Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile Banking Transaction
18th March 2015
Chew Chee Seng, ManagePay Group
Malaysia
ManagePay Group Business Presentation
1 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Mobile device is the new normal for computing
“Global mobile devices and connections in 2013 grew to 7 billion, up from 6.5 billion in 2012. Smartphones accounted for 77 percent of that growth, with 406 million net additions in 2013.” (Cisco, 2014)
“80% of Smartphones Used in the Workplace are Employee Owned” (McKinsey, 2012)
“Smart phones and tablets are giving people new levels of mobile connectivity, and we expect to be able to use them for work and leisure.”
Whether at home or in the workplace, business-critical information, communications and IT processes now need protection against threats such as unauthorized access, data leakage, espionage, identity theft and fraud, and denial of service.
OTP: Security Past its Expiration Date
• For more than 25 years, the financial services industry has relied on one-time passwords for online banking security.
• The advent of Internet and mobile technology and an explosion in digital crime have rendered these single-use strings of digits obsolete, in terms of both security and convenience.
All OTP systems share the same inherent flaws
• In OTP-based authentication the codes are generated either time-synchronized or counter-synchronized, and the user must carry a small hardware device, a “token”, which may look like a small calculator or a keychain charm with an LCD display.
• Some banks instead generate the OTP and dispatch it to the customer’s mobile phone via SMS, where it is referred to as a Transaction Authorization Code (TAC).
• Whatever the delivery channel, OTP systems share the same flaws and vulnerabilities:
– They are symmetric: the bank holds the same secret as its customer (and, for SMS delivery, the mobile carrier handles the code as well), so a compromise on the bank or carrier side exposes the customer’s factor.
– They remain reliant on browser-based communication back to the bank, and anything that goes through a browser can be compromised by a Trojan. The OTP proves that the token was present; it says nothing about which transaction the customer meant to approve, so malware that rewrites the payee or amount inside the browser can submit the genuine code with an altered transaction.
– Trojan-enabled “man-in-the-middle” and “man-in-the-browser” attacks therefore circumvent the security promised by sophisticated-looking OTP generators, chip cards and biometric technology. Only a code computed over the transaction details shown on a display the malware cannot reach escapes this, which is the transaction-signing model described later in this deck.
– According to Kaspersky Lab, 2013 saw an almost twenty-fold increase in the number of recorded banking Trojans, many of them targeting SMS OTPs.
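As an added illustration that is not part of the presentation, the following Go program implements RFC 4226 HOTP (the counter-synchronized token described above) together with a minimal bank-side verifier, to make the two flaws concrete: the verifier holds the very same secret as the token, and its authorization decision never looks at the transaction, so a code the customer produced for one transfer is accepted for a browser-altered one. The bank type, account numbers, amounts and the 3-step look-ahead window are constructed for the example; the secret is the RFC 4226 test-vector key. The replay check at the end shows the one property the counter does buy.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil) // 20 bytes
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Transaction is the payload the browser submits together with the OTP.
type Transaction struct {
	FromAccount, ToAccount string
	AmountRM               int
}

// OTPBank is the server side. It holds the same secret as the customer's
// token (the scheme is symmetric) plus the next counter value it expects.
type OTPBank struct {
	secret  []byte
	counter uint64
	window  uint64 // look-ahead for counters the token advanced unseen by the bank
}

// Authorize accepts tx if otp matches any counter in the look-ahead window.
// tx plays no part in the decision: the code proves the token was present,
// not which transaction its owner meant to approve.
func (b *OTPBank) Authorize(tx Transaction, otp string) bool {
	for i := uint64(0); i <= b.window; i++ {
		if hmac.Equal([]byte(HOTP(b.secret, b.counter+i, 6)), []byte(otp)) {
			b.counter += i + 1 // burn this counter so the same OTP cannot be replayed
			return true
		}
	}
	return false
}

// MITBDemo: the customer reads the intended transfer and keys in the OTP shown by
// the token; malware in the browser rewrites payee and amount before submission.
// It reports whether the altered transfer was accepted and whether a replay of the
// same OTP was then refused. All data below is constructed for the example.
func MITBDemo() (alteredAccepted, replayRefused bool) {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector secret
	bank := &OTPBank{secret: secret, counter: 0, window: 3}
	intended := Transaction{FromAccount: "123456789", ToAccount: "987654321", AmountRM: 100}
	otp := HOTP(secret, 0, 6) // what the token displays for the intended transfer

	altered := intended // man-in-the-browser swaps payee and amount
	altered.ToAccount = "555000555"
	altered.AmountRM = 5000

	alteredAccepted = bank.Authorize(altered, otp)
	replayRefused = !bank.Authorize(intended, otp)
	return alteredAccepted, replayRefused
}

func main() {
	fmt.Println("counter 0 OTP:", HOTP([]byte("12345678901234567890"), 0, 6))
	accepted, replayRefused := MITBDemo()
	fmt.Printf("altered transfer accepted: %v, replay refused: %v\n", accepted, replayRefused)
}
```

Run with `go run`; the first line printed is the RFC 4226 test value for counter 0. A time-synchronized (TOTP, RFC 6238) token has the identical weakness: replace the counter with the current 30-second time step and nothing in `Authorize` changes, because the transaction is still never part of the computation.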
If OTPs are the past, what’s the future?
• For financial institutions intent on providing a secure and convenient way for customers to transact online, solutions available today can defeat man-in-the-middle and man-in-the-browser tampering, provided the transaction details are displayed and signed on a component the browser malware cannot reach.
• Deploying industry-standard X.509 digital certificates to mobile phones and tablets allows each device to be uniquely identified, turning it into a second factor of authentication. The private key stays on the device and the bank holds only the certificate, so there is no shared secret for an attacker to steal from the bank or the carrier.
What is two-factor authentication?
There are three types (factors) of human authentication:
• Something you know: a password or PIN
• Something you have: a smart card, USB key, PKI (Public Key Infrastructure) certificate or mobile phone
• Something you are: a biometric characteristic, e.g. a fingerprint or voice pattern
Two-factor authentication means that a user is authenticated with two of these factors (multi-factor: two or more), and the factors must be of different types: a password plus a PIN is still only “something you know”.
Mobile PKI is a technology that lets users hold a PKI key pair and its certificate on their mobile phone and use it to place electronic signatures. The phone asks the user for his or her PIN (something you know) before the private key held on the phone (something you have) signs a transaction that requires strong authentication.
Why Mobile PKI Security?
• The mobile phone is everywhere and available to almost everyone. By 2015, the number of mobile phones should exceed the world population.
• Today, more people own and use a mobile phone than a personal computer. Mobile penetration in Malaysia is well above 100%.
• Mobile PKI (Public Key Infrastructure) security is just as widely available:
– Every mobile phone, and every other device (Internet of Things: smart watch, CCTV, wearables) that works with a SIM card, can support mobile PKI; the signing key lives on a PKI-enabled SIM issued by the operator, so the handset itself needs no special hardware.
• Legally binding:
– All transactions are digitally signed with non-repudiation, as provided for by the Digital Signature Act.
– Avoids disputes and provides better customer service and experience.
Single ID for Multiple Applications
Mobile ID or Mobile Signature for Banks
[Diagram: Mobile PKI on the SIM’s secure element (SE), with a Certificate Authority issuing the customer certificates]
How it works?
[Diagram: Mobile Signature Service Platform (MSSP) architecture. A licensed CA (with its root CA, RCA) issues certificates. Service providers (banks, government agencies, corporate entities, merchants) connect through a service provider aggregator to the MSSP, which reaches the customer’s SIM through the mobile operators over WAP, SMS, USSD or an app.]
Flow shown in the diagram:
• The service provider receives the customer’s service request and sends an authentication request to the MSSP.
• The MSSP generates a signature request and forwards it through the mobile operator to the handset.
• The handset displays the transaction text, “Pay RMXXX from your Acc 123456789 to Mr. Aan Smith. Please confirm with signature” (Cancel / OK), then prompts “Key in PIN to sign” (PIN: ******).
• The SIM produces the signature (the transaction is encrypted at the SIM) and returns it with the customer’s certificate attached.
• The MSSP decrypts the transaction, verifies the signature and certificate against the CA, and the service provider proceeds with service fulfillment.
Implementation for High Net Worth Individual Banking
[Diagram: Licensed CA / Certificate Authority, MSSP (Mobile Signature Service Platform), MNO, Bank Data Center with the Priority Banking internet/mobile banking application servers, and the service delivery channels: priority internet/mobile banking, smart phone/tablet application, relationship manager.]
• The priority banking customer accesses the service directly, or interacts with the relationship manager, who initiates the authentication request.
• The application servers send the authentication request to the MSSP, which creates a signature request and delivers it via the MNO to the customer’s handset.
• Handset: “Please key in Signing PIN” (******), Cancel / OK, then “Signature Sent”.
• The signature is returned with the customer’s certificate attached; the bank verifies the signature, decides on the transaction and returns the confirmation to the channel.
Customer and Money Transfer Transaction Flow
[Diagram: Priority Banking customer, relationship manager, Priority Banking CRM system with CRM application servers in the Bank Data Center, MSSP (Mobile Signature Service Platform), Licensed CA / Certificate Authority, MNO.]
• Customer (phone interaction): “Please proceed with my transfer of RM 500,000 from my current account to a fixed deposit.”
• Relationship manager: “Sure Mr. Lee, please confirm the transaction with your digital signature.” The relationship manager keys in the transaction and initiates the authentication request.
• The CRM application servers send the auth request to the MSSP, which creates the signature request and delivers it to the handset via the MNO.
• Handset: “Transfer of RM500,000 from current acct to fixed deposit. Please confirm with digital signature” (PIN: ******), Cancel / OK; then “Signature Sent”.
• The SIM attaches the digital certificate; signature and certificate go back to the bank, which verifies the signature, confirms the transaction and returns the confirmation to the CRM.
• Relationship manager: “Thanks Mr. Lee. We’ve received your signature and your transfer is confirmed.” Customer: “Wow, that was fast. Thanks very much.” Handset: “Transaction confirmed”.
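To make the flow in the three diagrams above, and the Mobile PKI description under “What is two-factor authentication?”, concrete, here is an added Go example; it is not the presentation’s or ManagePay’s code. It models the SIM’s signing applet as a struct that keeps an ECDSA P-256 key and releases a signature only after the signing PIN matches, a hypothetical minimal CA standing in for the licensed CA, and the bank-side verification: chain the customer’s X.509 certificate to the CA, then verify the signature over the exact transaction text the handset displayed. The names (`SIMSigner`, `makeCert`, `VerifyTransaction`, “Example Licensed CA”), the signature algorithm, the PIN and the account details are all assumptions made for the example; a real deployment uses the SIM’s own key container and the operator’s MSSP transport rather than in-process calls. Unlike the OTP case, the bank stores no secret: verification needs only the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Transaction is the transfer the bank needs the customer to approve.
type Transaction struct {
	FromAccount, Payee string
	AmountRM           int
}

// DTBS ("data to be signed") is the exact text the handset shows before asking for
// the PIN; a changed payee or amount yields a different digest, so the signature fails.
func (t Transaction) DTBS() string {
	return fmt.Sprintf("Pay RM%d from your Acc %s to %s. Please confirm with signature",
		t.AmountRM, t.FromAccount, t.Payee)
}

// SIMSigner stands in for the signing applet in the SIM's secure element: the
// private key never leaves it and every signature requires the signing PIN.
type SIMSigner struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

func (s *SIMSigner) Sign(dtbs, pin string) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], s.pinHash[:]) != 1 {
		return nil, errors.New("wrong signing PIN")
	}
	digest := sha256.Sum256([]byte(dtbs))
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// makeCert is a hypothetical minimal CA standing in for the licensed CA (self-signed
// when parent is tmpl). Setup failures panic; they are not part of the protocol shown.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// VerifyTransaction is the bank-side check: chain the presented certificate to the
// trusted CA, then verify the signature over the transaction as the bank recorded it.
func VerifyTransaction(roots *x509.CertPool, cert *x509.Certificate, tx Transaction, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	digest := sha256.Sum256([]byte(tx.DTBS()))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match transaction")
	}
	return nil
}

// Demo enrols a customer, signs the intended transfer, then shows that a browser-side
// alteration (man-in-the-browser) and a wrong PIN are both rejected.
func Demo() (genuineErr, alteredErr, wrongPINErr error) {
	// Enrolment: the CA root, then the customer's key pair generated on the "SIM".
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Licensed CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	simKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Customer 123456789"},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	cert := makeCert(leafTmpl, caCert, &simKey.PublicKey, caKey)
	sim := &SIMSigner{priv: simKey, pinHash: sha256.Sum256([]byte("246810"))} // constructed PIN
	// Signature request: the handset shows intended.DTBS(), the customer keys in the PIN.
	intended := Transaction{FromAccount: "123456789", Payee: "Mr. Aan Smith", AmountRM: 100}
	sig, err := sim.Sign(intended.DTBS(), "246810")
	if err != nil {
		return err, err, err
	}
	genuineErr = VerifyTransaction(roots, cert, intended, sig)
	altered := intended // payee rewritten in the browser after the customer signed
	altered.Payee = "Mule Account"
	alteredErr = VerifyTransaction(roots, cert, altered, sig)
	_, wrongPINErr = sim.Sign(intended.DTBS(), "000000")
	return genuineErr, alteredErr, wrongPINErr
}

func main() {
	fmt.Println(Demo())
}
```

The man-in-the-browser case is shown from the bank’s side: if the transfer the bank holds differs from the text the customer saw and signed, verification fails. When malware instead rewrites the transfer before it reaches the bank, the handset shows the altered text and the customer declines at the Cancel / OK prompt; that is why the signed text must be rendered through the SIM toolkit prompt rather than by the browser or a phone app the same malware could control.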
Thank you…
Chew Chee Seng, +60122188433