CertAnon Anonymous WAN Authentication Service Milestone Presentation Red Group CS410 April 5, 2007


Page 1: CertAnon Anonymous WAN Authentication Service Milestone Presentation Red Group CS410 April 5, 2007

CertAnon
Anonymous WAN Authentication Service
Milestone Presentation
Red Group, CS410
April 5, 2007

Page 2: Presentation Outline

• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion

Page 3: Who is Chockalingam Ramanathan?

• Part of a group using stolen passwords to empty investors’ accounts¹
• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab
• Resulted in more than $2 million in losses, which were absorbed by the brokers
• Fourth tech-intrusion case filed by the SEC since December 2006

1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html

Page 4: Fraud Stats

• From 2005 – 2006²
  – 8.9 million victims of online fraud or identity theft
  – Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion
  – Mean resolution time per incident skyrocketed from 28 to 40 hours per victim

2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html

Page 5: Going Phishing

• Phishing sites are on the rise³
• Over 7 million phishing attempts per day

3. Anti-Phishing Working Group - http://www.antiphishing.org/

Page 6: Consumers’ Online Activities

[Chart: % of Internet users and % of time spent online, by activity (bank online, make travel reservations, communication, commerce); y-axis 0–70 %]⁴ ⁵

4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html

Page 7: Password Overload

[Chart: % of surveyed professionals who have 6–15 passwords vs. over 15 passwords; y-axis 0–35 %]⁶

6. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf

Page 8: The Problem

• Single-factor password authentication is easily compromised and endangers the security of online accounts.
  – Username/Password paradigm is insecure⁷
  – Management of multiple strong passwords is difficult for individuals
  – Fraudulent online account access and associated costs are increasing

7. http://www.schneier.com/crypto-gram-0503.html#2

Page 9: The Endangered Password

• More online accounts = more passwords
• Complexity of passwords is limited by the human factor⁸
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication

8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

Page 10: CertAnon – A New Proposal

• Anonymous WAN authentication service
  – Used for any and all online accounts
  – Strong two-factor authentication
  – Limited information sharing
• Partner with online businesses
• Initial customers are Internet users

Page 11: Two-Factor Authentication⁹

• Something you know
  – A single PIN
• Plus something you have
  – Hardware token generating pseudo-random numbers
• Effectively changes your password every 60 seconds

9. RSA - http://www.rsasecurity.com/node.asp?id=1156

Page 12: RSA SecurID Users

Page 13: Two-Factor Acceptance

• Rolls Royce & Bentley Motor Cars
  – Uses RSA SecurID authentication
  – Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
  – Provides retail customers the option to add Digital Security ID to their Internet security solution
  – Helps guard against unauthorized account access

Page 14: Goals and Objectives

• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
  – Build our website
  – Write software modules for partner sites
  – Develop testing portal
  – Install authentication servers
  – Distribute tokens
  – Beta-testing, then go live!

Page 15: What Would It Look Like?

[Diagram: an Internet user with a CertAnon token sends a login attempt to the site being accessed and receives a login response; that site sends an auth request to an RSA ACE server and receives an auth response. Four RSA ACE servers, each with its own data store: US East Coast, USA West Coast, UK, Australia. The CertAnon website (on its website host) handles account setup and sends database updates to the servers.]

Page 16

4. Bob goes to E*Trade's website to sign in. His E*Trade username is TraderBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.

   Username: TraderBob
   Password: 1a2b3c234836

5. And now he's in his E*Trade account!

6. One minute later, he jumps to the Yahoo! mail page to check e-mail. His Yahoo! username is SpamBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.

   Username: SpamBob
   Password: 1a2b3c184675

7. And now he's in his Yahoo! account!
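The login flow of pages 11, 15 and 16 (a PIN followed by a token code that changes every 60 seconds, checked by a central authentication server rather than by the site being logged into), as an added Python example that is not part of the Red Group's deck and not RSA's code. It substitutes an HMAC-based time-step code (the RFC 6238 TOTP construction) for SecurID's proprietary algorithm; the seed, token id, timestamps and the AuthServer and PartnerSite classes are constructed for the example, and the replay check (a code accepted once is never accepted again) is an added design choice the slides do not mention.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed values for this example: a real token's seed is provisioned by the vendor.
TOKEN_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")
CODE_DIGITS = 6          # "234836" on the slide is six digits
PIN_LENGTH = 6           # "1a2b3c" on the slide is six characters
STEP_SECONDS = 60        # the slides say the code changes every 60 seconds
ALLOWED_DRIFT_STEPS = 1  # tolerate one step of clock skew either side


def token_code(seed: bytes, unix_time: int) -> str:
    """Code shown on the token display at `unix_time`.

    HMAC-SHA1 over the time-step counter, dynamically truncated to CODE_DIGITS
    (the TOTP construction, used here as a stand-in for SecurID's own algorithm).
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class AuthServer:
    """Stand-in for the RSA ACE server in the page-15 diagram.

    It holds token ids, seeds and PIN hashes only, never a partner site's
    usernames, which is the "limited information sharing" of page 10.
    """

    def __init__(self) -> None:
        self._tokens: dict[str, dict] = {}

    def register_token(self, token_id: str, seed: bytes, pin: str) -> None:
        self._tokens[token_id] = {
            "seed": seed,
            "pin_hash": hashlib.sha256(pin.encode()).digest(),
            "last_counter": -1,  # highest time step already consumed by a successful login
        }

    def authenticate(self, token_id: str, passcode: str, now: Optional[int] = None) -> bool:
        """Auth request: passcode is the PIN followed by the current token code."""
        now = int(time.time()) if now is None else now
        rec = self._tokens.get(token_id)
        if rec is None or len(passcode) != PIN_LENGTH + CODE_DIGITS:
            return False
        pin, code = passcode[:PIN_LENGTH], passcode[PIN_LENGTH:]
        pin_hash = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(pin_hash, rec["pin_hash"]):
            return False  # "something you know" failed
        counter = now // STEP_SECONDS
        for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
            candidate = counter + drift
            if candidate <= rec["last_counter"]:
                continue  # replay protection: that step's code was already used
            expected = token_code(rec["seed"], candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                rec["last_counter"] = candidate
                return True
        return False  # "something you have" failed


class PartnerSite:
    """A site such as E*Trade or Yahoo! running the CertAnon software module."""

    def __init__(self, name: str, auth_server: AuthServer) -> None:
        self.name = name
        self._auth = auth_server
        self._accounts: dict[str, str] = {}  # local username -> CertAnon token id

    def link_account(self, username: str, token_id: str) -> None:
        self._accounts[username] = token_id

    def login(self, username: str, password_field: str, now: Optional[int] = None) -> bool:
        """Login attempt: only the token id and passcode go to the auth server."""
        token_id = self._accounts.get(username)
        if token_id is None:
            return False
        return self._auth.authenticate(token_id, password_field, now=now)


def walkthrough() -> tuple:
    """Bob's page-16 session with constructed timestamps, plus a replay and a bad PIN."""
    server = AuthServer()
    server.register_token("token-0001", TOKEN_SEED, "1a2b3c")
    etrade = PartnerSite("E*Trade", server)
    yahoo = PartnerSite("Yahoo!", server)
    etrade.link_account("TraderBob", "token-0001")
    yahoo.link_account("SpamBob", "token-0001")

    t0 = 1_175_817_600  # constructed: a 60-second step boundary
    code_now = token_code(TOKEN_SEED, t0)
    etrade_ok = etrade.login("TraderBob", "1a2b3c" + code_now, now=t0)
    replayed = etrade.login("TraderBob", "1a2b3c" + code_now, now=t0 + 5)

    t1 = t0 + STEP_SECONDS  # "one minute later": the display shows a new code
    code_later = token_code(TOKEN_SEED, t1)
    yahoo_ok = yahoo.login("SpamBob", "1a2b3c" + code_later, now=t1)
    wrong_pin = yahoo.login("SpamBob", "000000" + code_later, now=t1)
    return etrade_ok, replayed, yahoo_ok, wrong_pin


if __name__ == "__main__":
    print(walkthrough())  # (True, False, True, False)
```

The same token serves both sites because each site stores only a mapping from its own username to a token id, and the server compares PIN hashes and codes with constant-time comparisons; the one-step drift window is the usual trade-off between tolerating token clock skew and shrinking the time a captured passcode stays valid.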

Page 17: Who is Our Customer?

• Two sales channels
• Individual Internet user (210 million of them!)
  – Purchases CertAnon token for one-time fee of $50
  – Obtaining a critical mass of customers makes CertAnon a must have for online vendors
  – Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
  – Purchase batches of tokens for redistribution to their customers
  – Focus on those without proprietary solutions

Page 18: Marketing Strategy

• Offer software modules for customer integration
  – Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
  – Bulk token sales
  – Enable them to offer the same customer security as larger competitors without the infrastructure expense
  – Token reusability will encourage faster customer adoption
• Advertising strategies
  – Internet advertising
  – Computer shows/trade shows
  – Promotional token giveaways

Page 19: ROI for Consumers

• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn’t stored on a card or device that can be lost
• Passwords are not stored in a hackable database that is a single point of failure

Page 20: ROI for Businesses

• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected

Page 21: Cons

• Reliance on a physical token
  – Forgotten
  – Broken
  – Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully

Page 22: Competition Matrix

Page 23: Management Plan

Page 24: Team Communications

• Team meetings (via AOL AIM):
  – Sunday/Tuesday 8:00 P.M.
  – Additional meetings as needed
  – Meetings with Professor Brunelle as needed
  – Meetings with Technical Advisors as needed
• Google Group for document management and messaging

Page 25: Phase 0 Gantt Chart

Page 26: Phase 1 Gantt Chart

Page 27: Phase 1 Organizational Chart

Page 28: Phase 1 Staffing Budget

Position | Type | Quantity | Hours | Rate | Total
Documentation Specialist | Student | 1 | 30 | $15 | $452
Financial Director | Student | 1 | 36 | $15 | $542
Hardware Manager | Student | 1 | 103 | $15 | $1,542
Marketing Director | Student | 1 | 8 | $15 | $113
Project Manager | Student | 1 | 74 | $15 | $1,116
Risk Director | Student | 1 | 51 | $15 | $762
Software Manager | Student | 1 | 498 | $15 | $7,474
Web Developer | Student | 1 | 486 | $15 | $7,289

Total Cost: $19,290
40% Overhead: $7,716
Total Phase 1 Staffing Budget: $27,005

Page 29: Phase 1 Resource Budget

Page 30: Phase 2 Gantt Chart

Page 31: Phase 2 Organizational Chart

Page 32: Phase 2 Staffing Budget

Position | Type | Quantity | Hours | Rate | Total
Documentation Specialist | Staff | 1 | 552 | $18 | $9,713
Financial Director | Staff | 1 | 94 | $68 | $6,372
Hardware Manager | Staff | 1 | 200 | $20 | $3,901
HR Manager | Staff | 1 | 172 | $29 | $5,053
Marketing Director | Staff | 1 | 48 | $48 | $2,305
Project Manager | Staff | 1 | 136 | $29 | $3,883
QA Engineer | Staff | 1 | 774 | $21 | $16,009
Risk Director | Staff | 1 | 8 | $18 | $140
Software Engineer 1 | Staff | 1 | 440 | $22 | $9,710
Software Manager | Staff | 1 | 334 | $42 | $13,961
Technical Director | Staff | 1 | 436 | $50 | $21,892
Web Developer | Staff | 1 | 790 | $28 | $22,143

Total Cost: $115,082
40% Overhead: $46,033
Total Phase 2 Staffing Budget: $161,115

Page 33: Phase 2 Resource Budget

Page 34: Phase 3 Gantt Chart

Page 35: Phase 3 Organizational Chart

Page 36: Phase 3 Staffing Budget

Position | Type | Quantity | Hours | Salary | Total
Customer Service Reps | Staff | 5 | 2,080 | $30,400 | $152,000
Documentation Specialist | Staff | 1 | 440 | $36,600 | $7,742
Financial Director | Staff | 1 | 278 | $140,500 | $18,778
Hardware Manager | Staff | 1 | 200 | $40,600 | $3,899
HR Manager | Staff | 1 | 528 | $61,100 | $15,510
Marketing Director | Staff | 1 | 1,161 | $99,900 | $55,763
Project Manager | Staff | 1 | 1,391 | $59,600 | $39,866
QA Engineer | Staff | 1 | 350 | $43,000 | $7,233
Software Engineer 1 | Staff | 1 | 320 | $45,900 | $7,062
Software Manager | Staff | 1 | 345 | $87,000 | $14,443
Technical Director | Staff | 1 | 1,280 | $104,400 | $64,268
Web Developer | Staff | 1 | 320 | $58,300 | $8,969

Total Cost: $395,533
40% Overhead: $158,213
Total Annual Phase 3 Staffing Budget: $553,747

Page 37: Phase 3 Resource Budget

Page 38: Total Project Cost

Phase | Staffing | Resources | Phase Total
Phase 1 | $27,005 | $26,071 | $53,076
Phase 2 | $161,115 | $45,687 | $206,802
Phase 3 (One Year) | $553,747 | $92,958 | $646,705
Total Phases 1-3 | $741,867 | $164,716 | $906,583
Out Years (Annual) | $397,935 | $67,200 | $465,135

Item | Marginal Cost | Per # of Customers | Cost per Customer
Token | $30 | 1 | $30.00
Authentication Server | $2,908 | 250,000 | $0.01
RSA Auth Mgr License | $3,000 | 250,000 | $0.01
Secure Hosting (3 Years) | $36,000 | 250,000 | $0.14

Total Cost: $30.17
40% Overhead: $12.07
Total Marginal Cost Per Customer: $42.23
Marginal Revenue Per Customer: $50.00
Profit Per Customer: $7.77

Page 39: Break Even Analysis

[Chart: Cumulative Break Even Analysis (First Year = Phase 3); revenue in $ (0 to $60,000,000) vs. year (0–3); series: Total Revenue, Total Cost]

Year | Tokens Sold | Total Revenue | Total Cost | Profit
0 | - | $- | $259,878 | ($259,878)
1 | 150,000 | $7,500,000 | $7,241,786 | $258,214
2 | 500,000 | $25,000,000 | $22,489,060 | $2,510,940
3 | 1,000,000 | $50,000,000 | $44,071,537 | $5,928,463

Page 40: Funding Plan

• SBIR Funding Agency: National Science Foundation
  – Phase 1: $100,000
  – Phase 2: $750,000 over two years
• Phase 3
  – Small business loan
  – Venture capital investment
  – Revenue from token sales

Page 41: Risk Management Plan

• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks

Page 42: Risks and Mitigation

[Risk matrix, impact (vertical, 1–5) vs. probability (horizontal, 1–5), scale 1-Low to 5-High: risks 5, 2 and 1 plotted on the impact-5 row; risks 6 and 3 on the impact-3 row; risks 7 and 4 on the impact-2 row]

# | Risk | Mitigation
1 | Trust | Beta-testing
2 | Customer understanding | Tutorials on website
3 | Reliance on token sales revenue | Encourage early partner site adoption
4 | Viable alternatives | Single source two-factor
5 | Token loss | Provide temporary password access
6 | Token availability | Offer online and through retail outlets
7 | Government vs. Anonymity | Follow the lead of encryption products

Page 43: Evaluation Plan

• Time
  – Measured against baseline project plan
• Cost
  – Measured against budget plan by phase
• Scope
  – Measured against requirement document
• Quality
  – Measured by customer adoption rate and satisfaction

Page 44: Evaluation Phases

• Phase 0
  – Idea developed
  – Project website developed
  – Funding secured
• Phase 1
  – Prototype design
  – Working prototype
  – Initial customer demonstration
• Phase 2
  – Product design
  – Software module development
  – Software module testing
  – Integration testing
  – Finished product
• Phase 3
  – First sale completed
  – Product released
  – Marketing plan developed
  – Successful marketing
  – New contracts acquired

Page 45: Conclusion

• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones

Page 46: References

• “3 Indicted in Online Brokerage Hacking Scheme.” Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html>.
• “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• “Internet World Stats.” Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm>.
• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.

Page 47: References (cont.)

• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• “Share of Time Spent Online.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.

Page 48: Appendix

• Abstract
• Management Plan
• Staffing Plan
• Risk Management Plan
• Evaluation Plan
• Marketing Plan
• Resource Plan
• Funding Plan
• Hardware Specifications
• SBIR Document
• Additional Diagrams