<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Born Identity</title>
      <link>http://blogs.oracle.com/BornIdentity/</link>
      <description></description>
      <language>en-us</language>
      <copyright>Copyright 2009</copyright>
      <lastBuildDate>Sat, 10 Oct 2009 21:01:38 -0800</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>Consumer behavior between social media and paid search!</title>
<description><![CDATA[<p>Marketing companies need to figure out how to allocate budgets between social media and paid search on the internet: consumers exposed to both a brand-influenced social media program and that brand's paid search program are 2.8 times more likely to search for the brand's products than users who saw only paid search.</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2009/10/consumer_behavior_between_soci.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2009/10/consumer_behavior_between_soci.html</guid>
        
        
         <pubDate>Sat, 10 Oct 2009 21:01:38 -0800</pubDate>
      </item>
      
      <item>
         <title>The State of Affairs with Application Security for Department of Homeland Security/SRI ITTC</title>
         <description><![CDATA[<p>Panelist on Dept. of Homeland Security and Stanford Research Institute (Infosec Technology Transition Council) <br />
Thursday, October 15, 2009 1:30 pm - 7:30 pm (Pacific Time)<br />
<a href="http://www.regonline.com/builder/site/Default.aspx?eventid=772109">Registrations</a></p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2009/10/the_state_of_affairs_with_appl.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2009/10/the_state_of_affairs_with_appl.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Identity &amp; Access Management</category>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">Application Security</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Identity &amp; Access Management</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">Identity Theft</category>
        
         <pubDate>Sat, 10 Oct 2009 09:07:31 -0800</pubDate>
      </item>
      
      <item>
         <title>NFC (Near Field Communications) – Was this near sighted? </title>
         <description><![CDATA[<p>NFC enables any two devices to connect and exchange information or access content and services simply by bringing them together over a distance of a few centimeters. </p>

<p>The acronym NFC stands for Near Field Communication. It’s a two-way communication technology based on RFID, but it is sometimes called “contactless” technology. The acronym RFID stands for Radio-Frequency IDentification. The technology has its origins in the microchips that have been used to tag both wild animals and household pets. Since then, RFID has spread to many more industries, including animal husbandry and supply chain management. Items tagged with an RFID chip might also carry information about the object: what it is supposed to be, where it came from, where it’s going, etc., especially in supply chain management.</p>

<p>There are also other applications of RFID that some people feel are more sinister, but which some governments insist are a necessity. These include “smart” passports and a variety of other digital identification cards that use RFID chips. Some people have even gone so far as to have RFID chips inserted into their bodies. RFID usage is spreading rapidly, and will affect the way we do business and pay for things or collect information. </p>

<p>NFC technology, on the other hand, is being used in a wide array of applications including “fast-lane” payment at gas stations and supermarkets, transit payments, and more. The mobile phone industry, along with governments (cities like Oulu, Finland), has also moved forward in delivering services such as credit-card payments, Mobile Time Reporting, Smart Parking, Smart Theater for tickets with smart posters for information distribution, Information Tags in Restaurants for payment and ordering using hand-held devices, buses and bus stops enabled with information and tickets, etc. This technology is already being used for services such as mobile ticketing and to replace the plastic credit and debit cards in consumers' pockets around the world. </p>

<p>It seems like there is good momentum and everyone is moving quickly to capitalize on the opportunity. On the other hand, there have been fierce debates in the industry about the security model, including how to securely authenticate over the air and where to locate the "secure element" (the system for storing private data) in phones equipped with NFC (near field communications) technology.</p>

<p>So do NFC-based solutions pose a huge fraud risk?<br />
NFC used for phone payments represents an opportunity for sophisticated criminals to steal a lot of money; this space is fraudsters' biggest opportunity for the future, largely because many people still see their phone as a communication device rather than something they have to keep secure. In fact, hackers can break easily into NFC phones. Even if that's true, however, it doesn't mean NFC phones pose the greatest future threat to the security of consumers' financial details. Thieves could still steal small amounts of money often enough to reap huge sums. </p>

