CertAnon Anonymous WAN Authentication Service Milestone Presentation

CertAnon: Anonymous WAN Authentication Service Milestone Presentation
Red Group
CS410
April 5, 2007
Presentation Outline
• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion
Who is Chockalingam Ramanathan?
• Part of a group using stolen passwords to empty investors’ accounts [1]
• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab
• Resulted in more than $2 million in losses, which were absorbed by the brokers
• Fourth tech-intrusion case filed by the SEC since December 2006
1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html
Fraud Stats
• From 2005 – 2006 [2]
  – 8.9 million victims of online fraud or identity theft
  – Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion
  – Mean resolution time per incident skyrocketed from 28 to 40 hours per victim
2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html
Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/
Consumers’ Online Activities
[Chart: percentage of Internet users vs. percentage of time spent online, by activity (bank online, make travel reservations, communication, commerce); vertical axis 0 to 70%] [4][5]
4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html
Password Overload
[Chart: percentage of surveyed professionals who have 6-15 passwords vs. those who have over 15 passwords; vertical axis 0 to 35%] [6]
6. RSA Security Password Management Survey http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf
The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
  – Username/Password paradigm is insecure [7]
  – Management of multiple strong passwords is difficult for individuals
  – Fraudulent online account access and associated costs are increasing
7. http://www.schneier.com/crypto-gram-0503.html#2
The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [8]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
CertAnon – A New Proposal
• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Partner with online businesses
• Initial customers are Internet users
Two-Factor Authentication [9]
• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudorandom numbers
• Effectively changes your password
every 60 seconds
9. RSA - http://www.rsasecurity.com/node.asp?id=1156
RSA SecurID Users
Two-Factor Acceptance
• Rolls Royce & Bentley Motor Cars
  – Uses RSA SecurID authentication
  – Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
  – Provides retail customers the option to add Digital Security ID to their Internet security solution
  – Helps guard against unauthorized account access
Goals and Objectives
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
  – Build our website
  – Write software modules for partner sites
  – Develop testing portal
  – Install authentication servers
  – Distribute tokens
  – Beta-testing, then go live!
What Would It Look Like?
4. Bob goes to E*Trade's website to sign in.
   Username: TraderBob (his E*Trade username is TraderBob, so he types that as usual)
   Password: 1a2b3c234836 (he looks at the code on his token display and types his PIN and that token code in the Password field)
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail.
   Username: SpamBob (his Yahoo! username is SpamBob, so he types that as usual)
   Password: 1a2b3c184675 (he looks at the code on his token display and types his PIN and that token code in the Password field)
7. And now he's in his Yahoo! account!
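As an added example (not code from the Red Group deck, nor RSA's), the PIN-plus-token-code login that the two-factor slide describes and that Bob performs above, simulated in Python: a token derives a fresh six-digit code every 60 seconds, and one central verifier accepts `PIN + code` from any partner site while refusing a wrong PIN or a code that has already been used. The seed, the PIN and the HMAC-based code derivation are assumptions; RSA SecurID's actual algorithm is not described on the page.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # slide: the token "effectively changes your password every 60 seconds"
CODE_DIGITS = 6     # the slide's codes (234836, 184675) are six digits


def token_code(seed: bytes, now: int) -> str:
    """Code the token would display at epoch second `now`.

    Assumed stand-in: HMAC-SHA1 over the 60-second step counter with
    RFC 4226 dynamic truncation. This is not RSA SecurID's algorithm.
    """
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class AuthServer:
    """One central verifier that every partner site (E*Trade, Yahoo!) calls.

    Holds the token seed and a PIN hash; partner sites never see the PIN
    or the seed and keep no password database of their own.
    """

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.last_step = -1   # newest time step already accepted; blocks code replay

    def verify(self, passcode: str, now: int) -> bool:
        """Accept `PIN + tokencode` as typed into a partner site's password field."""
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pin_ok = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        step = now // STEP_SECONDS
        # Newest step first; +/- one step absorbs token/server clock drift.
        for candidate in (step + 1, step, step - 1):
            expected = token_code(self.seed, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if not pin_ok or candidate <= self.last_step:
                    return False   # wrong PIN, or a code that was already used
                self.last_step = candidate
                return True
        return False
```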
Who is Our Customer?
• Two sales channels
• Individual Internet user (210 million of them!)
  – Purchases CertAnon token for one-time fee of $50
  – Obtaining a critical mass of customers makes CertAnon a must have for online vendors
  – Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
  – Purchase batches of tokens for redistribution to their customers
  – Focus on those without proprietary solutions
Marketing Strategy
• Offer software modules for customer integration
  – Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
  – Bulk token sales
  – Enable them to offer the same customer security as larger competitors without the infrastructure expense
  – Token reusability will encourage faster customer adoption
• Advertising strategies
  – Internet advertising
  – Computer shows/trade shows
  – Promotional token giveaways
ROI for Consumers
• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn’t stored on a card or device that can be lost
• Passwords are not stored in a hackable database that is a single point of failure
ROI for Businesses
• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected
Cons
• Reliance on a physical token
  – Forgotten
  – Broken
  – Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully
Competition Matrix
Management Plan
Team Communications
• Team meetings (via AOL AIM):
  – Sunday/Tuesday 8:00 P.M.
  – Additional meetings as needed
  – Meetings with Professor Brunelle as needed
  – Meetings with Technical Advisors as needed
• Google Group for document management and messaging
Phase 0 Gantt Chart
Phase 1 Gantt Chart
Phase 1 Organizational Chart
Phase 1 Staffing Budget
Position                       Type     Quantity  Hours  Rate  Total
Documentation Specialist       Student  1         30     $15   $452
Financial Director             Student  1         36     $15   $542
Hardware Manager               Student  1         103    $15   $1,542
Marketing Director             Student  1         8      $15   $113
Project Manager                Student  1         74     $15   $1,116
Risk Director                  Student  1         51     $15   $762
Software Manager               Student  1         498    $15   $7,474
Web Developer                  Student  1         486    $15   $7,289
Total Cost                                                     $19,290
40% Overhead                                                   $7,716
Total Phase 1 Staffing Budget                                  $27,005
Phase 1 Resource Budget
Phase 2 Gantt Chart
Phase 2 Organizational Chart
Phase 2 Staffing Budget
Position                       Type   Quantity  Hours  Rate  Total
Documentation Specialist       Staff  1         552    $18   $9,713
Financial Director             Staff  1         94     $68   $6,372
Hardware Manager               Staff  1         200    $20   $3,901
HR Manager                     Staff  1         172    $29   $5,053
Marketing Director             Staff  1         48     $48   $2,305
Project Manager                Staff  1         136    $29   $3,883
QA Engineer                    Staff  1         774    $21   $16,009
Risk Director                  Staff  1         8      $18   $140
Software Engineer 1            Staff  1         440    $22   $9,710
Software Manager               Staff  1         334    $42   $13,961
Technical Director             Staff  1         436    $50   $21,892
Web Developer                  Staff  1         790    $28   $22,143
Total Cost                                                    $115,082
40% Overhead                                                  $46,033
Total Phase 2 Staffing Budget                                 $161,115
Phase 2 Resource Budget
Phase 3 Gantt Chart
Phase 3 Organizational Chart
Phase 3 Staffing Budget
Position                               Type   Quantity  Hours  Salary    Total
Customer Service Reps                  Staff  5         2,080  $30,400   $152,000
Documentation Specialist               Staff  1         440    $36,600   $7,742
Financial Director                     Staff  1         278    $140,500  $18,778
Hardware Manager                       Staff  1         200    $40,600   $3,899
HR Manager                             Staff  1         528    $61,100   $15,510
Marketing Director                     Staff  1         1,161  $99,900   $55,763
Project Manager                        Staff  1         1,391  $59,600   $39,866
QA Engineer                            Staff  1         350    $43,000   $7,233
Software Engineer 1                    Staff  1         320    $45,900   $7,062
Software Manager                       Staff  1         345    $87,000   $14,443
Technical Director                     Staff  1         1,280  $104,400  $64,268
Web Developer                          Staff  1         320    $58,300   $8,969
Total Cost                                                               $395,533
40% Overhead                                                             $158,213
Total Annual Phase 3 Staffing Budget                                     $553,747
Phase 3 Resource Budget
Total Project Cost
Phase               Staffing   Resources  Phase Total
Phase 1             $27,005    $26,071    $53,076
Phase 2             $161,115   $45,687    $206,802
Phase 3 (One Year)  $553,747   $92,958    $646,705
Total Phases 1-3    $741,867   $164,716   $906,583
Out Years (Annual)  $397,935   $67,200    $465,135

Item                              Marginal Cost  Per # of Customers  Cost per Customer
Token                             $30            1                   $30.00
Authentication Server             $2,908         250,000             $0.01
RSA Auth Mgr License              $3,000         250,000             $0.01
Secure Hosting (3 Years)          $36,000        250,000             $0.14
Total Cost                                                           $30.17
40% Overhead                                                         $12.07
Total Marginal Cost Per Customer                                     $42.23
Marginal Revenue Per Customer                                        $50.00
Profit Per Customer                                                  $7.77
Break Even Analysis
[Chart: Cumulative Break Even Analysis (First Year = Phase 3), Total Revenue vs. Total Cost by year 0 to 3; vertical axis $0 to $60,000,000]

Year  Tokens Sold  Total Revenue  Total Cost   Profit
0     0            $0             $259,878     $(259,878)
1     150,000      $7,500,000     $7,241,786   $258,214
2     500,000      $25,000,000    $22,489,060  $2,510,940
3     1,000,000    $50,000,000    $44,071,537  $5,928,463
Funding Plan
• SBIR Funding Agency: National Science Foundation
– Phase 1: $100,000
– Phase 2: $750,000 or two years
• Phase 3
– Small business loan
– Venture capital investment
– Revenue from token sales
Risk Management Plan
• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks
Risks and Mitigation
[Chart: risk matrix plotting risks 1 to 7 by Impact (1 to 5) against Probability (1-Low to 5-High)]

#  Risk                              Mitigation
1  Trust                             Beta-testing
2  Customer understanding            Tutorials on website
3  Reliance on token sales revenue   Encourage early partner site adoption
4  Viable alternatives               Single source two-factor
5  Token loss                        Provide temporary password access
6  Token availability                Offer online and through retail outlets
7  Government vs. Anonymity          Follow the lead of encryption products
Evaluation Plan
• Time
  – Measured against baseline project plan
• Cost
  – Measured against budget plan by phase
• Scope
  – Measured against requirement document
• Quality
  – Measured by customer adoption rate and satisfaction
Evaluation Phases
• Phase 0
  – Idea developed
  – Project website developed
  – Funding secured
• Phase 1
  – Prototype design
  – Working prototype
  – Initial customer demonstration
• Phase 2
  – Product design
  – Software module development
  – Software module testing
  – Integration testing
  – Finished product
• Phase 3
  – First sale completed
  – Product released
  – Marketing plan developed
  – Successful marketing
  – New contracts acquired
Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones
References
• “3 Indicted in Online Brokerage Hacking Scheme.” Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wpdyn/content/article/2007/03/12/AR2007031201558.html>.
• “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.econsultancy.com/publications/download/91130/internet-statscompendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• “Internet World Stats.” Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm>.
• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.
References (cont.)
• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• “Share of Time Spent Online.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.
Appendix
• Abstract
• Management Plan
• Staffing Plan
• Risk Management Plan
• Evaluation Plan
• Marketing Plan
• Resource Plan
• Funding Plan
• Hardware Specifications
• SBIR Document
• Additional Diagrams