Knowledge-Based Authentication Challenge Response System



Similar documents
one admin. one tool. Providing instant access to hundreds of industry leading verification tools.

Compliance & Data Protection in the Big Data Age - MongoDB Security Architecture

How To Create A Global Signer For The Internet Of Everything

Payment Systems for E-Commerce. Shengyu Jin 4/27/2005

CoSign for 21CFR Part 11 Compliance

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

WHITEPAPER. Complying with the Red Flag Rules and FACT Act Address Discrepancy Rules

White paper. Implications of digital certificates on trusted e-business.

Commerce Management System

Unified Payment Platform Payment Pos Server Fraud Detection Server Reconciliation Server Autobill Server e-point Server Mobile Payment Server

COMMUNICATING ELECTRONICALLY WITH CUSTOMS

Reduce Fraud: Stop Fraudsters Before They Strike

PRIVACY, SECURITY AND THE VOLLY SERVICE

Improve Your Call Center Performance 7 Ways A Dynamic KBA Solution Helps. An IDology, Inc. Whitepaper

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Product. Onboard Advisor Minimize Account Risk Through a Single, Integrated Onboarding Solution

Information Protection

the better way to pay

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

Managing SSL Security in Multi-Server Environments

CyberSource and NetSuite Getting Started Guide

How To Create Trust Online

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

HomeConvenience.com. Creating Trust Online CASE STUDY. Comodo Identity and Trust Assurance Suite. Content Verification Certificate.

Evaluate the Usability of Security Audits in Electronic Commerce

Licensing Symantec Certificates

Using Entrust certificates with VPN

Solving the Desktop Dilemma

Privacy Impact Assessment for the. E-Verify Self Check. March 4, 2011

Securing Microsoft Exchange 2010 with Symantec SSL Certificates

Enabling Secure Payment Processing On Your Site. A guide to accepting and managing online payments for e-commerce

Securing ArcGIS Server Services: First Steps

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

Payment Card Industry Data Security Standard

HOW SECURE IS YOUR PAYMENT CARD DATA?

Security Services. A Solution for Providing BPM of Security Services within the Enterprise Environment.

Licensing VeriSign Certificates

LexisNexis InstantID. Technical White Paper. Analyzing Results. For the following: LexisNexis Bridger Insight XG. Contact LexisNexis Sales:

Identity Relationship and Access Management for the Extended Enterprise

First Data E-commerce Payments Gateway

Securing Microsoft Exchange 2010 With VeriSign Authentication Services

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Adobe PDF for electronic records

Simplify SSL Certificate Management Across the Enterprise

<Insert Picture Here> Oracle Identity And Access Management

Realex Payments Integration Guide - Ecommerce Remote Integration. Version: v1.1

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Knowledge Based Authentication [KBA] is not just for onboarding new customers

HOL9449 Access Management: Secure web, mobile and cloud access

Elavon Payment Gateway Integration Guide- Remote

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

PCI Compliance Training

SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES

Headache vs. Hassle-Free: How Technology Can Ease the Burden of Regulatory Compliance An Equifax White Paper

WHITE PAPER. Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations

Swedbank Payment Portal Implementation Overview

a CyberSource solution Merchant Payment Solutions

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Privacy Impact Assessment for the. E-Verify Self Check. DHS/USCIS/PIA-030(b) September 06, 2013

Module 6. e-business and e- Commerce

How To Protect Your Credit Card Information From Being Stolen

Squaring the Circle in Payment Processing

PCI DATA SECURITY STANDARD OVERVIEW

Mobile Wallet Platform. Next generation mobile wallet solution

Identity Management: Securing Information in the HIPAA Environment

Welcome to the ODE Secure Web Portal User Guide

Quick Reference Guide

Electronic Prescribing of Controlled Substances: Establishing a Secure, Auditable Chain of Trust

a CyberSource solution Merchant Payment Solutions

CA Arcot RiskFort. Overview. Benefits

Vendor Risk Assessment Questionnaire

MASTERCARD PAYMENT GATEWAY SERVICES

Office of Finance and Treasury

esign Online Digital Signature Service

Cisco Advanced Services for Network Security

Vendor Questionnaire

MASTERCARD SECURECODE ISSUER BEST PRACTICES

CHOOSING A RACKSPACE HOSTING PLATFORM

Enterprise SSL FEATURES & BENEFITS

PCI Security Compliance

Patriot Act compliance for Finance and Commercial Loan Organizations

TrustDefender Mobile Technical Brief

CS 356 Lecture 28 Internet Authentication. Spring 2013

IT Security in Banque du Liban

Transcription:

Knowledge-Based Authentication Challenge Response System Kevin Trilli Director, Product Management VeriSign, Inc. Bill Andrews Sr. Manager, Product Management Lightbridge, Inc.

