UniOTP Business Solution

From SecuTech Wiki


About This Guide

This document is intended for use by management. UniOTP dynamic password authentication system is a dynamic password authentication product designed by SecuTech Solution Inc. The company is committed to providing superior software protection and authentication experience for the user's personal data and intellectual property.

E-commerce requires that each party cooperates closely in order to provide the consumer with a safer environment and a more convenient and suitable platform for consumption. It will become one of the most important business models in the future. But, while bringing convenience to people's lives, e-commerce also brings several hidden security risks. Attacks are becoming more sophisticated and diverse, and cases where consumers' interests have been harmed are rapidly increasing. Security is one of the most important obstacles to e-commerce development.

The financial industry comprises enterprises operating specialized financial products, including banking, insurance, trusts, securities, leasing, mortgages, etc. With the application of network technology in the financial industry, people can enjoy the convenience brought by computer networks, such as online banking and online securities trading. But with this convenience, user information security faces more serious challenges. Various network attack techniques result in economic losses to customers. Authentication is the first shield for user information security; if it is not strong enough, it can cause severe security problems and economic loss.

Authentication is the first step in assuring safety, and this safety is directly related to consumers' personal interests. Dynamic authentication is a technology that provides users with a strong authentication method and is considered capable of solving today's authentication-related problems. Combining dynamic passwords with e-commerce greatly raises the security level of electronic transactions and better protects consumers' interests. Enterprise applications are the information management systems used by enterprises, such as e-commerce, enterprise resource planning (ERP) and customer relationship management (CRM). Using enterprise applications to process cumbersome information greatly improves enterprise management and manufacturing efficiency.

Some of the information maintained by enterprise applications is confidential and may involve the enterprise's core interests, so the security of this information is very important. Enterprise information security can be achieved by building a defense system that includes anti-virus software, firewalls, network monitors, etc.

Current Situation of Financial Transactions

Transaction mode

OCT (Order confirmation transaction)
When a customer goes to the counter and talks to a teller to do their business directly, the customer has to present their ID and bank card to the teller and provide a password to complete authentication before doing business.
Dedicated terminal
Customers use a dedicated terminal provided by a financial institution (ATM or POS) to process their transactions. Customers need to present a credential card (bank card), customer ID and customer password to start independent transactions.
Online transaction
Customers log in to financial institution websites to process business. In online transactions, customers normally provide an account name and password to complete the authentication process. After successfully logging on, customers can process their business online.
Telephone transaction
Customers can process their business by calling the financial institution's hotline. Customers need to provide user credentials and a password to complete authentication.

Transaction security

The various transaction modes provide different trading experiences to customers, along with different security risks.

OCT security
When customers provide their account number and password, there is a risk that criminals may peek at the password. After stealing the password, a criminal can log into the customer's account and perform illegal operations.
Dedicated terminal security
When a user inputs their account number and password, there is a risk that criminals may record the password. Because dedicated terminals are for public use without any special protection, it is easy for criminals to steal a user's identification information.
Online transaction security
There is a risk that online transaction user accounts and passwords are stolen by criminals through eavesdropping, installing Trojans on a target computer, network hijacking, etc.
Telephone transaction security
There is a risk that user accounts and passwords are stolen by recording and eavesdropping.

Common account security risks

Plagiarism leak
Attackers observe customer account information visually and then use the customer's ID to operate that customer's account illegally. This kind of risk usually occurs when customers do their business in public.
Install Trojans
Attackers install Trojans on a target computer, and steal user accounts and passwords remotely. This security risk usually exists when users perform their business online by PC.
Network sniffing
Attackers extract a user’s confidential information through eavesdropping on the data transmission network.
Replay attack
Attackers simulate a user login by re-sending authentication request packets that were intercepted and recorded on the network, in order to gain access to the user's account.
User password guess
If a user's password is too simple, built from details such as date of birth, anniversary or name, attackers can easily obtain it by guessing those details.
Records leak
If a password is too complicated and a user records it on paper, there is the risk of someone else seeing it.
Brute force
Attackers can obtain passwords by enumeration, simply trying different combinations until one works.
Password sharing
To remember various passwords for many different accounts, users will sometimes use the same password. If one password is stolen, criminals can try it on other accounts.

Security Analysis

A general overview of the hidden security risks with e-commerce:

Falsification
Business-related information is falsified while it is being transferred over a network.
Information destruction
Due to network devices or software malfunctioning, data loss can occur.
Identification
Weak identification methods allow a third party to assume another party's identity and carry out illegal operations.
Information leaking
Information exchanged in a transaction between two parties is read by a third party.

UniOTP's dynamic authentication system helps solve identification related risks. Below are common patterns of identification security risks:

  • Consumer’s account name and password are stolen.
  • The attacker installs a Trojan horse on a user’s computer to steal personal information such as bank account numbers.
  • The attacker listens on the network, intercepts user information and gets the bank account number.
  • For greater convenience, a consumer chooses an easy password such as their birth date, wedding anniversary, name, etc. making the password easy to guess for the attacker.
  • The consumer stores password information in a certain place (file or notebook), that might lead to it being leaked.
  • The attacker uses a brute force attack.
  • The consumer uses the same password for different accounts.

Dynamic Password Technology

Dynamic password overview

Dynamic passwords, also called one-time passwords, are considered one method capable of solving existing authentication security problems. They are widely used in many settings, such as banks, stock exchanges and e-commerce. Three elements are used to generate a dynamic password: the dynamic password generation algorithm, the user's private key and a dynamic factor. When you authenticate, besides your account name and your password, you must also provide the dynamic password to pass the authentication process.

Time-based dynamic password generation automatically creates a new, unpredictable random password every 60 seconds; each password can be used only once. Event-based dynamic password generation creates a new, unpredictable random password every time you press the token's button; each password can be used only once. Challenge-response dynamic password generation uses a challenge code: when the user requests authentication, the server returns a challenge code, and this challenge code is used to generate the password for that authentication.

Dynamic password characteristics

Dynamic
As the dynamic factor changes, the password generated by the dynamic password token changes; every generated password is different from the others.
Valid only one time
Password generated by the dynamic password token can only be used one time, after that it will become invalid.
Random
Passwords are randomly generated and cannot be predicted by statistical analysis.
Easy to use
A dynamic password is easy to use: the user does not need to remember the password, only to read it from the token at authentication time.
Loss report
As the user always keeps the token with him, he can notice the loss of the device immediately and report it as lost to the administrator who will disable the token, reducing risks caused by loss.
Protection against Trojans/Network interception
Because the password is valid only once, it protects against peeking, Trojans and network interception.
Protection against brute force attack
The fact that the password is dynamic, and so changes every time, is a good protection against a brute force attack: the attacker has less than 60 seconds to crack the password and use it before it becomes invalid or before the user himself uses it.
Economic
One token can be used for more than 3 years, thus saving on continual costs.
Computer-independent
The dynamic password token has an LED display, so you do not need to connect it to your computer through a USB port. Because there is no connection with the computer, it is very safe to use and does not carry the security risks of USB-based token products and certificate-based products (with USB products, there is still some risk of infection by Trojans).

Static password weak points

  • In order to make a password easier to remember, users often use their birth date, phone number, etc. as a password. Hackers can use a dictionary attack to crack such passwords.
  • If a password is used many times, hackers can easily recover it by identifying the encrypted authentication information transmitted over the network and using an interception and replay technique, causing critical information to be leaked.
  • Because most authentication information currently transmitted over a network is unencrypted, hackers can obtain important information about users by eavesdropping on the network data stream; they identify the authentication information and intercept passwords from the network or telephone line.
  • Hackers may even obtain a user's password through spies, social engineering or other methods.

Dynamic password usage procedure

  • The user requests a connection to the web server.
  • The web server asks the user to authenticate.
  • The user's computer displays a login interface, asking the user to input account name, password and dynamic password.
  • The user's computer sends the user's authentication information to the web server.
  • The web server requests the Authentication Server to authenticate the user's identity.
  • The Authentication Server returns the authentication result to the web server.
  • The web server decides whether the user can log in based on the authentication result.
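The three generation modes described in the dynamic password overview (time-based with a 60-second step, event-based and challenge-response) together with the server-side check in the usage procedure above, as an added example that is not part of this page and not UniOTP's own code. It assumes a generic HMAC-SHA1 truncation construction, since the page does not specify UniOTP's algorithm, and a constructed demo secret; all function and class names are hypothetical. The verifier enforces the one-time validity the page describes, so a captured or replayed password is rejected.

```python
import hashlib
import hmac
import struct

# Assumption: a generic HMAC-SHA1 construction truncated to 6 digits.
# UniOTP's real generation algorithm is not described on the page.
def otp_from_factor(secret: bytes, factor: bytes, digits: int = 6) -> str:
    mac = hmac.new(secret, factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def time_factor(now: float, step: int = 60) -> bytes:
    return struct.pack(">Q", int(now // step))   # 60-second time step

def event_factor(counter: int) -> bytes:
    return struct.pack(">Q", counter)            # button-press counter

def challenge_factor(challenge: str) -> bytes:
    return challenge.encode("ascii")             # server-issued challenge

class OTPVerifier:
    """Authentication-server side: checks a dynamic password and enforces one-time validity."""

    def __init__(self, secret: bytes, step: int = 60, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.used_steps = set()        # time steps whose password was already accepted
        self.counter = 0               # last accepted event counter
        self.pending_challenge = None  # outstanding challenge, if any

    def verify_time(self, code: str, now: float) -> bool:
        # Tolerate +/- window steps of clock drift between token and server.
        for drift in range(-self.window, self.window + 1):
            factor = time_factor(now + drift * self.step, self.step)
            if hmac.compare_digest(otp_from_factor(self.secret, factor), code):
                if factor in self.used_steps:
                    return False       # replay: this step's password was used
                self.used_steps.add(factor)
                return True
        return False

    def verify_event(self, code: str, lookahead: int = 5) -> bool:
        # Accept only counters above the last accepted one (a few skipped presses are fine).
        for c in range(self.counter + 1, self.counter + 1 + lookahead):
            if hmac.compare_digest(otp_from_factor(self.secret, event_factor(c)), code):
                self.counter = c       # every counter up to c is now burned
                return True
        return False

    def issue_challenge(self, random_bytes: bytes) -> str:
        self.pending_challenge = random_bytes.hex()   # caller supplies CSPRNG output
        return self.pending_challenge

    def verify_challenge(self, code: str) -> bool:
        challenge, self.pending_challenge = self.pending_challenge, None  # single use
        if challenge is None:
            return False
        return hmac.compare_digest(
            otp_from_factor(self.secret, challenge_factor(challenge)), code)
```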


UniOTP Dynamic Password Authentication

Overview

The UniOTP dynamic password authentication system is a dynamic password product developed by SecuTech Solution Inc. It can efficiently reduce the losses caused by password leaks and offers powerful protection for user information and intellectual property. It can be integrated with many kinds of systems, providing a dynamic password authentication service that fits any user's needs. The enterprise server uses the Agent SDK to integrate with the UniOTP dynamic password authentication system and unify the user authentication service. The open architecture and modular structure of the UniOTP system make integration with the enterprise server convenient, and its robustness, flexibility, high availability and easy maintenance provide the best dynamic password authentication experience to the user.

Solution Description

E-commerce’s web structure mainly uses a server/browser setup. UniOTP dynamic password system provides two integration methods:

First Solution

Use the Agent SDK (or Agent software) to integrate the Web server with the UniOTP dynamic password authentication system, providing unified authentication for the consumer. The open architecture, high stability and user-friendly interactivity of UniOTP's dynamic password system provide the best possible dynamic password authentication and user experience.

user browser -> web server <-> UniOTP Agent <-> UniOTP Authentication server

Authentication process
After having integrated the dynamic password authentication as above, the consumer login process is the following:
  • The consumer uses their browser to display the login page.
  • The consumer fills in their username, password and dynamic password and sends the login request.
  • The web server authentication module receives the data submitted by the user and uses the UniOTP Agent to send this data to the UniOTP authentication server.
  • The UniOTP authentication server processes the user's authentication information to complete the authentication and returns the authentication result to the UniOTP Agent.
  • The UniOTP Agent returns the authentication result to the web server authentication module.
  • The web server decides whether the user can log in depending on the authentication result sent by the UniOTP Agent.
  • The consumer is logged in, or receives a login error message if the authentication failed.

Second solution

Use the Server SDK to add the dynamic password authentication function to the web server and integrate the Web Server System with the UniOTP dynamic password authentication system. With Server SDK integration performing the web application's dynamic password authentication, you do not need to rely on a UniOTP authentication server, but, compared to the previous method, this method requires the user to have strong development skills.

user browser <-> web server <-> UniOTP Authentication server

Authentication process
Once you have integrated UniOTP dynamic password authentication according to the diagram above, the authentication process is the following:
  • The consumer opens the login page in their browser.
  • The consumer fills in their username, password and dynamic password and sends the login request.
  • The Web server receives the authentication information submitted by the user and calls the UniOTP Authentication Module to complete user authentication.
  • The Web server decides to allow or deny the consumer's login depending on the authentication result.
  • The consumer is allowed to log in, or receives an error message if authentication fails.

UniOTP Dynamic password protection for each type of transaction

UniOTP protection by transaction method:

OTC transaction
The main security risk of OTC transactions is plagiarism. The UniOTP dynamic password authentication system uses passwords that are valid only once; after a password is used, it is disabled. Therefore the UniOTP system can protect user information security effectively.
Dedicated terminal transaction
The one-time validity of UniOTP dynamic passwords provides an excellent anti-peek feature. Whatever means an attacker uses to steal user information, the stolen password is no longer valid, so the UniOTP dynamic password authentication system can eliminate the risk of dedicated terminal transactions.
Online transaction
Online transactions are easily attacked. With its one-time validity, randomness and unpredictability, the UniOTP dynamic password protects user information from Trojans, network sniffing and replay attacks.
Telephone transaction
The one-time validity feature enables UniOTP to eliminate password leakage caused by passwords being stolen during telephone transactions.

UniOTP Dynamic password increases user authentication security

UniOTP dynamic passwords are valid only once and cannot be predicted by any statistical means: the attacker cannot deduce the next password from previous ones, and a password is disabled immediately after it has been used once. By using dynamic passwords, you can avoid the potential safety problems caused by plagiarism, Trojans, network monitoring and password leakage by consumers.

UniOTP dynamic password authentication solution analysis

  • UniOTP dynamic password authentication helps financial institutions provide customers with a secure authentication service, and satisfy customers who require higher account security.
  • Easy integration and maintenance reduce costs.
  • Better account protection helps to improve the reputation of financial institutions.
  • Secure transaction environments will attract more customers.
  • Reduce administrative cost caused by password theft.
  • Easy to use; it requires no software and no interface connection to a computer.
  • Reduce user costs; every UniOTP can be used for 3-5 years.
  • Improve account security and reduce customer economic risk.

UniOTP Dynamic password authentication benefits analysis

  • The UniOTP dynamic authentication system helps financial organizations strengthen their authentication method in order to satisfy consumer security needs.
  • The UniOTP dynamic password authentication system can be integrated simply and maintained easily, thus reducing costs.
  • UniOTP dynamic password authentication system assists e-business service providers to build a more secure platform for consumers and increase the credit and reputation of the e-business operator.
  • UniOTP Dynamic password authentication protects consumer information from being stolen, and increases your users’ feeling of security.
  • One token can be used from 3 to 5 years, reducing initial cost for the consumer.


About UniOTP

The UniOTP dynamic password authentication system is a dynamic password authentication product designed by SecuTech Solution Inc. The company is committed to providing a superior software protection and authentication experience for the user's personal data and intellectual property. Financial sector activities require that each party cooperates closely in order to provide the consumer with a safer commercial environment and a more convenient and suitable consumer platform.