@terrygold2048 @IDanalyst Fundamentals of Identity & Authentication Terry Gold FRAUD FORCE SUMMIT Portland, 2016


Page 1: FRAUD FORCE SUMMIT Portland, 2016...Research IP & Operations Designs Financials METHOD POS > Install Malware SQL Injection MIM Elevated Privelege Passwords & Honeypots Spear Phishing

@terrygold2048

@IDanalyst

Fundamentals of Identity & Authentication

Terry Gold

FRAUD FORCE SUMMIT Portland, 2016

Page 2:

This Session

Summary:
• “Hackers”: who, what and why
• Identity is a critical cross-section for exploitation
• Credentials are a “trust model” for implementation

Details:
• What makes a “strong” credential?
• How strong does it need to be?
• Scope of credentials, payment types and brief analysis

Page 3:

1. IDENTITY: Who, What, & Why?

Page 4:

Hackers: Actors with intent

• “Manipulating things to do what they were not designed to do”
• Can be ANYTHING, not just computers.
• Intent: can be done for good or for bad

Page 5:

We are in a Major Paradigm Shift…

OLD PARADIGM → NEW PARADIGM
• Keep everyone out → Assume they get in
• Secure the network → Secure the data
• Virus was the threat → XSS, XSRF, malware, 0-day, social engineering
• Enthusiasts & amateurs → Crime rings, state-sponsored, hacktivists
• File and print; core applications → Data is everywhere; increasingly pervasive
• Firewall perimeter defined by IT → Perimeter defined by where the device/service is
• Internal employees → Vendors, contractors, suppliers
• Compliance achieves security → Compliance is the minimum, not the goal

Page 6:

Threat Ecosystem & Anatomy of Attacks

TARGET$: Plans; Customer Data; Formulas & Research; IP & Operations; Designs; Financials

METHOD: POS > Install Malware; SQL Injection; MIM (Man-in-the-Middle); Elevated Privilege; Passwords & Honeypots; Spear Phishing

VECTORS: Network; Physical; Application; Mobile; Social Engineering; Endpoint

WHO
• Individuals: Careless Employee; Disgruntled Employee; Lone Hacker
• Groups: Organized Crime; State Sponsored; Group / Cause (e.g. Anonymous)

Examples named on the slide: Sony Pictures, Target, DoD, WikiLeaks, Eli Lilly, Eric Holder

Page 7:

Reflection on Past Year

Analysis
• Attackers use a variety of methods in an attack, not just one
• Common denominator: identity exploitation
• Verizon 2014 annual DBIR: 2/3 of breaches involved lost or stolen credentials

Cases
• Method: spear phishing + 3rd-party vendor credentials (static username/password) > elevated-privilege credentials > installed malware on POSs = Result: >100m credit card numbers
• Method: zero-day + employee network credentials (static username/password) + 2 months before discovery = Result: 76m customers’ PII
• Method: cross-site scripting + employee credentials (static username/password) > installed malware = Result: PII (names, address, email, DOB, encrypted passwords)
• Method: undisclosed + employee credentials (static username/password) > installed malware > elevated-privilege credentials = Result: employee PII, medical records, threats, IP, operations, files

Page 8:

Verticals and Identity Threat Models in Context

• Critical Infrastructure. Impact: power grid distribution, water supply, military & economic
• Healthcare. Impact: exposing ePHI, fraud, abuse, compromised operations
• Financial Services. Impact: fraud / losses, brand / trust, decrease in online usage and profits
• Hi-Tech. Impact: IP & trade secrets, competitive advantage, R&D losses
• Government. Impact: defense systems compromised, intelligence systems, IP, designs, strategy & plans
• Retail. Impact: credit cards & PII, brand/trust, operations, financial losses

Identity threats (∆) across the verticals: SCADA system login; cloning ID cards; spear phishing; access to control areas; cross-site scripting; defaults; doctor & admin logins; device identity; malware; classified access; admin accounts; insecure communications; self-service logins; health ID cards; insufficient proofing; unencrypted / lost data; man-in-the-middle (MIM)

Page 9:

2. FUNDAMENTALS: Identity & Authentication

Page 10:

DNA of Identity & Context of Use

Facets of identity: Proof, Relationship, Attributes, Role, Credentials, Traits, Authorization
• Role: policies, entitlements, permissions, rules
• Traits: eye color, height, physiological, race, gender
• Authorization: risk scores, rules, predictive, context
• Other identity elements on the slide: government, personal, company, former last name; phone number, address, driver’s license #, bank account #

Identity management is a prerequisite for optimum security and for the business function itself. Credential management is core to maintaining trust prior to a transaction in a relationship.

Page 11:

SOMETHING YOU KNOW

Examples: passwords; QBA; PIN*

+ Low up-front cost
+ Portability
+ Universal
+ User & machine

− Expensive longer-term (help desk)
− Not user friendly (mobile)
− Prone to many attacks
− Easy to social engineer

Page 12:

SOMETHING YOU HAVE

Examples: scratch card; ID card; smart card; USB token; wearables; ATM/bank card; OTP token; phone; PKI certificate

+ Great for authentication
+ Portability
+ Multi-application
+ Physical access
+ E-mail security (smart card)

− Potentially expensive
− Management cost can be high
− Integration & compatibility
− Convenience varies
− Device dependent

! Standards and trust

Page 13:

SOMETHING YOU ARE

Examples: fingerprint; facial; retina; iris; palm; vein; hand geometry; voice; heartbeat

+ Great for identification
+ Portability
+ Convenience
+ Physical access

− Poor for dynamic authentication
− Lack of comprehensive standards
− Integration & compatibility
− No revocation
− Generally expensive
− False accept / reject

Page 14:

DEVICE FORENSICS

Examples: mobile IMEI; versions; serial number; device model; geolocation; etc.

+ Transparent to user
+ Portability
+ Convenience
+ Easy to add as 2nd layer

− Low assurance
− Can be spoofed
− Limited revocation
− Static
− Typically not protected

Page 15:

BEHAVIORAL

Examples: keystroke; parameters; writing; predictive; cadence; habitual

+ User-friendly
+ Portability
+ Convenience
+ Easy to add as 2nd layer

− Early maturity
− No standards
− Limited revocation
− Low assurance

Page 16:

LEVELS OF ASSURANCE (TRUST)

Challenge: the issuer asserts defined criteria for proof of identity.
Response: the requestor must respond with the required proof.
Validation: by systems and processes that can be interrogated.
Proofing: verify and bind the person or object to the service.

LOA 1: No proofing
LOA 2: Add proofing
LOA 3: Multi-factor
LOA 4: NIST hardware crypto

Assets placed on the assurance scale (SECURITY, PROCESS and POLICY dimensions): DMZ; Admin Passwords; Crypto Keys; Customer Data (PII); Datacenter; Lobby / Suite; HR Files; Network (intranet); Equipment; Sales Office; Exec Offices; Main Building; Inventory; App/Firmware Code; Storage
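The factor slides and the LOA ladder above answer the deck's own question, "how strong does it need to be?", only in words. As an added example (not part of the deck), the Python below turns that ladder into a policy check: which LOA a set of presented factors reaches, whether it meets the minimum an asset demands, and what the requestor is missing, which is what a step-up prompt needs to know. The asset-to-level mapping, the `Factor` class and the function names are assumptions made for this example; the ladder itself is a simplified reading of the slide (LOA 1 no proofing, LOA 2 proofing, LOA 3 multi-factor, LOA 4 hardware crypto), not the full NIST SP 800-63-2 text.

```python
from dataclasses import dataclass

# Assumed policy: minimum LOA per asset. The asset names are the slide's; the
# level assigned to each is an illustrative choice for this example.
ASSET_MIN_LOA = {
    "Main Building": 1, "Lobby / Suite": 1,
    "Sales Office": 2, "Network (intranet)": 2, "Equipment": 2, "Inventory": 2, "Storage": 2,
    "Exec Offices": 3, "HR Files": 3, "Customer Data (PII)": 3, "DMZ": 3,
    "Datacenter": 4, "Admin Passwords": 4, "Crypto Keys": 4, "App/Firmware Code": 4,
}


@dataclass(frozen=True)
class Factor:
    kind: str                      # "know", "have" or "are" (the slide's three classes)
    hardware_crypto: bool = False  # key material held in tamper-resistant hardware


def achieved_loa(factors, proofed: bool) -> int:
    """Assurance level reached by a set of presented factors (simplified ladder)."""
    kinds = {f.kind for f in factors}      # two passwords are still one kind
    if not kinds:
        return 0
    if not proofed:
        return 1                           # identity was never verified at enrollment
    if len(kinds) < 2:
        return 2
    if any(f.hardware_crypto for f in factors):
        return 4
    return 3


def next_step(required: int, achieved: int, factors, proofed: bool) -> str:
    """What the requestor still lacks to reach the required level (drives step-up)."""
    if achieved >= required:
        return "none"
    if not proofed:
        return "identity proofing"
    if len({f.kind for f in factors}) < 2:
        return "second factor of a different kind"
    return "hardware-backed credential"


def authorize(asset: str, factors, proofed: bool) -> dict:
    """Compare the asset's required LOA with what the session presented."""
    required = ASSET_MIN_LOA[asset]
    achieved = achieved_loa(factors, proofed)
    return {
        "asset": asset,
        "required": required,
        "achieved": achieved,
        "allowed": achieved >= required,
        "step_up": next_step(required, achieved, factors, proofed),
    }


if __name__ == "__main__":
    password = Factor("know")
    otp_token = Factor("have")
    smart_card = Factor("have", hardware_crypto=True)
    for asset, factors in [("Lobby / Suite", [password]),
                           ("Customer Data (PII)", [password]),
                           ("Customer Data (PII)", [password, otp_token]),
                           ("Crypto Keys", [password, otp_token]),
                           ("Crypto Keys", [password, smart_card])]:
        print(authorize(asset, factors, proofed=True))
```

The point the code makes that the slide leaves implicit: stacking more of the same kind of factor never raises the level, and a password plus an OTP token still falls short of the assets the slide puts at the top of the scale (keys, admin passwords, firmware), which need a hardware-backed credential.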

Page 17:

OPERATIONAL CONSIDERATIONS

Across Security, IT Infrastructure and Business Process:
• Enrollment
• Workflows
• Lifecycle Management
• Integration
• Reporting
• Support & Helpdesk
• Software Distribution
• Network Configuration
• Directory & IDM
• Encoding
• Physical Access
• Design Layout
• Personalization
• Global distribution
• Printing services
• CA/PKI Integration
• Key Management & escrow
• Data Center & Infrastructure

BUSINESS ENABLEMENT
• Enable User Experience
• Reduce Risk
• Economical at scale
• Operational Efficiency
• Compliance
• Governance

Page 18:

3. PAYMENT CREDENTIALS

Page 19:

PAYMENT CARD FRAUD

Compromise Card: target valid cards; skim > dump; clone; man-in-the-middle (MIM); phishing; ATM; fuel pumps
Attack Infrastructure: honeypots; supply chain; business partners; malware; spear-phishing; SQL injection; modify stored values; compromise POS
Steal Identity: open new account; intercept mail; third party; phishing; paper records; Medicare (Soc#); black market

US is THE only country where fraud is growing consistently
o 25% of global transactions yet nearly 50% of global fraud (Nilson Report)

Costs of upgrade
o Issuer: EMV cards are $1.25 each (5x current) x 1.5b cards
o Merchant: POS $100 each x 12m = $7b+ in upgrades (Nilson Report)

2012: US had $5.3b in card fraud. Largest category for merchants is card-not-present (1/3)

Page 20:

“Partial” History of Payment Credentials (1880s to 2010s)

• First cash register; paper rolls for recording
• Magnetic recording on steel tape (IBM); WW2: audio recording to steel tape by the military
• 1946: First bank card: “Charge-It” by John Biggins
• 1958: Amex uses plastic
• 1959: MasterCard: revolving credit
• BankAmerica >> franchising, later to become Visa
• IBM: magnetic on card; first ATM (UK)
• Magnetic for physical access, to address keyed locks
• IBM/Amex: magnetic stripe in use on credit cards
• Smart card invented in France; ISO 7811, 7812, 7813
• Development of contactless for military uses (Hughes)
• ISO 7816: contact smart cards
• Chips used for credit cards; 1995: EMV spec takes shape; EMVCo established, revisions
• 1999: PayPal founded
• EMV liability shifts take place: Europe (2005), Asia, Africa, Brazil, Colombia, So. Africa
• PIV: Personal Identity Verification by the US DoD > NIST > GSA
• ICAO ePassport standards: chip, PKI, international key management
• 2008/09: Bitcoin
• 2013: First Bitcoin ATM
• Oct 2015: USA liability shift for EMV
• Oct 2017: USA liability shift for gas pumps

Page 21:

LEGACY: MAGNETIC STRIPE CARDS

Made of iron-based magnetic particles on a band of magnetic material on the card (the stripe). 1930s – 1960s: audio industry > US Gov > IBM. 3 tracks.

Origin of track data: Track 1: airline industry (ATA); Track 2: banking industry (ABA); Track 3: thrift savings industry

Coercivity: LoCo (low) / HiCo (high)

Page 22:

DISSECTING MAG STRIPE: ISO 1713 (diagram; source: MagTek)

Page 23:

Make-Your-Own-Credit-Card

Track 1: %B4342562099508242^GOLD/TERRENCE J^1410101000000000000 00229000000?
Track 2: %4342562099508242=14101010000000229?
Field layout: STX | FC | PAN | FS | NAME | FS | EXP | SVC CODE | DD: DISCRETIONARY DATA | ETX

Only in America – No, REALLY!

*We’ll come back to this
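The track layout above is what the POS malware in the page 7 cases harvested, and it is what a defender most often needs to recognise: full track data sitting in a debug log, a crash dump or a memory capture where PCI DSS says it must never be stored. As an added example (not from the slide or its source, MagTek), the Python below parses the Track 1 and Track 2 layouts, checks the PAN's Luhn digit, reads the chip flag in the service code, and reports every hit with the PAN masked so the finding itself is not cardholder data. The sample strings are the slide's demo values re-typed (Track 2 with its ';' start sentinel, which the slide renders as '%', and Track 1 without the extraction space); the log lines are constructed. Field lengths follow ISO/IEC 7813; the regexes are deliberately permissive (13 to 19 digit PAN) so they catch what a scanner should.

```python
import re

# Constructed samples: the slide's demo track strings re-typed. Not a real card.
TRACK1_SAMPLE = "%B4342562099508242^GOLD/TERRENCE J^1410101" + "0" * 14 + "229000000?"
TRACK2_SAMPLE = ";4342562099508242=14101010000000229?"

# ISO/IEC 7813 layouts: STX, [format code B,] PAN, FS, [name, FS,] YYMM expiry,
# 3-digit service code, discretionary data, ETX. The LRC after ETX is not text.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check-digit test over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_capable(service_code: str) -> bool:
    """A first service-code digit of 2 or 6 tells the terminal an IC (chip) is present."""
    return service_code[0] in "26"


def _fields(m, track):
    pan = m.group("pan")
    rec = {
        "track": track,
        "masked_pan": mask_pan(pan),
        "luhn_ok": luhn_ok(pan),
        "expiry_yymm": m.group("exp"),
        "service_code": m.group("svc"),
        "chip_capable": chip_capable(m.group("svc")),
    }
    if track == 1:
        surname, _, given = m.group("name").partition("/")
        rec["surname"], rec["given_names"] = surname.strip(), given.strip()
    return rec


def parse_track(data: str):
    """Parse one track string; returns a dict with the PAN masked, or None."""
    m = TRACK1_RE.search(data)
    if m:
        return _fields(m, 1)
    m = TRACK2_RE.search(data)
    return _fields(m, 2) if m else None


def scan_for_track_data(text: str):
    """Find every Track 1/2 string in text (a POS log, a memory capture) and
    report it with the PAN masked, so the report is not cardholder data itself."""
    hits = [_fields(m, 1) for m in TRACK1_RE.finditer(text)]
    hits += [_fields(m, 2) for m in TRACK2_RE.finditer(text)]
    return hits


# Constructed POS debug-log excerpt: two lines leak full track data, one does not.
SAMPLE_LOG = "\n".join([
    "2016-03-01 12:00:01 swipe ok " + TRACK1_SAMPLE,
    "2016-03-01 12:00:01 swipe ok " + TRACK2_SAMPLE,
    "2016-03-01 12:00:02 auth approved pan=434256******8242 amt=19.99",
])

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_LOG):
        print(hit)
```

Two things the parser makes visible that the slide only hints at: the demo PAN passes the Luhn check, so a scanner cannot dismiss it as junk, and its service code 101 carries no chip flag, which is exactly the card the next slides contrast with EMV.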

Page 24:

EMV

WHAT IS IT?
• Stands for Europay, MasterCard, Visa
• Cards and terminals contain “chips” (embedded dedicated microprocessor)
• Open standard: a set of specifications that define mechanisms for interoperability and security
• Designated for smart cards, terminals, and other services within the transaction

WHAT IS THE “CHIP”?
• Embedded purpose-built secure microprocessor
• Cryptographic private key to carry out the transaction
• Designed with anti-tampering measures (micro HSM)
• Signatures, hashes, random number generators, secure PIN

BENEFITS
• Card authentication: not reliant only on the PAN
• Cardholder verification: capability to bind the credential/card to the authorized cardholder
• Transaction authorization: the issuer accepts or declines with expanded parameters

IMPACT
• Resistance to fraud
• Very difficult to reuse, thereby decreasing the opportunity to monetize at scale

Page 25:

EMV (Points that matter)

TWO TYPES
• Chip and PIN
• Chip and Signature

INTERESTING POINTS
• Still has a magnetic stripe for the transition
• Chip also contains the PAN (account number and other details)
• Merchant decides whether to enforce EMV (issuer may influence this)
• Tokenization
• Mobile and contactless
• Adds an “offline” mode to transactions

WHO GOVERNS IT?
• EMV cards, also known as “smart cards” or “Chip-and-PIN”
• Managed by EMVCo
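Pages 24 and 25 list card authentication, transaction authorization with expanded parameters, and "very difficult to reuse" as the benefits of the chip. The added example below (Python, not EMVCo's or the presenter's code) is a toy of that mechanism with both sides of the exchange: the chip MACs the transaction data with a key that never leaves it, and the issuer host recomputes the MAC and checks the application transaction counter (ATC). HMAC-SHA256 stands in for EMV's session-key 3DES/AES MAC, and the field layout, class and function names are invented for the example; the property shown is the real one. The demo key is a constructed constant and the PAN is the slide's demo value.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _tx_bytes(pan, amount, currency, date, unpredictable_number, atc):
    """Transaction data both sides MAC over (stand-in for the CDOL data in EMV)."""
    return f"{pan}|{amount}|{currency}|{date}|{unpredictable_number:08x}|{atc:04x}".encode()


def _cryptogram(key, data):
    # Simplified: HMAC-SHA256 truncated to 8 bytes. Real EMV derives a session key
    # from the ATC and uses a 3DES/AES MAC; the binding property is the same.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class Chip:
    """The card's secure microprocessor: holds a key that never leaves it."""
    pan: str
    key: bytes
    atc: int = 0  # Application Transaction Counter, increments every transaction

    def generate_arqc(self, amount, currency, date, unpredictable_number):
        self.atc += 1
        data = _tx_bytes(self.pan, amount, currency, date, unpredictable_number, self.atc)
        return self.atc, _cryptogram(self.key, data)


@dataclass
class Issuer:
    """Issuer host: holds each card's key and the last ATC it accepted."""
    keys: dict = field(default_factory=dict)
    last_atc: dict = field(default_factory=dict)

    def authorize(self, pan, amount, currency, date, unpredictable_number, atc, arqc):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE: replayed ATC"        # an "expanded parameter" the stripe never had
        expected = _cryptogram(key, _tx_bytes(pan, amount, currency, date, unpredictable_number, atc))
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: bad cryptogram"      # wrong key, or transaction data altered in transit
        self.last_atc[pan] = atc
        return "APPROVE"


def run_demo():
    """Four transactions: genuine, replayed, amount altered in transit, cloned stripe data."""
    pan = "4342562099508242"                                  # the slide's demo PAN
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # constructed demo key
    card = Chip(pan, key)
    issuer = Issuer(keys={pan: key})
    un = 0x1234ABCD                                           # terminal's unpredictable number
    results = {}

    atc, arqc = card.generate_arqc(1999, "840", "160301", un)
    results["genuine"] = issuer.authorize(pan, 1999, "840", "160301", un, atc, arqc)
    results["replay"] = issuer.authorize(pan, 1999, "840", "160301", un, atc, arqc)

    atc, arqc = card.generate_arqc(1999, "840", "160301", un)
    results["tampered_amount"] = issuer.authorize(pan, 99999, "840", "160301", un, atc, arqc)

    # Skimmed stripe data yields the PAN and expiry but not the chip key, so a
    # clone can only MAC with a guess and its cryptogram never verifies.
    clone = Chip(pan, bytes(16), atc=card.atc)
    atc, arqc = clone.generate_arqc(1999, "840", "160301", un)
    results["cloned_stripe"] = issuer.authorize(pan, 1999, "840", "160301", un, atc, arqc)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} {verdict}")
```

This is why the slide pairs "chip also contains the PAN" with "very difficult to reuse": the PAN is not the secret, the key is, and a stolen copy of everything the stripe holds buys nothing at a terminal that insists on a cryptogram. The page 26 hacks are, correspondingly, about making the terminal not insist.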

Page 26:

EMV Card Hacks

• Harvest & clone to mag stripe
• Exploit terminal
• Encode new card to mag stripe; use where EMV not required
• TVR attack > circumvent PIN without exploiting it
• Downgrade CVM (Cardholder Verification Method)
• User-not-present transactions
• Bank issuance controls (insider exploitation)
• Kaptoxa = “potato” = stolen credit card data (Russian)

Reported incidents:
• 2006 Shell: conversation capturing between cards and terminals, >1m card numbers
• 2008 Europe: terminals tampered during manufacturing in China, over 100g of added circuitry; data sent over mobile networks to Pakistan; tens of millions of dollars. Led to SPVA and better agreement on POS lifecycle. Pre-ICVV; forced ICVV upgrades.
• 2010: hidden hardware to disable PIN checking
• 2011: CVM downgrade to offline PIN
• 2014: Cambridge University, compromised PIN process. https://www.youtube.com/watch?v=Ks_w352BS-Q

Page 27:

CHALLENGES

CAN IT BE TRUSTED?
• EMVCo is owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa
• Industry self-regulation model with core stakeholders having highly leveraged interests
• Personal opinion: the improvement has been significant and the process transparent.

IMPLEMENTATION
• Liability shift doesn’t guarantee EMV readers or enforcement of EMV transactions.
• Signature vs. PIN: optional, enforced by the bank. Mainly still signature based in the US.
• Signature cannot provide high assurance of the individual using the card.
• Offline mode, while technically more secure, only responds to static parameters rather than analysis of real-time parameters.

GOVERNANCE
• Specification is fairly clear, but there are various modes; some mandatory and some guidance
• Lacks consistent policy across ecosystems (bank records for validation)
• Authentication methods are not standardized (2nd factor, biometrics, Verified by Visa, etc.)
• Results in “gaps” where hackers will focus and live

BIGGEST RISK
• Industry associations, banks, and vendors are dismissive of vulnerabilities
• When hacks are reported, they are often dismissed as “not feasible”, “no credible evidence of scale”, or criminals not smart enough; this enables “gaps”

Page 28:

PREDICTION ON CRIME PATTERNS IN US

Down in one vector, rise in another (that is easier)
• Criminals likely to shift focus to “CNP”
• CNP (card-not-present) crime rises
  o Online transactions
  o Phone transactions
  o *User does not have a cryptographic terminal to enter a PIN

STILL NO EMV:
• ATMs (2016)
• Gas pumps (2017)

2018:
• Attack surface gets significantly smaller
• EMV issuance in the US likely to reach mass scale and parity with other countries
• Attacks decline in number due to the skill, time and resources required

2020:
• Well organized, funded and highly skilled criminals focused on exploiting EMV “gaps”
• Fewer breaches, but elaborate and effective at scale
• Deeply compromised systems = poor detection and hard to remediate

Page 29:

Predictions on Future of Authentication

NEAR TERM
• Tighter coupling between authentication & authorization
• Apply layers + risk score (context)
• Mobile as platforms
• Real-time in transaction
• Consumer control
• Orchestrations & approvals
• Decentralized ecosystems

LONGER TERM
• Wearables as key stores (user identity)
• On-board hardware key storage (device identity)
• Indirect & repurposed issuance
• Ubiquity
• Commoditized RAs for binding

Page 30:

Thank You!

Terry Gold

Principal Analyst

t: 213-341-0433

e: [email protected]

@d6research.com

Where thoughts are my own: @terrygold2048