<p>It has been proven that, using inexpensive off-the-shelf components, hackers can develop a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next-generation driver's licenses. Ethical hacker Chris Paget demonstrates ( <a href="http://www.net-security.org/secworld.php?id=6997">http://www.net-security.org/secworld.php?id=6997</a> ) a low-cost mobile device that surreptitiously reads and clones RFID tags embedded in United States passport cards and enhanced driver's licenses. The proof-of-concept device operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. Here is another example: <a href="http://www.youtube.com/watch?v=hXSt_O3Mt20">http://www.youtube.com/watch?v=hXSt_O3Mt20</a></p>

<p>The security of the Radio-Frequency Identification (RFID) tag, and its ability to resist malware, has also been questioned. At a hardware level, an RFID tag normally consists of a receiver, a transmitter and a micro-controller that facilitates the exchange. However, the micro-controller is not powerful enough to employ sophisticated means of robust real-time encryption and is susceptible to attack. Normally, information stored on the tag has to be authenticated to prevent counterfeiting, but because tags are most often thought of as disposable devices, the cost of manufacturing is kept low. Most of the time an RFID reader is connected to some sort of database software to process the data received from the tag. Once the tag is compromised, it opens further possibilities for various security breach scenarios.</p>

<p>How likely is it for a remote or wireless device to catch an ‘airborne’ virus if it was in contact with an infected laptop or a PDA? <br />
Potentially, if a virus broadcasts itself utilizing a wireless data transfer protocol and another system accepts this transmission and transfers control to the received data, then we may have a case of an ‘airborne’ infection. The most plausible scenario might involve a virus that utilizes vulnerabilities in the driver of a wireless device or in a service related to the communication protocols. </p>

<p>The industry is already responding to potential fraudulent transactions. One protection is the Card Verification Value code (CVV, also known as CVC). Each credit-card number is associated with a three- or four-digit code, located on the back of the physical card. It's static on all mag-strip cards, but it's dynamic on an NFC phone. So if a legitimate NFC phone is used, a new CVV is assigned. If a bogus phone is then used, it will have the wrong CVV and the transaction won't go through. If no CVV/CVC-like features are available, then fingerprinting the device using an intelligent One Time Code can help achieve this functionality.</p>

<p>Financial institutions and Credit-card companies have software that analyzes transactions in real time in an effort to detect and hopefully prevent fraud. When an unusual activity occurs, a block is put on the account or card until the cardholder can be contacted. The same is true of phones used to make credit-card payments. Compare that to a mag-strip card. You would pay your dinner bill with a credit card, and the waiter would clone your card. The waiter's friends would use the card to make several purchases during the next three weeks, and you wouldn't learn about the fraudulent charges until you got your monthly statement.</p>

<p>Another option banks use to deter fraudsters is an ‘Out of Band Authentication’ message, such as a digital receipt sent via SMS. Here's how it would work: if someone somehow were to hijack your account and wire money, you would receive an SMS with the details of the transaction, or a confirmation message, in the hope that you could immediately call the bank and inform them about the problem. This allows the bank to cancel the transaction or put it on hold. Similarly, if a fraudster clones your NFC phone's payment capability and purchases a handbag or a pack of cigarettes, you would receive a text message on your phone: a receipt stating the item, time of purchase, price and retailer. You could then immediately call your credit card company and inform them of the problem. </p>

<p>Unfortunately, this reactive approach will not help prevent fraud in real time but certainly deters fraudsters. The more sophisticated and fool-proof way would be for the provider to force you to interact as part of the transaction by allowing the end user to confirm/deny the specific transaction in real time.</p>

<p>The Over the Air (OTA) method of transferring data to a mobile device for personalization and security applets is another security measure. If a hacker finds a way to break into the secure sector of an NFC chip, you'd have to replace the NFC chip. With OTA, if there is a breach, you could just send out a security patch to the phone and dynamically fix the security issue.</p>

<p>No security model or solution can completely solve this problem; the closest one can come to protecting end users and reducing fraud is either to simply accept this risk or to utilize solutions like real-time fraud prevention for highly sensitive transactions. This is analogous to what financial institutions and credit-card companies often deploy to protect consumers from fraudulent use of their cards. So articles like this one, and security experts, can try to scare people, but the truth is that consumers don't appear to have much to be concerned about at this point. Either you accept this technology and let the provider bear the costs (when a fake transaction occurs, it is voided and the merchant is often the party that takes the hit), or you personally restrict it to transactions that are low in amount.<br />
</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2009/06/nfc_near_field_communications.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2009/06/nfc_near_field_communications.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Authentication Security</category>
        
