IMB377-PDF-EnG Red Force Labs - Desbloqueado
SREELATA JONNALAGEDDA
Professor Sreelata Jonnalagedda prepared this case for class discussion. This case is not intended to serve as an endorsement, source of primary
data, or to show effective or ineffective handling of decision or business processes.
Copyright 2012 by the Indian Institute of Management Bangalore. No part of the publication may be reproduced or transmitted in any form or
by any means electronic, mechanical, photocopying, recording, or otherwise (including internet) without the permission of Indian Institute of
Management Bangalore.
This document is authorized for educator review use only by Carlos Azabache, Universidad Peruana de Ciencias Aplicadas (UPC) until May 2017. Copying or posting is an infringement of
copyright. [email protected] or 617.783.7860
providing additional authentication and validation, an online alert system for card holders during transactions of a
value of over Rs. 5,000, redressal of grievances for wrong billing, and reporting of cases to police and ensuring
follow-up action.
What is a token?
A security token (or, sometimes a hardware token, hard token, authentication token, Universal Serial Bus (USB)
token, cryptographic token, or key fob) is a physical device that an authorized user of computer services is given for
authentication. The term may also refer to software tokens. Security tokens are used to prove one's identity
electronically (as in the instance of customers trying to access their bank account). The token is used in addition to
or in place of a password to prove that the customer is who he/she claims to be. The token is similar to an electronic
key which can be used for online access.
Hardware tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to the
user's keychain. Some may store cryptographic keys such as a digital signature, or biometric data such as
fingerprint minutiae. Some designs feature tamper-resistant packaging, while others may include a small keypad to
allow entry of a PIN, or a simple button that starts a generating routine, with some display capability to show the
generated key number. Special designs include a USB connector, RFID (radio frequency identification) functions or a
Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.
The simplest security tokens do not need any connection to a computer. When asked to do so, the client types the
number displayed on the token (second security factor) at a local keyboard, usually along with a PIN (first security
factor). Other tokens connect to the computer using wireless techniques such as Bluetooth. These tokens
transfer a key sequence to the local client or to a nearby access point.
Alternatively, the new form of token entering the mainstream in 2012 was the mobile device, communicated with over
out-of-band channels (such as voice, short message service, and unstructured supplementary services data), which
also made authentication and identity protection much stronger when compared to conventional simple synchronous
dynamic password tokens. Other tokens could still be plugged into the computer. For these, one had to connect the
token to the computer using an appropriate input device and enter the PIN if necessary.
Maintenance of Authentication
Following are the methods by which authentication was maintained.
Two-factor authentication (T-FA or 2FA)
Security tokens provide the "what you have" component in two-factor authentication and multi-factor authentication
solutions. Some tokens provide up to three factors of authentication, or allow you to combine different factors to
create multifactor authentication.
One-time passwords
A one-time password is a password that changes after each login, or changes after a set time interval. A one-time
password scheme uses a mathematical algorithm, such as a hash chain, to generate a series of one-time passwords
from a secret shared key. Each password is unique, even when previous passwords are known. The open source
OATH algorithm is standardized, while other algorithms are covered by US patents.
SMS OTP
- Latency, and hence transaction completion failure, is very high (online transaction completion dropped to under
  40% for online payments after RBI introduced SMS PIN).
- Vulnerable to SIM cloning.
- Open vulnerability with telecom company system administrators.
Digital Signatures
- Cumbersome to use: uses a combination of a physical chip card, card reader, and a PIN.
- Multiple cards: one for each account or bank.
- Higher-end security devices need secure data entry keypads, which are far more cumbersome.
Grid
- A static grid can be captured over a period of time by malware, as all numbers on the grid will be covered in
  about 40 transactions for 16 slots.
All the above solutions are vulnerable to MitM/MiB/pharming attacks perpetrated by malware on the client PC. This
was the critical gap that RFL identified and set out to close with a more secure system.
RFL Token
The RFL token was a self-contained device with an on-board crypto processor that could not be tampered with either
electronically or physically. The token board was epoxy-coated so that there was no access to its internals. There
were no leads to tap into, as it was surface-mounted with unexposed tracks. There was neither any content on the
token that could be read from the computer, nor any clear-text ever sent by the token to the PC it was attached to;
a proprietary token-to-server message exchange protocol ran between token and server, minimizing the vulnerability to misuse.
Thus, there was no single point vulnerability across manufacturer, solution developers, implementation partners or
bank system administrator/operators.
The RFL token is shown in Exhibit 5.
RFL DigitaID
RFL DigitaID actively thwarted MitM/MiB, pharming, domain name system poisoning, and replay attacks, a capability
unique to it, as none of the other products performed this function. The technology had a patent pending, and was
built to tackle these problems from the ground up rather than incrementally over existing solutions. The product
combined the advantages of signing transaction data with the transaction uniqueness of a one-time password. It had
a token-based cryptographic 2nd/3rd factor with interactive confirmation per transaction, and was completely
synchronous with the transactions, hence all transactions were completely secure. Another advantage was that there
was a common token across banks that had deployed RFL DigitaID, yet a personalized token capable of 10 service
profiles, which could be used for access to any service, e.g., online banking, Internet card payments, etc. Broadly,
RFL's security product did not suffer from any of the disadvantages of other 2FA mechanisms. The following
discussion provides the specifics.
Characteristics of RFL Authentication Server
The DigitaID architecture which made RFL's proposition superior is discussed in Exhibit 6.
The RFL DigitaID Key could be plugged into the USB port of any computer and create a direct, secure channel to a
bank's online transaction server, bypassing the PC, which could be infected by malicious software (malware) or
susceptible to hacker attacks.
The consumer could use the security stick to logon and validate all transactions via a display, while the USB device
was securely connected to the server, safeguarding against the most fiendish forms of attacks that could manipulate
data in the background, hidden from the consumer and the bank. The USB device added an extra level of security to
the existing authentication solutions provided by smart card, PIN or one-time validation code, in order to counter the
newest and most highly manipulative security threats.
Even if a user's PC was infected by malware that manipulated the information flow in the PC, the user could cancel
the transaction displayed on the DigitaID device. What the user saw on the DigitaID Key display was identical to
what the server saw, no matter what malicious intervention might occur on the PC or anywhere in the Internet.
"Owing to the direct secure connection between DigitaID Key and server, the device essentially provided a safe
window to the server," states Yash. Moreover, the DigitaID was designed such that no change was required in either
the server software or the software running on the client's PC. It could be run on all major home computing
operating systems.
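The property described above, that the server only acts on what the token showed the user, modelled as an added example; this is not RFL's protocol (the case does not disclose it), and it assumes a shared per-token key with an HMAC-SHA256 confirmation. Token, Server, run_payment and the key value are hypothetical names and constructed values.

```python
"""Added model, not RFL's proprietary protocol: the PC is an untrusted relay,
token and server share a per-token key, and the server executes only what the
token confirmed after showing it on its own display (HMAC-SHA256 assumed)."""
import hashlib
import hmac
import json


def canonical(tx: dict) -> bytes:
    """Stable byte encoding so token and server MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def display_text(tx: dict) -> str:
    return f"Pay {tx['amount']} to {tx['payee']}"


class Token:
    """Tamper-resistant device: key never leaves it; it confirms only what it displayed."""
    def __init__(self, key: bytes):
        self._key = key

    def confirm(self, tx: dict, user_approves):
        if not user_approves(display_text(tx)):
            return None  # user cancelled on the device itself
        return hmac.new(self._key, canonical(tx), hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes):
        self._key = key
        self.executed = []

    def submit(self, tx: dict, confirmation) -> bool:
        expected = hmac.new(self._key, canonical(tx), hashlib.sha256).digest()
        if confirmation is None or not hmac.compare_digest(expected, confirmation):
            return False
        self.executed.append(tx)
        return True


def run_payment(token, server, intended, tamper_before=None, tamper_after=None):
    """PC relay with optional man-in-the-browser: tamper_before rewrites the
    transaction before the token shows it (user sees the rewrite and cancels);
    tamper_after rewrites the copy sent to the server (MAC no longer matches)."""
    shown = tamper_before(intended) if tamper_before else intended
    confirmation = token.confirm(shown, lambda d: d == display_text(intended))
    sent = tamper_after(shown) if tamper_after else shown
    return server.submit(sent, confirmation)
```

The user's approval compares the device display against what they intended to pay, which is the manual check the case relies on; the MAC covers the transaction-signing half.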
Yash knew that his product was superior to many of the competitor products as it was able to prevent MitM attacks
by updating itself with the capability to counter increasingly sophisticated viruses.
A secure system offered by RFL would be a strong pillar in the quest of most of the growing Indian banks, which vied
to establish seamless intelligent infrastructure and branchless banking. A secure system was the basis for integrating
several financial products and solutions. The added customer security translated into higher revenues for the bank,
as it encouraged end-users to increase the volume of online business. A bank such as ICICI had approximately a total of
44 million transactions, with 3.67 million unique visitors per month.
COMPETITORS
With competitors, even if small in number, such as the Pune-based UNIKEN, New York-based RSA, and Swiss-based
VASCO vying for their own space, the market for secure financial transactions in India was fragmented and nascent.
RSA, the security division of EMC² and also the no. 1 online security company in the world, was named after Ron
Rivest, Adi Shamir, and Len Adleman, who started it in 1977. It was set up in India in 2007. The various products
that this company offered were RSA Adaptive Authentication, RSA Adaptive Authentication for eCommerce,
RSA Authentication Manager Express, RSA Digital Certificate Solution, RSA Identity Verification, RSA SecurID,
and RSA Transaction Monitoring. In 2009, HDFC was the first Indian bank to implement layered components
of the RSA Identity Protection and Verification Suite.
Yash remarks, which may explain some of the reluctance towards RSA's products in the Indian market:
RSA has tried to penetrate the market with a device price as low as $5, but with limited success.
They have a high brand value owing to their longevity in the market. However, they have not
come up with a proven technology/device for sophisticated malware and MitM attacks. Added to
that, customers are known to have been frustrated with the high upgradation and maintenance
costs, giving them a feeling of being locked in to RSA.
UNIKEN, a product innovation company, was started in 2003 in Boston, Massachusetts, USA. It created various
products such as the Virtual Private Secure Internet, REL-ID (Relative Identity), the Secure Content Delivery Suite
and various security devices such as USB, CD, etc. UNIKEN carved a niche in the public sector, serving SBI, Bank
of India, and Canara Bank.
VASCO was founded by T. Kendall Hunt in 1997 and provided authentication for mobile banking, corporate
banking, and retail banking, with a price point of $2,850 per 50 customers for 10 incidents per year. Having entered
India in 2007, they made headway in the market with the sale of VASCO's DIGIPASS GO 3 to Reliance Money, the
financial solutions arm of Reliance Capital. Although VASCO's strength was in supporting large volumes of
authentication requests and mass deployment in a variety of applications, its products were based on 2FA, which
had proven inadequate against certain kinds of Internet fraud.
_____________________
Kumar Rakesh Ranjan, Ramana Charan and Pooja Krishnan provided research assistance for this case.
Exhibit 1
Potential intervention areas for RFL
[Table: only the labels survived extraction: "Needs", "Transaction", "Secure Identification/Authentication",
"Authorization", "Messaging", "Core Banking", "Online Banking", "ATM", "Application"; the Yes/No cells cannot be
assigned to rows and columns from the extracted text.]
Source: RFL
Exhibit 2
Country-wise volume break-up of online frauds
Exhibit 3
Online frauds in terms of value
Year   No. of I-banking frauds registered   Value (unit not given in the extracted text)
2007   102                                  2.39
2008   113                                  5.53
2009   269                                  6.90
Exhibit 4
Security measures of leading banks
Bank        Security measure                                                                        Prevents
HDFC Bank   (not recoverable from the extracted text)                                               Static phishing
Axis Bank   NetSecure system generates a code using desktop software/SMS/iTouch device,             Static phishing
            which serves as a 2nd-level authentication
Citi Bank   (not recoverable from the extracted text)                                               (not recoverable)
SBI         (not recoverable from the extracted text)                                               (not recoverable)
Note: HDFC, Housing Development Finance Corporation; SBI, State Bank of India.
Source: Vista 2011.
Exhibit 5
RFL token
Source: RFL
Exhibit 6
DigitaID architecture of RFL
[Figure: only the labels "Design Specifications", "Benefits", "Mutually authenticated end-to-end session
establishment" and "USB module" survived extraction.]
Source: RFL
Exhibit 7
Product comparison chart
Source: RFL