Page 1: Managing & Securing the Online and Mobile banking - Chew Chee Seng

0

Managing & Securing the Online and Mobile Banking Transaction

18th March 2015

Chew Chee Seng
ManagePay Group

Malaysia

ManagePay Group Business Presentation

Page 2: Managing & Securing the Online and Mobile banking - Chew Chee Seng

1 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved

Mobile device is the new normal for computing

“Global mobile devices and connections in 2013 grew to 7 billion, up from 6.5 billion in 2012. Smartphones accounted for 77 percent of that growth, with 406 million net additions in 2013.” – Cisco, 2014

“80% of Smartphones Used in the Workplace are Employee Owned” – McKinsey, 2012

“Smart phones and tablets are giving people new levels of mobile connectivity, and we expect to be able to use them for work and leisure.”

Whether in private life or in the workplace, the demand for security has grown in order to protect business-critical information, communication and IT processes against threats such as unauthorized access, data leakage, espionage, identity theft and fraud, and denial of service.

Page 3: Managing & Securing the Online and Mobile banking - Chew Chee Seng


OTP: Security Past its Expiration Date

• For more than 25 years, the financial services industry has relied on one-time passwords for online banking security.

• The advent of Internet and mobile technology and an explosion in digital crime have rendered these single-use strings of digits obsolete, both in terms of security and convenience.

Page 4: Managing & Securing the Online and Mobile banking - Chew Chee Seng


All OTP systems share the same inherent flaws

• OTP-based authentication systems:
  – The OTPs are generated as either time-synchronized or counter-synchronized codes, and the user must carry a small hardware device, i.e. a “Token”, which may look like a small calculator or a keychain charm with an LCD display.
  – Some banks generate and dispatch OTPs to the customer’s mobile phone via SMS; this is referred to as a Transaction Authorization Code (TAC).

• OTP systems share the same flaws and vulnerabilities:
  – First, they are all symmetric, because the bank has access to the same secrets as its customer (and the mobile carrier does too, in the case of SMS transmission).
  – Secondly, OTP systems all remain reliant on browser-based communications back to the bank, and anything that goes through a browser can be compromised by a Trojan!!
  – Trojan-enabled “man-in-the-middle” or “man-in-the-browser” attacks circumvent the security promised by sophisticated-looking OTP generators, chip cards and biometric technology.
  – According to Kaspersky Labs, 2013 saw an almost twenty-fold increase in the number of recorded banking Trojans, many of them targeting SMS OTPs.
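Both flaws this slide names, that the scheme is symmetric and that the code is not tied to what the customer is approving, are visible in the verification logic itself. The following Go program is an added example, not code from the slides or from ManagePay: it implements the RFC 4226 HOTP algorithm (the counter-synchronized case; a time-synchronized token derives the counter from the clock) using the RFC’s published test key as a constructed secret, and a bank-side verifier whose inputs make the two points. The account number and payee are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits.
// A time-synchronised token (RFC 6238 TOTP) is the same function with the
// counter taken from the clock, so everything below applies to both kinds.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TokenShowsCode is the customer side: the hardware token, or the bank's SMS
// gateway in the TAC case, derives the next code from the secret it holds.
func TokenShowsCode(secret []byte, counter uint64) string {
	return hotp(secret, counter, 6)
}

// BankVerifiesCode is the bank side. The scheme is symmetric: the bank must
// hold exactly the same secret as the token, regenerate the code for the next
// few counter values (the look-ahead window) and compare in constant time.
// It returns whether the code was accepted and the counter it matched; the
// bank must persist that counter so the same code is never accepted twice.
func BankVerifiesCode(sharedSecret []byte, lastUsed uint64, code string, window uint64) (bool, uint64) {
	for c := lastUsed + 1; c <= lastUsed+window; c++ {
		if subtle.ConstantTimeCompare([]byte(hotp(sharedSecret, c, 6)), []byte(code)) == 1 {
			return true, c
		}
	}
	return false, lastUsed
}

// Transfer is what the customer believes they are approving.
type Transfer struct {
	FromAccount, Payee string
	AmountRM           int
}

// AuthorizeTransfer shows the second flaw: the OTP is not bound to the
// transaction. The transfer is a parameter only so the reader can see it play
// no part in the decision. If a browser Trojan rewrites the payee after the
// customer types the code, the bank sees a fresh, valid code and a transfer
// it has no way to distinguish from the one the customer meant to send.
func AuthorizeTransfer(sharedSecret []byte, lastUsed uint64, code string, t Transfer) (bool, uint64) {
	return BankVerifiesCode(sharedSecret, lastUsed, code, 3)
}

func main() {
	// Constructed demo secret (the RFC 4226 Appendix D test key), not a real credential.
	secret := []byte("12345678901234567890")
	code := TokenShowsCode(secret, 1) // "287082" in RFC 4226 Appendix D
	meant := Transfer{"123456789", "Mr. Aan Smith", 500}
	rewritten := Transfer{"123456789", "someone else", 50000} // what a Trojan would submit instead
	okMeant, _ := AuthorizeTransfer(secret, 0, code, meant)
	okRewritten, _ := AuthorizeTransfer(secret, 0, code, rewritten)
	fmt.Printf("code %s accepts intended transfer: %v, rewritten transfer: %v\n", code, okMeant, okRewritten)
}
```

With the RFC test key, counter 1 yields 287082, and the bank accepts that code for either transfer because the transfer is never an input to the check; the signature-based flow later in the deck differs precisely in that the customer signs the transaction text itself.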

Page 5: Managing & Securing the Online and Mobile banking - Chew Chee Seng


If OTPs are the past, what’s the future?

• For financial institutions intent on providing a secure and convenient method for customers to transact online, there are new solutions available today that can virtually eliminate all types of man-in-the-middle attacks.

• Deploying industry-standard X.509 digital certificates to mobile phones and tablets allows them to be uniquely identified, transforming them into second factors of authentication.

Page 6: Managing & Securing the Online and Mobile banking - Chew Chee Seng


What is two-factor authentication

There are three (3) types/factors of human authentication:
• Something you know – a password or PIN
• Something you have – a smart card, USB key, PKI (Public Key Infrastructure) certificate or mobile phone
• Something you are – a biometric characteristic, e.g. fingerprint or voice pattern

Two-factor authentication means that you authenticate a user with two or more factors. Ideally, different authentication factors should be used in combination.

Mobile PKI is a technology which allows users to place PKI certificates (electronic signatures) on their mobile phone; the mobile phone asks the user for his or her PIN before he or she places his or her electronic signature onto transactions that require multiple authentication.

Page 7: Managing & Securing the Online and Mobile banking - Chew Chee Seng


Why Mobile PKI Security?

• The mobile phone is everywhere and available to almost everyone. By 2015, the number of mobile phones should exceed the world population.

• Today, more people own and use a mobile phone than a personal computer. Mobile penetration in Malaysia is well above 100%.

• So is mobile PKI (Public Key Infrastructure) security:
  – Every mobile phone and every other device (Internet of Things, i.e. smart watch, CCTV, wearables) that works with a SIM card supports mobile PKI.

• Legally binding:
  – All transactions are digitally signed with non-repudiation, as provided for by the Digital Signature Act.
  – Avoids disputes and provides better customer service and experience.

Page 8: Managing & Securing the Online and Mobile banking - Chew Chee Seng


Single ID for Multiple Applications

Page 9: Managing & Securing the Online and Mobile banking - Chew Chee Seng


Mobile ID or Mobile Signature for Banks

Mobile PKI on SIM’s SE

Certificate Authority

Page 10: Managing & Securing the Online and Mobile banking - Chew Chee Seng


How it works?

[Diagram] Parties: Licensed CA (RCA), Banks, Government Agencies, Corporate Entities, Merchants, Service Provider Aggregator, MSSP (Mobile Signature Service Platform), Mobile Operators, and the customer’s handset reached over WAP, SMS, USSD or App.

Labelled steps, in flow order:
• Service Request: the customer asks the bank, agency, corporate entity or merchant for a service.
• Auth Request: the service provider (directly or through the Service Provider Aggregator) asks the MSSP to authenticate the customer.
• Generate Signature Request: the MSSP builds a Signature Request and sends it through the Mobile Operator to the handset.
• Handset prompt: “Pay RMXXX from your Acc 123456789 to Mr. Aan Smith. Please confirm with signature” [Cancel] [OK], then “Key in PIN to sign, PIN: ******” [Cancel] [OK].
• Signature (Transaction encrypted at SIM): the SIM signs the transaction and returns it through the Mobile Operator to the MSSP.
• Signature attached with Cert: the MSSP attaches the customer’s certificate from the CA and returns Signature & Cert to the service provider.
• Decrypt Trans & Verify Signature: the service provider verifies the signature and the certificate.
• Proceed with Service: Service Fulfillment.

Page 11: Managing & Securing the Online and Mobile banking - Chew Chee Seng


Implementation for High Net Worth Individual Banking

[Diagram] Parties: Licensed CA (Certificate Authority), MSSP (Mobile Signature Service Platform), MNO, Priority Banking Customer, Service Delivery Channels (Priority Internet/Mobile Banking, Smart Phone/Tablet Application, Relationship Manager) and the Bank Data Center (Priority Banking Internet/Mobile Banking Application Servers).

Labelled steps, in flow order:
• Customer accesses service, or Customer interacts with Relationship Manager.
• Relationship Mgr initiated auth Request: the channel sends an Authentication Request to the bank’s application servers, which forward it to the MSSP.
• Create Signature Request: the MSSP sends the Signature Request through the MNO to the customer’s handset.
• Handset prompt: “Please key in Signing PIN ******” [Cancel] [OK], then “Signature Sent” [Cancel] [OK].
• Signature: returned to the MSSP, which attaches the Certificate and forwards Signature with Certificate to the bank.
• Verify Signature and Decide on Transaction, then Return Confirmation to the channel and the Priority Banking Customer.

Page 12: Managing & Securing the Online and Mobile banking - Chew Chee Seng


Customer and Money Transfer Transaction Flow

[Diagram] Parties: Licensed CA (Certificate Authority), MSSP (Mobile Signature Service Platform), MNO, Priority Banking Customer, Relationship Manager and the Bank Data Center (Priority Banking CRM System, CRM Application servers).

Phone interaction:
Customer: “Please proceed with my transfer of RM 500,000 from my current account to a fixed deposit.”
Relationship Manager: “Sure Mr. Lee, please confirm the transaction with your digital signature.”

Labelled steps, in flow order:
• Key in transaction and initiate auth request: the Relationship Manager enters the transfer in the CRM system, which sends an Auth Request to the MSSP.
• Create signature request: the MSSP sends the Signature Request through the MNO to the customer’s handset.
• Handset prompts: “Transfer of RM500,000 from current acct to fixed deposit” [Cancel] [OK]; “Please confirm with digital signature, PIN: ******” [Cancel] [OK]; “Signature Sent”.
• Signature: returned to the MSSP, which attaches the digital certificate and forwards Signature and Certificate to the bank.
• Verify signature and confirm transaction, then Return confirmation; the handset shows “Transaction confirmed” [Cancel] [OK].

Relationship Manager: “Thanks Mr. Lee. We’ve received your signature and your transfer is confirmed.”
Customer: “Wow, that was fast. Thanks very much.”
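The three signature flows on the preceding slides (the generic “How it works?” flow, the high net worth implementation and this money transfer), together with the earlier claim that X.509 certificates turn the handset into a second factor, reduce to the same steps: the CA certifies a key that lives in the SIM, the SIM signs exactly the transaction text the customer saw after a PIN, the certificate travels with the signature, and the bank verifies both while holding no customer secret at all. The following Go program is an added example, not ManagePay’s platform code or any MSSP API. It assumes an ECDSA P-256 key in the SIM’s secure element, SHA-256 over the displayed text, and the slides’ “Transaction encrypted at SIM” modelled plainly as a digital signature; the CA name, customer name and PIN are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed validity window for every certificate in this example.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// must panics on setup errors (key generation, certificate issuance); the bank's verification path returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// LicensedCA stands in for the licensed certificate authority (constructed for this example; a real CA keeps its root key in an HSM).
type LicensedCA struct {
	key  *ecdsa.PrivateKey
	Root *x509.Certificate // the only thing the bank needs from the CA
}

func NewLicensedCA() *LicensedCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Licensed CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &LicensedCA{key: key, Root: must(x509.ParseCertificate(der))}
}

// SIM models the key in the SIM's secure element: generated there, never exported, usable only after the signing PIN is entered.
type SIM struct {
	key     *ecdsa.PrivateKey
	certDER []byte
	pin     string
}

// Enrol generates the customer's key pair "on the SIM" and has the CA certify the public key under the customer's name.
func (ca *LicensedCA) Enrol(customer, pin string) *SIM {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: customer}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Root, &key.PublicKey, ca.key))
	return &SIM{key: key, certDER: der, pin: pin}
}

// Sign is the "Key in PIN to sign" step: it signs exactly the text shown on the handset
// and returns the signature with the customer's certificate attached.
func (s *SIM) Sign(displayedText, enteredPIN string) (sig, certDER []byte, err error) {
	if subtle.ConstantTimeCompare([]byte(s.pin), []byte(enteredPIN)) != 1 {
		return nil, nil, errors.New("wrong signing PIN")
	}
	digest := sha256.Sum256([]byte(displayedText))
	sig, err = ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	return sig, s.certDER, err
}

// BankVerify is the "Verify Signature and Decide on Transaction" step. The bank holds no
// customer secret, only the licensed CA's root: it checks that the certificate chains to that
// root and names the expected customer, then that the signature covers the transaction the
// bank itself is about to execute, so a transaction altered in transit fails the last check.
func BankVerify(root *x509.Certificate, customer, txn string, sig, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil || cert.Subject.CommonName != customer {
		return fmt.Errorf("certificate was not issued by the licensed CA to %q (chain error: %v)", customer, err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256([]byte(txn))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not cover the transaction to be executed")
	}
	return nil
}

func main() {
	ca := NewLicensedCA()
	sim := ca.Enrol("Mr. Lee", "1234") // constructed customer name and signing PIN
	txn := "Transfer of RM500,000 from current acct to fixed deposit"
	sig, certDER, _ := sim.Sign(txn, "1234")
	fmt.Println("as signed:", BankVerify(ca.Root, "Mr. Lee", txn, sig, certDER))
	fmt.Println("altered:  ", BankVerify(ca.Root, "Mr. Lee", txn+" via acct 999", sig, certDER))
}
```

The design choice that matters is in BankVerify’s inputs: it takes the transaction the bank is about to execute and the licensed CA’s root, never a copy of the customer’s key, which is what gives the slides’ non-repudiation claim its footing. A man-in-the-browser that rewrites the transfer changes the text the bank hashes, so the customer’s signature over the text they actually read no longer verifies; a signature produced under a certificate from any other CA, or for a different customer name, is rejected at the chain check before the signature is even examined.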

Page 13: Managing & Securing the Online and Mobile banking - Chew Chee Seng


Thank you…

Chew Chee [email protected]
+60122188433