e-Authentication for Business

Is e-Authentication required for my Business?

The Internet has revolutionised the way information and services are delivered. Offering business functions online is now a prerequisite for a company to remain competitive. To automate core business processes, businesses have to give their users, including customers, suppliers and employees, access to corporate information and applications anytime, anywhere.

To prevent unauthorised users from gaining access to protected resources, secure authentication systems are required to ensure that users are who they claim to be.

What are the Processes Involved?

E-authentication is an important element in establishing trust in electronic transactions. Two major processes are involved:

1. Registration Process
2. Authentication Process

1. Registration Process

The registration process normally consists of two major components, namely Registration and Revocation.

Registration is

  • to ensure that the claimed identity actually exists;
  • to ensure that the applicant is who he/she claims to be;
  • to ensure that the information associated with the identity is consistent, accurate and recorded; and
  • to issue a credential, or record details of an existing credential.

Revocation is

  • to withdraw and, where necessary, replace credentials in case of the holder's death, resignation or dismissal, change of name, cessation of trading or other significant change of circumstances;
  • to withdraw and replace stolen/compromised credentials;
  • to suspend credentials where there is suspicion of compromise, theft or significant change of circumstances; and
  • to withdraw credentials at the client's request.

2. Authentication Process

Authentication is the process of identifying and proving the identity of a user or party who attempts to send a message or access data. The objectives are

  • to check that the credential is valid for the transaction in question; and
  • to check that the credential presented has not expired, been revoked or withdrawn.
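The two processes above can be read as a small state machine: registration records a credential, revocation moves it to a suspended or withdrawn state, and authentication refuses anything that is not active, has expired, or is not valid for the transaction at hand. The following Python is an added illustration of that lifecycle; it is not code from the page or from any product the page describes. The class and method names, the use of PBKDF2 for the stored secret, and the "scope" model for which transactions a credential covers are all assumptions made for this example. Identity proofing itself (checking that the claimed identity exists and that the applicant owns it) happens out of band and is not modelled.

```python
# Added illustration: a minimal registration authority with the lifecycle
# the page describes (register, suspend, reinstate, withdraw) and a verifier
# that applies both authentication checks. All names here are invented.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"   # suspicion of compromise; may be reinstated
    WITHDRAWN = "withdrawn"   # stolen, holder left, client request, ...: final


@dataclass
class Credential:
    subject: str
    scopes: frozenset          # transaction types this credential is valid for
    expires_at: float          # Unix time
    salt: bytes
    secret_hash: bytes
    status: Status = Status.ACTIVE


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential store does not expose secrets directly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Registry:
    """Records the outcome of registration and manages credential state."""

    def __init__(self):
        self._creds: dict[str, Credential] = {}

    def register(self, cred_id, subject, secret, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        if cred_id in self._creds:
            raise ValueError("credential id already issued")
        salt = os.urandom(16)
        self._creds[cred_id] = Credential(
            subject, frozenset(scopes), now + ttl_seconds, salt, _hash_secret(secret, salt))

    def _get(self, cred_id):
        try:
            return self._creds[cred_id]
        except KeyError:
            raise KeyError("unknown credential") from None

    def suspend(self, cred_id):
        cred = self._get(cred_id)
        if cred.status is Status.ACTIVE:
            cred.status = Status.SUSPENDED

    def reinstate(self, cred_id):
        cred = self._get(cred_id)
        if cred.status is not Status.SUSPENDED:
            raise ValueError("only a suspended credential can be reinstated")
        cred.status = Status.ACTIVE

    def withdraw(self, cred_id):
        # Withdrawal is final; a new credential is issued instead of reinstating.
        self._get(cred_id).status = Status.WITHDRAWN

    def authenticate(self, cred_id, secret, scope, now=None):
        """Return (ok, reason). The reason is for the audit log, not for the
        remote claimant: detailed failure reasons help a guesser."""
        now = time.time() if now is None else now
        cred = self._creds.get(cred_id)
        if cred is None:
            return False, "unknown credential"
        # Check: not expired, revoked or withdrawn.
        if cred.status is not Status.ACTIVE:
            return False, f"credential {cred.status.value}"
        if now >= cred.expires_at:
            return False, "credential expired"
        # Check: valid for the transaction in question.
        if scope not in cred.scopes:
            return False, "credential not valid for this transaction"
        if not hmac.compare_digest(_hash_secret(secret, cred.salt), cred.secret_hash):
            return False, "secret mismatch"
        return True, "ok"


if __name__ == "__main__":
    reg = Registry()
    reg.register("emp-0042", "alice", "s3cret-pass", {"view-orders"}, ttl_seconds=3600, now=0)
    print(reg.authenticate("emp-0042", "s3cret-pass", "view-orders", now=10))
    reg.withdraw("emp-0042")
    print(reg.authenticate("emp-0042", "s3cret-pass", "view-orders", now=10))
```

The status and expiry checks run before the expensive hash so that revoked or expired credentials cost nothing to reject, and the scope check is what gives "valid for the transaction in question" a concrete meaning: a credential issued for viewing orders does not authorise approving payments even when the secret is correct.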

What are the Common Threats?

Registration

Broadly speaking, there are three types of attack on the registration process:

  • Impersonation: the attacker obtains a credential in another person's name; the subject person may be targeted or untargeted.
  • Fictitious Subscriber: the attacker claims the identity of a non-existent person with the goal of creating a subscriber relationship.
  • Rogue Registration Entity: an insider abuses a trusted position to create or obtain credentials as a potential subscriber or in the name of a non-existent person.

Authentication

There are also four main sources of threat during the authentication process:

  • Eavesdropper / Replay Attack: an observer captures authentication data as it crosses the network, for later analysis or for interception of the messages between the genuine parties, and then makes an improper attempt to obtain tokens so as to pose as the rightful user. Eavesdropping is often combined with a replay attack, in which a valid data transmission is maliciously or fraudulently repeated or delayed.

  • Password Guessing: the most common way an attacker tries to obtain a password is a dictionary attack. The attacker takes a dictionary of words and names and tries each one to see whether it is the password, using programs that can guess hundreds or thousands of words per second.

  • Verifier Impersonation: the attacker impersonates the verifier and induces the claimant to reveal his/her secret token.
  • Hijacker: the attacker takes over an already authenticated session and poses as the genuine subscriber or IT system in order to learn sensitive information or to input/output invalid information.
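The eavesdropper/replay item above is easiest to understand by contrast: if the claimant sends a static secret over the wire, whoever recorded that transmission can present it again, whereas a challenge-response exchange with a fresh, single-use, time-limited challenge gives the eavesdropper nothing reusable. The Python below is an added example written for this page, not code from the page or from any product it describes; the shared secret, the 30-second window, and the verifier class names are constructed for the illustration.

```python
# Added illustration (not from the page): a static secret can be replayed,
# a single-use challenge cannot. Both "verifiers" and the secret are invented.
import hashlib
import hmac
import os

# Constructed sample: one subscriber and the secret it shares with the verifier.
SHARED_SECRETS = {"alice": b"example-shared-secret-not-for-production"}


def respond(secret: bytes, nonce: str) -> str:
    """Claimant side: prove knowledge of the secret without transmitting it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class NaiveVerifier:
    """Secret sent as-is: a recorded transmission works again unchanged."""

    def verify(self, cred_id: str, password: bytes) -> bool:
        return hmac.compare_digest(SHARED_SECRETS.get(cred_id, b""), password)


class ChallengeVerifier:
    """Challenge-response with fresh, single-use, time-limited nonces."""

    def __init__(self, window_seconds: float = 30.0):
        self._window = window_seconds
        self._outstanding: dict[str, tuple[str, float]] = {}

    def challenge(self, cred_id: str, now: float) -> str:
        nonce = os.urandom(16).hex()
        self._outstanding[nonce] = (cred_id, now)
        return nonce

    def verify(self, cred_id: str, nonce: str, response: str, now: float):
        # pop() makes the nonce single-use: a repeated (nonce, response) pair
        # finds no outstanding challenge and is rejected before any crypto runs.
        entry = self._outstanding.pop(nonce, None)
        if entry is None:
            return False, "unknown or already-used challenge (possible replay)"
        owner, issued_at = entry
        if owner != cred_id:
            return False, "challenge was issued to a different claimant"
        if now - issued_at > self._window:
            return False, "challenge expired"
        expected = respond(SHARED_SECRETS[cred_id], nonce)
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        return True, "ok"


def replay_scenario() -> dict:
    """An observer records the genuine exchange and repeats it verbatim."""
    results = {}

    naive = NaiveVerifier()
    recorded_password = SHARED_SECRETS["alice"]            # what crossed the wire
    results["naive_genuine"] = naive.verify("alice", recorded_password)
    results["naive_replay"] = naive.verify("alice", recorded_password)

    cv = ChallengeVerifier()
    nonce = cv.challenge("alice", now=100.0)
    recorded_response = respond(SHARED_SECRETS["alice"], nonce)   # what crossed the wire
    results["cr_genuine"] = cv.verify("alice", nonce, recorded_response, now=101.0)
    results["cr_replay"] = cv.verify("alice", nonce, recorded_response, now=102.0)

    # A genuine response delayed past the window is refused as well.
    late_nonce = cv.challenge("alice", now=200.0)
    late_response = respond(SHARED_SECRETS["alice"], late_nonce)
    results["cr_late"] = cv.verify("alice", late_nonce, late_response, now=300.0)
    return results


if __name__ == "__main__":
    for name, outcome in replay_scenario().items():
        print(f"{name:13s} {outcome}")
```

Rejecting an unknown nonce before any cryptographic check is deliberate: it keeps the replay rejection cheap, and the same "unknown or already used" path also handles the delayed-transmission variant, since a challenge that is consumed or expired is never honoured twice.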
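The password-guessing item describes an attacker who automates a dictionary of words at hundreds or thousands of guesses per second. Two defences follow directly from that description: refuse dictionary-derived passwords when the credential is issued, and throttle repeated failures per account so that an automated guesser stalls after a handful of attempts. The Python below is an added example, not code from the page or from any product it describes; the word list, the leetspeak table, the three-failure allowance and the doubling delay are constructed values chosen for the illustration.

```python
# Added illustration (not from the page): two defences against dictionary
# guessing, a registration-time check and a per-account failure throttle.
from collections import defaultdict

# Constructed sample dictionary; a real deployment uses a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin",
                "dragon", "monkey", "secret"}
DECOR = "0123456789!@#$%^&*._-"                      # common prefix/suffix padding
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})


def is_dictionary_derived(password: str, dictionary=COMMON_WORDS) -> bool:
    """Undo the usual decorations (case, leetspeak, leading/trailing digits
    and symbols) and see whether a dictionary word is left underneath."""
    low = password.lower()
    candidates = {
        low,
        low.strip(DECOR),
        low.strip(DECOR).translate(LEET),
        low.translate(LEET).strip(DECOR),
    }
    return any(c in dictionary for c in candidates)


class FailureThrottle:
    """Per-account delay that doubles after each failure beyond a small
    allowance; a correct login clears the counter."""

    def __init__(self, free_failures=3, base_delay=2.0, max_delay=300.0):
        self._free = free_failures
        self._base = base_delay
        self._max = max_delay
        self._failures = defaultdict(int)
        self._not_before = defaultdict(float)

    def may_attempt(self, account: str, now: float):
        """Return (allowed, seconds_to_wait)."""
        wait = self._not_before[account] - now
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return
        self._failures[account] += 1
        excess = self._failures[account] - self._free
        if excess > 0:
            delay = min(self._base * 2 ** (excess - 1), self._max)
            self._not_before[account] = now + delay


def simulate_guessing(throttle, account, guesses, real_password, now=0.0):
    """Feed a constructed stream of guesses at one account as fast as an
    automated program would (all at the same instant). Returns
    (guesses actually checked against the credential, whether one matched)."""
    checked = 0
    for guess in guesses:
        allowed, _ = throttle.may_attempt(account, now)
        if not allowed:
            continue                      # refused without touching the credential
        checked += 1
        ok = guess == real_password       # toy comparison standing in for the verifier
        throttle.record(account, ok, now)
        if ok:
            return checked, True
    return checked, False


if __name__ == "__main__":
    print(is_dictionary_derived("P@ssw0rd1"))      # dictionary word under decoration
    throttle = FailureThrottle()
    print(simulate_guessing(throttle, "bob", sorted(COMMON_WORDS), "not-in-the-list"))
```

The throttle addresses online guessing against the verifier; it does nothing for an attacker who has obtained the credential store and guesses offline, which is why the stored secret also needs a slow salted hash. The throttle is keyed per account rather than per source address so that a guesser rotating addresses still stalls, at the cost that a flood of wrong guesses can temporarily delay the genuine holder.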

Other Sources of Threats

Beyond the registration and authentication processes themselves, other security attacks may also threaten electronic authentication.

  • Phishing / Bogus website: the attacker sends fake e-mail messages that appear to come from the legitimate organization and ask the victim to provide sensitive information (such as account ID, password, etc.), or that provide a link to a fraudulent website where the victim is asked to enter sensitive information.

  • Hacking: the attacker exploits vulnerabilities in computer systems to gain access and steal sensitive personal data, passwords, etc. for further attacks such as impersonation or taking control of accounts.

  • Cross-site scripting: the attacker injects malicious code or scripts into a legitimate website so that, when the victim visits the site, the scripts execute to steal sensitive information or redirect the victim to a fraudulent website that looks like the legitimate one.