Purpose and Agenda Purpose Explain deployment example for KBA Cover challenges of quantifying Challenge/Response (C/R) Agenda Overview of VeriSign Authentication Service Bureau Challenge/Response in Action: On-Line Auction Site Challenge/Response System Configuration

VeriSign Security Services Provide Critical Security and Payment Infrastructures that Maximize Efficiency, Remove Complexity, and Reduce Risk 380,000+ secure sites & servers 4,000+ enterprise customers 90,000 merchants ~25% of N. America E-CommerceE 380,000+ 4,000+ 90,000 ~25% 90,000+ consumers verified 30,000+ certificates issued ~5M payment transactions $700M processed 90,000+ 30,000+ ~5M $500M-$700M 3

VeriSign Intelligence and Control SM Solutions Provide targeted Solutions to business needs Business Continuity Network Infrastructure Continuity Regulatory Compliance HIPAA, FDA Business Partner Integration Secure Extranets Commerce Enablement Security, Payments With flexibly deployed Offerings Strong Authentication Secure Access To Networks Network Security Intelligent Monitoring & Management Application Security Secure Web Services Commerce Security Fraud Protection Leveraging World-Class Assets Delivered from Solid Infrastructure Technology Data Intelligence/ Expertise (Managed Security Services, DNS, PKI, Trust Gateway, SSL, Payment Gateway) (enterprise event data, 9 billion DNS transactions, 25% N. American payment volume, SSL certificate validation) (Internet health monitoring, event correlation, fraud detection engine) Atlas, 24*7 redundancy, secure operations, PKI roots

VeriSign set of Offerings: Credentialing and ID Proofing Services Credentialing Systems Managed Strong Authentication Service Platform PKI, Strong Authentication Commercial and Public Sector Offerings FIPS-140 Federal Bridge Compliant Mortgage Banker s Association ID Proofing Services Physician Authentication using VeriSign s AMA Database Consumer Authentication using Lightbridge Services Business Authentication using D&B Database In-Person Proofing Services Notary Postal Service

Consumer Authentication Service Various levels of customer authentication Non intrusive Tier 1: Identity Verification Based on application data Name, Address, Phone Optional: email, date of birth, drivers license Custom Risk Score Interactive Tier 2: Interactive Query Based on credit report Dynamic out of wallet questionnaire Manual Review For exception handling and support 24x7 live person in call center Physical Proof Faxing in passport, drivers license, utility billing

VeriSign/Lightbridge Online Identity Management: Authentication in Seconds A consumer initiates a transaction online. Before completing the transaction the merchant or institution submits the consumer data to VeriSign/Lightbridge for validation, verification and authentication. Firewall CAS Tier 1 validates and verifies consumer data using a unique online fraud model and returns a numeric score indicating the consumer s relative level of risk. Consumer Databases Internet CAS SSL Client Authentication Decisioning Online Consumer E-commerce Web Server VeriSign/ Lightbridge Web Server System CAS Tier 2 compares the consumer data to multiple consumer databases, creates a customer profile, and formulates a unique set of out of wallet questions which are sent back to the consumer through the merchant web server. After receiving the consumer s answers, the CAS decision engine scores the answers and returns an authentication decision to the merchant web server. Decision Engine

ebay Deployment Example

Deployment example Consumer Portal / Application VeriSign CAS Credit Bureaus Name & Address End Users Public Records XML XML DMV and SSN Higher Risk Data Proprietary Blacklists Real time Transaction XML Interface 24x7x365 support Guaranteed SLA Audit Trail Reporting Custom Configuration

Case Study: Online Marketplace Business Challenge Provide a safe and secure marketplace for both buyers and sellers Track and screen out fraudulent users Non-intrusive process that is private and confidential VeriSign Solution Identity verification methods that cross verify identity information using 50+ data sources 24x7 call support to handle exceptions Leverage VeriSign brand to build consumer confidence Results Instant account verification of all users Custom risk score to flag accounts requiring additional monitoring Tier based authentication approach to managing risks

Be prepared to provide specific information about your financial data.

CAS gathers data about the individual and creates a challenge only the user should know.

Successful registration!

Ebay User is now ID Verified!

C/R Configuration Parameters

C/R Authentication Questions (Automated) Credit Card Questions Previous Address Payment Questions Account Number Questions

C/R Authentication Questions (Manual Review) Unanswered Automated Questions Bank/Institution Questions Employment Questions

C/R Configuration Settings Allowable Visits: Number of allowable authentication attempts per user in a specified period of time. Allowable Visits Counter: Period by which authentication attempts counter is reset. Question Sets: Number of potential automated question sets in a given session Min./Max: Questions per set: Minimum and Maximum number of automated authentication questions per question set. Passing Score Questions Correct: Number of correct answers required for passing automated process. Passing Score Percentage Correct: Percentage of correct answers required for passing automated process. Borderline Score Questions Correct: Number of correct questions required for Borderline Score. Borderline Score Percentage Correct: Percentage of correct questions required for Borderline Score.

C/R Configuration Settings Question Variances Payment Amount Questions: Difference between answer provided and information in consumer profile on a per question basis. Manual Review: Offline Authentication Process handled by the Lightbridge Call Center whereby consumers verbally answer authentication questions.

Challenges in Quantifying C/R Requires merchant/agency involvement Time lag between fraudulent event and knowledge of event Fraud data Sensitive to customers Inaccurate/lack of reporting Requires macro view of multiple systems and direct involvement of customer