        
         <pubDate>Mon, 01 Jun 2009 17:41:13 -0800</pubDate>
      </item>
      
      <item>
         <title>Move aside e-mail phishing, in-session phishing is in!</title>
<description><![CDATA[<p>A bug found in all major browsers could make it easier for criminals to steal online banking credentials using a new type of attack called ‘in-session phishing’, say security researchers, making e-mail phishing passé. Now criminals are using craftier attacks, including phishing online banking sessions through your browser while you're in session with your real online banking account, asking for details such as passwords and account numbers, and bypassing the heavily relied-upon protection provided by the anti-spam, anti-virus & firewall solutions available today. </p>

<p>By studying the way browsers use JavaScript, fraudsters have found a way to identify whether or not someone is logged into a Web site, provided the site uses a certain JavaScript function, thereby giving the bad guys a solution to the biggest problem facing phishers these days: how to reach new victims. In a traditional phishing attack, the scammers send out millions of phony e-mail messages disguised to look like they come from legitimate companies, such as banks or online payment companies. Those messages are often blocked by spam-filtering software, which fortunately has gotten quite good at catching and eliminating many email-based phishing attacks. Traditionally, these emails disguise themselves so that they appear to be from a legitimate source and trick the recipient into providing login details or account numbers; with in-session phishing, the e-mail message is taken out of the equation, replaced by a pop-up browser window. The fact that the end user is currently in-session lends a lot of credibility to the phishing message.</p>

<p>Here's how an attack would work: fraudsters attack a legitimate web site and implant code on it that generates an illegitimate pop-up when visitors go to the legitimate site. Using a JavaScript function, the attacker can determine, based on pre-defined logic, whether or not users are logged into one of several banking web sites, and if they are logged in, the illegitimate pop-up appears. Of course, as in an email phish, the pop-up is made to appear as though it comes from the legitimate source. The pop-up asks for identity information, which is then used, for example, to drain a bank account or steal sensitive corporate data. This attack technique is somewhat sophisticated, as it requires that a base Web site be compromised and then that the attacker know which Web site the victim user is currently logged into. Once implemented successfully, 'in-session phishing' can be highly effective because the average end user is likely to enter credentials without a second thought, in spite of the secure authentication solutions in place, including hard & soft tokens.</p>

<p>Researchers have found a vulnerability in the JavaScript engine of all leading browsers, including Internet Explorer, Firefox, Safari and Chrome, which allows a Web site to check whether a user is currently logged onto another website. The source of the vulnerability is a specific JavaScript function. When this function is called, it leaves a temporary footprint on the computer, and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming and gambling websites, use this function and can be traced.</p>

<p>As everyone knows, the bad guys engaged in the phishing business are always trying to stay one step ahead of typical authentication schemes, including out-of-band OTP & SMS, and like any good get-rich-quick criminals, they will always have half a dozen new scams up their sleeves. But for these criminals, the hard part would be convincing victims that this pop-up notice is legitimate, and this is where the new generation of anti-phishing solutions like personalized interfaces or pads (such as secure TextPad, PinPad, KeyPad, QuestionPad, QuizPad, etc.) that are unique to each end user can go a long way in incrementally deterring the fraudsters. Any end user logging into the site, entering an OTP or transaction data, or even answering challenge questions would do so using a personalized pad. Therefore, when the attacker prompts for the credentials in the popup window, they will not be requested through the pad, as the hacker doesn’t have access to it. The user would see this and (assuming they have been educated correctly) would not enter their credentials into the popup box despite the fact that it appears to come from the valid site.</p>

<p>Result: In-session phishing attack incrementally deterred!!</p>

<p>Other recommendations from security experts include turning off pop-ups in your browser using the browser's security options; always logging out of banking and other sensitive online applications and accounts before navigating to other websites; and being extremely suspicious of pop-ups that appear in a web session if you have not clicked a hyperlink.</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2009/01/move_aside_email_phishing_inse.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2009/01/move_aside_email_phishing_inse.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Identity Theft</category>
        
