Authentication under Coercion

clearsleepingbagSecurity

Nov 30, 2013

Authenticated Access Under Coercion

Marv Williams, CISSP
Adjunct Instructor, NCTC
Associate Director, Cognizant Technologies

Agenda

Coercion
System Security’s use of Authentication
What’s the Problem
One of the most common situations
Previous Solutions to address the Problem
A New Approach to the Problem
Implications and Issues
Epilogue
On any Solution Approach


Coercion and IT Systems

What is coercion: to coerce
- Coerce: to restrain or dominate by force
- To compel to an act or choice
- To achieve by force or threat (subtle)
Extort: to obtain from a person by force
- Money
- Information
- Property
Terrorism

Basic Constructs of System Security

Protect the System: basically three types, often called CIA
- Confidentiality: only approved individuals may access information
- Integrity: information is correct and unmodified
- Availability: information is accessible to authorized users

Basic Methods to Secure Information

Techniques to Secure the System
- Authentication: the individual is who they claim to be
- Authorization: grants the ability to access information
- Accounting: provides tracking of events
Authentication attempts to address the “who”

What’s the Problem with Authentication

Authentication under Coercion
- Authentication is correct
- The system is working as designed
- There’s no problem.
The design is not taking into account the “reason” or “intent” for authentication.
Increasing the authentication factors:
- Something you know
- Something you have
- Who you are - biometrics
  http://www.youtube.com/watch?v=1EO9y4rGxvk
Can decrease your personal safety when dealing with the determined perpetrator

Difficulties in Defending Against Attacks

Previous difficulties in defending against attacks:
- Universally connected devices
- Increased speed of attacks
- Greater sophistication of attacks
- Availability and simplicity of attack tools
- Faster detection of vulnerabilities
Newer difficulties in defending against attacks:
- Distributed and disconnected devices connecting ad hoc (hiding in the cloud)
- Attacks are becoming more unsophisticated
- Availability and simplicity of finding victims
- Differentiating an attack from anomalies
  - Withdrawing from an ATM in another state
  - Family emergency for a major withdrawal
  - Withdrawing $9,999.99

Attack Tree to Steal at Bank (diagram showing Level 2 and Level 3 of the tree)

Let’s Quantify the Risk

Risk Assessment
- Single Loss Expectancy - SLE
- Exposure Factor - EF
- Asset Value - AV
- SLE = AV * EF
The formula works
Two basic problems
- Data: what is the exposure factor (how many times are people coerced?)
- Whose asset
  - the institution’s assets
  - the individual’s assets
  - assigned value to possessions
  - assigned value to life

Various studies (from the ABA and BAI) indicate that 3000 to 5500 banking customers are the victims of crime at or near an ATM or night depository every year.
©2010 GMR Protection Resources, Inc.

ATM extortions are only one kind of coercion of an information system. Perhaps most common and most likely - criminals are following Willie Sutton’s advice.

Victims are becoming more specifically targeted:
http://www.youtube.com/watch?v=w96aZhrK28w&noredirect=1

Where’s the Data?

Most Common Authentication Coercion
- Sutton’s Law (ATMs)
- Federal Laws: Electronic Funds Transfer Act (Regulation E) and the Bank Protection Act (Regulation P) (12 CFR § 216.1).
- Problem: primarily addresses matters related to the security of the ATMs themselves and to fraudulent transactions, not matters related to ATM users’ safety.
Let’s get the FBI Crime Statistics and see what’s happening at the ATMs
- Identity theft
- Kidnapping
- Financial fraud
Need correlation to an Information System

Handling Authentication under Coercion at the ATMs

Accept
Diminish
- The state of California (Cal. Fin. Code § 13000-070) and the city of New York (N.Y. Admin. Code § 10-160) pioneered minimum security standards for ATMs. Among the other states that have enacted similar laws are Nevada (Nev. Rev. Stat. Ann. §§ 660.115-.235), Washington (Wash. Rev. Code Ann. § 19.174), Oregon (Or. Rev. Stat. § 714.280-.315), Georgia (Ga. Code. Ann. §§ 7-8-1 to 8-8), Louisiana, Maryland (Md. Code Ann., Fin. Inst. § 1207), Florida (Fla. Stat. Ann. §§ 655.960-.965), Illinois, New York, and New Jersey.
- Personally diminishing the risk.

Handling Authentication under Coercion at the ATMs (cont.)

Transfer risk to someone else
- No insurance programs
- Introduces insurance fraud
Denial
Ignore
Obfuscation

ATMs are only one case of Authentication

Cell phones as credit cards
At home, at work
Anywhere authentication is required.


Information Security Components (figure, © Cengage Learning 2012)

Approaching a Solution - Techniques

Solution needs to address values
- Property vs. People
  - Most security experts agree that when being coerced, the victim should comply
  - The solution should follow the same guidelines
Who pays for the Solution
- Eventually the consumer
- But who controls costs
  - built-in costs in the infrastructure
  - pay-as-you-go solution
  - pay-as-you-use-it
Is the Solution Complete
- Encompasses the right technology
- Right People
- Right Procedures

Prior Art and Solutions

Personal Responsibility for your Safety
- Understood for accessing ATMs, but what about home invasion and at work.
  http://www.clipsyndicate.com/video/play/356802/doctor_s_family_killed_in_brutal_home_invasion
- Know your ATM, be aware of your environment, proper lighting and surveillance devices.
Legislation
- Laws on ATMs: must have lighting and surveillance.
- No laws or guidelines regarding eBanking, processes and procedures.
Liability on Banks and Institutions
- Civil law and lawsuits.

Mechanisms for ATM Users to summon Police

Panic buttons installed on the ATM. Some security consultants and police, however, worry that panic buttons will just exacerbate the false-alarm problem that is already burdening police resources.

Telephones next to the ATM.

Live microphones in the ATM. A security company can monitor such microphones.

Door alarms. Door alarms can be set so that they are automatically activated if a door to an enclosed vestibule is left open too long.

Reverse PIN technology. An ATM user can activate a silent alarm by entering his or her PIN in reverse order or by entering an additional digit after the PIN. This so-called "reverse PIN" technology has been patented, but is not known to be in use yet anywhere. A study of its feasibility conducted for the state of Illinois concluded it was cost prohibitive and unlikely to be effective because robbery victims are under such extreme stress.

Reference: 2012 POP Conference, Oct 22-24, 2012, Providence, RI
http://www.popcenter.org/problems/robbery_atms/3
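An added illustration of the reverse-PIN mechanism described above (not code from the presentation or from any ATM vendor): the terminal stores salted hashes of both the PIN and its reverse, so a duress entry verifies exactly like a normal one but returns a distinct flag, and palindromic PINs are refused at enrolment because they cannot carry the signal. The hash parameters and sample PINs are assumptions.

```python
import hashlib
import hmac
import os

# Assumed hash parameters for the illustration; not a banking standard.
ITERATIONS = 100_000

def _digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def enroll(pin: str) -> dict:
    """Store hashes of the PIN and of its reverse (the duress PIN).

    A palindromic PIN (e.g. 1221) reads the same backwards, so it could
    never signal duress; refuse it rather than silently losing the feature.
    """
    if not pin.isdigit():
        raise ValueError("PIN must be numeric")
    if pin == pin[::-1]:
        raise ValueError("palindromic PIN cannot carry a reverse-PIN duress signal")
    salt = os.urandom(16)
    return {"salt": salt, "normal": _digest(pin, salt), "duress": _digest(pin[::-1], salt)}

def verify(record: dict, entered: str) -> str:
    """Return 'ok', 'duress' or 'fail'.

    From the perpetrator's side a duress entry looks like a successful login;
    only the returned flag differs, and the caller raises the silent alarm.
    Both comparisons run in constant time so timing does not reveal which hash matched.
    """
    candidate = _digest(entered, record["salt"])
    is_normal = hmac.compare_digest(candidate, record["normal"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    if is_normal:
        return "ok"
    if is_duress:
        return "duress"
    return "fail"

if __name__ == "__main__":
    rec = enroll("1357")  # constructed sample PIN
    print(verify(rec, "1357"), verify(rec, "7531"), verify(rec, "0000"))
```

Accepting a second PIN per card doubles the number of entries that unlock the account, a small but real loss of guessing resistance. The Illinois study’s objection also stands: a victim under stress may not manage the reversal at all.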

Approaching a System Solution

Must encompass all facets
- Procedures, People (trained and tested), Products (mechanisms).
Detect if the user is being coerced on the System
1.) Implicit: heuristically determine the possibility of coercion, similar to IDS systems. Creates false positives.
2.) Explicit: the user explicitly notifies the system during or after the situation. Can be similar to reverse PIN, i.e., direct inputs.
- The user can set a Defined Profile of coercion behavior.
- e.g., I’m withdrawing more than $10,000 from my educational account.

1.) Authentication occurs; the user’s criteria for coercion are activated.
2.) The user’s designated proxy(ies) are notified and/or the user receives tactile feedback for confirmation (e.g., change of the user’s terms agreement; e.g., confirm amount).
3.) The proxy either attempts communication with the victim (as if nothing is wrong) and/or dispatches police.
4.) Police are given details of the situation from the proxy and from data collected by the system at the scene.
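The four-step flow above, worked through as an added Python example (not the presenter’s design or any bank’s code): a user-defined coercion profile is evaluated when authentication succeeds, and when it matches, the transaction is still allowed (the victim complies) while the response plan fans out silently to confirmation, proxies and evidence capture ordered most volatile first. The profile shape, thresholds, proxy address and sample event are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class CoercionProfile:
    """User-defined profile (assumed shape): what this user says they would never do freely."""
    amount_limits: dict          # account -> amount the user would never exceed voluntarily
    proxies: list                # designated proxies to notify (step 2)
    quiet_hours: tuple = (0, 5)  # local hours in which the user says they never transact

@dataclass
class AuthEvent:
    """What the system knows at the moment authentication succeeds (constructed)."""
    account: str
    amount: float
    hour: int
    ip: str
    gps: tuple
    session: str

def evaluate(profile: CoercionProfile, event: AuthEvent) -> dict:
    """Build the response plan. The transaction is never refused: denying it
    could endanger the victim, so the system signals instead of blocking."""
    reasons = []
    limit = profile.amount_limits.get(event.account)
    if limit is not None and event.amount > limit:
        reasons.append(f"{event.amount:.2f} on '{event.account}' exceeds user limit {limit:.2f}")
    lo, hi = profile.quiet_hours
    if lo <= event.hour < hi:
        reasons.append(f"hour {event.hour} falls in user quiet hours {lo}-{hi}")
    plan = {"allow_transaction": True, "reasons": reasons, "actions": []}
    if reasons:
        plan["actions"] = [
            # step 2: out-of-band tactile prompt the perpetrator cannot read
            {"type": "confirm_with_user", "prompt": "confirm amount"},
            # steps 2-3: proxies attempt contact or dispatch police
            {"type": "notify_proxies", "to": list(profile.proxies)},
            # step 4 / secondary matters: evidence for responders, most volatile first
            {"type": "capture_context", "data": [
                ("session", event.session), ("gps", event.gps), ("ip", event.ip)]},
        ]
    return plan

# Constructed sample matching the slide's own example: more than $10,000 from the educational account
PROFILE = CoercionProfile(amount_limits={"educational": 10_000.0}, proxies=["proxy@example.org"])
EVENT = AuthEvent("educational", 12_000.0, 14, "198.51.100.7", (40.71, -74.01), "sess-1")

if __name__ == "__main__":
    print(evaluate(PROFILE, EVENT))
```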

Approaching a System Solution - Secondary Matters

Cognizant of the situation - do not jeopardize safety
- Send GPS, IP address, and associated information.
- Optionally activate web cams, microphones, physical sensors, etc.
Preserve the evidence
- Order of volatility must be followed to preserve the most fragile data first
- Meet evidence standards

Forensic Procedures Automatically Activated

Four basic steps are followed
- Secure the crime scene
- Collect the electronic evidence
- Establish a chain of custody
- Examine for evidence
Secure the electronic crime scene
- Goal: preserve the evidence
- Damage control steps taken to minimize loss of evidence
(Secondary issues)

Implementation and Implications

Empower the User
- The user is defining the criteria under which they believe they can work under duress.
- The user could be wrong
- The user defines proxies.
- Keep your friends close and your proxies closer
Liability releases from implementers
In 2005, House Bill 4155 would have made forced ATM withdrawals a distinct felony, thus allowing the police to connect Crime A to Crime B.

Epilogue

Serious Matter
- CISSP Code of Ethics: protect society, the commonwealth, and the infrastructure.
- Directly dealing with the life and well-being of the user.
- Recognition that the same IT systems that can make our lives better can put our lives at risk.
Time is of the essence
- Time for institutions and governments to catch up, and to gather data
- Time that it takes the system to notify the authorities
No perfect solution, and every solution has its associated risks.

Questions?
Answers