Session 3: Digital Security Challenges. Transcript of the talk by Mr. Zoltan Szalai, eBanking Security
Gemalto Delivers Trusted and Convenient Digital Services to Billions of People
OUR COMPANY
- €2.4 billion revenue in 2013
- 12,000 employees
- 43 countries worldwide with a site in operation

OUR INNOVATION
- €170+ million invested in R&D in 2013
- 4,300 patents and patent applications

OUR SOLUTION
- 1 in 3 people use Gemalto products and services worldwide

ABOUT E-BANKING
- 20% annual growth
- 90+ million people protected by Ezio solutions
- 200+ employees in 15 sites worldwide
eBanking Security 4

The Ezio offer (diagram):
- Any back-end: Ezio Server, other server, Ezio Toolkit
- Any technology: PKI, OATH, CAP, proprietary
- Any form factor: tokens, readers, USB, display card, mobile token, software, other vendor
- All channels: mobile, PC, tablet, phone
- All segments: corporate, retail, private
- All use-cases: e-banking, e-commerce
- Ezio Services support all the way

We are the trusted partner for financial services and retail institutions worldwide
Fraud is Constantly Evolving

Attack types: whaling, ID theft, key/screen logging, pharming, phishing, man-in-the-middle, man-in-the-browser, shoulder surfing, social engineering, cross-channel attacks, contractual fraud, relay attack.

Countermeasures: static passwords, one-time passwords, challenge/response, transaction data signing, transaction verification.
Phishing Attack

... are familiar with phishing; low to very low knowledge of other attacks. Source: RSA Online Fraud Report

Parties: Victim, Bank Server, Fake Server.
1) The attacker sends a fake "security" email with a fake link.
2) The victim enters secure information on the fake internet bank site.
3) The attacker obtains the account information.
4) The attacker uses the obtained account information on the real internet bank site.
Man-in-the-Middle Attack

Parties: Victim, Bank Server. Malware waits for a transaction and modifies its details.
1) The victim submits a transaction: to a friend, amount 50.
2) The malware modifies the transaction in transit, and the bank server receives: to a bad friend, amount 5,000.
The malware is open source now, and manuals are also available.
ZitMo and Variants Smashed SMS OTP

Parties: Victim, Bank Server.
1) The attacker infects both the computer and the mobile phone.
2) The attacker submits a fraudulent transaction.
3) The bank sends the SMS OTP to the "user", i.e. the infected phone.
4) The attacker submits the user's SMS OTP.
30,000 online bank accounts were compromised in 30+ banks by Eurograbber alone. Source: www.net-security.org
SMS OTP is Under Continuous Attack

Timeline 2010 to 2013:
- Zitmo: Zeus in the Mobile
- Spitmo: SpyEye in the Mobile
- Citmo: Carberp in the Mobile
- Eurograbber attack, based on Zitmo: €36M stolen
- Perkele, based on Zitmo: derived from a PC trojan, the first malware as a service
Ezio Mobile Architecture

[Diagram: the mobile device runs the mBanking application with the Ezio Mobile SDK and an eBanking token (PIN keypad); it communicates over the Internet with the Bank Server, which relies on the Ezio Server, EPS and an HSM for enrolment, provisioning and authentication.]

The Tablet Case
- Access to the bank with the web browser, protected by the mobile token
- Access to the bank with a native application, protected by the mobile SDK
eBanking Use Case – Authentication (same experience as with a dedicated hardware device)
1) The user is prompted for login + OTP.
2) The user inputs the PIN code in the mobile token.
3) The mobile application generates an OTP.
4) The user enters login and OTP.
5) Access to the eBanking site is granted.
eBanking Use Case – Transaction Signature (same experience as with a dedicated hardware device)
1) The user starts a money transfer to a new bank account.
2) The user is requested to sign the transaction.
3) The user enters account number, amount and PIN.
4) The application generates a signature.
5) The user enters the signature.
mBanking Use Case – Authentication (transparent two-factor authentication: the PIN code replaces the password)
1) The user enters the UserID and presses Login.
2) The user enters the PIN code.
3) An OTP is generated and sent to the bank server.
4) The OTP is validated and the user accesses the bank account details.
mBanking Use Case – Transaction Signature (transparent two-factor authentication: the PIN code replaces the password)
1) The end user enters the transaction details (IBAN and amount).
2) The end user confirms that he wants to sign the transaction.
3) The end user enters the PIN code.
4) The transaction is validated.
5) The transaction is authorized.
Multi Devices and Multi Users

One user can hold several devices linked to the same bank account. Each device must go through the enrolment process, so that keys are not duplicated across devices.
Several members of a family can share the same device without sharing the credentials of their own accounts: each credential is stored in a separate secured container.
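As an added example (not Gemalto's Ezio code or algorithm), the Python below illustrates why transaction data signing defeats the man-in-the-middle scenario above, and how per-device enrolment from the multi-device slide fits in: the signature is computed over the exact IBAN and amount the user sees, so a malware-rewritten beneficiary or amount fails server-side verification, and each enrolled device holds its own key. The construction (HMAC-SHA1 over a SHA-256 challenge, with HOTP-style dynamic truncation modelled on OATH HOTP, RFC 4226) is my assumption for illustration; user names, keys, device ids and IBANs are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed illustration: OATH HOTP-style truncation (RFC 4226) over a
# challenge derived from the transaction data. This is NOT Gemalto's Ezio
# algorithm; all names, keys, device ids and IBANs are made-up sample values.

DIGITS = 8  # length of the signature the user types back into the bank site


def enrol_device(registry, user_id, device_id, key=None):
    """Enrolment: each device of a user gets its own secret, never a copy of
    another device's key, so one device can be revoked without touching the others."""
    if key is None:
        key = secrets.token_bytes(20)
    registry.setdefault(user_id, {})[device_id] = key
    return key


def transaction_challenge(iban, amount_cents):
    """Bind the challenge to exactly the beneficiary and amount the user sees."""
    return hashlib.sha256(f"{iban}|{amount_cents}".encode()).digest()


def sign_transaction(key, iban, amount_cents):
    """Client side (mobile token): HMAC over the challenge, dynamically truncated
    to DIGITS decimal digits the way HOTP does."""
    mac = hmac.new(key, transaction_challenge(iban, amount_cents), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_transaction(registry, user_id, device_id, iban, amount_cents, signature):
    """Server side: recompute the signature over the details the bank actually
    received. If malware altered IBAN or amount in transit, the user signed
    different data and the codes no longer match."""
    key = registry.get(user_id, {}).get(device_id)
    if key is None:
        return False  # unknown device: enrolment never happened
    expected = sign_transaction(key, iban, amount_cents)
    return hmac.compare_digest(expected, signature)


def demo():
    registry = {}
    phone_key = enrol_device(registry, "alice", "phone")
    enrol_device(registry, "alice", "tablet")  # second device, separate key

    # Transfer the user intends: to a friend, 50.00 (amounts in cents).
    iban, amount = "DE89370400440532013000", 5000
    sig = sign_transaction(phone_key, iban, amount)
    honest = verify_transaction(registry, "alice", "phone", iban, amount, sig)

    # Man-in-the-browser rewrites beneficiary and amount to 5,000.00 after signing.
    tampered = verify_transaction(
        registry, "alice", "phone", "GB29NWBK60161331926819", 500000, sig
    )

    # A signature from the phone is not valid for the tablet: distinct keys per device.
    other_device = verify_transaction(registry, "alice", "tablet", iban, amount, sig)
    return honest, tampered, other_device


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The server never trusts the amount shown on the client; it recomputes the signature from what it received, which is what makes the SMS-OTP weakness above (an OTP that is not bound to the transaction) irrelevant here.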