        
         <pubDate>Sat, 17 Jan 2009 21:59:44 -0800</pubDate>
      </item>
      
      <item>
         <title>Self-Service Provisioning! Palin&apos;s nightmare?</title>
         <description><![CDATA[<p>Self-Service Provisioning! Palin's nightmare?</p>

<p>Free email accounts aren't the only services that could be duped into giving up someone else's account password; there are many more issues at stake, including access to your bank accounts or to enterprise resources, because the same tactic that some have argued was used to break into Gov. Sarah Palin's e-mail could be used to hijack any account.</p>

<p>There are certainly many easy ways to hack into such accounts. One is to simply guess the answers to the questions asked when you've forgotten your password. Typical questions are things like your mother’s maiden name or the street you live on. If someone knows this information, which is generally public when it comes to political figures, it's then possible to change the password. The second tactic is to directly access the saved passwords in the end user’s browser. But there are also more sophisticated techniques. For example, a hacker can send someone an email containing a virus that then sends back information from their computer, including their emails. Another way is to tap into the network. Then there are others.</p>

<p>You can protect yourself against the latter types of attack by using simple techniques: never save your passwords in your browser. To protect yourself from viruses, never open an attachment unless you're sure what it is. Keep your anti-virus up-to-date, keep your personal firewall turned on, don't use free networks, etc. But let's focus on the first kind, because this is the most prevalent technique implemented behind every web application today that relies on some kind of automated password reset scenario to protect valued data. It can be easily abused by knowing a username associated with an account and the answer to a single security question.</p>

<p>So is KBA (Knowledge Based Authentication) a solution or a problem?</p>

<p>Depending on how it is implemented, KBA can be either.</p>

<p>There are various alternatives for performing automated resets on the site with higher assurance (such as a phone call from the registered device of record, speaking to a human, out of band via postal mail, etc.). But these techniques, though stronger, simply undercut the value proposition of using the web for the sole purpose of reducing costs and improving efficiency. Moreover, while these certainly help in closing the control and audit loop through notification of access/change, is this really just a matter of the questions? Most institutions rely on publicly harvestable questions like: SSN, mother's maiden name, street you grew up on, city born in, favorite color, movie or book, pet's name, etc.</p>

<p>Most people don't even like these questions; and specifically, how many questions is a good threshold, and what kinds of questions should be used?</p>

<p>My recommendation is to let the end user define the questions and answers, advising the user to put in something completely useless that he/she can easily remember, but never to use the same one twice at any site and never to provide any personal information. But then, most of us will end up writing down all of the questions and answers...and then keep that list with our computer for easy reference, or potentially lose the list...all of which is precisely why the institution should use dynamic KBA that uses information it already has (e.g. recent bill amount, vacation balance, etc.), so that it's not digging for more static information and it's not requiring you to make up something that will be hard to remember.</p>

<p>Ultimately, the quantity and nature of KBA questions have little value from a security perspective. The answers may be easily guessed, administratively known, or compromised easily due to security weaknesses in the computer/network and the Pavlovian behavior or social engineering of the end user. Applications requiring lower identity assurance may be well-matched with basic KBA, though. For applications requiring higher identity assurance, risk-based dynamic KBA w/o 3rd party identity proofing services is better. Risk-based would entail ensuring that only the registered device (computer/handheld) and network of the end user is allowed to reset or change the password, with any anomalous transaction behavior challenged using dynamic KBA or other means. ID Proofing means that at this point the password reset (or other) system would go to a 3rd party to proof the user's identity. This third party could be some service plugged into credit bureaus or public data, for example. This approach is certainly more expensive but perhaps the only option if the site does not have much transaction history on the user...</p>

<p>The following features should be minimally supported for any successful KBA deployment:<br />
<strong>Security</strong> – KBA questions and responses should be protected and encrypted at the point of entry, ensuring maximum protection. Anti-theft logic should prevent dictionary attacks so fraudsters cannot phish the entire database of questions. Additionally, each customer is assigned a specific sub-set of questions to select from. This ensures no single customer has access to all questions in the database at any time.</p>

