77e6b42be3ef70cc9c6edac946e489cd.ppt
- Number of slides: 36
MICRO BANKING Where the security and convenience meet PKI SOLUTION FOR eBANKING & ePAYMENT
ONLINE BANKING
OPPORTUNITIES
- More services through the online banking channel
- Reduce costs of online banking transactions
CHALLENGES
- Security
- Convenience
ONLINE BANKING AUTHENTICATION
- Most banks use a password to protect access to online banking
- Passwords can be guessed, stolen, hacked …
- This includes basic techniques like shoulder surfing and dictionary attacks, or more complex ones like phishing
ATTACK ON THE INTERNET [Diagram labels: Fake email, Phishing, Pharming, Trojan Horse, Man in the Middle, Fake Website, Hacker]
AN EXAMPLE OF PHISHING ATTACK
AMOUNT OF PHISHING FRAUD: 3.2 Billion USD
FIRST CONCLUSION
- Phishing is effective
- Phishing is growing
- Phishing targets mainly the banks
- More sophisticated attacks are becoming a reality
- Password is not an option
TWO-FACTOR AUTHENTICATION
Authentication must include one or more of the following:
- Something a person knows: PIN, password
- Something a person is: biometry
- Something a person owns: hardware
A two-factor authentication includes at least two of these factors
WHY BANKS MUST MIGRATE TO STRONG AUTHENTICATION
- Avoid bad reputation
  - Customer recruitment and retention
  - In case of security breach 41% of consumers would switch bank (TriCipher study)
- Push customers to use online banking
  - Operations are 100 times cheaper than in branch
- Compliance with security directives
  - FFIEC
  - Banque De France
  - Monetary Authority of Singapore
- Decrease the direct cost of fraud
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: OTP TOKEN
Generates a One Time Password every 60 s or when pushing a button
- Mobility
- Customer acceptance
- No protection against Man in the Middle attack
- Weak protection against dynamic phishing attacks
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: SMS Text
The bank sends an authentication code to the user's handset
- The mobile phone is never far
- Customer acceptance
- No protection against Man in the Middle attack (except with return status message)
- Maintenance is complex and costly (price of SMS, update of phone numbers…)
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: Smart card with unconnected CAP reader
After PIN validation the offline reader displays the authentication code
- Leverages the existing EMV infrastructure
- No driver to install on the PC
- No protection against Man in the Middle attack
- Initial feedback shows a lack of convenience
- Risk of human mistakes (long numbers)
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: Smart card with connected CAP reader
After PIN validation the online reader displays the authentication code
- Leverages the existing EMV infrastructure
- Provides better protection against Man in the Middle attacks
- Just a PIN, no long number to enter in the system
- Requires an installation on the PC: no mobility
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: Criteria to select a solution
The bank needs to find the best balance between security, convenience and price.
- Login/Password: THE most used method
- One Time Passwords (OTP) list & Matrix Cards & OTP tokens
- CAP/DPA on EMV card + reader
- Fingerprint reader
- Challenge response using the user's mobile
- Risk management on Back Office
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: Conclusion about the available solutions
Conclusion
- Many solutions exist on the market
- None seems to be THE solution
- Each has at least one serious drawback
And what if
- To be protected against Man in The Middle?
- Mobility: driver to auto install?
- Customer adoption?
- Low maintenance cost?
- Combine security & service?
MICRO BANKING Where the security and convenience meet
WHAT IS MICROBANKING SERVICE?
- PKI Token/Mobile Token dedicated to the Online Banking
- A smart card chip for the authentication operations
- A dedicated browser for enhanced security and convenience
WHAT IS MICROBANKING SERVICE? Micro-Banking browser
- Runs automatically and is integrated into the middleware
- Goes to a unique address hardwired in the chip during personalization or configured from the Token Management System (TMS)
USER EXPERIENCE
0: User plugs in the Key (PKI Token) & the Usertool, and the Browser is launched
1: User chooses Micro Banking in the left pane of the Usertool and enters Login
2: Browser connects to the Micro-Banking server through 2-way SSL (client certificate)
3: Micro-Banking server requests authentication
4: Authentication application on the Key asks for the PIN
5: PIN is validated in the Key
6: Cryptogram is sent to the Micro-Banking Server
Access is granted
Each transaction requires a PIN prompt
SCREENSHOTS Main Screen Please choose ‘Login’ once used Micro-Banking
SCREENSHOTS Choose the certificate for login; the corresponding account will be referenced
SCREENSHOTS Account balance, Account statement
SCREENSHOTS Bill payment
SECURITY OF MICROBANKING
- PKI-based Online Banking (highest security)
- Client certificate, two-way SSL
- Each transaction, each CMS PKCS#7 (Cryptographic Message Syntax)
- Uses public certificates, a stable & popular infrastructure in the Vietnam market
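Added example, not part of the original deck or the vendor's code: a server-side check contrasting an OTP code, which is computed without the transaction, with a per-transaction cryptogram bound to the transaction fields and a server nonce. Assumptions: HMAC with a per-token key stands in for the token's certificate-based CMS signature so the code runs on the standard library, and `BankServer`, `token_sign` and the sample key are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. Assumption: HMAC with a per-token key stands in for
# the smart-card private-key signature (CMS/PKCS#7 on the slide).
TOKEN_KEY = b"constructed-demo-token-key"


def hotp(counter: int, key: bytes = TOKEN_KEY) -> str:
    """Event-based one-time password (RFC 4226): key and counter only."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**6:06d}"


def token_sign(tx: dict, nonce: str, key: bytes = TOKEN_KEY) -> str:
    """Per-transaction cryptogram covering the tx fields and the server nonce."""
    message = json.dumps({"nonce": nonce, "tx": tx}, sort_keys=True).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class BankServer:
    """Hypothetical verifier showing both acceptance rules side by side."""

    def __init__(self) -> None:
        self.pending = set()  # nonces issued and not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def accept_with_otp(self, tx: dict, code: str, counter: int) -> bool:
        # The code proves the token was present; tx is not an input to it.
        return hmac.compare_digest(code, hotp(counter))

    def accept_signed(self, tx: dict, nonce: str, cryptogram: str) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already used nonce: replay
        self.pending.discard(nonce)  # single use, even if verification fails
        return hmac.compare_digest(cryptogram, token_sign(tx, nonce))
```

With these rules, a transaction whose payee was changed in transit still passes `accept_with_otp` but fails `accept_signed`, and a reused nonce is rejected.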
BENEFIT FOR BANK’S CUSTOMERS
- Mobility: minor installation on the PC (just 2 MB on the Key)
- Convenience: just a Key, just a PIN code
- Plug & Play, direct access to your account thanks to our Key, Tomikey-2003 U
- No trace left on the PC
BENEFIT FOR BANK’S CUSTOMERS
- Dedicated browser: easy, with a feeling of security
- Protects against phishing and MiTM
- Ease of use
- Feedback from customers: they liked it
BENEFIT FOR BANKS
- Optimal security: resistant to phishing, MiTM
- Enhance customer trust: attract new customers & retain existing customers
- Scalable for future options: digital vault storage
- Enhance branding: image of reliability and proximity with the customer
- Optimal cost per user
TIME TO ACCESS: SO CONVENIENT
Time of access is critical to increase:
- Traffic of internet banking services
- Customer satisfaction
Methods compared (in column order): Password, OTP token, Unconnected CAP reader, Connected CAP reader, SMS Text, Micro Banking
Number of user's actions: 6, 6, 8, 6, 7, 2
Average time: 45 s 1 mn 10 s 40 s 1 mn 20 s
Micro Banking offers fast access thanks to:
- Real-time access
- Real-time alarm
WHY SHOULD YOU CHOOSE OURS?
- Requires only a small installation on the PC, which can be remotely personalized and managed
- Supported by Tomica Partners to provide servers or integration services
- The best price compared to competition
- Developed by security experts
TRIAL PACK FOR BANK
TRIAL PACK / PROOF OF CONCEPT
- 1 ePass 2003
- 5 ePass 2003
- 2 months access to a demo
- Implemented the CAG 360, service based on Micro-Banking on bank facility https://tomicalab.com/microbanking/ (just takes 10 working days)
- Supported by TOMICA™
SYSTEM STRUCTURE [Diagram components: Token Management System; User Tool on the Key; Micro-Banking System; CAG 360 Centralized Authentication Gateway; Core Banking (ServiceBus)]
DEMO MICRO-BANKING: where the security and convenience meet. PKI-Based Online Banking, supplied by TOMICALAB & maintained and operated by the Bank alone. QUESTION?
STILL IN PROGRESS
- Integrated on iOS, Android, Windows Phone with Tomikey-2003 A & SIMCA
- Integrated fully on Mac OS X and Linux
- Trend to micro-payment and eInvoicing together
CONTACT US
MINH THONG CARD SOLUTIONS CO., LTD
Address: 16/2 Ter Dinh Tien Hoang, Da Kao Ward, 1st District, Ho Chi Minh City
Website: www.tomicalab.com
Hotline: 19006884
Email: sales@tomicalab.com