Meeting FFIEC Regulations for Online and Mobile Banking

The benefits of smart card based authentication that utilizes Public Key Infrastructure, with additional mechanisms for authenticating and verifying higher risk transactions, have been outlined in the 2005 Guidance by the FFIEC [i]. Technological advances by Tyfone, a security company that is currently working with the US Intelligence Community on device and access security based on smart cards using wireless protocols (the Connected Smart Card), overcome the traditional limitations of the reader based smart card discussed in the 2005 FFIEC Guidance and can be used across the complete spectrum of devices used for online and mobile banking.

The Trend and the Need!

Cybersecurity, which requires securing online, cloud, and wireless mobile devices, is an important issue facing all organizations, including corporations, banks, critical infrastructure, and governments. Hackers are able to steal information such as social security numbers, credit card numbers, bank account details, vulnerability reports of dams, usernames, passwords and all other information stored centrally in the cloud. To make matters worse, it is often impossible to catch these criminals, as these hacks originate off-shore. And since the crime is virtual, whereby criminals make copies of the data without destroying it, most organizations and users alike are unaware of the information loss.

Recent data indicates the following:

- Dramatic loss in data: 705 million records lost in 2013 (OSF)
- Dramatic loss in dollars: $445 billion in 2013 (CSIS)
- No effective solutions: $46 billion spent to prevent loss in 2013, and most of it wasted (HP)
- Increase in crime: 20% increase in reported crime (HP)
- Increase in loss: 30% increase in loss per crime (HP)
- Most breaches unreported: 94% of breaches go unreported (FBI)

Imagine what a security breach of a government agency, a bank, or critical infrastructure such as a power grid could cost.
Corporations, banks, and governments throughout the world are scrambling to figure out more effective solutions. FFIEC has recognized the need to solve this problem for Financial Institutions and has defined requirements while not requiring or recommending specific implementations. The problem with a majority of existing security solutions is that the implementations have centralized data stores. As demonstrated in the recently publicized cyber-attacks, centralized data stores are a single point of failure of authentication credentials. Such centralized security implementations do not prevent loss and are easy to hack. This is covered in the next section.
Security That is Centralized is Insufficient

Most state-of-the-art security implementations look like what is shown in the figure below. All security mechanisms, namely password storage and validation, encryption key storage, threat analytics as well as MFA answers, are centralized and intrusive as well as inconvenient to users. This consolidated approach is not only a lucrative target, but also a single point of vulnerability.

[Figure: centralized security architecture. Remote users on multiple devices submit passwords and MFA Q&A to the cloud infrastructure for mobile and internet banking, which fronts the core banking system (data and transactions) and holds centralized password validation, centralized encryption keys and centralized threat analytics. Callouts: Consolidated = lucrative and easy to steal; too many systems, too many false positives, inconvenient for staff and users.]

Recent data indicates that it is not prudent to rely solely on centralized security:

- Passwords are not enough: 90% of passwords are vulnerable as of 2013 (Deloitte)
- Dramatic password compromises: 1.2 billion passwords stolen by one Russian group in 2014 (NY Times)
- Threat analytics have become unmanageable for CIOs: not only are there too many analytic systems to manage, there are too many alerts to deal with; 35% of alerts generated by fraud analytics are false positives (ESG)
- Threat analytics are almost always too late: by the time analytics capture anomalies it is almost always too late; Target's detection came 10 days after the breach and JP Morgan Chase's 2 months after the breach (Target, Chase)
- MFA Q&A to augment passwords is too inconvenient: members do not want to answer too many MFA questions about private data, and often do not know the answers to knowledge based MFA questions, which results in 40% of call center calls being for password reset
- Biometrics: limitations in ease of enrollment of customers, customer privacy concerns, unquantified liability of loss
Multi-factor and Layered Security with Decentralization

Plastic cards with smart card security chips that store client side certificates and keys securely, just as HSMs store server side certificates and keys, are an effective and proven way to enable high-end decentralized security. This is required by, and very commonly used by, customers and employees of European and Asian banks, with the smart card chip in a plastic card form factor. Unfortunately, plastic smart cards cannot be readily used with modern day mobile phones, tablets, laptops and desktops, since these devices lack the ability to read smart cards. For this purpose we propose the use of what is called the Connected Smart Card, which not only has a smart card security chip but also has interfaces including a Bluetooth radio, a near-field radio and USB, allowing the smart card security chip to be made available on any device. This is shown in the figure below.

[Figure: decentralized security architecture. The cloud infrastructure for mobile and internet banking still fronts the core banking system (data and transactions, passwords plus digital encryption keys, threat analytics and MFA Q&A), while ID validation and key storage are decentralized to the Connected Smart Card on the user's device.]

The benefits of decentralized security include:

- Dramatically lowers loss, since the hardware has to be stolen one at a time and the user's password or biometrics also needs to be known.
- Increases convenience, since the user does not have to know hard to remember answers; it is as easy as pressing a button on the hardware.
- Increases the scope of law enforcement, since it requires the physical theft of hardware instead of the remote theft of hacking into a cloud.
- Increases awareness of loss by the user, since the loss is not virtual.
- Makes fraud analytics more meaningful, since fraudulent transactions will be minimized and therefore alerts will be more meaningful.
Apart from the above benefits, the additional benefits of the Connected Smart Card (CSC™) hardware for decentralizing security, which uses miniature smart card chips and existing interfaces to connect to any device, are illustrated below:

[Figure: benefits of the Connected Smart Card]
- Existing interface: leverage billions invested in existing infrastructure; existing industry standards and certifications
- Miniaturize: decentralized password, biometrics, and key storage
- Certified for ID storage and validation; certified key storage and cryptography; certified to be biometric friendly
- Leverage existing security applets: PKCS (internet and mobile banking), EMV (payments), CAC/PIV (government), PIV-I (enterprise)
- Multiple use cases, form factor agnostic: any device, any OS

Pricing Comparison

According to a recent Symantec publication (A Total Cost of Ownership Viewpoint: Two-factor Authentication [ii]), the average cost of ownership for Symantec VIP is expected to be $3.18 per credential per month and that of RSA SecurID $6.02 per credential per month. The cost of Tyfone CSC is estimated to be $1.99 per credential per month, a saving of 37% over Symantec VIP and 67% over RSA SecurID. There is also a further opportunity to decrease Total Cost of Ownership by adding additional credentials to the CSC, which cannot be accomplished in the VIP or SecurID solutions. We envision the CSC not only including public/private key based security for mobile and online banking but also containing EMV payment credentials as the US migrates to smart card infrastructure for debit and credit identities.
CSC = Next Gen Smart Cards: All the benefits and none of the concerns!

Apart from the significant pricing benefit over RSA SecurID (or its comparable Symantec VIP), the Connected Smart Card (CSC), which enables device agnostic multi-factor authentication and layered transaction encryption, is significantly better than the well-known RSA SecurID. A comparison between RSA SecurID and CSC is provided below. Apart from the major differences highlighted, since RSA SecurID relies on centralized validation of ID (dynamic password), there was a massive compromise of its centralized infrastructure that in turn compromised 720 companies.

RSA SecurID:
- Centralized security; compromised en masse*
- Single-purpose
- Manual entry
- Complex pricing, $5 to $7 per credential per month

Form factor agnostic CSC module (sidekey and sidecard form factors shown in the figure):
- Decentralized
- Multiple use cases and remote provisioning
- Layered transaction encryption: mutually authenticated TLS connection
- Device agnostic multi-factor: cryptographically strong ID authentication
- Prevents man-in-the-middle attacks through cryptographic validation of the recipient account number
- Enables remote secure messaging for secondary approval
- Press of a button, and biometric friendly
- Any device: mobile phone, tablet, PC
- $1.99 per credential per month

* See the compromise of RSA's centralized infrastructure described above.
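The decentralized model described in the previous section (the card holds the private key, the bank enrolls only the public key) together with the recipient-account validation listed in the comparison, shown as an added Go example. This is not Tyfone's code and does not describe the CSC's actual protocol; the transfer encoding, the type and function names and the sample account numbers are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transfer is what the card holder approves. Recipient account and amount are signed,
// so a man-in-the-middle cannot redirect it; the server-issued challenge prevents replay.
type Transfer struct {
	RecipientAccount string
	AmountCents      int64
	Challenge        []byte
}

// digest canonically encodes the transfer fields before hashing (constructed format).
func digest(t Transfer) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "transfer|%s|%d|%x", t.RecipientAccount, t.AmountCents, t.Challenge)
	return h.Sum(nil)
}

// SmartCard stands in for the client-side chip: the private key is generated inside and never exported.
type SmartCard struct{ priv *ecdsa.PrivateKey }

func NewSmartCard() (*SmartCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SmartCard{priv: priv}, nil
}

// PublicKey is the only thing the card exports; the bank enrolls it in place of a password.
func (c *SmartCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Approve is the "press of a button": the card signs the transfer digest.
func (c *SmartCard) Approve(t Transfer) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, digest(t))
}

// Bank holds public keys only, so a breach of this store yields nothing usable to approve transfers.
type Bank map[string]*ecdsa.PublicKey

// Verify accepts the transfer only if the enrolled card signed exactly these fields.
func (b Bank) Verify(user string, t Transfer, sig []byte) bool {
	pub, ok := b[user]
	return ok && ecdsa.VerifyASN1(pub, digest(t), sig)
}
```

A signature over one challenge does not validate a transfer with a changed recipient or a different challenge, which is the property the comparison table's "cryptographic validation of recipient account number" refers to.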
Summary

Decentralizing security is rapidly becoming a necessity. Tyfone's CSC is the next generation of smart card based security. It is not only more secure and versatile, it is 67% cheaper to deploy than RSA SecurID (or other equivalents), including decentralization and multiple use cases.

FFIEC COMPLIANCE: Tyfone's CSC enables both cryptographic multi-factor authentication and an additional layer of transaction encryption, making it a cost-effective FFIEC compliant implementation. Tyfone's CSC is device agnostic and therefore makes the user experience of FFIEC compliant electronic banking on phones, tablets and PCs as simple as pressing a button. The robustness of the CSC also makes threat analytics more meaningful, since it is expected to dramatically reduce the number of alerts. Tyfone's CSC is currently being tested by the US Intelligence Community, through an investment made by In-Q-Tel (the CIA's venture fund), as well as by CoVantage CU.

[i] http://www.ffiec.gov/pdf/authentication_guidance.pdf
[ii] https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf