CertAnon
Anonymous WAN Authentication Service
Approval Presentation
Red Group, CS410
May 1, 2007

Our Team

Presentation Outline
• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion

Who is Chockalingam Ramanathan?
• Part of a group using stolen passwords to empty investors' accounts [1]
• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab
• Resulted in more than $2 million in losses, which were absorbed by the brokers
• Fourth tech-intrusion case filed by the SEC since December 2006
1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html

Fraud Stats
• From 2005 – 2006 [2]
  – 8.9 million victims of online fraud or identity theft
  – Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion
  – Mean resolution time per incident skyrocketed from 28 to 40 hours per victim
2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html

Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/

Consumers' Online Activities
[Bar chart, y-axis 0–70%. Categories: Bank online, Make travel reservations, Communication, Commerce. Series: % of Internet Users [4], % Time spent online [5].]
4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html

Password Overload
[Bar chart, y-axis 0–35% of surveyed professionals. Categories: Have 6-15 passwords, Have over 15 passwords.] [6]
6. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf

The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
  – Username/Password paradigm is insecure [7]
  – Management of multiple strong passwords is difficult for individuals
  – Fraudulent online account access and associated costs are increasing
7. http://www.schneier.com/crypto-gram-0503.html#2

The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [8]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

CertAnon – A New Proposal
• Anonymous WAN authentication service
  – Used for any and all online accounts
  – Strong two-factor authentication
  – Limited information sharing
• Partner with online businesses
• Initial customers are Internet users

Two-Factor Authentication [9]
• Something you know
  – A single PIN
• Plus something you have
  – Hardware token generating pseudorandom numbers
• Effectively changes your password every 60 seconds
9. RSA - http://www.rsasecurity.com/node.asp?id=1156

RSA SecurID Users

Two-Factor Acceptance
• Rolls Royce & Bentley Motor Cars
  – Uses RSA SecurID authentication
  – Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
  – Provides retail customers the option to add Digital Security ID to their Internet security solution
  – Helps guard against unauthorized account access

Reaching the Goal
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
  – Build our website
  – Write software modules for partner sites
  – Develop testing portal
  – Install authentication servers
  – Distribute tokens
  – Beta-testing, then go live!

What Would It Look Like?

4. Bob goes to E*Trade's website to sign in. His E*Trade username is TraderBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
   Username: TraderBob
   Password: 1a2b3c234836
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail. His Yahoo! username is SpamBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
   Username: SpamBob
   Password: 1a2b3c184675
7. And now he's in his Yahoo! account!

Who is Our Customer?
• Two sales channels
• Individual Internet user (211 million of them!) [10]
  – Purchases CertAnon token for one-time fee of $50
  – Obtaining a critical mass of customers makes CertAnon a must-have for online vendors
  – Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
  – Purchase batches of tokens for redistribution to their customers
  – Focus on those without proprietary solutions
10. Internet World Stats - http://www.internetworldstats.com/stats2.htm

Marketing Strategy
• Offer software modules for customer integration
  – Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
  – Bulk token sales
  – Enable them to offer the same customer security as larger competitors without the infrastructure expense
  – Token reusability will encourage faster customer adoption
• Advertising strategies
  – Internet advertising
  – Computer shows/trade shows
  – Promotional token giveaways

ROI for Consumers
• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn't stored on a card or device that can be lost
• Full passcodes not stored in a hackable database that is a single point of failure

ROI for Businesses
• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected

Cons
• Reliance on a physical token
  – Forgotten
  – Broken
  – Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully

Competition Matrix

Management Plan

Team Communications
• Team meetings (via AOL AIM):
  – Sunday/Tuesday 8:00 P.M.
  – Additional meetings as needed
  – Meetings with Professor Brunelle as needed
  – Meetings with Technical Advisors as needed
• Google Group for document management and messaging

Phase 0 Gantt Chart

Phase 1 Gantt Chart

Phase 1 Major Components
[Diagram. Components: CertAnon website; Auth Server (workstation running simulated authentication manager software); Simulated Partner Web Site; test user on workstation with token simulation software. Flows: Account setup, Data and Update between the CertAnon website and the Auth Server; Login attempt / Login response between the test user's workstation and the Simulated Partner Web Site; Auth request / Auth response between the Simulated Partner Web Site and the Auth Server.]

Phase 1 Development WBS

Phase 1 Organizational Chart

Phase 1 Staffing Budget
Position                 | Type    | Quantity | Hours | Rate | Total
Documentation Specialist | Student | 1        | 30    | $15  | $452
Financial Director       | Student | 1        | 24    | $15  | $362
Hardware Manager         | Student | 1        | 92    | $15  | $1,377
Project Manager          | Student | 1        | 64    | $15  | $960
Risk Director            | Student | 1        | 52    | $15  | $785
Software Manager         | Student | 1        | 500   | $15  | $7,497
Web Developer            | Student | 1        | 486   | $15  | $7,292
Total Cost: $18,723
40% Overhead: $7,489
Total Phase 1 Staffing Budget: $26,212

Phase 1 Resource Budget
Description                                      | Quantity | Cost
Dell Servers - Web site & DB hosting             | 4        | $11,632
Dell Workstations - Dedicated PC's for team use  | 5        | $6,990
MySQL - Web site back end database               | --       | $0
PHP - Web sites and plug-in modules              | --       | $0
Website - Hosting by ODU                         | 1        | $0
Total Cost: $18,622
40% Overhead: $7,449
Total Phase 1 Resource Cost: $26,071

Phase 2 Gantt Chart

Phase 2 Organizational Chart

Phase 2 Staffing Budget
Position                 | Type  | Quantity | Hours | Rate | Total
Documentation Specialist | Staff | 1        | 552   | $18  | $9,713
Financial Director       | Staff | 1        | 94    | $68  | $6,372
Hardware Manager         | Staff | 1        | 200   | $20  | $3,901
HR Manager               | Staff | 1        | 172   | $29  | $5,053
Project Manager          | Staff | 1        | 136   | $29  | $3,883
QA Engineer              | Staff | 1        | 774   | $21  | $16,009
Risk Director            | Staff | 1        | 8     | $18  | $140
Software Engineer 1      | Staff | 1        | 440   | $22  | $9,718
Software Manager         | Staff | 1        | 334   | $42  | $13,961
Technical Director       | Staff | 1        | 136   | $50  | $6,835
Web Developer            | Staff | 1        | 790   | $28  | $22,143
Total Cost: $97,728
40% Overhead: $39,091
Total Phase 2 Staffing Budget: $136,819

Phase 2 Resource Budget
Description                                                          | Quantity | Cost
RSA Authentication Manager Server License                            | 4        | $12,000
Dell Servers - Running RSA Authentication Mgr software               | 4        | $11,632
Dell Workstations - PC's for additional staff                        | 4        | $5,592
RSA Training                                                         | --       | $1,600
Visual Studio Professional 2005 - Used for additional plug-in development | 2   | $1,338
RSA Tokens                                                           | 10       | $500
Total Cost: $32,622
40% Overhead: $13,065
Total Phase 2 Resource Cost: $45,687

Phase 3 Gantt Chart

Phase 3 Organizational Chart

Phase 3 Staffing Budget
Position                 | Type  | Quantity | Hours | Salary   | Total
Customer Service Reps    | Staff | 5        | 2,080 | $30,400  | $152,000
Documentation Specialist | Staff | 1        | 440   | $36,600  | $7,742
Financial Director       | Staff | 1        | 278   | $140,500 | $18,778
Hardware Manager         | Staff | 1        | 200   | $40,600  | $3,899
HR Manager               | Staff | 1        | 528   | $61,100  | $15,510
Marketing Director       | Staff | 1        | 1,161 | $99,900  | $55,763
Project Manager          | Staff | 1        | 1,391 | $59,600  | $39,866
QA Engineer              | Staff | 1        | 350   | $43,000  | $7,233
Sales Representative     | Staff | 3        | 2,080 | $40,488  | $121,464
Software Engineer 1      | Staff | 1        | 320   | $45,900  | $7,062
Software Manager         | Staff | 1        | 345   | $87,000  | $14,443
Technical Director       | Staff | 1        | 1,280 | $104,400 | $64,268
Web Developer            | Staff | 1        | 320   | $58,300  | $8,969
Total Cost: $516,997
40% Overhead: $206,799
Total Phase 3 Staffing Budget: $723,796

Phase 3 Resource Budget
Description                                                    | Quantity | Cost
Secure Server Hosting - Hosting authentication servers remotely | --      | $48,000
Dell Workstations - PC's for additional staff                  | 9        | $12,582
Dell Servers - Web site database servers with RAID arrays      | 2        | $5,816
Total Cost: $66,398
40% Overhead: $26,560
Total Phase 3 Resource Cost: $92,958

Total Project Cost
Phase               | Staffing | Resources | Phase Total
Phase 1             | $26,212  | $26,071   | $52,283
Phase 2             | $136,819 | $45,687   | $182,506
Phase 3 (One Year)  | $723,796 | $92,958   | $816,754
Total Phases 1-3    | $886,827 | $164,716  | $1,051,543
Out Years (Annual)  | $629,776 | $67,200   | $696,976

Item                     | Marginal Cost | Per # of Customers | Cost per Customer
Token                    | $30           | 1                  | $30.00
Authentication Server    | $2,908        | 250,000            | $0.01
RSA Auth Mgr License     | $3,000        | 250,000            | $0.01
Secure Hosting (3 Years) | $36,000       | 250,000            | $0.14
Total Cost: $30.17
40% Overhead: $12.07
Total Marginal Cost Per Customer: $42.23
Marginal Revenue Per Customer: $50.00
Profit Per Customer: $7.77

Break Even Analysis
[Chart: Cumulative Break Even Analysis (Year 0 = Phase 3); Total Revenue and Total Cost, $0 to $60,000,000, over Years 0–3.]
Year | Tokens Sold | Total Revenue | Total Cost  | Profit
0    | 0           | $0            | $816,754    | $(816,754)
1    | 150,000     | $7,500,000    | $7,848,933  | $(348,933)
2    | 500,000     | $25,000,000   | $23,328,049 | $1,671,951
3    | 1,000,000   | $50,000,000   | $45,142,368 | $4,857,632

Funding Plan
• SBIR Funding Agency: National Science Foundation
  – Phase 1: $100,000 max, $52k planned
  – Phase 2: $750,000 or two years, $183k planned
• Phase 3
  – Venture capital investment
  – Small business loan
  – Revenue from token sales

Risk Management Plan
• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks

Risks and Mitigation
[Chart: risks 1–7 plotted by Probability (1-Low to 5-High) against Impact (1–5).]
# | Risk                             | Mitigation
1 | Trust                            | Beta-testing
2 | Customer understanding           | Tutorials on website
3 | Reliance on token sales revenue  | Encourage early partner site adoption
4 | Viable alternatives              | Single source two-factor
5 | Token loss                       | Provide temporary password access
6 | Token availability               | Offer online and through retail outlets
7 | Government vs. Anonymity         | Follow the lead of encryption products

Evaluation Plan
• Time – Measured against baseline project plan
• Cost – Measured against budget plan by phase
• Scope – Measured against requirement document
• Quality – Measured by customer adoption rate and satisfaction

Evaluation Phases
• Phase 0
  – Idea developed
  – Project website developed
  – Funding secured
• Phase 1
  – Prototype design
  – Working prototype
  – Initial customer demonstration
• Phase 2
  – Product design
  – Software module development
  – Software module testing
  – Integration testing
  – Finished product
• Phase 3
  – First sale completed
  – Product released
  – Marketing plan developed
  – Successful marketing
  – New contracts acquired

Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones

References
• "3 Indicted in Online Brokerage Hacking Scheme." Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html>.
• "Internet Penetration and Impact." Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• "Internet Statistics Compendium - Sample." E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.econsultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• "Internet World Stats." Internet World Stats. 10 Mar. 2007. Internet World Stats. 22 Apr. 2007 <http://www.internetworldstats.com/stats2.htm>.
• "Online Banking Increased 47% since 2002." ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.

References (cont.)
• "Phishing Activity Trends: Report for the Month of November, 2006." Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• "Real-World Passwords." Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• "RSA SecurID Authentication." RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• "RSA Security Password Management Survey." RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• "Share of Time Spent Online." ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.

Appendix
• Abstract
• SBIR Document
• Management Plan
• Evaluation Plan
• Resource Plan
• Marketing Plan
• Funding Plan
• Staffing Plan
• Risk Management Plan
• Hardware Specifications
• Work Breakdown Structure
• Additional Diagrams
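The two-factor flow from the "Two-Factor Authentication", "What Would It Look Like?" and "Phase 1 Major Components" slides, worked through as an added Python simulation. This is not Red Group's code and not RSA's algorithm: the SecurID code generator is proprietary, so a TOTP-style HMAC-SHA1 construction (RFC 6238) with a 60-second period stands in for it, and the token serial, seed, timestamp and the AuthServer/PartnerSite names are constructed for the example. It shows what the slides only assert: one token serves two partner accounts, the partner site stores no password (only a username-to-serial link), each passcode is accepted once, and a passcode captured by a phishing page is worthless once its minute has passed.

```python
import hashlib
import hmac
import secrets
import struct

TOKEN_PERIOD = 60   # seconds; the slides say the token code changes every 60 seconds
CODE_DIGITS = 6     # matches the 6-digit codes in Bob's walkthrough (e.g. 234836)


def token_code(seed: bytes, at: float) -> str:
    """Code shown on the token display at time `at` (seconds since the epoch).
    Assumption: TOTP-style HMAC-SHA1 over the 60-second counter; RSA SecurID's
    real generator is proprietary and is not reproduced here."""
    counter = int(at // TOKEN_PERIOD)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthServer:
    """Simulated CertAnon authentication server. It knows each token's seed and a
    salted PIN hash, but nothing about which partner accounts a token is linked to."""

    def __init__(self) -> None:
        self.tokens = {}        # serial -> (seed, salt, pin_hash)
        self.accepted = set()   # (serial, counter) pairs already used: replay guard

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register_token(self, serial: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.tokens[serial] = (seed, salt, self._pin_hash(pin, salt))

    def verify(self, serial: str, passcode: str, now: float, drift: int = 1) -> bool:
        """Check PIN + token code; `drift` is the clock skew tolerated, in 60-second steps."""
        entry = self.tokens.get(serial)
        if entry is None or len(passcode) <= CODE_DIGITS:
            return False
        seed, salt, pin_hash = entry
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        if not hmac.compare_digest(self._pin_hash(pin, salt), pin_hash):
            return False
        counter = int(now // TOKEN_PERIOD)
        for c in range(counter - drift, counter + drift + 1):
            if (serial, c) in self.accepted:
                continue                    # a code is accepted once only
            if hmac.compare_digest(token_code(seed, c * TOKEN_PERIOD), code):
                self.accepted.add((serial, c))
                return True
        return False


class PartnerSite:
    """Simulated partner site running the CertAnon plug-in module: it maps its own
    usernames to token serials and forwards the Password field to the auth server."""

    def __init__(self, name: str, auth: AuthServer) -> None:
        self.name = name
        self.auth = auth
        self.accounts = {}      # local username -> token serial; no password is stored

    def link_account(self, username: str, serial: str) -> None:
        self.accounts[username] = serial

    def login(self, username: str, password_field: str, now: float) -> bool:
        serial = self.accounts.get(username)
        return serial is not None and self.auth.verify(serial, password_field, now)


def demo() -> dict:
    """Bob's walkthrough from the slides, plus a replay and a stale captured passcode."""
    server = AuthServer()
    seed = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed seed
    server.register_token("SN-000001", seed, "1a2b3c")  # constructed serial; PIN from the slides
    etrade = PartnerSite("E*Trade", server)
    etrade.link_account("TraderBob", "SN-000001")
    yahoo = PartnerSite("Yahoo!", server)
    yahoo.link_account("SpamBob", "SN-000001")          # same token, second account

    t0 = 1_178_000_000.0                                # constructed timestamp (May 2007)
    code_t0 = token_code(seed, t0)
    return {
        "etrade_login": etrade.login("TraderBob", "1a2b3c" + code_t0, now=t0),
        "replay_same_passcode": etrade.login("TraderBob", "1a2b3c" + code_t0, now=t0 + 5),
        "captured_passcode_used_later": yahoo.login("SpamBob", "1a2b3c" + code_t0, now=t0 + 180),
        "yahoo_login_next_minute": yahoo.login("SpamBob", "1a2b3c" + token_code(seed, t0 + 60), now=t0 + 60),
        "wrong_pin": yahoo.login("SpamBob", "9z9z9z" + token_code(seed, t0 + 120), now=t0 + 120),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The drift window (one step either side) is the usual trade-off between tolerating token and server clock skew and narrowing the interval in which a captured passcode is still live; the accepted-counter set is what turns a 60-second code into a one-time code, which is the property the "Once compromised, a password is no longer effective" slide is relying on.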