eID Authentication mechanisms for eFinance and ePayment services

eID Authentication methods for e-Banking Services
Manel Medina, ENISA
European Union Agency for Network and Information Security, www.enisa.europa.eu


DESCRIPTION

The EU cyber-security agency calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector. Different tokens, devices, mobile phones, e-signatures and so on are used to authenticate our e-identities. Yet some financial institutions still do not consider the risk of inadequate authentication mechanisms, according to a new study by the EU agency ENISA. The report analyses current e-finance fraud and correlates it with the authentication mechanisms offered to the customers of financial institutions. It underlines the need for updated security mechanisms and provides 10 recommended approaches.




Outline: Assessing the robustness of authentication mechanisms

• Project presentation
• Mobile technology & mobile banking
• Emerging threats
• Mobile authentication & operation types
• Assessing authentication risk and benefits
• Recommendations
• Future directions


Project presentation

• Aims:
  – Identify the authentication mechanisms used in eFinance applications
  – Categorise the authentication mechanisms based on the perception of users and security professionals
  – Validate recommendations about the most suitable authentication mechanisms to be used, based on the risk of the operation, the mechanism's strength, usability and other parameters

• Main participants: ENISA, APWG.EU, CaixaBank

• Survey contributors:
  – Merchant Risk Council, SecuRePay (EU forum on Security in Retail Payments), FI-ISAC, ECB, EPC, FSUG (Financial Services User Group)


Threats to different operation/transaction types

• Operations 1 & 2: Read access (personal data, account details)
  – Steal personal data (account information, account balance, credit card number, etc.)

• Operation 3: Low-risk (trusted) transactions
  – Make fake payments to trusted destinations (merchant purchase payments, supplier invoice payments)

• Operation 4: High-risk (untrusted) transactions
  – Make fake money transfers to unknown destinations (e.g. mule accounts)


eIDAS (eID authentication mechanisms) most used in e-banking

116 professionals and 60 users (from user groups and merchant representatives) replied to the survey.


eIDAS most implemented in e-banking

60 replies to the survey identified the type of operation for which each mechanism is used.


Medium-strength eIDAS selection criteria


High-strength eIDAS selection criteria


Characteristics as perceived by professionals


Loss: relative reduction vs. risk per user


Draft Recommendations (I): Promote the adequacy of eIDA methods to their context

• Rec. 1: The strength of e-finance authentication mechanisms has to be proportional to the risk associated with the operations to which they grant access.

• Rec. 2: For medium- and high-risk transactions, customers should be authenticated through at least two mutually independent authentication mechanisms, one of which is not replicable and one of which is not reusable, using different communication channels or devices.


Draft Recommendations (II): Improve the knowledge and behaviour of customers and professionals

• Rec. 3: Continuous training of professionals, to improve their perception of the actual risk of transactions and authentication mechanisms, keeping in mind the latest threat patterns used by criminals.

• Rec. 4: e-Financial institutions should inform their customers about the usability of, and the need for, the safer authentication mechanisms required to protect their assets adequately.


Draft Recommendations (III): Improve the security of the e-finance environment

• Rec. 5: Financial organisations (PSPs) and e-commerce merchants must perform a specific risk analysis for their environments, taking into consideration the actual losses, the number of incidents, the customers involved and the vulnerabilities of the available authentication methods, so as to reduce incidents effectively.

• Rec. 6: Customer authentication has to be complemented with a context-based authentication strategy: behaviour profile, customer segment, operation risk, etc.

• Rec. 7: PSPs have to test and evaluate the security of the access device.

• Rec. 8: The concept of "something the user has" can be extended to the platform used to access the service; it is therefore recommended to register any device, browser or mobile application. Real-time validation of its authenticity would be required.
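Rec. 1, Rec. 6 and Rec. 8 together describe a risk engine: score each operation from its type, the customer's behaviour profile and segment, and whether the access device is registered and genuine, then pick the authentication strength to demand. The following Python is an added example written for this page, not code from the ENISA study or from any of the participating institutions. The operation classes follow the deck's operation types 1-4; the weights, thresholds, server key, device-token scheme and the customer profile are constructed assumptions for illustration.

```python
"""Context-based step-up authentication: operation risk (Rec. 1), behaviour
profile and customer segment (Rec. 6), real-time validation of a registered
device (Rec. 8). Added example, not code from the ENISA study. Keys, weights,
thresholds and the customer profile are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass

SERVER_KEY = b"constructed-device-binding-key"   # assumption: one secret per deployment

# Operation classes from the deck: 1-2 read access, 3 trusted payment, 4 untrusted transfer
OP_READ, OP_TRUSTED_PAYMENT, OP_UNTRUSTED_TRANSFER = "read", "trusted_payment", "untrusted_transfer"
BASE_RISK = {OP_READ: 10, OP_TRUSTED_PAYMENT: 40, OP_UNTRUSTED_TRANSFER: 70}  # constructed weights


@dataclass
class CustomerProfile:
    customer_id: str
    segment: str                  # "retail" or "corporate"
    usual_countries: frozenset    # countries seen in the customer's history
    typical_amount: float         # median amount of past transactions
    trusted_payees: frozenset     # destinations the customer has paid before
    registered_devices: frozenset # device ids enrolled by the customer


def device_token(customer_id: str, device_id: str) -> str:
    """Issued once at enrolment and stored on the device; presented with every request."""
    return hmac.new(SERVER_KEY, f"{customer_id}|{device_id}".encode(), hashlib.sha256).hexdigest()


def device_is_authentic(profile: CustomerProfile, device_id: str, presented_token: str) -> bool:
    """Real-time check: the device is enrolled for this customer and its token is ours."""
    if device_id not in profile.registered_devices:
        return False
    return hmac.compare_digest(device_token(profile.customer_id, device_id), presented_token)


def risk_score(profile, op_type, amount, payee, country, device_id, token) -> int:
    score = BASE_RISK[op_type]
    if op_type != OP_READ:
        if payee not in profile.trusted_payees:
            score += 20                       # unknown destination: possible mule account
        if amount > 3 * profile.typical_amount:
            score += 20                       # outside the customer's behaviour profile
    if country not in profile.usual_countries:
        score += 15                           # access from an unusual location
    if not device_is_authentic(profile, device_id, token):
        score += 25                           # unregistered or forged access device
    if profile.segment == "corporate" and op_type != OP_READ:
        score += 10                           # larger balances, higher loss per incident
    return min(score, 100)


def required_authentication(score: int) -> str:
    """Strength proportional to risk (Rec. 1); each step adds an independent factor (Rec. 2)."""
    if score < 30:
        return "password"
    if score < 60:
        return "password+otp"                     # single-use code over a second channel
    return "password+transaction_signing"         # out-of-band, bound to the transaction


def decide(profile, op_type, amount=0, payee=None, country="", device_id="", token=""):
    """Return (score, authentication level) for one request."""
    score = risk_score(profile, op_type, amount, payee, country, device_id, token)
    return score, required_authentication(score)


if __name__ == "__main__":
    # Constructed customer: Spanish retail client, one enrolled device, one known merchant.
    alice = CustomerProfile("alice", "retail", frozenset({"ES"}), 100.0,
                            frozenset({"ES12MERCHANT"}), frozenset({"dev1"}))
    tok = device_token("alice", "dev1")
    print(decide(alice, OP_READ, country="ES", device_id="dev1", token=tok))
    print(decide(alice, OP_TRUSTED_PAYMENT, 50, "ES12MERCHANT", "ES", "dev1", tok))
    print(decide(alice, OP_UNTRUSTED_TRANSFER, 5000, "LT99MULE", "RO", "dev9", "forged"))
```

The device token is an HMAC over the customer and device identifiers under a server-side key, so a token copied from one customer's device does not validate for another customer, and a device that was never enrolled fails even with a correctly formed token. A balance enquiry from an enrolled device needs only a password, the same enquiry from an unknown device is stepped up to an OTP, and a large transfer to an unknown payee from an unregistered device abroad always requires transaction signing. In production the token would be held in a platform keystore and rotated, and the weights would be tuned against the loss and incident data Rec. 5 asks institutions to collect.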


Draft Recommendations (IV): Improve the security of e-finance application development and distribution

• Rec. 9: Technology providers must guarantee secure banking application development and installation, taking into consideration actual threats to the operating system (e.g. mobile attack vectors) and data security analysis (persistence, access control).

• Rec. 10: Distribution of e-banking applications has to be made through trusted channels and reputable sites that guarantee that the applications have been tested for security.


Looking to the future

• e-Signature (new EU Regulation)
• Migration from pure two-factor authentication to transaction signing
• Development of new authentication mechanisms
  – Context-based OTP
  – OTP based on biometrics
  – QR codes: TAN / image TAN
• Authentication in the cloud (risk-based)
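Rec. 2 asks for a second factor that is not reusable, and the migration from plain two-factor authentication to transaction signing binds that factor to the transaction itself, so a code captured by malware can neither be replayed nor attached to a different destination. The following Python is an added example written for this page, not code from the ENISA study. The TAN construction (HMAC-SHA256 over a challenge nonce, amount and destination, truncated as in RFC 4226), the shared token secret, the customer name, the IBAN-style destinations and the amounts are constructed assumptions.

```python
"""Transaction signing with a single-use, transaction-bound TAN.
Added example, not code from the ENISA study. The shared secret, customer id,
destinations and amounts are constructed for illustration."""
import hashlib
import hmac
import secrets
import time


def compute_tan(secret: bytes, nonce: str, amount_cents: int, dest_iban: str, digits: int = 8) -> str:
    """TAN = HMAC-SHA256 over (nonce, amount, destination), truncated RFC 4226-style.
    Runs on the customer's independent device (hardware token or signing app),
    which displays amount and destination before producing the code."""
    msg = f"{nonce}|{amount_cents}|{dest_iban}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TransactionSigner:
    """Server side: one challenge per transaction, each TAN accepted at most once."""

    def __init__(self, token_secrets, ttl_seconds=120, max_attempts=3, now=time.time):
        self.token_secrets = token_secrets  # customer_id -> secret provisioned in the token
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.now = now
        self.pending = {}                   # nonce -> [customer_id, issued_at, failed_attempts]
        self.used = set()                   # consumed nonces (replay protection; prune by ttl in production)

    def challenge(self, customer_id: str) -> str:
        nonce = secrets.token_hex(8)        # unpredictable, so a TAN cannot be precomputed
        self.pending[nonce] = [customer_id, self.now(), 0]
        return nonce

    def verify(self, nonce: str, amount_cents: int, dest_iban: str, tan: str):
        if nonce in self.used:
            return False, "replay"
        entry = self.pending.get(nonce)
        if entry is None:
            return False, "unknown challenge"
        customer_id, issued_at, _attempts = entry
        if self.now() - issued_at > self.ttl:
            del self.pending[nonce]
            return False, "expired"
        # Recompute over the details actually submitted: a swapped destination
        # or amount yields a different TAN than the one the customer approved.
        expected = compute_tan(self.token_secrets[customer_id], nonce, amount_cents, dest_iban)
        if not hmac.compare_digest(expected, tan):
            entry[2] += 1
            if entry[2] >= self.max_attempts:
                del self.pending[nonce]     # stop online guessing of the 8-digit code
            return False, "bad TAN"
        self.used.add(nonce)
        del self.pending[nonce]
        return True, "ok"


def demo():
    """Walk through tampering, acceptance, replay and expiry on constructed data."""
    secret = b"constructed-token-secret"
    clock = {"t": 1_000.0}
    signer = TransactionSigner({"alice": secret}, now=lambda: clock["t"])

    nonce = signer.challenge("alice")
    # The signing device shows 50.00 to ES12MERCHANT; Alice approves and gets a TAN.
    tan = compute_tan(secret, nonce, 5000, "ES12MERCHANT")
    tampered = signer.verify(nonce, 5000, "LT99MULE", tan)   # browser malware swapped the IBAN
    accepted = signer.verify(nonce, 5000, "ES12MERCHANT", tan)
    replayed = signer.verify(nonce, 5000, "ES12MERCHANT", tan)

    stale = signer.challenge("alice")
    clock["t"] += 300                                        # customer waits too long
    expired = signer.verify(stale, 5000, "ES12MERCHANT", compute_tan(secret, stale, 5000, "ES12MERCHANT"))
    return tampered, accepted, replayed, expired


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The server recomputes the expected TAN over the details actually submitted, so if browser malware rewrites the destination after the customer has approved the displayed details on the independent device, verification fails; the `used` set makes each nonce single-use, and a challenge is discarded after it expires or after a few failed attempts. For the independence Rec. 2 requires, the device that computes the TAN must not be the one running the banking session, and it must show the amount and destination to the customer before signing.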


Thank you!

Questions?

[email protected]