<p><strong>User experience</strong> – Should provide in-built logic to intelligently detect correct responses (i.e. detects initials, acronyms, fat-finger, common misspellings, etc.) for a more user-friendly experience and fewer false negatives without compromising security. </p>

<p><strong>Applicability</strong> – Data may be limited depending on location and user type (contractors / immigrants / students), so adequate questions may not be available for all end customers. So the solution should support advanced processing logic to ensure that a given challenge question set contains questions applicable to all customers. Advanced logic normally includes a randomly generated sub-set of questions that are still applicable to the user by relying on categorization. Common categories include sports, family, education, entertainment, etc.</p>

<p><strong>Reporting</strong> – Predefined, comprehensive KBA reporting capabilities</p>

<p><strong>Cost</strong> – 3rd party database solutions look up information in public sources and/or credit bureaus as part of their dynamic question set, with an additional cost associated per look-up. So the solution should offer a layered KBA model that allows for a best-of-breed end user experience and cost-effective auto-selection of questions based on business rules and/or applicability factors. For instance, utilizing a layered and tiered approach as highlighted below will always help reduce costs to the enterprise.<br />
<em>Primary layer</em> - Integrates with the institution's existing internal customer information databases. <br />
<em>Secondary layer</em> - Integrates with the KBA platform’s in-built question bank<br />
<em>Tertiary layer</em> - Integrates with external 3rd party challenge question providers, like credit bureaus, which generate unique questions each time</p>

<p>And finally, the most important lesson to learn from this is that large enterprises are also susceptible to this same kind of fraud, considering that user provisioning and administration solutions are often used to automate the process of adding, updating and deleting user accounts from applications and directories, and most rely on static KBA for automated user provisioning and de-provisioning, with additional capabilities that include password management and approval workflow to cut costs. These systems often offer rich identity administration capabilities to direct end-users for self-service, and the delegation capabilities of the identity administration console are extended to let partners centrally create, modify, lock, unlock and delete user accounts, as well as manage groups/roles, in various targets in heterogeneous environments, via a centralized web-based provisioning console. The administrators can delegate provisioning and de-provisioning tasks to other administrators based on multiple criteria – specific sets of applications, specific geographical locations, specific departments/divisions, etc. </p>

<p>In all such scenarios, KBA implemented with risk-based controls will ensure that only known or user-registered devices or known network locations (detecting & blocking anonymizing proxies) are authorized to perform self-service capabilities, such as updating their own profile information, including passwords, using the centralized web-based console.</p>

<p>As we are increasingly seeing, risky access from unknown networks or from un-registered or malware-ridden computers or smart phones can easily compromise passwords, including basic KBA solutions. Enterprises should therefore consider taking steps to protect and use this sensitive information in a secure fashion within their existing identity management systems or on-going provisioning projects by introducing a risk-aware provisioning process that can be leveraged from technologies like OAAM (Oracle Adaptive Access Manager); in the case of Oracle Identity Management customers, this integration is easily supported. </p>

<p>Just this simple deployment of a ‘risk-aware & secure’ identity management platform to manage your provisioning requirements that can proactively and incrementally secure against Identity theft including keylogging, phishing, pharming, cross-site scripting etc., would go a long way in avoiding an embarrassing <em>palin</em>ode after your widely publicized security and compliance sponsored provisioning initiative within your corporate environment.</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2008/10/selfservice_provisioning_palin.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2008/10/selfservice_provisioning_palin.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Identity Theft</category>
        
        
         <pubDate>Mon, 06 Oct 2008 09:27:53 -0800</pubDate>
      </item>
      
      <item>
         <title>Authentication Challenges – Security versus Usability - ‘One Size Fits All’ </title>
         <description><![CDATA[<p>Most of the readers already know what is ‘authentication’ and how closely it is tied to accessing resources on the network, either directly or via technologies like SSO (Single Sign-On), which are then relied upon by the IT and security management folks as a central management console for controlling and managing access to resources within the enterprise.  </p>

<p>But unfortunately, most of us, including certified security professionals, assume that these two access management technologies are enough to thwart fraudulent attempts to steal sensitive information. So to put my concerns into perspective, I am going to start by re-articulating the basics, in the hope that this will help us clearly understand where the weaknesses in the current infrastructure and processes are, and how our time-tested assumptions go awry when it comes to access security.</p>

