IBM Support

Enhanced security, credit card encryption, SSL, dual/two-factor authentication

Troubleshooting


Problem

Enhanced security, credit card encryption, SSL, dual/two-factor authentication

Symptom

PART: Infrastructure 4.0 SP3 Platform

How can security be enhanced around the Yantra application, especially with regard to credit card information? How can the Yantra application be modified to interface with a dual (two-factor) authentication system?

Cause

Resolving The Problem

The following are some of the measures that can be implemented to enhance the security of credit card numbers. The level of security to implement should be determined by APL after considering the different client requests, the cost of the investment, and so on.

1. On Yantra, the credit card number can be encrypted, and visibility of the decrypted credit card number can be controlled at the user group level. All other users will see only the last four digits of the card. (APL has already implemented this.)

2. By ensuring that all communication from outside the firewall uses the SSL protocol. SSL protects the confidentiality and integrity of the data transmitted between server and client by means of encryption, authentication and message authentication codes. Users outside the firewall will not be allowed to access the Yantra application directly over plain HTTP, so that credentials and card data are never sent in the clear.

3. By implementing a dual authentication system. Dual (two-factor) authentication authenticates a user with both "something the user knows" (user id and password) and "something the user has" (such as a key card). One common form uses time-synchronized key cards (for example RSA SecurID). The key card generates a number that changes at a fixed interval (for example every minute). Users enter their user id, their password and the current number from the key card. The host system knows what that number should be for that user at that moment and uses it to authenticate the user. This increases protection against spoofing and brute-force attacks: a password obtained by an attacker is useless without the current token value, and the token value itself expires within the interval.

Access to Yantra can be integrated with a dual authentication system by customizing the login screen. New custom login screen(s) will be developed and exposed outside the firewall. Users will enter their user id, password and the additional authentication information on the custom screen. This input is passed to a custom JSP page that interfaces with the 3rd-party software to authenticate the user. If the user is authenticated, the custom JSP page logs the user into Yantra by invoking the standard Yantra login JSP with the user id and password entered on the custom screen. The following steps should be followed to ensure security and ease of use.
-- Users must not be permitted to reach the standard Yantra login page directly. This is the control that actually enforces the second factor: anyone who can submit a user id and password to the standard login page bypasses the token check, so the page must be blocked for external users at the firewall or web server, not merely hidden.
-- The standard Yantra login page will be modified to redirect users to the custom page if it is accessed without a user id and password. This ensures that users land on the custom login page after a session time-out or a log-out; it is a usability measure, not an access control.
-- The custom JSP page will implement a server-side redirect using RequestDispatcher for added security: the forward happens inside the application server, so the browser never sees the standard login URL or the credentials passed to it.
-- If the login request originates from inside the firewall, the custom JSP page can be enhanced to skip the 3rd-party authentication step. The decision about where a request came from must rest on something an external user cannot forge (for example, which network interface or reverse proxy the request arrived through), not on a client-supplied header or parameter.

A sample authentication JSP page follows. The validateAuthorizationID function is only a placeholder for the call into the 3rd-party token software; its six-digit rule exists so the page can be exercised and is not a real check.

<%@ page import="java.net.URLEncoder" %>
<%!
  // PLACEHOLDER: replace the body of this method with the call into the
  // 3rd-party token-validation software. The rule below (six digits, last
  // digit 5 or above) only stands in for that call and is NOT a real check.
  boolean validateAuthorizationID( String AuthId )
  {
    if ( AuthId == null || AuthId.length() != 6 )
      return false ;

    try
    {
      long lAuthId = Long.parseLong( AuthId ) ;

      if ( ( lAuthId % 10 ) >= 5 )
        return true ;
      else
        return false ;
    }
    catch ( NumberFormatException e )
    {
      return false ;
    }
  }
%>
<%
  String strUser   = request.getParameter("UserId") ;
  String strPasswd = request.getParameter("Password") ;
  String strAuthId = request.getParameter("AuthenticationID") ;

  String strDispatch = null ;
  if ( strUser != null && strPasswd != null && validateAuthorizationID( strAuthId ) )
  {
    // Second factor accepted: hand the user id and password to the standard
    // Yantra login page. URL-encode both so characters such as '&' or '%'
    // in a password cannot break or alter the query string.
    strDispatch = "/yfsconsole/bin/login.jsp?userid=" + URLEncoder.encode( strUser, "UTF-8" )
                + "&password=" + URLEncoder.encode( strPasswd, "UTF-8" )
                + "&redirect=&btnlogin=Login" ;
  }
  else
  {
    strDispatch = "/custom/remote_login.jsp?ErrorMsg"
                + "=Authentication+Failed" ;
  }

  // Server-side forward: the browser never sees the standard login URL or
  // the credentials in it, and login.jsp itself is never exposed directly.
  RequestDispatcher dispatcher = request.getRequestDispatcher( strDispatch ) ;

  dispatcher.forward( request, response ) ;
%>
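The validateAuthorizationID stub above stands in for the call into the token vendor's software. To show what the host-side check described under measure 3 actually involves (the host computes the number the key card should be showing right now and compares it with what the user typed), here is an added example that is not part of the original technote and not Yantra or RSA code. It uses TOTP (RFC 6238: HMAC-SHA1 over the 30-second time step, truncated to six digits) as a documented stand-in for the proprietary SecurID algorithm. The class name TokenValidator, the user jdoe, the enrolled secret and the timestamps are constructed for the demonstration; the secret and times are the RFC 6238 test vector, so the codes can be checked against the RFC.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: host-side validation of a time-synchronized one-time code.
 * TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) is used as a documented
 * stand-in for the proprietary key-card algorithm. The secret store, the user
 * and the timestamps below are constructed for the demonstration.
 */
public class TokenValidator {
    private static final int STEP_SECONDS = 30;
    private static final int DIGITS = 6;
    private static final int WINDOW = 1;   // tolerate one step of clock drift either way

    // user id -> shared token secret (assumed in-memory store; in production the token server holds it)
    private final Map<String, byte[]> secrets = new HashMap<>();
    // user id -> time step of the last accepted code, so a captured code cannot be replayed
    private final Map<String, Long> lastStep = new HashMap<>();

    public void enroll(String userId, byte[] secret) {
        secrets.put(userId, secret);
    }

    /** The number the host expects this user's token to show during the given time step. */
    static String expectedCode(byte[] secret, long step) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(step).array());   // big-endian counter
        int off = h[h.length - 1] & 0x0f;                                         // dynamic truncation, RFC 4226 5.3
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format("%0" + DIGITS + "d", bin % (int) Math.pow(10, DIGITS));
    }

    /**
     * Accept the submitted code for userId at unix time nowSeconds if it matches the
     * current step or one step either side, and that step has not already been consumed.
     */
    public boolean validate(String userId, String submitted, long nowSeconds) throws Exception {
        byte[] secret = secrets.get(userId);
        if (secret == null || submitted == null || submitted.length() != DIGITS) {
            return false;
        }
        long current = nowSeconds / STEP_SECONDS;
        Long used = lastStep.get(userId);
        for (long step = current - WINDOW; step <= current + WINDOW; step++) {
            if (used != null && step <= used) {
                continue;   // replay: this step (or an older one) was already accepted
            }
            byte[] expected = expectedCode(secret, step).getBytes(StandardCharsets.US_ASCII);
            // constant-time comparison: timing must not reveal how many digits matched
            if (MessageDigest.isEqual(expected, submitted.getBytes(StandardCharsets.US_ASCII))) {
                lastStep.put(userId, step);
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        TokenValidator v = new TokenValidator();
        // RFC 6238 test secret, constructed enrolment for the demonstration user
        v.enroll("jdoe", "12345678901234567890".getBytes(StandardCharsets.US_ASCII));

        // RFC 6238 vector: at T=59 (step 1) the SHA-1 code is 94287082 -> six digits 287082
        System.out.println("correct code at T=59:        " + v.validate("jdoe", "287082", 59));
        System.out.println("same code replayed at T=75:  " + v.validate("jdoe", "287082", 75));
        System.out.println("wrong code at T=75:          " + v.validate("jdoe", "000000", 75));
        // RFC 6238 vector: T=1111111109 -> 07081804 -> six digits 081804; submitted one step late
        System.out.println("later code, one step drift:  " + v.validate("jdoe", "081804", 1111111109L + 30));
    }
}
```

In the page's design the custom JSP would call the vendor's product rather than re-implement the algorithm; what the example shows is the shape of the check the vendor performs on the host side, and two details the JSP stub omits that any integration must preserve: a replay guard so an intercepted code cannot be reused within its validity window, and a constant-time comparison of the expected and submitted values.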

Product: IBM Sterling Order Management (SS6PEW); Business Unit: IBM Software (BU048); Component: Not Applicable; Platform: Platform Independent (PF025); Version: All; Edition: none; Line of Business: Sustainability Software (LOB59)

Historical Number

PRI49204

Product Synonym

Fact

Document Information

Modified date:
16 June 2018

UID

swg21548119