BANKING ON CRYPTOGRAPHY & BIOMETRICS

Transcription

1 BANKING ON CRYPTOGRAPHY & BIOMETRICS Tony Chew, Director / Specialist Advisor MONETARY AUTHORITY OF SINGAPORE

2 WHY WE NEED CRYPTOGRAPHY The only known practical means of protecting data in a communications network. System security tool for online banking, payments e-commerce and m-commerce to achieve: a) confidentiality b) integrity c) authentication d) digital signature

3

4 LARGEST KNOWN DATA BREACH CONSPIRACY 160 million credit cards hacked ( ) Global Payment Systems Heartland Payment Systems Visa Jordan / Commidea/ DexiaBank Wet Seal / 7-Eleven / JetBlue Airways JC Penney / Carrefour / Hannaford Euronet/ Dow Jones / Nasdaq Diners Singapore / Ingenicard

5

6 Attacks on payments systems have exploded in the past two years said the US Secret Service ATM skimming fraud is costing the US banking industry about $1 billion each year. According to the US Secret Service, payment card fraud in America is at least $8 billion annually. According to the National Retail Federation, credit card fraud exceeded $11 billion in 2012.

7

8 WHAT IS CRYPTOGRAPHY? Encryption and decryption Permutation, substitution = product cipher Symmetric cipher: same secret key to encrypt, decrypt Asymmetric cipher: public key, private key

9 CIPHERS AND HASH FUNCTIONS Algorithm Key Length Weak Strong DES RC4 SSL RSA ECC MD5 128 SHA /192/256 AES 128/192/256

10 ENCRYPTION ALGORITHM 3DES Key size: 168 bits

11 ENCRYPTION ALGORITHM AES 256

12 HASHING ALGORITHM SHA256

13 ebanking & ATM/POS SYSTEMS ATM NETWORKS PSTN / WIFI INTERNET WEB SERVER IVR /BIOMETRICS ATM / EFTPOS CARDS/M-APPS AUTHENTICATION VERIFICATION AUTHORISATION CORE BANKING SYSTEM

14 ONLINE BANKING SECURITY ARCHITECTURE Crypto Server OTP verification APPLET HOST Firewall IPS Sensor AVS SECURE SOCKETS LAYER (SSL) + APPLICATION LAYER END TO END ENCRYPTION Customer ID PIN (encrypted) Web Server Application Server Database Server HSM 4 types of OTP with Transaction Alerts Cryptographic functions

15

16

17 PIN MECHANICS A/C # KEY DES Chosen PIN Derived PIN PIN OFFSET

18 PIN VERIFICATION A/C # Chosen PIN HSM calculates new Derived PIN from A/C # then adds it to previously stored PIN OFFSET for comparison with Chosen PIN

19 ATM NETWORKS SHARED LOCAL NETWORK: >2,000 ATMs in Singapore State Bank of India Global Networks:

20 SHARED ATM NETWORKS PIN encryption PIN encryption PIN encryption

21 ATM5 NETWORK ATMs at 153 locations ekc(pin) ekm(pin) ekh(pin) CIRRUS State Bank of India

22 KEY EXCHANGE A B C D E F

23 KEY EXCHANGE PERMUTATION Number of keys : n(n-1)/2 = 6(6-1)/2 = 15 A B C D E F B C D E F C D E F D E F E F F Total

24 DES KEY MANAGEMENT Key generation KM KKE KDE Master keys Key encrypting keys Data encrypting keys Key distribution Key installation Key recovery

25 KEY MANAGEMENT KT1 KT2 KTn ekm(kde1) ekm(kde2) ekm(kden) SCM KM

26 HIERARCHY OF KEYS KM KT KMO KM1 KM2 KMn ekmo((kde) ekm1(kt) KT ekt(kde) ekde(pin) SCM HOST ATM RANDOM # = ekmo(kde) EN[eKMO(KDE), PIN] = ekde(pin) DE[eKMO(KDE), ekde(pin)] = PIN (disallowed) VE[eKMO(KDE), ekde(pini), ekm2(pinv)] KT

