iSolv in the News

Positive Identification to replace Passwords for Internet and Other Applications

The recent spate of Internet banking fraud has focussed the public mind on the risks associated with online transactions. The industry norm for security on Internet banking sites is the use of Secure Socket Layer (SSL) together with user IDs and passwords. The sophistication of the criminal element of our society keeps improving at a rate that Internet banking security has not kept up with.

With the advent of the Electronic Communications and Transactions (ECT) Act of 2002, the consumer’s rights are to be protected in the online world. Digital certificates, smart cards and biometrics are some of the technologies that may be utilised to address such security exposures and curb the current levels of fraud experienced.

A secure web communication channel such as SSL on its own is not suitable for financial and other sensitive online transactions, as it does not provide authentication of the client (user) to the server; that is, the application must implement other means to identify the user connecting to it. It is common practice for applications to implement user IDs and passwords to provide this authentication. The problems with this approach are:

  • the user ID and password can be guessed or acquired by other means by a fraudster; and
  • weak passwords are the norm rather than the exception, as users choose passwords that are easy to remember, which makes the fraudster’s job of guessing a password easier.

As an alternative, a digital certificate can be used to uniquely identify the user to the application over a secure communication channel, thereby removing the risks posed by the use of passwords. The use of digital certificates provides the following advantages:

  • Fraudsters cannot easily guess the key associated with your digital certificate.
  • Your digital certificate, if acquired by a fraudster from your PC, is useless without the private key that goes with it. The private key is stored securely on your system so as to prevent unauthorised disclosure.
  • The password you use on your digital certificate activates the private key; it does not authenticate you to the online application. In other words, the password is useless to the fraudster without the private key.

Further enhancements to this security can be implemented through the use of smart cards or a combination of smart cards and fingerprint biometrics. In the case of smart cards, the chip provides enhanced security mechanisms to protect the private keys stored in its memory. A hacker who compromises the security of your PC has no physical access to the smart card and will not be able to access the private key stored on it.

To further protect the private key, a biometric such as fingerprint can be used to protect the private key on the smart card. This provides the highest level of security as it requires the physical presence of the smart card and the user before the private key can be activated for use in an online transaction.

iSolv Technologies is the provider of a South African-developed positive identification solution based on digital certificates, smart cards and biometrics. This solution has been successfully deployed within the South African Post Office social grant payment system. The SAPO TrustCentre, which houses the back-end systems developed by iSolv, is the secure facility that maintains the digital certificates and fingerprint biometrics for this project.


Leveraging Secure Electronic Mail in your Enterprise

One often associates electronic commerce applications with web servers and browsers. This medium is suited to information retrieval and on-line interaction, i.e. an information pull model of communication. However, many business applications require an information push model of communication, where large volumes of customised information need to be distributed to individuals on a regular basis. E-mail is ideally suited to cater for this push model of communication.

E-mail is the most widely used application on the Internet today. It is used extensively for business-to-business, business-to-consumer, business internal and interpersonal communication by multinationals, corporates and individuals worldwide.

Some of the business applications in which e-mail communication may be directly applied include:

  • Collaboration encompassing internal and trusted external parties.
  • Secure electronic distribution of desktop software updates and patches.
  • Subscription-based services delivery by information providers.
  • Outsourcing of the organization’s messaging requirement to an external service provider.

Businesses and individuals, out of sheer convenience, often unwittingly use conventional e-mail to convey information of a sensitive nature. However, this form of communication is akin to writing sensitive information on the back of a conventional postcard: the information is vulnerable to disclosure and tampering while it is in transit or in storage. In the same way, information in unprotected e-mail is vulnerable to disclosure and tampering as it traverses open networks such as the Internet.

Conventional e-mail suffers from the following risks:

  • Lack of information confidentiality
    Conventional e-mail does not provide for data confidentiality in that the message contents can be disclosed to any party that views it while it is in transit or while it resides unread in the recipient’s mailbox at his/her service provider.
  • Lack of control over information disclosure
    Conventional e-mail services do not provide for usage restriction based on administrator-specified access rights. This commonly leads to uncontrolled leakage of the organization’s valuable and often sensitive information assets to untrusted external parties.
  • Information tampering
    Conventional e-mail communication also does not provide for data integrity in that the message contents can be modified while in transit or while it resides unread in the recipient’s mailbox at the service provider.
  • Delivery failures
    E-mail communication does not provide tamper-proof delivery notification. Recipients can often deny receiving critical information.
  • Identity spoofing
    Due to the open nature of the Internet, no guarantee is provided as to the identity of the author of any e-mail message. Any person connected to the Internet can use any mail server worldwide to compose a message with a forged author identity. This type of fraud will go undetected by the recipient of the forged e-mail, as no mechanisms are available to establish the true identity of the author.

These security risks directly limit the applicability of unprotected e-mail to the communication of any sensitive information. In particular, they limit the ability of organisations to leverage e-mail as a serious business tool for the communication of confidential information internally, to business partners and to their customers.

Suitable security countermeasures exist to address these security risks. Data within e-mail messages can be kept confidential through the use of data encryption and decryption. Digital certificates are an industry-accepted mechanism that can be used to identify users communicating via e-mail. Furthermore, digital signatures can be used to maintain the integrity of information sent via e-mail.
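The following Go program is an added example, not iSolv's product or any code from the original articles. It demonstrates the mechanism both articles rely on: the passphrase only unlocks a locally held private key (here a passphrase-encrypted PEM block standing in for the smart card), the application authenticates the user by verifying a signature over a challenge with the public key from the certificate, and the same signature check detects a tampered e-mail body. P-256 ECDSA and the sample nonce and passphrase are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// GenerateProtectedKey creates a P-256 key pair and wraps the private key in a
// passphrase-encrypted PEM block: the passphrase only activates the key locally.
// The returned public key stands in for the certificate the verifier holds.
func GenerateProtectedKey(passphrase string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil { return nil, nil, err }
	block, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der,
		[]byte(passphrase), x509.PEMCipherAES256)
	if err != nil { return nil, nil, err }
	return pem.EncodeToMemory(block), &priv.PublicKey, nil
}

// SignWithProtectedKey unlocks the wrapped key with the passphrase and signs data
// (a server challenge or an e-mail body). A wrong passphrase yields an error,
// never a signature: the passphrase alone proves nothing to the application.
func SignWithProtectedKey(wrapped []byte, passphrase string, data []byte) ([]byte, error) {
	block, _ := pem.Decode(wrapped)
	if block == nil { return nil, fmt.Errorf("no PEM block found") }
	der, err := x509.DecryptPEMBlock(block, []byte(passphrase))
	if err != nil { return nil, fmt.Errorf("cannot unlock private key: %w", err) }
	priv, err := x509.ParseECPrivateKey(der)
	if err != nil { return nil, err }
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify needs only the public key; any change to data (a replayed challenge,
// a modified message) makes verification fail.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	wrapped, pub, _ := GenerateProtectedKey("correct-passphrase") // constructed sample
	sig, _ := SignWithProtectedKey(wrapped, "correct-passphrase", []byte("nonce-1234"))
	fmt.Println("challenge accepted:", Verify(pub, []byte("nonce-1234"), sig))
}
```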

Several products are currently available in the marketplace which provide this capability to secure e-mail messages. However, many of these products do not address the issues of digital certificate configuration and management in a manner that is transparent to the user. This makes it difficult for the user to fully exploit the capabilities provided by this technology. As a result, these solutions do not adequately cater for the large-scale, global intercommunication that is characteristic of e-mail.

iSolv Technologies’ digital certificate solution for e-mail users provides security in the form of key exchange for encryption and electronic signatures. This product works with all of the popular S/MIME-capable e-mail clients, including Microsoft Outlook and Outlook Express. iSolv's solution in this regard is ideally suited to address the e-mail security concerns of corporates and of individuals communicating over the Internet.