Sophistication Meets Malice

Date: Wednesday, November 02, 2011

Many activities today are completed digitally – whether it’s a simple conversation, online retail or a complex financial transaction. Information is also exchanged through digital interactions between people and devices. Coupled with the rising penetration of the Internet and ubiquity of always-on networked digital devices such as mobile phones and tablets, a fundamental change has taken place in how individuals live and corporations function globally.

However, the rise in popularity of digital devices has also brought an increased risk to security. Malicious threats from attackers who seek to steal user identities and obtain unauthorized access to confidential data and resources are on the rise.

With advanced persistent threats (APT) becoming more prevalent, companies of all sizes need to take a serious look at the security protecting access to data resources. A username and password are no longer sufficient to protect access to the most important aspect of one’s business – the company’s internal information. Stronger access control methods are needed to secure all access points into the network and ensure that only authorized users gain network access. At present, a variety of easy-to-use form factors that meet business requirements and ensure quick end-user adoption are available.

Public Key Infrastructure

Public Key Infrastructure (PKI) is a system that validates a user's digital identity over a public or private network by associating a pair of public and private keys with their individual identity credentials. In PKI systems, the private key is maintained by the end user and the public key is available as part of a digital certificate in a directory that can be freely accessed. The private key remains secure and is not transmitted over the network. It is used for certificate-based authentication, encryption and digital signatures.

PKI technology offers a range of security features for enterprises including authenticity, confidentiality and non-repudiation. PKI applications for end-users include network and workstation logon, secure remote access, single sign-on, email encryption, secure data storage, digital signatures and secure online transactions.
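The certificate-based authentication described above comes down to a challenge-response exchange: the server sends a random nonce, the client signs it with the private key it holds, and the server checks the signature against the public key it has on file. The following Go program is an added illustration written for this article; it is not Gemalto or Protiva code. It uses ECDSA on P-256 from the Go standard library and assumes the server has already bound each user's public key to their identity through a certificate at enrolment (certificate issuance itself is not shown). Note that the private key is never sent: only the signature crosses the network, and each challenge is consumed on first use so a captured signature is useless afterwards.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Client holds the private key. In a smart card deployment the key never
// leaves the card; the only thing that crosses the network is a signature.
type Client struct{ priv *ecdsa.PrivateKey }

func NewClient() (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign answers a challenge: hash it and sign the digest with the private key.
func (c *Client) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Server knows only public keys (assumed to have been bound to each user by a
// certificate at enrolment) and the challenges it has issued and not yet used.
type Server struct {
	pubkeys map[string]*ecdsa.PublicKey
	pending map[string][]byte // user -> outstanding challenge nonce
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.pubkeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce; it replaces any outstanding one.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Authenticate consumes the outstanding challenge (so a captured signature
// cannot be replayed) and verifies the signature with the enrolled public key.
func (s *Server) Authenticate(user string, sig []byte) bool {
	pub, ok := s.pubkeys[user]
	nonce, hasNonce := s.pending[user]
	if !ok || !hasNonce {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed demo: one enrolled user logging in once, then a replay attempt.
	client, _ := NewClient()
	srv := NewServer()
	srv.Enroll("alice", client.PublicKey())
	nonce, _ := srv.Challenge("alice")
	sig, _ := client.Sign(nonce)
	fmt.Println("challenge:", hex.EncodeToString(nonce))
	fmt.Println("first login:", srv.Authenticate("alice", sig), "replay:", srv.Authenticate("alice", sig))
}
```

Binding the nonce to a single login attempt is what makes this a strong authentication method rather than a reusable credential: even an attacker who records the whole exchange cannot reuse the signature, and without the private key cannot answer the next challenge.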

One Time Password

Another strong authentication system is One Time Password (OTP), which provides better protection to online bank accounts, corporate networks and other systems containing sensitive data. OTP systems provide a mechanism for logging on to a network or service using a unique password, which can only be used once. This prevents identity theft by making sure that a captured user name/password pair cannot be used more than once. Typically the user’s logon name stays the same, while the OTP changes with each logon.

OTPs can be generated in several ways, and each method has trade-offs in terms of security, convenience, cost and accuracy. Simple methods such as a printed list of OTP numbers and grid cards can provide a set of OTPs. These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and require users to keep track of where they are on the list of passwords.

A more convenient option for users is an OTP token, a hardware device that generates one-time passwords. Some of these devices are PIN-protected, offering an additional layer of security. More advanced hardware tokens use microprocessor-based smart cards to calculate one-time passwords. Smart cards have several advantages for strong authentication, including data storage capacity, processing power, portability and ease of use. They are inherently more secure than other OTP tokens because they generate a unique, non-reusable password for each authentication event. In addition, smart cards store personal data and do not transmit personal or private data over the network.

Another solution leverages the high penetration of mobile phones, using short messaging service (SMS) as a cost-effective method for OTP authentication. Using a strong authentication server to send an SMS-OTP, users are able to securely access the network without the need for additional authentication devices. SMS-OTP can also function as a backup method for OTP delivery when the user’s primary OTP device has been lost, stolen or broken.
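The property the text relies on, that a captured code cannot be used a second time, is enforced on the server, not by the token. The Go program below is an added example written for this article (it is not Gemalto or Protiva code) showing both halves: the token side computes an HMAC-based one-time password as in RFC 4226 (HOTP), with a time-based variant as in RFC 6238 (TOTP) for clock-synchronised tokens, and the server side tracks the next expected counter per user so a replayed code is refused and skipped counters are burned. The secret is the RFC 4226 test-vector key, used here only so the output can be checked against the published vectors; the `Verifier` type, its look-ahead window and the user names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// pow10 returns 10^n as an integer, avoiding float rounding in the modulus step.
func pow10(n int) uint32 {
	p := uint32(1)
	for i := 0; i < n; i++ {
		p *= 10
	}
	return p
}

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to a 31-bit value, then reduction to
// `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%pow10(digits))
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock, so a
// hardware token and the server stay in step without sharing a counter.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// Verifier is the server side of a counter-based deployment. It stores the
// next counter it expects per user, so a captured code is rejected on replay,
// and accepts codes up to lookAhead steps ahead to tolerate token presses
// that never reached the server.
type Verifier struct {
	secrets   map[string][]byte
	next      map[string]uint64
	lookAhead uint64
	digits    int
}

func NewVerifier(lookAhead uint64, digits int) *Verifier {
	return &Verifier{secrets: map[string][]byte{}, next: map[string]uint64{}, lookAhead: lookAhead, digits: digits}
}

func (v *Verifier) Enroll(user string, secret []byte) {
	v.secrets[user] = secret
	v.next[user] = 0
}

// Verify returns true only for a fresh code inside the window, then advances
// the expected counter past it so neither that code nor any skipped one works again.
func (v *Verifier) Verify(user, code string) bool {
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	start := v.next[user]
	for c := start; c <= start+v.lookAhead; c++ {
		// hmac.Equal gives a constant-time comparison of the two code strings.
		if hmac.Equal([]byte(HOTP(secret, c, v.digits)), []byte(code)) {
			v.next[user] = c + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
	secret := []byte("12345678901234567890")
	v := NewVerifier(5, 6)
	v.Enroll("alice", secret)
	code := HOTP(secret, 0, 6)
	fmt.Println(code, "first use:", v.Verify("alice", code), "replay:", v.Verify("alice", code))
}
```

The window in `Verify` is the usual compromise between usability and exposure: a larger look-ahead tolerates more unsynchronised token presses but gives an attacker with a captured code more chances to use it before the legitimate user does, which is why deployments also rate-limit failed attempts per user.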

At present, most enterprise networks, e-commerce sites and online communities are vulnerable to identity theft through methods such as phishing, keyboard logging and man-in-the-middle attacks.

Strong authentication technologies like Gemalto’s Protiva™ family of smart cards, tokens, smart card readers and authentication servers utilize PKI and OTP to address the limitations in protecting network access and end-users’ digital identities. The Protiva™ range of products is based on Gemalto’s proven smart card expertise, supports current industry standards and provides solutions that operate in both Java and .NET environments. For example, Gemalto’s .NET cards come equipped with support for either OTP or PKI, or both at once for different uses.

This extra level of security makes it extremely difficult for unauthorized users to gain access to confidential information, networks or online accounts – giving both consumers and enterprises peace of mind.

The author is Sales VP, Online Authentication & eBanking Asia, Gemalto