<p>What is authentication?<br />
Authentication is the process of determining if a user or identity is who they claim to be. Authentication is accomplished using something the user knows (e.g. password), something the user has (e.g. security token) or something of the user (e.g. biometric). </p>

<p>The authentication process is based on a measure of risk. High-risk systems, applications and information require different forms of authentication that more accurately confirm the user's digital identity as being who they claim to be than would a low-risk application, where the confirmation of the digital identity is not as important from a risk perspective. The former process is commonly referred to as "stronger authentication". Stronger authentication certainly means higher trust in an authentication process with regard to an identity. </p>

<p>So what is an Identity?<br />
Every individual has a unique identity in the real world, but in the digital world (the internet or intranet), where we spend most of our time socially or otherwise, our digital identities cannot be guaranteed to be that unique and are very prone to misuse and identity theft. This is because we use and rely on technology that was designed and fostered for computation (computers) and communication (networks) but which unfortunately abounds with security problems, since security was always an afterthought. Traditional stronger authentication methods include digital certificates, security tokens and biometrics, but unfortunately all of these types of solutions have been compromised of late. </p>

<p>Security token authentication, such as hardware OTP tokens, is used to authenticate an identity (something that you have) during the login process, or if required by a single sign-on system for a higher-risk application; the identity is verified by entering the numbers appearing on the token screen along with the user's unique id. Since the numbers appear to change randomly to the user viewing the screen (but are understood by the central authentication server), there is a higher degree of trust associated with this form of authentication, but simple social engineering attacks like phishing/pharming can easily circumvent this authentication process and inject fraudulent transactions without the knowledge of the end user. Often, many enterprises use combinations of these, including passwords, to place a higher degree of trust in higher-risk applications or information access, but with no real security advantage.<br />
 <br />
On the other hand, using Public Key Infrastructure (PKI) authentication is yet another way of performing identity authentication. An identity is given a digital certificate by a Certificate Authority (CA). This is then presented during the authentication process to verify that an identity is who they say they are. The level of authentication trust varies for digital certificates depending on the level of identity verification done during the identity registration process, as well as the digital certificate revocation process. Unfortunately, these digital certificates were designed to be used for encryption and not as an authentication tool, as they can easily be stolen from host machines or spoofed, although they have been deployed to authenticate and verify an identity in single sign-on systems, document management systems and in web services. <br />
Smart cards are utilized as another form of authentication token (something you have). Often they contain a digital certificate as well as additional identity attribute information. Smart card authentication is becoming widespread but has the same weakness as tokens when it comes to compromising the PIN used to unlock the smart card. These same smart cards that are used in an authentication process are now commonly used as well for access control mechanisms to enter physical facilities, buildings, floors and rooms.</p>

<p>On top of these security concerns, the operating costs for tokens, smart cards and biometrics are much higher, since they must be physically issued, replaced and recovered. In spite of the various options available for authentication, with their associated pros and cons, there is no authentication scheme which can claim to be 100% secure, and this gets worse when our infrastructure and sensitive business applications simply rely on this Boolean process. This unfortunate assumption is why identity theft has become a silent crime that most people don't realize they are victims of until they apply for a loan or open a bank account. With mounting levels of identity fraud and authentication technologies unable to overcome it, on-line organizations are literally faced with the challenge of how to improve protection of their end customers’ identities. This does not just come from the direct impact of fraud losses but, even more importantly, from the impact on consumer confidence. With phishing attacks appearing in the consumer’s inbox every day and new incidents of Man-in-the-Middle attacks, customers are increasingly wary of the safety of their identities while on-line, irrespective of the kind of identity verification solution in place, whether just passwords or tokens. The result has been a slowdown in the adoption of on-line products and services, and most recently even banks have been forced to shut down some of their online ACH operations – a real loss to organizations given the expense of traditional delivery channels and, moreover, the direct pressure on the real bottom line due to the current downtrend in the markets. </p>

<p>However, addressing these challenges has been an ambitious undertaking for on-line organizations, given the conventional options available to improve identity security. Traditional methods like tokens and smart cards are expensive, significantly impact the user experience, and carry known security weaknesses, often making the cure worse than the disease. These challenges are clearly visible in the low rate of implementation of such solutions.</p>

