CertAnon - PowerPoint PPT Presentation

Slides: 49
Provided by: DM11
1
CertAnon
  • Anonymous WAN Authentication Service
  • Milestone Presentation
  • Red Group
  • CS410
  • April 5, 2007

2
Presentation Outline
  • Problem Description
  • Solution Description
  • Process Description
  • Solution Characteristics
  • Marketing Plan, ROI
  • Management Plan
  • Milestones, Deliverables, Budgets
  • Risk Management
  • Conclusion

3
Who is Chockalingam Ramanathan?
  • Part of a group using stolen passwords to empty
    investors' accounts¹
  • Hit prominent brokers such as TD Ameritrade,
    E*Trade, and Charles Schwab
  • Resulted in more than $2 million in losses, which
    were absorbed by the brokers
  • Fourth tech-intrusion case filed by the SEC since
    December 2006

1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html
4
Fraud Stats
  • From 2005 to 2006²
      • 8.9 million victims of online fraud or identity
        theft
      • Total losses to identity theft and online fraud
        jumped from $54.4 billion to $56.6 billion
      • Mean resolution time per incident skyrocketed
        from 28 to 40 hours per victim

2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html
5
Going Phishing
  • Phishing sites are on the rise³
  • Over 7 million phishing attempts per day

3. Anti-Phishing Working Group - http://www.antiphishing.org/
6
Consumers' Online Activities

7
Password Overload

8
The Problem
  • Single-factor password authentication is easily
    compromised and endangers the security of online
    accounts.
  • Username/password paradigm is insecure⁷
  • Management of multiple strong passwords is
    difficult for individuals
  • Fraudulent online account access and associated
    costs are increasing

7. http://www.schneier.com/crypto-gram-0503.html#2
9
The Endangered Password
  • More online accounts, more passwords
  • Complexity of passwords is limited by the human
    factor⁸
  • Vulnerability is enhanced by the technology
    factor
  • Dissemination is too easy
  • Once compromised, a password is no longer
    effective for authentication

8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
10
CertAnon: A New Proposal
  • Anonymous WAN authentication service
  • Used for any and all online accounts
  • Strong two-factor authentication
  • Limited information sharing
  • Partner with online businesses
  • Initial customers are Internet users

11
Two-Factor Authentication⁹
  • Something you know
      • A single PIN
  • Plus something you have
      • Hardware token generating pseudo-random numbers
      • Effectively changes your password every 60 seconds

9. RSA - http://www.rsasecurity.com/node.asp?id=1156
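As an added illustration of the scheme on this slide (not code from the CertAnon project or from RSA), the following Python models the authentication-server side of a PIN plus a 60-second token code. It assumes an HMAC-SHA1 construction in the style of RFC 6238 as a stand-in for the token's pseudo-random generator (SecurID's actual algorithm is not reproduced), a per-token seed shared with the server, and a server that refuses any time step it has already accepted, so a captured passcode stops working once it has been used or the step has passed.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60     # the deck's "changes your password every 60 seconds"
CODE_DIGITS = 6
DRIFT_STEPS = 1       # tolerate one step of clock drift either side
PBKDF2_ROUNDS = 100_000

def code_for_counter(seed: bytes, counter: int) -> str:
    """Six-digit code for one time step (RFC 6238-style HMAC-SHA1 truncation, assumed stand-in for the token's PRNG)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

def token_code(seed: bytes, unix_time: int) -> str:
    """What the hardware token displays at a given moment (something you have)."""
    return code_for_counter(seed, unix_time // STEP_SECONDS)

def passcode(pin: str, seed: bytes, unix_time: int) -> str:
    """What the user types: PIN (something you know) followed by the token code."""
    return pin + token_code(seed, unix_time)

class TokenRecord:
    """Server-side state for one issued token: shared seed, salted PIN hash, last accepted time step."""
    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.salt = os.urandom(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)
        self.last_counter = -1

def verify(record: TokenRecord, submitted: str, unix_time: int) -> bool:
    """Authentication-server check of a submitted PIN+code against server time."""
    if len(submitted) <= CODE_DIGITS:
        return False
    pin, code = submitted[:-CODE_DIGITS], submitted[-CODE_DIGITS:]
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record.salt, PBKDF2_ROUNDS)
    pin_ok = hmac.compare_digest(candidate, record.pin_hash)
    now = unix_time // STEP_SECONDS
    matched = None
    for counter in range(now - DRIFT_STEPS, now + DRIFT_STEPS + 1):
        # a step at or before the last accepted one is a replay and is never valid again
        if counter > record.last_counter and hmac.compare_digest(code, code_for_counter(record.seed, counter)):
            matched = counter
    if not (pin_ok and matched is not None):
        return False
    record.last_counter = matched   # burn this step so the same passcode cannot be reused
    return True
```

Both factors are checked before any result is returned, so a wrong PIN and a wrong code are indistinguishable to the caller; the drift window is the usual trade-off between tolerating token clock skew and widening the replay window.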
12
RSA SecurID Users
13
Two-Factor Acceptance
  • Rolls-Royce & Bentley Motor Cars
      • Uses RSA SecurID authentication
      • Enables them to use the Internet securely as a
        cost-effective and efficient extension to their
        corporate network
  • E*Trade Financial
      • Provides retail customers the option to add
        Digital Security ID to their Internet security
        solution
      • Helps guard against unauthorized account access

14
Goals and Objectives
  • Build a WAN authentication service that permits
    customers to securely access all of their online
    accounts using a single access method
      • Build our website
      • Write software modules for partner sites
      • Develop testing portal
      • Install authentication servers
      • Distribute tokens
      • Beta-testing, then go live!

15
What Would It Look Like?
17
Who is Our Customer?
  • Two sales channels
  • Individual Internet user (210 million of them!)
      • Purchases CertAnon token for one-time fee of $50
      • Obtaining a critical mass of customers makes
        CertAnon a must-have for online vendors
      • Could provide leverage to charge vendors on a
        transaction basis in the future
  • Security-conscious businesses
      • Purchase batches of tokens for redistribution to
        their customers
      • Focus on those without proprietary solutions

18
Marketing Strategy
  • Offer software modules for customer integration
      • Freely available to encourage adoption of the
        service
  • Approach financial companies not already using a
    two-factor authentication method
      • Bulk token sales
      • Enable them to offer the same customer security
        as larger competitors without the infrastructure
        expense
      • Token reusability will encourage faster customer
        adoption
  • Advertising strategies
      • Internet advertising
      • Computer shows/trade shows
      • Promotional token giveaways

19
ROI for Consumers
  • Reduce/eliminate need for multiple passwords
  • Avoid password theft, unauthorized account
    access, and fraud
  • Information isn't stored on a card or device that
    can be lost
  • Passwords are not stored in a hackable database
    that is a single point of failure

20
ROI for Businesses
  • Very low cost
  • Avoid implementing a costly proprietary solution
  • Improves security of customer base by moving more
    people away from passwords
  • Reduces losses from fraud reimbursement
  • Snaps into existing infrastructure with minimal
    development
  • Customers who don't use CertAnon will be
    unaffected

21
Cons
  • Reliance on a physical token
      • Forgotten
      • Broken
      • Lost or stolen
  • Inadequate for sight-impaired users
  • Customer service coordination will need to be
    handled carefully

22
Competition Matrix
23
Management Plan
24
Team Communications
  • Team meetings (via AOL AIM)
      • Sunday/Tuesday 8:00 P.M.
      • Additional meetings as needed
  • Meetings with Professor Brunelle as needed
  • Meetings with Technical Advisors as needed
  • Google Group for document management and messaging

25
Phase 0 Gantt Chart
26
Phase 1 Gantt Chart
27
Phase 1 Organizational Chart
28
Phase 1 Staffing Budget
29
Phase 1 Resource Budget
30
Phase 2 Gantt Chart
31
Phase 2 Organizational Chart
32
Phase 2 Staffing Budget
33
Phase 2 Resource Budget
34
Phase 3 Gantt Chart
35
Phase 3 Organizational Chart
36
Phase 3 Staffing Budget
37
Phase 3 Resource Budget
38
Total Project Cost
39
Break Even Analysis
40
Funding Plan
  • SBIR Funding Agency: National Science Foundation
      • Phase 1: $100,000
      • Phase 2: $750,000 over two years
  • Phase 3
      • Small business loan
      • Venture capital investment
      • Revenue from token sales

41
Risk Management Plan
  • Identify project risks
  • Determine the phase that the risk is in
  • Categorize risks according to probability and
    impact
  • Reduce risks before or as they happen with
    mitigation actions
  • Continue to reevaluate risks during all phases
  • Watch for new risks

42
Risks and Mitigation
(1-Low to 5-High)
43
Evaluation Plan
  • Time
      • Measured against baseline project plan
  • Cost
      • Measured against budget plan by phase
  • Scope
      • Measured against requirement document
  • Quality
      • Measured by customer adoption rate and
        satisfaction

44
Evaluation Phases
  • Phase 0
      • Idea developed
      • Project website developed
      • Funding secured
  • Phase 1
      • Prototype design
      • Working prototype
      • Initial customer demonstration
  • Phase 2
      • Product design
      • Software module development
      • Software module testing
      • Integration testing
      • Finished product
  • Phase 3
      • First sale completed
      • Product released
      • Marketing plan developed
      • Successful marketing
      • New contracts acquired

45
Conclusion
  • Available, affordable, and proven technology
  • Targets a large and growing market
  • Benefits consumers and online businesses
  • Scalable service
  • Manageable project scope, achievable milestones

46
References
  • "3 Indicted in Online Brokerage Hacking Scheme."
    Washington Post. 13 Mar. 2007. Carrie Johnson.
    2 Apr. 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html>.
  • "Failure of Two-Factor Authentication." Schneier
    on Security. 12 Jul. 2006. Bruce Schneier. 28
    Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
  • "Internet Penetration and Impact." Pew/Internet.
    April 2006. Pew Internet & American Life
    Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
  • "Internet Statistics Compendium - Sample."
    E-consultancy.com. 9 Jan. 2007.
    E-consultancy.com LTD. 28 Jan. 2007
    <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
  • "Internet World Stats." Internet World Stats.
    11 Jan. 2007. Internet World Stats. 15 Feb.
    2007 <http://www.internetworldstats.com/stats2.htm>.
  • "Online Banking Increased 47% since 2002."
    ClickZ Stats. 9 Feb. 2007. The ClickZ Network.
    15 Feb. 2007 <http://www.clickz.com/showPage.html?page3481976table>.

47
References (cont.)
  • "Phishing Activity Trends Report for the Month
    of November, 2006." Anti-Phishing Working Group.
    Nov. 2006. Anti-Phishing Working Group. 28
    Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
  • "Real-World Passwords." Schneier on Security.
    14 Dec. 2006. Bruce Schneier. 28 Jan. 2007
    <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
  • "RSA SecurID Authentication." RSA Security.
    2007. RSA Security, Inc. 28 Jan. 2007
    <http://www.rsasecurity.com/node.asp?id=1156>.
  • "RSA Security Password Management Survey." RSA
    Security. Sep. 2006. Wikipedia. 15 Feb. 2007
    <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
  • "Share of Time Spent Online." ClickZ Stats. 27
    Feb. 2007. The ClickZ Network. 28 Feb. 2007
    <http://www.clickz.com/img/Share_of_Time.html>.

48
Appendix
  • Abstract
  • Management Plan
  • Staffing Plan
  • Risk Management Plan
  • Evaluation Plan
  • Marketing Plan
  • Resource Plan
  • Funding Plan
  • Hardware Specifications
  • SBIR Document
  • Additional Diagrams