999: PayPal founded
2000s: EMV liability shifts take place: Europe (2005), Asia, Africa, Brazil, Colombia, South Africa; PIV: Personal Identity Verification by the US DoD > NIST > GSA; ICAO ePassport standards: chip, PKI, international key management; 2008/09: Bitcoin
2010s: 2013: First Bitcoin ATM; Oct 2015: USA liability shift for EMV; Oct 2017: USA liability shift for gas pumps
Not dated on the slide: magnetic recording on steel tape (IBM); ISO 7816: contact smart cards; development of contactless for military uses (Hughes); magnetic cards for physical access, to address keyed locks
LEGACY: MAGNETIC STRIPE CARDS
Made of iron-based magnetic particles on a band of magnetic material on the card (the stripe). 1930s – 1960s: audio industry > US Gov > IBM, 3 tracks.
Origin of track data: Track 1: airline industry (ATA); Track 2: banking industry (ABA); Track 3: thrift savings industry
Coercivity: o LoCo o HiCo
DISSECTING MAG STRIPE: ISO 7813
Source: MagTek
Make-Your-Own-Credit-Card
TRACK 1: %B4342562099508242^GOLD/TERRENCE J^1410101000000000000 00229000000?
TRACK 2: %4342562099508242=14101010000000229?
Field layout: STX (start sentinel) | FC (format code) | PAN | FS | NAME | FS | EXP | SVC CODE | DD: DISCRETIONARY DATA | ETX (end sentinel)
Only in America – No, REALLY!
*We’ll come back to this
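As an added example, not from the talk or any vendor tool: a small parser for the two track layouts shown above. It splits out PAN, name, expiry and service code, Luhn-checks the PAN, and reads the service code to tell a chip card from a stripe-only card, which is what lets a terminal or fraud system treat a swipe of a chip card at a chip-capable reader as an EMV fallback rather than a normal transaction. It assumes the ISO 7813 “;” start sentinel for track 2; the sample PANs are a well-known test number and the card printed on the slide.

```python
import re

# ISO 7813 layouts as shown on the slide: start sentinel, [format code], PAN, separator,
# [name, separator], expiry YYMM, 3-digit service code, discretionary data, end sentinel.
TRACK1_RE = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                       r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?$")
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?$")
# Service code (ISO 7813): first digit 2 or 6 means an IC (chip) is on the card;
# third digit 0, 3 or 5 means a PIN is required.
CHIP_PRESENT_DIGITS = {"2", "6"}
PIN_REQUIRED_DIGITS = {"0", "3", "5"}

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (catches garbled or mistyped PANs, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track(data: str) -> dict:
    """Split track 1 or track 2 data into its fields; ValueError for anything else."""
    m = TRACK1_RE.match(data) or TRACK2_RE.match(data)
    if not m:
        raise ValueError("not ISO 7813 track 1/2 data")
    f = m.groupdict()
    return {
        "track": 1 if data.startswith("%") else 2,
        "pan": f["pan"],
        "pan_luhn_ok": luhn_ok(f["pan"]),
        "name": f.get("name"),  # track 2 carries no name field
        "expiry_yymm": f["exp"],
        "service_code": f["svc"],
        "chip_present": f["svc"][0] in CHIP_PRESENT_DIGITS,
        "pin_required": f["svc"][2] in PIN_REQUIRED_DIGITS,
        "discretionary": f["dd"],
    }

def swipe_is_fallback(data: str, terminal_has_chip_reader: bool) -> bool:
    """A swipe of a chip-flagged card at a chip-capable terminal is EMV fallback:
    the terminal should have read the chip, so the transaction deserves extra scrutiny."""
    return parse_track(data)["chip_present"] and terminal_has_chip_reader

# Constructed samples: a well-known test PAN with chip service code 201, plus the
# stripe-only card (service code 101) printed on the slide.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^2512201000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25122010000000000?"
SLIDE_TRACK1 = "%B4342562099508242^GOLD/TERRENCE J^1410101000000000000 00229000000?"
```

The same field split is what POS memory-scraper detections key on: anything matching these layouts in process memory or outbound traffic is track data, regardless of which card it came from.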
EMV
WHAT IS IT?
• Stands for Europay, MasterCard, Visa
• Cards and terminals contain “chips” (embedded dedicated microprocessors)
• Open standard: a set of specifications defining mechanisms for interoperability and security
• Designated for smart cards, terminals, and other services within the transaction
WHAT IS THE “CHIP”?
• Embedded purpose-built secure microprocessor
• Holds the cryptographic private key used to carry out the transaction
• Designed with anti-tampering measures (micro HSM)
• Signatures, hashes, random number generators, secure PIN
BENEFITS
• Card authentication: not reliant only on the PAN
• Cardholder verification: capability to bind the credential/card to the authorized cardholder
• Transaction authorization: issuer accepts or declines with expanded parameters
IMPACT
• Resistance to fraud
• Very difficult to reuse, thereby decreasing the opportunity to monetize at scale
EMV (Points that matter)
TWO TYPES
• Chip and PIN
• Chip and Signature
INTERESTING POINTS
• Still has a magnetic stripe for the transition
• Chip also contains the PAN (account number) and other details
• Merchant decides whether to enforce EMV (issuer may influence this)
• Tokenization
• Mobile and contactless
• Adds an “offline” mode to transactions
WHO GOVERNS IT?
• EMV cards, also known as “smart cards” or “Chip-and-PIN”
• Managed by EMVCo
EMV Card Hacks
• Harvest & clone to mag stripe
• Exploit terminal
• Encode new card to mag stripe; use where EMV is not required
• TVR attack > circumvent PIN without exploiting it
• Downgrade CVM (Cardholder Verification Method)
• User-not-present transactions
• Bank issuance controls (insider exploitation)
• Kaptoxa = “potato” = stolen credit card data (Russian)
Timeline:
• 2006, Shell: conversation capturing between cards and terminals, >1m numbers
• 2008, Europe: terminals tampered with during manufacturing in China, >100g of added circuitry; data sent over mobile networks to Pakistan; tens of millions of dollars. Led to SPVA and better agreement on the POS lifecycle. Pre-iCVV; forced iCVV upgrades.
• 2010: Hidden hardware to disable PIN checking
• 2011: CVM downgrade to offline PIN
• 2014: Cambridge University, compromised PIN process. https://www.youtube.com/watch?v=Ks_w352BS-Q
CHALLENGES
CAN IT BE TRUSTED?
• EMVCo is owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa
• Industry self-regulation model, with core stakeholders having highly leveraged interests
• Personal opinion: the improvement has been significant and the process transparent
IMPLEMENTATION
• Liability shift doesn’t guarantee EMV readers or enforcement of EMV transactions
• Signature vs. PIN: optional, enforced by the bank; mainly still signature-based in the US
• Signature cannot provide high assurance of the individual using the card
• Offline mode, while technically more secure, only responds to static parameters vs. analysis of real-time parameters
GOVERNANCE
• Specification is fairly clear, but there are various modes; some mandatory and some guidance
• Lacks consistent policy across ecosystems (bank records for validation)
• Authentication methods are not standardized (2nd factor, biometrics, Verified by Visa, etc.)
• Results in “gaps” where hackers will focus and live
BIGGEST RISK
• Industry associations, banks, and vendors are dismissive of vulnerabilities
• When hacks are reported, they are often dismissed as “not feasible”, “no credible evidence of scale”, or criminals not being smart enough, which enables the “gaps”
PREDICTION ON CRIME PATTERNS IN US
Down in one vector, rise in another (the one that is easier)
• Criminals likely to shift focus to “CNP”
• CNP (card-not-present) crime rises
o Online transactions
o Phone transactions
o *User does not have a cryptographic terminal to enter a PIN
STILL NO EMV:
• ATMs (2016)
• Gas pumps (2017)
2018:
• Attack surface gets significantly smaller
• EMV issuance in the US likely to reach mass scale and parity with other countries
• Attacks decline in number due to the skill, time and resources required
2020:
• Well-organized, funded and highly skilled criminals focused on exploiting EMV “gaps”
• Fewer breaches, but elaborate and effective at scale
• Deeply compromising systems = poor detection and hard to remediate
Predictions on Future of Authentication
NEAR TERM
• Tighter coupling between authentication & authorization
• Apply layers + risk score (context)
• Mobile as platforms
• Real-time in transaction
• Consumer control
• Orchestrations & approvals
• Decentralized ecosystems
LONGER TERM
• Wearables as key stores (user identity)
• On-board hardware key storage (device identity)
• Indirect & repurposed issuance
• Ubiquity
• Commoditized RAs for binding
Thank You!
Terry Gold
Principal Analyst
t: 213-341-0433
@d6research.com
Where thoughts are my own: @terrygold2048