<p>So is there a cost-effective way to authenticate consumers without burdening end users with physical gadgets, or a solution which can address security and usability at the same time? </p>

<p>Fortunately there has been substantial innovation recently in how customer authentication can be improved without the cost and usability impacts of traditional methods. These solutions take the form of real-time proactive fraud prevention platforms (unlike traditional fraud detection solutions) combined with open-standards-based multi-factor authentication security. They are designed to enhance and secure traditional authentication schemes, thereby plugging the weaknesses associated with them. Although ultimately deployed together, organizations can start with one or the other depending on their specific requirements and move to the complete solution over time.</p>

<p>Real-time fraud prevention represents an attractive approach, as it can be used to detect identity attacks proactively in real time and stop suspect transactions. This approach does not require any change to the user experience, eliminating much of the work of rolling out a solution. This means a fraud prevention solution can be put in production and used almost instantly to reduce fraud by detecting anomalous activities, either by deploying it within the customer’s existing enterprise environment, including identity and access management infrastructures, or by layering it as a proxy in front of existing business applications to monitor all on-line transactions without impacting the business application. The proxy-based integration approach monitors on-line traffic and extracts each user action, allowing for a complete picture of the on-line session. By monitoring all traffic rather than substantially modifying business applications, production deployments can be done in weeks, not months. </p>

<p>Also, these platforms are developed using open standards, so fraud prevention rules can be quickly updated, and all the transaction information necessary to detect new patterns is available instantly.</p>

<p>For some organizations, it may be more attractive to give their end users a confidence factor through stronger authentication using secure mutual authentication, as it provides more visible protection that may be desirable from a marketing perspective. In pursuing this path, it is important that any technology be open and support a spectrum of authentication methods, from transparent techniques such as machine fingerprinting to the variety of interactive approaches such as one-time-password tokens, because authentication requirements will change over time and vary across user groups and applications. For example, in large retail environments customers may be asked to answer pre-selected questions when logging in from a risky profile (for example: a phishing attack, anonymizing networks, airport kiosks, or unusual foreign geographies), while ensuring that this challenge/response process also does not succumb to phishing, pharming or Trojan-based attacks, whereas a corporate customer may authenticate during sensitive document access with a one-time-password token. As another example, at the start of an on-line session, transparent recognition of the end user’s geography and desktop can provide an initial authentication; when the user’s on-line behavior suggests the potential of fraud, a more interactive authentication can be triggered.</p>

<p>If the solution does not support a spectrum of authentication methods in a single platform and cannot also influence session management with the user based on a centralized policy, then the platform is not flexible and open enough to support the various end-user, business and security needs. In such cases, organizations will end up deploying a variety of siloed technologies that are expensive to integrate, operate and maintain. Regardless of where organizations start, with multi-factor mutual authentication security or with real-time fraud prevention, both will be deployed together or over time as a single strategic solution for protecting customer identities. Proactive real-time fraud prevention and detection determines risk levels by assessing the probability of fraud and drives user authentication from the open multi-factor authentication platform. When the derived risk levels reach certain thresholds, users can be prompted for additional authentication from the open authentication platform.</p>

<p>With the need to move quickly to restore customer confidence, as well as the long-term requirement for a strategic consumer authentication platform that combines real-time proactive fraud prevention with multi-factor authentication security, it becomes more important to seek out solution providers that offer complete capabilities, architected and developed from the ground up to prevent fraud, instead of point solutions or platforms assembled from acquired, disparate products that bring integration challenges. By working with providers that have deployed these capabilities in live production environments, organizations can restore customer confidence in the near term while ensuring, in the long run, the security of customers’ identities and their confidence in the on-line channel.<br />
</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2008/09/consumer_authentication_securi.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2008/09/consumer_authentication_securi.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Authentication Security</category>
        
