Transcript of Session 3: Digital Security challenges

Session 3: Digital Security challenges
Mr. Zoltan Szalai, Solutions Manager, GEMALTO
eBanking Security
Zoltan Szalai, eBanking Security Consultant at Gemalto

Gemalto Delivers Trusted and Convenient Digital Services to Billions of People

OUR COMPANY
- €2.4 billion revenue in 2013
- 12,000 employees
- 43 countries worldwide with a site in operation

OUR INNOVATION
- €170+ million invested in R&D in 2013
- 4,300 patents and patent applications

OUR SOLUTION
- 1 in 3 people use Gemalto products and services worldwide

ABOUT E-BANKING
- 20% annual growth
- 90+ million protected by Ezio solutions
- 200+ employees in 15 sites worldwide

The Ezio platform: any back-end, any technology, any form factor, all channels, all segments, all use-cases
- Form factors: mobile, PC, tablet, phone; tokens, readers, USB, display card
- Technology: mobile token, software, other vendor
- Back-end: PKI, OATH, CAP, proprietary; Ezio Server, other server, Ezio Toolkit
- Segments: corporate, retail, private
- Channels and use-cases: e-banking, e-commerce
- Support all the way: Ezio Services

Frauds

Fraud is Constantly Evolving

Attacks: whaling, ID theft, key/screen logging, pharming, phishing, man-in-the-middle, man-in-the-browser, shoulder surfing, social engineering, cross-channel attacks, contractual fraud, relay attack.

Authentication methods: static passwords, one-time passwords, challenge/response, transaction data signing, transaction verification.

Phishing Attack

... are familiar with phishing; low to very low knowledge of other attacks (Source: RSA Online Fraud Report).

Actors: victim, bank server, fake server.
1) The attacker sends a fake "security" email with a fake link.
2) The victim enters secure information on the fake internet bank site.
3) The fake server obtains the account information.
4) The attacker uses the obtained account information on the real internet bank site.

Man-in-the-Middle Attack

Actors: victim, bank server. Malware waits for a transaction and modifies its details.
- The victim submits a transaction: To a Friend, Amount: 50.
- The malware modifies the transaction before it reaches the bank server: To Bad Friend, Amount: 5,000 (the diagram shows the victim's original submission, To a Friend, Amount: 50, next to the modified one the bank server receives).

The malware is open source now, and manuals are also available.

ZitMo and Variants Smashed SMS OTP

Actors: victim, bank server.
1) The malware infects both the computer and the mobile phone.
2) It submits a fraudulent transaction.
3) The bank sends the SMS OTP to the "user" (the infected phone).
4) The malware submits the user's SMS OTP.

30,000 online bank accounts compromised in 30+ banks by Eurograbber alone. Source: www.net-security.org

SMS OTP is Under Continuous Attack

- 2010: Zitmo (Zeus in the Mobile), derived from a PC Trojan
- 2011: Spitmo (SpyEye in the Mobile)
- 2012: Citmo (Carberp in the Mobile); Eurograbber attack, based on Zitmo, 36M€ stolen
- 2013: Perkele, based on Zitmo, the first Malware as a Service

Mitigation

Multi-factor Authentication Methods

Ezio Mobile Architecture

The mobile device runs the mBanking application, built on the Ezio Mobile SDK, and the eBanking token (PIN keypad 0 to 9). Over the Internet both reach the Bank Server, which relies on the Ezio Server, EPS and an HSM. The flows shown are enrolment, provisioning and authentication, covering both mBanking and eBanking.

The Tablet Case

- Access to the bank with the web browser, protected by the Mobile Token.
- Access to the bank with a native application, protected by the Mobile SDK.

eBanking Use Case – Authentication (same experience as with a dedicated hardware device)
1) The user is prompted for login + OTP.
2) The user inputs the PIN code in the Mobile Token.
3) The mobile application generates an OTP.
4) The user enters login and OTP.
5) Access to the eBanking site is granted.

eBanking Use Case – Transaction Signature (same experience as with a dedicated hardware device)
1) The user starts a money transfer to a new bank account.
2) The user is requested to sign the transaction.
3) The user enters account number, amount and PIN.
4) The application generates a signature.
5) The user enters the signature.

mBanking Use Case – Authentication (transparent two-factor authentication: the PIN code replaces the password)
1) The user enters the UserID and presses Login.
2) The user enters the PIN code.
3) An OTP is generated and sent to the bank server.
4) The OTP is validated and the user accesses the bank account details.

mBanking Use Case – Transaction Signature (transparent two-factor authentication: the PIN code replaces the password)
1) The end user enters the transaction details (IBAN and amount).
2) The end user confirms that he wants to sign the transaction.
3) The end user enters the PIN code.
4) The transaction is being validated.
5) The transaction is authorized.
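The login OTP and the transaction signature described in the eBanking and mBanking use cases above, together with the man-in-the-middle scenario from the Frauds section, as an added example that is not Gemalto's Ezio code: login uses OATH HOTP/TOTP (RFC 4226 and RFC 6238, the OATH back-end listed on the platform slide), and the transaction signature is a simplified OCRA-style code whose MAC input binds a bank challenge to the IBAN and amount the user confirmed on the device. The demo seed, the example IBANs, the challenge format and the BankServer class are constructed for this example; the page does not document Ezio's actual message formats.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed (the RFC 4226 test-vector key). In the deployment the
# slides describe, the per-device key is created during enrolment and kept in
# the token's secured container; it never appears in source code.
DEMO_SEED = b"12345678901234567890"


def truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): take 4 bytes at the offset
    named by the low nibble of the last MAC byte, clear the sign bit, and
    reduce modulo 10^digits, zero-padded."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def transaction_signature(seed: bytes, challenge: str, iban: str,
                          amount: float, digits: int = 8) -> str:
    """OCRA-style transaction data signing (simplified; not the RFC 6287
    message layout, an assumption of this example). The MAC input binds the
    bank's challenge to the beneficiary IBAN and amount the user confirmed."""
    message = b"\x00".join([
        challenge.encode(),
        iban.replace(" ", "").upper().encode(),  # normalise what the user typed
        f"{amount:.2f}".encode(),
    ])
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    return truncate(mac, digits)


class BankServer:
    """Constructed bank-side verifier. It recomputes every code over the data
    it actually received, so a transaction altered in transit no longer matches."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.challenges: dict[str, str] = {}

    def new_challenge(self, txn_id: str) -> str:
        # One fresh random challenge per transaction stops replay of a
        # signature captured earlier.
        self.challenges[txn_id] = secrets.token_hex(8)
        return self.challenges[txn_id]

    def verify_login(self, otp: str, unix_time: int, window: int = 1) -> bool:
        # Tolerate small clock drift: the current 30 s step and its neighbours.
        step = unix_time // 30
        return any(hmac.compare_digest(otp, hotp(self.seed, c))
                   for c in range(step - window, step + window + 1))

    def verify_transaction(self, txn_id: str, iban: str, amount: float,
                           signature: str) -> bool:
        challenge = self.challenges.pop(txn_id, None)  # single use
        if challenge is None:
            return False
        expected = transaction_signature(self.seed, challenge, iban, amount)
        return hmac.compare_digest(signature, expected)


def man_in_the_middle_demo() -> dict:
    """Replay the slide's scenario: the user signs 'To a Friend, Amount: 50';
    malware rewrites it to 'To Bad Friend, Amount: 5,000' before the bank sees it."""
    bank = BankServer(DEMO_SEED)
    friend_iban = "DE89 3704 0044 0532 0130 00"   # constructed example IBAN
    bad_friend_iban = "GB33BUKB20201555555555"    # constructed example IBAN
    # Device side: the user reads IBAN and amount on the token, enters the PIN,
    # and the signature covers exactly those details.
    challenge = bank.new_challenge("txn-1")
    signature = transaction_signature(DEMO_SEED, challenge, friend_iban, 50.00)
    # Malware changes what is submitted but cannot recompute the signature.
    modified_accepted = bank.verify_transaction("txn-1", bad_friend_iban, 5000.00, signature)
    # The same flow over untouched details verifies.
    challenge = bank.new_challenge("txn-2")
    signature = transaction_signature(DEMO_SEED, challenge, friend_iban, 50.00)
    original_accepted = bank.verify_transaction("txn-2", friend_iban, 50.00, signature)
    return {"modified_accepted": modified_accepted, "original_accepted": original_accepted}


if __name__ == "__main__":
    print(man_in_the_middle_demo())
```

The point the slides make in diagram form is visible in `verify_transaction`: a plain login OTP says nothing about what is being authorised, so malware on the PC or phone can forward it unchanged, whereas a signature computed over the IBAN and amount is only valid for the details the user saw on the token's own screen.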

Multi Devices and Multi Users

One user can hold several devices linked to the same bank account; each device has to go through the enrolment process separately, so that keys are not duplicated across devices.

Each member of the family can share the same device without sharing the credentials of their own account; each credential is stored in a separate secured container.