27 $45 MILLION ATM HEISTS

28 Note: acquiring bank layer is not shown Note: acquiring bank layer is not shown BANKNET $5M $40M

29

30 ANATOMY OF A MAGNETIC STRIPE ; nnnn nnnn nnnn nnnn = YYMM SVC DDDDDDDDCVV X Start Card Number Separator Expiry Date Service Code Discretionary End Track 1 Track 2 Track 3 THE ACHILLES HEEL OF PAYMENT CARD SECURITY 30

31 CHIP AND MAGNETIC STRIPE 916 Card Number Expiry Date Service Code Discretionary CVC THE ACHILLES HEEL OF PAYMENT CARD SECURITY

32 CARD DATA AND PERSONAL DETAILS OF 110 MILLION CUSTOMERS WERE HACKED BETWEEN 27 NOV AND 15 DEC 2013.

33

34 ENCRYPTION FORMAT IN ECB MODE 1. XOR PIN AND PAN 2. CONCATENATE PIN AND TRANSACTION NUMBER 3. PAD PIN WITH RANDOM VALUE 4. PAD PIN WITH FIXED VALUE

35

36 PAYMENT CARD FRAUD WHAT DO WE KNOW? HOW MUCH DO WE KNOW?

37 PAYMENT CARD AND ONLINE BANKING SECURITY ENHANCEMENT ROADMAP DDA Credit/Debit Chip Card Migration DDA ATM Chip Card Migration One Time Password for Card Not Present New/Replacement Card Activation Cessation of Domestic Magstripe Transactions for Credit/Debit Card Transaction Alerts Deactivation of Overseas Cash Withdrawal for ATM Card Transaction Signing for Online Banking Deactivation of Overseas Use of Magstripe for Credit/Debit/Prepaid Card Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q DDA: Dynamic Data Authentication ATM: Automated Teller Machine

38 ONLINE BANKING SECURITY ARCHITECTURE Security Server OTP & Biometrics HOST APPLET Firewall SSL IPS Sensor AVS APPLICATION LAYER END TO END ENCRYPTION Customer ID PIN Configuration Management Controls Transaction Signing (1 January 2013) Web Server Application Server Database Server HSM BIOMETRICS 38 Cryptographic functions

39

40 BIOMETRICS

41 AUTHENTICATION WHAT YOU KNOW WHAT YOU HAVE WHO YOU ARE (BIOMETRICS) The automatic identification or identity verification of living persons based on behavioural and physiological characteristics.

42 BIOMETRICS A general term to describe a process or a characteristic. 1. Automated methods of recognizing a person based on measurable behavioural and physiological characteristics. 2. A measurable physiological and behavioural trait that can be used for automated recognition.

43 SURVEY BANKS Australia Belgium Brazil Brunei Canada Chile China Germany Indonesia Ireland Israel Italy Japan Jordan Pakistan Poland Mexico Panama Russia Spain Turkey UAE UK USA

44 BARCLAYS

45

46 iphone5s Touch ID

47 Apple iphone 5S Touch ID Laser-cut sapphire crystal Tactile switch Touch ID sensor Stainless steel detection ring FAR = 0.002%

48 VENDOR CLAIMS OF BIOMETRIC ACCURACY FINGERPRINT / AuthenTec FAR % FRR 1.0% FINGER-VEIN / Hitachi-Omron FAR % FRR 0.01% PALM-VEIN / Fujitsu FAR % FRR 0.01%

49 VOICE BIOMETRICS

50

51

52

53

54 BASIC COMPONENTS OF A BIOMETRIC SYSTEM Decision Module

55 TOP FIVE THREATS TO BIOMETRICS 1. IMPERSONATION 2. CIRCUMVENTION 3. SUBSTITUTION 4. REPUDIATION 5. COERCION

56 finis