SEPIA: Secure-PIN-Authentication-as-a-Service for ATM using Mobile and Wearable Devices


Rasib Khan, Ragib Hasan, and Jinfang Xu
SECRETLab, Department of Computer and Information Sciences
University of Alabama at Birmingham, Birmingham, AL 35294, USA
{rasib, ragib,

Abstract

Credit card fraud is a common problem in today's world. Financial institutions have registered major losses to date due to users' credit card information being exposed. Shoulder-surfing or observation attacks, including card skimming and video recording with hidden cameras while users perform PIN-based authentication at ATM terminals, are among the common threats for ordinary users. Researchers have struggled to come up with secure solutions for PIN authentication. However, modern ubiquitous wearable devices, such as the Google Glass, have presented us with newer opportunities in this research area. In this paper, we propose Secure-PIN-Authentication-as-a-Service (SEPIA), a secure obfuscated PIN authentication protocol for ATM and other point-of-service terminals using cloud-connected personal mobile and wearable devices. Our approach protects the user from shoulder-surfers and partial observation attacks, and is also resistant to relay, replay, and intermediate transaction attacks. A SEPIA user utilizes a Google Glass or a mobile device to scan a QR code on the terminal screen, proving co-location to the cloud-based server and obtaining a secure PIN template for point-of-service authentication. SEPIA ensures minimal task overhead on the user's device, with maximal computation offloaded to the cloud. We have implemented a proof-of-concept prototype to perform experimental analysis and a usability study for the SEPIA architecture.

Keywords: ATM, Authentication, Credit/Debit Card, Google Glass, Obfuscated PIN, PIN Template, Point-of-Service, Security

I. INTRODUCTION

Authentication of users at automatic teller machines (ATMs) is mostly dependent on PIN-based verification.
Several usability factors have been studied so far to enhance the security of user authentication at ATMs. Socio-physical factors, such as queue length, distractions, length of time for the interaction, urgency, physical hindrance, memorization of PINs, co-located user display, speed of interaction, and the environment, are all determinants of the security of the procedure [1, 2]. The major concerns arising from these factors relate to shoulder-surfing attacks, replay attacks, card cloning, and unintentional PIN sharing [2]. Multiple studies have also been conducted to detect fraudulent card transactions [3, 4]. Security of credit and debit card authentication may be considered an evolving field, fighting against skillful fraudsters who get hold of modern and more effective means every day [5]. Studies have analyzed the current scenario of credit card fraud [6]. Systems supporting card-less transactions are getting popular, where users can use additional personal devices, such as mobile phones, to perform the financial transaction [7, 8]. However, even today, incidents of exposure of credit card information are still a common event [9]. The total loss from consumer cyber-attacks in 2013 was estimated at approximately 38 million USD in the US, including 13 and 37 million in Europe and China respectively [9].

Shoulder-surfing attacks, also known as observation attacks, are the most common for ATM authentication. In this case, the attacker simply observes the authorized user's PIN entry to get hold of the secret information. Credit and debit card frauds due to identity thefts are increasing every year [10, 11]. Unfortunately, users of such banking systems are still not legally protected by the banks and card companies [12]. Additionally, there are sophisticated scamming techniques using fake terminals, credit card cloning, and remote relay or wormhole attacks, which make the process of user protection harder [13–16].
Researchers have studied the reasons for ATM malpractices and the ways users are exposed to attackers [2]. Credit or debit cards may have magnetic strips on them to store the PIN information. Cards with magnetic strips are easy to clone with readily available and cheap card readers [17, 18]. Even though chip-based (EMV) cards have recently been gaining popularity, cards still come with magnetic strips, and it will be a while until all point-of-service devices and banks are upgraded to support only EMV cards. Unfortunately, such EMV cards are still vulnerable to cloning of the bank's certificate and to relay attacks [15, 16].

Research on shoulder-surfing resistant PIN entry is not new [19, 20]. Newer technologies, such as ubiquitous wearable devices and mobile phones, have also been utilized in developing secure PIN authentication technologies [21]. However, such devices are also considered an opportunity for more complex attacks by malicious users [22].

In this paper, we propose the Secure-PIN-Authentication-as-a-Service (SEPIA) framework to enable obfuscated PIN authentication for ATM and other point-of-service terminals using cloud-connected personal mobile and wearable devices. SEPIA allows a user to scan a QR code from the screen of a point-of-service terminal and connect to the cloud-based bank's SEPIA server to obtain secure one-time-use PIN templates. Here, a PIN template is a sequence of digits with marked positions for the user to enter the actual PIN code. The QR code scanning is done using wearable devices, such as the Google Glass¹ wear. The SEPIA service can also be used with a smart phone. The protocol is immune to shoulder-surfing attackers, and ensures resistance against relay and replay attacks by proving co-location with the ATM terminal to the cloud-based bank's server. Our design requires minimal overhead computation on the personal devices, with most operations offloaded to the cloud, and does not impose any hardware-oriented requirements on the terminals.

Contributions: The contributions of this paper are summarized as follows:

1) We have proposed Secure-PIN-Authentication-as-a-Service (SEPIA), a secure obfuscated PIN-based authentication protocol for point-of-service terminals using cloud-connected personal devices. The proposed protocol works with a wearable or mobile device to allow an obfuscated PIN template entry and is resistant to shoulder-surfing, relay, and replay attacks.
2) We have implemented a proof-of-concept prototype for the SEPIA service, using a cloud-based bank server, a desktop-based Java ATM imitating application on Raspberry Pis, and user applications for both Google Glass and Android phones.
3) The implemented SEPIA prototype applications were used to perform experimental analysis, as well as a usability study to investigate the human factors involved in the SEPIA protocol.

The rest of the paper is organized as follows. Section II describes the threat and the system model. The SEPIA protocol is presented in Section III. We present a security analysis of the design in Section IV. Section V presents the implementation and experiments for the proof-of-concept SEPIA components. A usability study is presented in Section VI. The related works and conclusion are presented in Sections VII and VIII respectively.

II. THE SEPIA MODEL

The SEPIA architecture is a protocol for secure ATM point-of-service user authentication using obfuscated PIN codes.
In this section, we present the threat and system model to illustrate the functionality of the proposed SEPIA architecture.

A. Threat Model

The SEPIA threat model defines the assets and the attacker's capabilities in the process of ATM authentication using PIN codes.

1) Assets: The asset for ATM point-of-service authentication is primarily the user's PIN code. The PIN is secret information known only to the user of the card, and is used by the user to authenticate at the ATM along with the credit and/or debit card.

2) Attacker's Capability: In the scenario where a user has presented a credit or debit card at an ATM and is about to present the PIN code for authentication, the following are considered to be the potential attacks by a malicious entity:

1) The attacker can stand in the queue behind the authenticating person, look at the PIN entry, and execute a shoulder-surfing or observation attack [19]. The attacker may also install a small camera on the top surface of the ATM terminal to record PIN entries of users at the point-of-service.
2) A bystander may be successful in a partial observation attack, where he is only able to see part of the user's PIN entry. Given that most PIN codes are 4 digits long, the probability of a PIN-guessing attack still persists.
3) The attacker works at a local restaurant and owns a cheap and readily available card cloning device. A user may visit the restaurant, and when the user pays with the credit or debit card, the attacker clones the customer's card [14, 17, 18].
4) The attacker has installed a card skimming device on the ATM machine to get hold of the user's card information. Such devices fit at the card slot on ATM machines and record the card information as users slide in their cards [23].
5) The attacker can execute a relay attack on the user's card. The attacker operates a modified ATM terminal, and uses relayed card information from an actual credit card user to make payments at another remote terminal [16].
6) The attacker has installed a legitimate-looking ATM terminal. Users are therefore tricked into thinking the terminal is a valid ATM, insert their credit/debit card, and lose the card information.
7) The user uses an advanced credit/debit card PIN protection service based on memorability and graphical image recall [13]. An attacker keenly follows the user's entry procedure, or uses a mobile phone camera to record it, gains knowledge of the user's graphical password entry, and is successful in executing a shoulder-surfing attack.
8) An attacker can execute an intermediate interaction attack. In this case, the attacker finds a way to steal the information when the user has been distracted for some reason and exposes the credentials to the attacker.
9) The user utilizes a mobile or wearable device, such as Google Glass, to perform secure PIN authentication at the ATM terminal [21]. Unfortunately, the user loses the mobile phone or the Google Glass. The information stored on the device is therefore also lost, and lets an attacker gain knowledge of the user's credentials.

¹ Google Glass https://www.google.com/glass/start/

B. System Model

Next, we define the SEPIA system model, which will allow credit/debit card users to perform secure obfuscated PIN authentication at ATM point-of-service terminals. SEPIA is dependent on three entities: the user, the ATM terminal, and the bank server.

[Fig. 1: The Secure-PIN-Authentication-as-a-Service (SEPIA) for Obfuscated PIN Authentication for ATM using Personal Mobile and Wearable Devices (e.g. Google Glass). Labels recoverable from the figure: 1. Touch screen to initiate; 3. Generate [PIN_Template, Tran_ID]; 5. Generate QR [Loc_ID, Req_ID, Tran_ID]; 6. Scan QR Code; 8. Transaction Request Verification; 10. [PIN on PIN_Template]; 11. Verify PIN.]

SEPIA Server: The SEPIA server is a cloud-based server owned by the bank, and stores the users' SEPIA service profiles. The server incorporates a callable API server to communicate with the user application and the ATM terminal. In our case, we have considered RESTful APIs [24] over HTTPS and client-side certificate verification for all communication.

Point-of-Service Terminal: The ATM point-of-service terminal has a unique location identifier, Loc_ID, which is approved and assigned by the bank. The ATM incorporates network connectivity and can communicate with the bank over a secure connection.

User: The user owns a credit/debit card along with a valid PIN code for authentication at the point-of-service terminal. The user owns a personal wearable device, such as the Google Glass, for using the SEPIA service for secure obfuscated PIN authentication. The user may also choose to use a mobile device for the SEPIA service. However, the larger and relatively impersonal display on the mobile device, compared to the Google Glass, creates some vulnerability to observation attacks. The SEPIA application is installed on the Google Glass or the mobile device. Initially, the user generates a username and password pair to be used for SEPIA on the Google Glass SEPIA app. The mobile application requires the user to log in using the SEPIA username and password.
The web-based SEPIA service on the cloud allows the user to store and save the SEPIA username/password information, which is later used during the SEPIA protocol. The user can create a new password at any time, and update it on the bank website and the SEPIA application on the device(s) accordingly.

III. THE SEPIA PROTOCOL

The SEPIA protocol involves mutual interaction between all three pairs of entities: the user and the ATM, the ATM and the bank, and the user and the bank, as shown in Figure 1. The sequence of interactions and messages in the SEPIA protocol is described as follows.

Step 1 [Initiation]: The user, along with the personal mobile or wearable device, approaches the ATM to perform a secure transaction. The ATM screen displays a "Touch to begin" information screen by default. The user touches the screen (or presses the button) to initiate the protocol.

Step 2 [ATM Transaction Request]: At this point, the ATM sends an ATM_TRAN_REQ message to the bank's secure server. The structure of the message is defined as:

    ATM_TRAN_REQ [Req_ID, Loc_ID]    (1)

Here, the Req_ID is a request identifier which is generated by the ATM for the current transaction request. The Loc_ID is the unique and verified identifier for the particular ATM point-of-service assigned by the bank.

Step 3 [PIN Template Generation]: Upon receiving the ATM_TRAN_REQ message from the ATM, the bank generates a transaction identifier, Tran_ID, for this particular ATM transaction request. The bank then generates an obfuscated numeric template, PIN_Template, for the transaction to be made at the ATM point-of-service. The PIN template is an N-digit numeric pattern, where N 2P, and P is the length of the PIN code required by the bank for the users. The PIN template is generated using a random N-digit generator, with a total of P digits marked as * at random places. For example, 8-digit PIN templates for a 4-digit PIN may look like [4 8 * * 2 9 * *], [* * * * 6], etc.
Finally, the bank creates a record, REC, for the received ATM_TRAN_REQ message, and stores it in the local database.

    REC [Req_ID, Loc_ID, Tran_ID, Validity, PIN_Template, TS, IsUsed]    (2)

Here, TS is the timestamp at which the ATM_TRAN_REQ message was received by the bank from the ATM. The bank can specify a time limit for the PIN template. The bank stores the Validity as the maximum period of time (e.g. 30 seconds) within which the PIN template has to be used. A Validity value that is too low will require the user to perform the ATM authentication very fast, while a higher value will make the system vulnerable to relay and replay attacks. Additionally, the IsUsed flag is set to FALSE and is saved to keep track of whether the particular transaction request has been successfully completed or not.

Step 4 [ATM Transaction Response]: Next, the bank server responds to the transaction request made by the ATM using an ATM_TRAN_RES message. The structure of the message is defined as:

    ATM_TRAN_RES [Tran_ID, Validity, PIN_Template]    (3)

Here, the Tran_ID is the identifier generated by the bank for this particular transaction request. The PIN_Template is the numeric N-digit template generated by the bank. The bank also sends the Validity token, a timer for the maximum allowed time limit for the particular PIN template and transaction request for the current user.

Step 5 [QR Code Generation]: Once the ATM receives the ATM_TRAN_RES message, it extracts the Tran_ID and generates a quick response (QR) code [25]. The QR code is generated from the following context:

    QR Code [Loc_ID, Req_ID, Tran_ID]    (4)

Here, the Loc_ID, Req_ID, and Tran_ID are the location, request, and transaction identifiers respectively. The QR code is then displayed on the ATM screen.

Step 6 [QR Code Scan]: At this point, the user is able to see the QR code displayed on the ATM screen. The user then uses his personal mobile or wearable device running the SEPIA application to scan the QR code. The advantage of using a personal wearable device, such as the Google Glass, is that the messages displayed in the next phases are only visible to the interacting user. Upon a successful QR code scan, the Loc_ID, Req_ID, and Tran_ID are transferred to the user's device from the ATM screen.

Step 7 [User Transaction Request]: Once the user scans the QR code on the ATM screen, a USR_TRAN_REQ message is created and sent to the bank server over a secure communication channel.
The structure of the USR_TRAN_REQ message is as follows:

    USR_TRAN_REQ [Username, Password, Loc_ID, Req_ID, Tran_ID]    (5)

In this message, the Loc_ID, Req_ID, and Tran_ID have been obtained from the QR scan, and the username and password are the user's personal SEPIA service settings, which have been previously saved on the bank's website.

Step 8 [Transaction Request Verification]: The bank's cloud-based server receives the USR_TRAN_REQ message from the user's personal mobile or wearable device. The bank then executes the transaction request verification algorithm in the cloud, and responds to the user's personal device. The transaction verification algorithm is given in Table I.

    transaction_request_verify(USR_TRAN_REQ) {
        (uname, pwd, locid, reqid, tranID) <- parse(USR_TRAN_REQ);
        success <- authenticate_user(uname, pwd);
        if (success) then:
            REC <- get_rec(locid, reqid, tranID);
            if (REC != null) then:
                currtime <- get_system_time();
                if ((currtime - REC.TS) < REC.Validity) then:
                    if (REC.IsUsed == FALSE) then:
                        update(REC.IsUsed, TRUE);
                        return (success, REC);
                    else:
                        return (failure, "Repeated transaction");
                else:
                    return (failure, "Expired transaction");
            else:
                return (failure, "Invalid transaction request");
        else:
            return (failure, "Invalid user");
    }

TABLE I: SEPIA Transaction Request Verification Algorithm

Initially, the USR_TRAN_REQ is parsed to obtain the username, password, Loc_ID, Req_ID, and Tran_ID. The username/password is used to validate a user for the SEPIA service offered by the bank. If authentication is unsuccessful, the process returns with a failure message and the reason "Invalid user".
If successful, the Loc_ID, Req_ID, and Tran_ID are used to locate the transaction record, REC, in the bank's database. If a REC is not found, the process returns with a failure status and the reason "Invalid transaction request". Given that a REC is found in the database, the current system time is then compared to the saved timestamp, TS, within the REC. The time difference must be less than the allowed validity period for the ATM transaction by the user. If the time difference is above the allowed limit, the process returns a failure status and the reason "Expired transaction". If the transaction request is still valid, the process then checks whether IsUsed is set to FALSE or not. If it is set to TRUE, this means that this is a replay attack, and the process returns a failed status with the failure reason "Repeated transaction". Given that the IsUsed flag is FALSE, the process updates the IsUsed flag in REC to TRUE and returns a success status along with the retrieved REC.

Step 9 [User Transaction Response]: Given that the transaction request verification algorithm returns a success, the bank server then constructs a USR_TRAN_RES and sends it back to the user. The structure of the message is shown below:

    USR_TRAN_RES [Status, [PIN_Template, Rem_Validity] [Reason] ]    (6)

Here, the status corresponds to the success of the USR_TRAN_REQ sent earlier. The PIN_Template is obtained from the corresponding REC found in the request verification phase. Finally, the Rem_Validity is the remaining time for the validity of the ATM transaction for the current user. This is calculated as follows:

    Rem_Validity = REC.Validity - (Current System Time - TS)

Alternatively, if the status is a failure in the request verification phase, the message includes a Reason for the failure.

Step 10 [Obfuscated PIN Input]: Given that the user received a success status in the USR_TRAN_RES message, the PIN_Template is then displayed on the user's personal mobile or wearable device. In the case of a mobile (smart) phone, the PIN_Template is displayed and visible on the phone screen, and it is up to the user to prevent other people from peeking at the phone screen. If using a Google Glass, the user does not need to worry about shoulder surfers, as the PIN_Template will only be visible to the user. The user then enters the P-digit PIN code obfuscated within the N-digit PIN_Template on the ATM's input screen. For example, the user is displayed the following 8-digit PIN_Template: [4 8 * * 2 9 * *]. Assuming that the 4-digit PIN for the user is [ ], the user enters the following obfuscated PIN [ ].

Step 11 [PIN Verification]: The ATM receives the user's obfuscated PIN input on the screen. The PIN_Template which the ATM received earlier in the ATM_TRAN_RES message is then used to extract the P-digit PIN code obfuscated within the N-digit PIN_Template. The extracted PIN is then used by the ATM to authenticate the user, which completes the SEPIA protocol.

IV. DESIGN ANALYSIS

This section presents the security and architectural design analysis for the proposed SEPIA architecture with respect to the threats mentioned in the SEPIA model in Section II.

The SEPIA protocol requires a personal wearable device, such as Google Glass, for performing the obfuscated PIN authentication. The system also supports any other (smart) mobile device to be used with the service.
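
The template handling of Steps 3, 10 and 11, as an added example that is not code from the paper or its prototype. It assumes the PIN digits fill the marked positions from left to right and that the ATM rejects an entry whose non-marked digits differ from the template; the sample PIN 1357 is constructed. `consistent_pins` goes beyond the three steps and counts the PINs that remain consistent with one observed entry, a figure to look at when choosing N.

```python
import secrets
from itertools import combinations

MARK = "*"  # marked position where the user enters one PIN digit

PAGE_TEMPLATE = list("48**29**")  # the [4 8 * * 2 9 * *] template from Step 10
SAMPLE_PIN = "1357"               # constructed; the paper's sample PIN is not legible


def make_template(pin_len=4, n=8):
    """Bank side (Step 3): N random digits with pin_len positions marked '*'.

    Draws from the OS CSPRNG; the paper's prototype used the Java random
    generator, so this choice is an assumption of the example.
    """
    if pin_len < 1 or n < pin_len:
        raise ValueError("need 1 <= pin_len <= n")
    rng = secrets.SystemRandom()
    marked = set(rng.sample(range(n), pin_len))
    return [MARK if i in marked else str(rng.randrange(10)) for i in range(n)]


def compose_entry(template, pin):
    """User side (Step 10): type the template with the PIN in the marked slots."""
    if not (pin.isascii() and pin.isdigit()) or template.count(MARK) != len(pin):
        raise ValueError("PIN must be digits, one per marked position")
    digits = iter(pin)
    return "".join(next(digits) if slot == MARK else slot for slot in template)


def extract_pin(template, entry):
    """ATM side (Step 11): recover the PIN from the typed N digits.

    Returns None when the entry is malformed or a non-marked digit differs
    from the template (assumed check, see the lead-in).
    """
    if len(entry) != len(template) or not (entry.isascii() and entry.isdigit()):
        return None
    pin, decoys_match = [], True
    for slot, typed in zip(template, entry):
        if slot == MARK:
            pin.append(typed)
        elif slot != typed:
            decoys_match = False  # keep scanning so all positions are treated alike
    return "".join(pin) if decoys_match else None


def consistent_pins(entry, pin_len):
    """PINs still consistent with one observed entry when the template is unseen.

    Every order-preserving choice of pin_len typed digits is a candidate, so
    the set holds at most C(N, P) values (70 for N=8, P=4).
    """
    positions = range(len(entry))
    return {"".join(entry[i] for i in idx) for idx in combinations(positions, pin_len)}


if __name__ == "__main__":
    typed = compose_entry(PAGE_TEMPLATE, SAMPLE_PIN)
    print("typed at the ATM :", typed)
    print("PIN extracted    :", extract_pin(PAGE_TEMPLATE, typed))
    print("candidates left  :", len(consistent_pins(typed, len(SAMPLE_PIN))))
    print("fresh template   :", " ".join(make_template()))
```
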
However, as has already been mentioned, the larger screen on the mobile device requires the user to be more careful than when using the user-only display on the Google Glass. Given that the display of the PIN_Template is protected, SEPIA ensures shoulder-surfing resistant PIN authentication. Any bystander observing or recording the PIN entry procedure will not be able to decipher the actual PIN code that pertains to the authentication of the card user.

Let us assume that a non-authorized user scans the QR code while the user is performing the authentication process. There are two possible event scenarios: the user has already scanned the QR code and sent the USR_TRAN_REQ before the attacker scans it, or the attacker scans it before the user. In the first case, the REC for that particular transaction and the PIN_Template will already be flagged as used. The attacker will therefore receive a "Repeated transaction" error code. In the second case, the user will receive the "Repeated transaction" error, in which case the whole procedure can be restarted securely.

In case an attacker attempts to perform the terminal authentication with the PIN code of a cloned card, the attacker will still require the username/password information. Without the SEPIA service username/password information, which is registered on the bank's website, the attacker will receive the "Invalid user" error status. Even with video recording bugs on an ATM terminal, or bystanders recording the PIN entry procedure with mobile cameras, the user is still protected from being exploited, due to the one-time-use PIN_Template. Additionally, the N-digit PIN_Template offers 10^(N-P) more numeric combinations for the PIN entry procedure. This makes the task of PIN-guessing with partial observation attacks much more difficult.

The user proves co-location with the ATM terminal to the SEPIA server using the corresponding Req_ID, Loc_ID, and Tran_ID.
Therefore, delegating information to a remote terminal and executing a relay attack becomes impossible. A tainted ATM terminal will not hold a valid Loc_ID, which has to be assigned by the bank. As a result, the Tran_ID for the requested transaction will not be validated by the bank, and the SEPIA server will respond with an "Invalid transaction request" error. Similarly, the one-time-use PIN_Template and the SEPIA server generated Tran_ID also protect the user from replay attacks.

Additionally, the timed validity period for each transaction and the corresponding PIN_Template protects users from intermediate interaction attacks. Given that the SEPIA service only allows the PIN_Template to be used for the Rem_Validity time (e.g. 20 seconds), the transaction request expires and the user has to start the process from the beginning. Therefore, only an active interaction of the user at the point-of-service will allow the authentication process to be successful.

Finally, if the user loses his personal mobile or wearable device, the credentials are still safe with the user. Unlike other works [21], the devices do not store any information, such as certificates, to decrypt the one-time PIN. Instead, the username/password information is used to retrieve the PIN_Template securely from the SEPIA service API, and then the PIN code is mapped by the user onto the PIN_Template for obfuscated authentication. The SEPIA protocol therefore protects the users even after their personal devices are lost.

Unlike other previously proposed schemes [26], the SEPIA service running on the cloud performs the majority of the operation by allowing the user's device to offload the transaction request verification process. The user's personal mobile or wearable device merely acts as a requestor and receiver of the PIN_Template from the cloud server. Moreover, SEPIA does not require any hardware upgrades to currently operating ATM or point-of-service terminals.
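
The scenarios analysed in this section, run against the Table I checks, as an added example that is not the paper's prototype code. The class and function names, the accounts and the identifiers are constructed; holding a lock around the IsUsed test and update, so that two simultaneous scans of one QR code cannot both succeed, is an assumption of this sketch that the pseudocode leaves implicit.

```python
import hmac
import threading
import time
import uuid
from dataclasses import dataclass


@dataclass
class Rec:  # the REC fields of Step 3
    req_id: str
    loc_id: str
    tran_id: str
    validity: float
    pin_template: str
    ts: float
    is_used: bool = False


class SepiaServer:
    """Hypothetical in-memory stand-in for the bank's SEPIA server."""

    def __init__(self, approved_loc_ids, users, clock=time.monotonic):
        self._locs = set(approved_loc_ids)
        self._users = dict(users)  # plaintext only to keep the sketch short
        self._recs = {}
        self._lock = threading.Lock()
        self._clock = clock

    def atm_tran_req(self, req_id, loc_id, pin_template, validity=30.0):
        """Steps 2-4: store a REC and return the ATM_TRAN_RES fields."""
        if loc_id not in self._locs:
            return None  # assumed: no REC is created for an unassigned Loc_ID
        tran_id = uuid.uuid4().hex  # 32 characters, as in the prototype
        rec = Rec(req_id, loc_id, tran_id, validity, pin_template, self._clock())
        with self._lock:
            self._recs[(loc_id, req_id, tran_id)] = rec
        return tran_id, validity, pin_template

    def usr_tran_req(self, uname, pwd, loc_id, req_id, tran_id):
        """Step 8: the Table I checks, in the same order."""
        stored = self._users.get(uname, "")
        same = hmac.compare_digest(stored.encode(), pwd.encode())
        if uname not in self._users or not same:
            return ("failure", "Invalid user")
        with self._lock:  # test and set IsUsed as one step
            rec = self._recs.get((loc_id, req_id, tran_id))
            if rec is None:
                return ("failure", "Invalid transaction request")
            elapsed = self._clock() - rec.ts
            if elapsed >= rec.validity:
                return ("failure", "Expired transaction")
            if rec.is_used:
                return ("failure", "Repeated transaction")
            rec.is_used = True
            return ("success", (rec.pin_template, rec.validity - elapsed))


USERS = {"alice": "glass-pw", "bob": "phone-pw"}  # constructed accounts


def run_scenarios():
    now = [0.0]  # manual clock, so the expiry case needs no real waiting
    bank = SepiaServer({"ATM-0001"}, USERS, clock=lambda: now[0])

    def new_qr(req_id):  # the identifiers the ATM encodes in the QR code (Step 5)
        tran_id, _, _ = bank.atm_tran_req(req_id, "ATM-0001", "48**29**")
        return ("ATM-0001", req_id, tran_id)

    out = {}
    qr = new_qr("req-1")
    out["first scan"] = bank.usr_tran_req("alice", "glass-pw", *qr)
    out["second scan of the same QR"] = bank.usr_tran_req("bob", "phone-pw", *qr)
    out["no SEPIA account"] = bank.usr_tran_req("mallory", "guess", *new_qr("req-2"))
    qr = new_qr("req-3")
    now[0] += 31.0  # one second past the 30-second Validity
    out["late scan"] = bank.usr_tran_req("alice", "glass-pw", *qr)
    fake = ("ATM-FAKE", "req-9", uuid.uuid4().hex)  # terminal unknown to the bank
    out["unassigned Loc_ID"] = bank.usr_tran_req("alice", "glass-pw", *fake)
    return out


def concurrent_successes(n_threads=16):
    """Send one USR_TRAN_REQ from many threads; exactly one may succeed."""
    bank = SepiaServer({"ATM-0001"}, USERS)
    tran_id, _, _ = bank.atm_tran_req("req-1", "ATM-0001", "48**29**")
    args = ("alice", "glass-pw", "ATM-0001", "req-1", tran_id)
    results = []
    threads = [threading.Thread(target=lambda: results.append(bank.usr_tran_req(*args)[0]))
               for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("success")
```
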
The ATM software can be easily upgraded to incorporate the SEPIA cloud-enabled service for users with Internet-enabled devices.

V. IMPLEMENTATION

We have implemented a prototype for the proposed SEPIA protocol. The prototype consisted of a cloud-based SEPIA bank server, a Java-based desktop application to imitate the ATM terminal, and SEPIA user applications for Android and Google Glass. In this section, we present the details and the experimental results from the prototype implementation. All identifiers within the protocol were generated using the Java universally unique identifier (UUID) package for 32-character long alpha-numeric strings. Network communication between the bank server in the cloud, the ATM, and the user is done via RESTful APIs over HTTPS using a server-side certificate.

[Fig. 2: SEPIA ATM Prototype Implementation. (a) Java Desktop ATM Application Layout; (b) SEPIA ATM Application Running on Model-B Raspberry Pis.]

A. Bank Server Web Application

The SEPIA service was implemented as a web-based application on a cloud instance using Apache Tomcat [27]. The server was deployed in an Amazon EC2 t2.small instance running Ubuntu Server. The back-end was implemented using a MySQL database, which was running on the same cloud instance. The response and control logic was developed using JavaServer Pages. The application generates 8-digit PIN Templates based on the Java random generator. The first step creates an 8-digit random number, and then replaces 4 random places to create the PIN Template.

B. ATM Point-of-Service Terminal Application

A real-life ATM terminal context is difficult to simulate within the lab environment. To analyze the complexity of the proposed protocol, we developed an imitated scenario for the ATM point-of-service using a graphical desktop application. The application was developed using Java, with an intuitive interface similar to an ATM banking application. The graphical interface for the ATM application is shown in Figure 2a. The ATM application communicates with the bank server over HTTPS using client-side verification. The application was executed on Model B Raspberry Pis² with 512 MB RAM and cable network connectivity to communicate with the bank server, as shown in Figure 2b. The application had a start screen with a Start label to indicate to users to begin interacting with the ATM for a transaction.
Once clicked, the application displayed a QR code of dimension 200px*200px, along with a numeric keypad for the user to enter the PIN template.

² Raspberry Pi

[Fig. 3: SEPIA Google Glass Application User Flow. Screens shown: OK Glass; Tap to start; Start SEPIA; Create New Password (Creates New Google Glass Password; New Password abcdefgh); Scan Code (Start Camera View; Scan QR code); Display PIN Template (PIN Template 3 4 * * 9 * * 0).]

C. SEPIA User Application

We developed the SEPIA user application for both Android mobile devices and the Google Glass. The Google Glass is a ubiquitous wearable device with a display viewable only to the person wearing the glass. The device therefore inherently filters off the imminent threats of observation attacks. The user control flow for the Google Glass interface is shown in Figure 3.

The Google Glass application operates by displaying option cards to the user. Once the application is launched, there are two options: Create New Password, and Scan Code. We implemented a new password creation option for the Google Glass for reasons of usability. It is not a trivial task to provide manual inputs on the Google Glass device. Therefore, a user is expected to create a new password for the SEPIA Google Glass application. The new password is then displayed on the screen for the user, who can enter and save it on the SEPIA service profile on the bank's website. The other option, for scanning the code, starts the camera view. Once the user has successfully scanned the QR code, the protocol is automatically triggered and the PIN Template is displayed on the screen.

The Android mobile application follows a similar user flow. However, the mobile application does not have the new password creation option. Rather, it has a username/password based login panel to log in to the SEPIA application. After the user logs in, the QR code can be scanned, and the PIN Template will be displayed after the protocol is executed.

D. Performance Experiment

The SEPIA protocol introduces two additional message exchanges compared to the single verification request in regular PIN validation protocols. The two message interactions are the ATM_TRAN_REQ and ATM_TRAN_RES messages between the point-of-service and the bank server, and the USR_TRAN_REQ and USR_TRAN_RES messages between the user and the bank server. We measured the time required for the two pairs of message interactions with the bank server for a total of 10,000 requests and responses.

[Fig. 4: Time Measurements between SEPIA Requests and Responses. (a) ATM_TRAN_REQ & ATM_TRAN_RES; (b) USR_TRAN_REQ & USR_TRAN_RES.]

1) ATM Request: The plot for sending and receiving 10,000 ATM_TRAN_REQ and ATM_TRAN_RES messages is displayed in Figure 4a. The plot also shows the line for the lambda-connectedness of the time measurement. The mean time required for sending and receiving the total 10,000 messages was milliseconds, with a standard deviation of milliseconds. The 25% and 75% quartiles were at milliseconds and milliseconds respectively. Even though measured in a small-scale controlled environment, the results show negligible time requirements in terms of the request and response processing.

2) User Request: The user request times are measured between the USR_TRAN_REQ and USR_TRAN_RES messages. Figure 4b illustrates the scatter plot for the measured times between the 10,000 request-response pairs. The mean required time was at milliseconds, with a standard deviation of milliseconds. The 25% and 75% quartiles were at milliseconds and milliseconds respectively. The time between the user request and response is more than that of the ATM's. The minimal increase in this case is due to the verification algorithm which runs on the bank server to verify the USR_TRAN_REQ request and ensure the security of the SEPIA protocol. The required time is still not a major overload in terms of the system overhead.

VI. USABILITY STUDY

The implemented SEPIA prototype was used to perform a usability study. In this case, we focused on the human factors involved in the operation of the SEPIA service. The study consisted of 8 participant users and their timing measurements while interacting with the SEPIA service. We measured the times required for users to scan QR codes using both the Android mobile application and the Google Glass, as well as the times required to enter the PIN code using the PIN Template.

A. Demographics and Procedure

The usability study was conducted with 8 SEPIA participant users. There were 4 male users within the age range of 27 and 34, and 4 female users within the age range of 22 and 28. Most participants had never used a Google Glass before.
The participants were therefore provided a short tutorial on the use of Google Glass. The data collection procedure was then described to the users as follows:

1) The participants were provided with a pre-defined PIN code, and were given approximately 10 minutes to register the information in their short-term memory.
2) To observe the comfort of users scanning QR codes with mobile devices, the QR code displayed on the SEPIA ATM was scanned 10 times by each participant.
3) Next, each participant used the Google Glass SEPIA application to scan the QR code 10 times from the SEPIA ATM application.
4) The ATM application interface was then used for each of the participants to enter their PIN code 10 times.
5) Next, the participants were asked to use the SEPIA protocol to obtain a PIN template and enter the same PIN, but this time, using the PIN template. The procedure was repeated 10 times for each participating user.

B. QR Code Scanning

We asked the participants to scan the SEPIA QR code using both the Google Glass and the Android application. In both cases, the users performed the QR scan at least 10 times. The Android phone, being a more convenient and familiar device, was easier for the users to use. This was an anticipated outcome, as the Google Glass is not yet a very common gadget for the participants to own. The QR scan times for both Google Glass and the Android phone for each of the 8 users are shown in Figure 5a. The smaller box plots for the phone measurements compared to Google Glass show that the users displayed more consistent behavior while scanning the QR codes with their phones. However, we observed that the usability and convenience of using the Google Glass to carry out the operation improved even within the 10 times the users performed the QR scan. The highest points for each of the users were among the first few attempts, which drastically improved for all users with repeated trials.

[Fig. 5: QR Code (200px*200px) Scan Times using Mobile Phone and Google Glass. (a) User-wise Distribution of QR Scan Times; (b) Aggregate Data Distribution for QR Scan Times]

We also show the aggregated data distribution for the QR scan times in Figure 5b. The figure also displays the box plot for the mean and the quartiles for the data including the outliers. The mean times required for scanning the QR code using the phone and Google Glass were 4.75 seconds and seconds respectively. The quartiles (25%, 50%, 75%) for the phone were at 3.80 seconds, 4.44 seconds, and 5.05 seconds respectively. The quartiles (25%, 50%, 75%) for the Google Glass were at 7.13 seconds, seconds, and seconds respectively. We saw an overall approximate difference of 8 to 10 seconds between the QR scan times for the phone and the Google Glass. Additionally, these measurements were for participants who were probably using Google Glass for the first time. This is not a major usability concern for the users, given that we observed the gradual improvement in their use of Google Glass with subsequent trials. Another important factor was the size of the QR code which was being displayed. To introduce the maximum constraint on the users, we generated 200px*200px sized QR images. The performance of scanning using the Google Glass is expected to increase with larger sizes of QR-code images.

C. PIN and Obfuscated PIN Entry

The participants were asked to perform two procedures. Initially, they were asked to enter only the 4-digit PIN code. The distribution of the time taken and the quartile ranges for the 8 participants for the simple PIN entry is shown in Figure 6a, and the corresponding success/failure ratio is shown in Figure 7a. The mean time taken by all the participants for only the successful attempts was milliseconds.

[Fig. 6: Time Required by Participants. (a) Only PIN; (b) PIN on PIN Template]

Next, the participants entered the PIN using the PIN Template. We measured two time segments: the response time and the entry time. The response time was the time required for the users to look at the current PIN Template and start the process of entering the numbers. The entry time is the time required for the numbers to be entered as the user mentally superimposes the PIN on the PIN Template. The measured times for all participants are shown in Figure 6b, and the corresponding success/failure ratio is shown in Figure 7b. The mean response and entry time for all successful attempts was milliseconds and milliseconds respectively. The time difference between the two cases allowed us to compare the additional overhead that is being imposed on the users.
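An added sketch, not the authors' prototype code, of how a server could issue and check a one-time PIN template of the kind the participants used above. The template format (slot marker `P` mixed with random filler digits), the names `make_template`, `superimpose` and `TemplateServer`, the sample account and PIN, and the 60-second lifetime are all assumptions made for illustration.

```python
"""One-time PIN template handling (illustrative sketch, assumed format)."""
import hmac
import secrets
import time

SLOT = "P"  # assumed marker meaning "type your next PIN digit here"


def make_template(pin_len=4, fillers=4):
    """Return a random template: pin_len slots mixed with filler digits."""
    cells = [SLOT] * pin_len + [str(secrets.randbelow(10)) for _ in range(fillers)]
    # Fisher-Yates shuffle driven by the CSPRNG, so slot positions are unpredictable.
    for i in range(len(cells) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        cells[i], cells[j] = cells[j], cells[i]
    return "".join(cells)


def superimpose(pin, template):
    """The string a user types: PIN digits in the slots, filler digits elsewhere."""
    if template.count(SLOT) != len(pin):
        raise ValueError("template slots do not match PIN length")
    digits = iter(pin)
    return "".join(next(digits) if cell == SLOT else cell for cell in template)


class TemplateServer:
    """Issues templates bound to a transaction id and verifies each at most once."""

    def __init__(self, pins, ttl=60.0, clock=time.monotonic):
        # Constructed sample data. Plaintext PINs keep the sketch short;
        # they are not a storage recommendation.
        self._pins = pins
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # txn_id -> (account, template, expires_at)

    def issue(self, account):
        """Create a fresh template; it is sent to the user's device, not the terminal."""
        txn_id = secrets.token_hex(8)
        template = make_template(len(self._pins[account]))
        self._pending[txn_id] = (account, template, self._clock() + self._ttl)
        return txn_id, template

    def verify(self, txn_id, entered):
        """Check the digits typed at the terminal against the pending template."""
        # pop() consumes the template on the first attempt, right or wrong,
        # so a recorded entry cannot be replayed against the same transaction.
        record = self._pending.pop(txn_id, None)
        if record is None:
            return False
        account, template, expires_at = record
        if self._clock() > expires_at:
            return False
        expected = superimpose(self._pins[account], template)
        # Constant-time comparison; unequal lengths simply compare as False.
        return hmac.compare_digest(expected.encode(), entered.encode())


def demo():
    """Return (first attempt, replay of the same entry, plain PIN on a new template)."""
    server = TemplateServer({"acct-1": "4929"})  # constructed account and PIN
    txn, template = server.issue("acct-1")
    typed = superimpose("4929", template)  # all that an observer at the keypad sees
    first = server.verify(txn, typed)
    replay = server.verify(txn, typed)
    txn2, _ = server.issue("acct-1")
    plain = server.verify(txn2, "4929")
    return first, replay, plain


if __name__ == "__main__":
    print(demo())
```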
The total mean time difference, including the response and entry time, between simple PIN entry and SEPIA was seconds. This can be considered a minimal amount of additional time that the users spent on SEPIA compared to the simple PIN entry. We also observed that the users performed better after a few attempts. Initial attempts took longer than the subsequent ones. This can be seen from the small interquartile range for the PIN Template entry compared to its maximum value. Additionally, the number of failed attempts was also minimal, with a total of only 5% failed attempts, compared to 2.5% for the simple PIN entry.

[Fig. 7: Success/Failure Ratio for Each Participant. (a) Only PIN; (b) PIN on PIN Template]

VII. RELATED WORK

Luca et al. in [2] and Bhatla et al. [6] have presented an analysis of credit card fraud schemes and loopholes exploited by attackers. Asokan et al. [28] have analyzed the attacks on compromised ATM terminals and presented approximate solutions for the identified security issues. Relay attacks, particularly on credit cards, have been studied by Drimer et al. [16]. Coventry et al. [1] proposed a biometric-based authentication scheme for ATMs. Raj et al. [3] and Sethi et al. [4] have presented surveys on numerous advanced credit card fraud detection mechanisms. The protocol design for the SEPIA service addresses these possible credit card attacks.

Modern solutions for secure financial transactions involve card-less interactions, where users generally rely on a secondary device to perform the operation [7, 8]. However, such solutions have also triggered an increase in stolen credentials, which occur with lost devices. There are numerous game-based authentication techniques, such as the cognitive trapdoor game [29], used to secure PIN entry and authentication for ATMs.
Unfortunately, these cognition-centric designs for security will always have limited usability for general users. Sasamoto et al. [13] presented Undercover, a shoulder-surfing resistant PIN authentication. Luca et al. presented Vibrapass [26], which uses the phone's vibration channel as a tactile input for preventing shoulder-surfing. These solutions rely on additional hardware requirements at the ATM terminals and may not be a ready-to-deploy solution for secure PIN authentication. SEPIA can work with currently supported hardware on ATM and point-of-service terminals.

Lee et al. have presented a similar PIN-mapping technique in [19], and proposed quantitative techniques to evaluate the security of PIN-based authentication approaches. With the introduction of modern devices such as the Google Glass, the usability of such secure systems can be leveraged greatly. A similar work to ours, Ubic, uses Google Glass to perform decryption of an on-screen QR-based password using the client's certificate [21]. However, SEPIA does not rely on stored client certificates, and can be considered resistant to attacks even if the user loses the personal device. Moreover, the SEPIA service allows the users' devices to offload any security-critical operations to the cloud and is highly scalable without imposing any resource-hungry operations on the personal mobile or wearable devices.

VIII. CONCLUSION

ATM authentication using PIN-based entry is highly susceptible to shoulder-surfing or observation attacks. Credit/Debit cards are also not resilient to relay and other skimming and cloning attacks. In this paper, we propose the Secure-PIN-Authentication-as-a-Service (SEPIA), a cloud-based obfuscated PIN-based authentication service for ATMs or point-of-service terminals using personal mobile or wearable devices. We have focused the security design for SEPIA on the visual privacy of users through a one-time-use PIN template, and we address the security vulnerabilities in PIN-based authentication. The protocol does not require any additional hardware support for currently operating ATM terminals and employs offloaded computation from the mobile device for verifying the transaction requests. A proof-of-concept prototype implementation was used to perform experimental analysis and a usability study. Results show that users adapt easily to the process of template-based authentication. Our future work involves applying the SEPIA service to newer application fields, such as PIN-enabled doors and visual authentication mechanisms.

ACKNOWLEDGMENT

This research was supported by a Google Faculty Research Award, the Department of Homeland Security Grant FA , and by the National Science Foundation CAREER Award CNS

REFERENCES

[1] L. Coventry, A. De Angeli, and G. Johnson, Usability and biometric verification at the ATM interface, in Proceedings of the SIGCHI conference on Human factors in computing systems. ACM, 2003, pp
[2] A. De Luca, M. Langheinrich, and H. Hussmann, Towards understanding ATM security: a field study of real world ATM use, in Proceedings of the 6th Symposium on Usable Privacy and Security. ACM,
[3] S. Raj and A. Portia, Analysis on credit card fraud detection methods, in Computer, Communication and Electrical Technology (ICCCET), 2011 International Conference on, March 2011, pp
[4] N. Sethi and A. Gera, A revived survey of various credit card fraud detection techniques, International Journal of Computer Science and Mobile Computing, vol. 3, no. 4, pp , April
[5] M. Dlamini, J. H. Eloff, and M. M. Eloff, Information security: The moving target, Elsevier Computers & Security, vol. 28, no. 3, pp , May
[6] T. P. Bhatla, V. Prabhu, and A. Dua, Understanding credit card frauds, Cards business review, vol. 1, no. 6,
[7] G. Stanley, Card-less financial transaction, Apr , US Patent App. 14/257,588.
[8] S. N. White, Secure mobile-based financial transactions, Feb 2013, US Patent 8,374,916.
[9] E. Weise, Home Depot's credit cards may have been hacked, Online at Sep 2014, usatoday.
[10] R. Khan, M. Mizan, R. Hasan, and A. Sprague, Hot zone identification: Analyzing effects of data sampling on spam clustering, Journal of Digital Forensics, Security and Law (JDFSL), vol. 9, no. 1, pp ,
[11] Bureau of Justice Statistics, Identity Theft Supplement (ITS) to the National Crime Victimization Survey, Online at content/pub/pdf/vit12.pdf.
[12] R. Anderson, Why cryptosystems fail, in Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, 1993, pp
[13] H. Sasamoto, N. Christin, and E. Hayashi, Undercover: Authentication usable in front of prying eyes, in Proceeding of The 26th Annual SIGCHI Conference on Human factors in Computing Systems. New York, NY, USA: ACM, 2008, pp
[14] M. Roland and J. Langer, Cloning credit cards: A combined pre-play and downgrade attack on EMV contactless, in Proceedings of The 7th USENIX Workshop on Offensive Technologies,
[15] R. Anderson and S. J. Murdoch, EMV: Why payment systems fail, Communications of the ACM, vol. 57, no. 6, pp , Jun [Online]. Available:
[16] S. Drimer and S. J. Murdoch, Keep your enemies close: Distance bounding against smartcard relay attacks, in Proceedings of The 16th USENIX Security Symposium, 2007, pp
[17] S. Schaible, How thieves clone your credit cards, Online at http://www.wfla.com/story/ /credit-cards-cloned, Jul 2014, WFLA News Report.
[18] J. Kegley, Financial crimes: Credit card cloning is a growing form of identity theft, Online at /financial-crimes-credit-card-cloning.html, Jun
[19] M.-K. Lee and H. Nam, Secure and usable PIN-entry method with shoulder-surfing resistance, in HCI International 2013-Posters Extended Abstracts. Springer, 2013, pp
[20] M.-K. Lee, Security notions and advanced method for human shoulder-surfing resistant PIN-entry, IEEE Transactions on Information Forensics and Security, vol. 9, no. 4, pp , April
[21] J. Hsu, How Google Glass can improve ATM banking security, Online at Mar 2014, IEEE Spectrum.
[22] S. Safavi and Z. Shukur, Improving Google Glass security and privacy by changing the physical and software structure, Life Science Journal, vol. 11, no. 5, pp ,
[23] B. Krebs, Would you have spotted the fraud? Online at http://krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/, Jan 2010, Krebs on Security, In-depth security news and investigation.
[24] L. Richardson and S. Ruby, RESTful web services. O'Reilly Media, Inc.,
[25] Y. Liu, J. Yang, and M. Liu, Recognition of QR code with mobile phones, in Control and Decision Conference, CCDC Chinese, July 2008, pp
[26] A. De Luca, E. von Zezschwitz, and H. Hußmann, Vibrapass: Secure authentication based on shared lies, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI 09. New York, NY, USA: ACM, 2009, pp
[27] A. Vukotic and J. Goodwill, Apache Tomcat 7, 1st ed. Berkeley, CA, USA: Apress,
[28] N. Asokan, H. Debar, M. Steiner, and M. Waidner, Authenticating public terminals, Computer Networks, vol. 31, no. 8, pp ,
[29] V. Roth, K. Richter, and R. Freidinger, A PIN-entry method resilient against shoulder surfing, in Proceedings of the 11th ACM Conference on Computer and Communications Security. New York: ACM, 2004, pp


More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

a. StarToken controls the loss due to you losing your Internet banking username and password.

a. StarToken controls the loss due to you losing your Internet banking username and password. 1. What is StarToken? StarToken is the next generation Internet banking security solution that is being offered by Bank of India to all its Internet Banking customers (Retail as well as Corporate). StarToken

More information

ENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY

ENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 4, April 2014,

More information

IDENTITY THEFT WHAT YOU NEED TO KNOW. Created by GL 04/09

IDENTITY THEFT WHAT YOU NEED TO KNOW. Created by GL 04/09 IDENTITY THEFT WHAT YOU NEED TO KNOW Created by GL 04/09 Table of Contents 1. What is Identity Theft? 2. How Do Thieves Steal An Identity? 3. What Do Thieves Do with Stolen Identities? 4. What Can I Do

More information

Microsoft.NET Passport, a solution of single sign on

Microsoft.NET Passport, a solution of single sign on Microsoft.NET Passport, a solution of single sign on Zheng Liu Department of Computer Science University of Auckland zliu025@ec.auckland.ac.nz Abstract: As the World Wide Web grows rapidly, accessing web-based

More information

How CA Arcot Solutions Protect Against Internet Threats

How CA Arcot Solutions Protect Against Internet Threats TECHNOLOGY BRIEF How CA Arcot Solutions Protect Against Internet Threats How CA Arcot Solutions Protect Against Internet Threats we can table of contents executive summary 3 SECTION 1: CA ArcotID Security

More information

Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

More information

Device-Centric Authentication and WebCrypto

Device-Centric Authentication and WebCrypto Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

Biometric Authentication Platform for a Safe, Secure, and Convenient Society

Biometric Authentication Platform for a Safe, Secure, and Convenient Society 472 Hitachi Review Vol. 64 (2015), No. 8 Featured Articles Platform for a Safe, Secure, and Convenient Society Public s Infrastructure Yosuke Kaga Yusuke Matsuda Kenta Takahashi, Ph.D. Akio Nagasaka, Ph.D.

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes AUTHENTIFIERS Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes Authentify delivers intuitive and consistent authentication technology for use with smartphones,

More information

Awase-E: Image-based Authentication for Mobile Phones using User s Favorite Images

Awase-E: Image-based Authentication for Mobile Phones using User s Favorite Images Awase-E: Image-based Authentication for Mobile Phones using User s Favorite Images Tetsuji TAKADA 1 and Hideki KOIKE 2 1 SONY Computer Science Laboratories Muse Bldg. 3-14-13 Higashigotanda, Shinagawa-ku,

More information

Password Management Evaluation Guide for Businesses

Password Management Evaluation Guide for Businesses Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various

More information

Secure cloud access system using JAR ABSTRACT:

Secure cloud access system using JAR ABSTRACT: Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin S. Khan

Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin S. Khan International Journal of Scientific & Engineering Research, Volume 5, Issue 7, July-2014 1410 Secured Authentication Using Mobile Phone as Security Token Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin

More information

May 2010. For other information please contact:

May 2010. For other information please contact: access control biometrics user guide May 2010 For other information please contact: British Security Industry Association t: 0845 389 3889 f: 0845 389 0761 e: info@bsia.co.uk www.bsia.co.uk Form No. 181.

More information

One Time Password Generation for Multifactor Authentication using Graphical Password

One Time Password Generation for Multifactor Authentication using Graphical Password One Time Password Generation for Multifactor Authentication using Graphical Password Nilesh B. Khankari 1, Prof. G.V. Kale 2 1,2 Department of Computer Engineering, Pune Institute of Computer Technology,

More information

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,

More information

Payment Fraud and Risk Management

Payment Fraud and Risk Management Payment Fraud and Risk Management Act Today! 1. Help protect your computer against viruses and spyware by using anti-virus and anti-spyware software and automatic updates. Scan your computer regularly

More information

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION A SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PAIRED WITH THE FACT THAT THREATS

More information

Application of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card

Application of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card Application of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card C. Koner, Member, IACSIT, C. T. Bhunia, Sr. Member, IEEE and U. Maulik, Sr. Member, IEEE

More information

Guide to Evaluating Multi-Factor Authentication Solutions

Guide to Evaluating Multi-Factor Authentication Solutions Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor

More information

White Paper: Are there Payment Threats Lurking in Your Hospital?

White Paper: Are there Payment Threats Lurking in Your Hospital? White Paper: Are there Payment Threats Lurking in Your Hospital? With all the recent high profile stories about data breaches, payment security is a hot topic in healthcare today. There s been a steep

More information

PINsafe Multifactor Authentication Solution. Technical White Paper

PINsafe Multifactor Authentication Solution. Technical White Paper PINsafe Multifactor Authentication Solution Technical White Paper Abstract PINsafe is a flexible authentication solution that offers a wide range of authentication models. The use of the patented one-time

More information

Securing Virtual Desktop Infrastructures with Strong Authentication

Securing Virtual Desktop Infrastructures with Strong Authentication Securing Virtual Desktop Infrastructures with Strong Authentication whitepaper Contents VDI Access Security Loopholes... 2 Secure Access to Virtual Desktop Infrastructures... 3 Assessing Strong Authentication

More information

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

More information

Accessing the bank account without card and password in ATM using biometric technology

Accessing the bank account without card and password in ATM using biometric technology Accessing the bank account without card and password in ATM using biometric technology Mini Agarwal [1] and Lavesh Agarwal [2] Teerthankar Mahaveer University Email: miniagarwal21@gmail.com [1], lavesh_1071985@yahoo.com

More information

Welcome Guide for MP-1 Token for Microsoft Windows

Welcome Guide for MP-1 Token for Microsoft Windows Welcome Guide for MP-1 Token for Microsoft Windows Protecting Your On-line Identity Authentication Service Delivery Made EASY Copyright 2012 SafeNet, Inc. All rights reserved. All attempts have been made

More information

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

Whitepaper on AuthShield Two Factor Authentication with ERP Applications Whitepaper on AuthShield Two Factor Authentication with ERP Applications By INNEFU Labs Pvt. Ltd Table of Contents 1. Overview... 3 2. Threats to account passwords... 4 2.1 Social Engineering or Password

More information

Two-Factor Authentication: Guide to FEXCO CFX SMS/APP Verification

Two-Factor Authentication: Guide to FEXCO CFX SMS/APP Verification Guaranteeing you the Highest Levels of Security Online At FEXCO CFX, we are dedicated to ensuring that our clients enjoy the highest standards of security. In order to combat the risk of online fraud and

More information

IMPLEMENTING FORENSIC READINESS USING PERFORMANCE MONITORING TOOLS

IMPLEMENTING FORENSIC READINESS USING PERFORMANCE MONITORING TOOLS Chapter 18 IMPLEMENTING FORENSIC READINESS USING PERFORMANCE MONITORING TOOLS Franscois van Staden and Hein Venter Abstract This paper proposes the use of monitoring tools to record data in support of

More information

RSA SecurID Software Token 1.0 for Android Administrator s Guide

RSA SecurID Software Token 1.0 for Android Administrator s Guide RSA SecurID Software Token 1.0 for Android Administrator s Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,

More information

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information

More information

CA ArcotOTP Versatile Authentication Solution for Mobile Phones

CA ArcotOTP Versatile Authentication Solution for Mobile Phones PRODUCT SHEET CA ArcotOTP CA ArcotOTP Versatile Authentication Solution for Mobile Phones Overview Consumers have embraced their mobile phones as more than just calling or texting devices. They are demanding

More information

Global Deployment of Finger Vein Authentication

Global Deployment of Finger Vein Authentication Global Deployment of Finger Vein Authentication Hitachi Review Vol. 61 (2012), No. 1 35 Yutaka Matsui Akihito Sawada Shigenori Kaneko Yuji Nakamaru Ravi Ahluwalia Dipak Kumar OVERVIEW: Finger vein authentication

More information

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION A RECENT SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PARED WITH THE FACT THAT

More information

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to

More information

Design and Analysis of Methods for Signing Electronic Documents Using Mobile Phones

Design and Analysis of Methods for Signing Electronic Documents Using Mobile Phones Design and Analysis of Methods for Signing Electronic Documents Using Mobile Phones Pramote Kuacharoen School of Applied Statistics National Institute of Development Administration 118 Serithai Rd. Bangkapi,

More information

Moving to Multi-factor Authentication. Kevin Unthank

Moving to Multi-factor Authentication. Kevin Unthank Moving to Multi-factor Authentication Kevin Unthank What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that

More information

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation By Marc Ostryniec, vice president, CSID The increase in volume, severity, publicity and fallout of recent data breaches

More information

MANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security

MANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security MANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security You re more connected, but more at risk too Enterprises are increasingly engaging with partners, contractors

More information