        
         <pubDate>Tue, 09 Sep 2008 18:28:30 -0800</pubDate>
      </item>
      
      <item>
         <title>Phishing Site Takedown Services – Does this really prevent identity theft?</title>
<description><![CDATA[<p>Most of you may know what these services typically offer. The process is simple: when a ‘Site Takedown’ service provider is alerted to a phishing incident (normally this takes a few hours, and in certain cases up to a few days), they simply start taking steps to bring the phishing site down from the Internet. Usually, this process takes a few additional days when the servers are hosted outside the relevant international and legal jurisdictions. Some of these providers also offer IP sharing networks, where the IP addresses of these phishing servers are shared with other member subscribers. <br />
From a security standpoint, these services are useless given the level of sophistication at which fraudsters currently operate, compared to the reactive approach of the service providers. One reason is that fraudsters operate in real time (at internet speed) and rely on the fact that takedown solutions can only be reactive in nature. <br />
One technique the fraudsters are effectively using today is known as “fast flux”, whereby they move phishing sites around so fast that it's next to impossible to catch up with them. Fast flux was first seen around two years ago, but recently it has become very popular with operators of botnets - networks of computers belonging to unsuspecting users, infected with bots that allow them to be controlled remotely and used for phishing and other scams.<br />
In its simplest form, fast flux means that the name server controlling the domain constantly changes its response to attempts to look up the Web page. Before anyone can identify the IP address of an offending site and take it offline, the URL will be pointing to a different IP address. An analogy: if anyone tried to reach me via my phone number or email address, they would get an ‘out of service’ response or a bounced email respectively, because every two minutes my phone number or email address changed.<br />
This technique was developed by fraudsters as a response to site takedown services getting better at finding and shutting down Web servers offering phishing content. The weakness of the simple approach, known as single flux, is that the authoritative name server for the domain remains the same: take that name server offline, and the offending site goes down. Double flux gets around that by cycling the name server itself among multiple machines with multiple IP addresses, while continuing to return constantly changing server addresses as well. The resulting ever-changing list of addresses is nearly impossible to shut down. While locating all the machines in a fast flux operation is virtually impossible, newer techniques are constantly being developed, but this is still a cat-and-mouse game which will go on and on, with site takedown service providers always a few steps behind the fraudsters. Unfortunately, financial and other institutions end up paying a fortune subscribing to these types of services in the hope of preventing fraud, when they really should be shoring up their precious resources by investing in <em><strong>real time proactive fraud prevention technologies</strong></em> rather than simply relying on <em><strong>site takedown services</strong></em>.<br />
On a positive note, there are certain Site Takedown Services offered by non-security vendors that have proven really useful when it comes to defending your brand on multiple online fronts, especially if your customers are purchasing products/services due to brand recognition. These services are offered by marketing-centric companies and provide a holistic solution designed to enable companies to protect revenue, reputation, and customer trust online. They typically include domain management, to proactively identify and seize opportunities, prevent brand abuse and efficiently manage domain assets; online trademark and intellectual property abuse protection; and online channel protection services that protect brand equity and profits by detecting and shutting down online sales of counterfeit, pirated, and gray market goods. <br />
</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2008/08/phishing_site_takedown_service.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2008/08/phishing_site_takedown_service.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Identity Theft</category>
        
        
         <pubDate>Sun, 31 Aug 2008 21:57:01 -0800</pubDate>
      </item>
      
      <item>
         <title>Re-defining Identity!</title>
<description><![CDATA[<p>Every individual is <em><strong>born </strong></em>with a unique <strong><em>identity </em></strong>in the real world, but in the digital world (the internet or intranet), where we spend most of our time socially or otherwise, our digital identities cannot be guaranteed to be unique and are very prone to misuse and identity theft. This is because we use and rely on technology that was designed and fostered for computation (computers) and communication (networks), but which unfortunately abounds with security problems, since security was always an afterthought in the grand scheme of things. </p>

<p>I will aim to address these security challenges in identity management and security from the perspective of a security analyst, and try to highlight issues as I see them percolating around us in our day-to-day lives as decision makers, developers, architects, customers, business owners, partners and, more importantly, end users.</p>]]></description>
         <link>http://blogs.oracle.com/BornIdentity/2008/08/defining_identity.html</link>
         <guid>http://blogs.oracle.com/BornIdentity/2008/08/defining_identity.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Identity &amp; Access Management</category>
        
        
         <pubDate>Sun, 24 Aug 2008 22:38:36 -0800</pubDate>
      </item>
      
   </channel>
</rss>
