Meeting FFIEC Meeting Regulations for Online and Mobile Banking


The benefits of smart card based authentication that uses Public Key Infrastructure, together with additional mechanisms for authenticating and verifying higher-risk transactions, were outlined in the 2005 FFIEC Guidance [i]. Technological advances by Tyfone, a security company currently working with the US Intelligence Community on device and access security based on smart cards using wireless protocols (the Connected Smart Card), overcome the traditional limitations of the reader-based smart card discussed in the 2005 FFIEC Guidance and can be used across the complete spectrum of devices used for online and mobile banking.

The Trend and the Need

Cybersecurity, which requires securing online, cloud, and wireless mobile devices, is an important issue facing all organizations, including corporations, banks, critical infrastructure, and governments. Hackers are able to steal information such as social security numbers, credit card numbers, bank account details, vulnerability reports of dams, usernames, passwords, and all other information stored centrally in the cloud. To make matters worse, it is often impossible to catch these criminals, as the hacks originate off-shore. And since the crime is virtual, with criminals making copies of the data without destroying it, most organizations and users alike are unaware of the information loss. Recent data indicates the following:

- Dramatic loss in data: 705 million records lost in 2013 (OSF)
- Dramatic loss in dollars: $445 billion in 2013 (CSIS)
- No effective solutions: $46 billion spent to prevent loss in 2013, most of it wasted (HP)
- Increase in crime: 20% increase in reported crime (HP)
- Increase in loss: 30% increase in loss per crime (HP)
- Most breaches unreported: 94% of breaches go unreported (FBI)

Imagine what a security breach of a government agency, a bank, or critical infrastructure such as a power grid could cost.

Corporations, banks, and governments throughout the world are scrambling to find more effective solutions. The FFIEC has recognized the need to solve this problem for financial institutions and has defined requirements without requiring or recommending specific implementations. The problem with the majority of existing security solutions is that their implementations have centralized data stores. As demonstrated by recently publicized cyber-attacks, centralized data stores are a single point of failure for authentication credentials. Such centralized security implementations do not prevent loss and are easy to hack. This is covered in the next section.

Security That is Centralized is Insufficient

Most state-of-the-art security implementations look like the figure below. All security mechanisms, namely password storage and validation, encryption key storage, threat analytics, and MFA answers, are centralized, intrusive, and inconvenient for users. This consolidated approach is not only a lucrative target but also a single point of vulnerability for hacking.

[Figure: centralized security architecture. Cloud infrastructure for mobile and internet banking in front of the core banking system, which holds data and transactions, passwords, digital encryption keys, threat analytics and MFA Q&A. Remote users on multiple devices supply passwords and MFA Q&A to centralized password validation, centralized encryption keys and centralized threat analytics. Consolidated = lucrative and easy to steal. Too many systems, too many false positives, inconvenient for staff and users.]

Recent data indicates that it is not prudent to rely solely on centralized security:

- Passwords are not enough: 90% of passwords are vulnerable as of 2013 (Deloitte). Dramatic password compromises: 1.2 billion passwords stolen by one Russian group in 2014 (NY Times).
- Threat analytics are almost always too late: they have become unmanageable for CIOs, since not only are there too many analytic systems to manage, there are too many alerts to deal with; 35% of alerts generated by fraud analytics are false positives (ESG). By the time analytics capture anomalies it is almost always too late: Target detected its breach 10 days after it occurred and JP Morgan Chase 2 months after (Target, Chase).
- MFA Q&A (private data) to augment passwords is too inconvenient: members do not want to answer too many MFA questions, and often do not know the answers to knowledge-based MFA questions, which results in 40% of call center calls being for password reset.
- Biometrics: limitations in ease of enrollment of customers, customer privacy concerns, and unquantified liability of loss.

Multi-factor and Layered Security with Decentralization

Plastic cards with smart card security chips that store client-side certificates and keys securely, just as HSMs store server-side certificates and keys, are an effective and proven way to enable high-end decentralized security. This is required by, and very commonly used by, customers and employees of European and Asian banks, with the smart card chip in a plastic card form factor. Unfortunately, plastic smart cards cannot readily be used with modern mobile phones, tablets, laptops and desktops, since these devices lack the ability to read smart cards. For this purpose we propose the use of what is called The Connected Smart Card, which not only has a smart card security chip but also has interfaces including Bluetooth radio, near-field radio and USB, allowing the smart card security chip to be made available on any device. This is shown in the figure below.

[Figure: decentralized security architecture. Cloud infrastructure for mobile and internet banking in front of the core banking system, which holds data and transactions, passwords + digital encryption keys, threat analytics and MFA Q&A. ID validation and key storage are decentralized onto the user's Connected Smart Card.]

Benefits of decentralized security include:

- Dramatically lowers loss, since the hardware has to be stolen one device at a time and the user's password or biometrics also needs to be known.
- Increases convenience, since the user does not have to know hard-to-remember answers; it is as easy as pressing a button on the hardware.
- Increases the scope of law enforcement, since it requires physical theft of hardware instead of the remote theft of hacking into a cloud.
- Increases awareness of loss by the user, since the loss is not virtual.
- Makes fraud analytics more meaningful, since fraudulent transactions will be minimized and therefore alerts will be more meaningful.

Apart from the above benefits, the additional benefits of The Connected Smart Card (CSC™) hardware for decentralizing security, which uses miniature smart card chips and existing interfaces to connect to any device, are illustrated below:

[Figure: Benefits of The Connected Smart Card]

- Existing interface: leverage billions invested in existing infrastructure.
- Miniaturize: decentralized password, biometrics and key storage.
- Existing industry standards and certifications: certified for ID storage and validation; certified key storage and cryptography; certified to be biometric friendly.
- Leverage existing security applets: PKCS (internet and mobile banking), EMV (payments), CAC/PIV (government), PIV-I (enterprise).
- Multiple use cases, form factor agnostic: any device, any OS.

Pricing Comparison

According to a recent Symantec publication (A Total Cost of Ownership Viewpoint: Two-factor Authentication) [ii], the average cost of ownership for Symantec VIP is expected to be $3.18 per credential per month and that of RSA SecurID $6.02 per credential per month. The cost of Tyfone CSC is estimated to be $1.99 per credential per month, a savings of 37% over Symantec VIP and 67% over RSA SecurID. There is a further opportunity to decrease Total Cost of Ownership by adding additional credentials to the CSC, which cannot be accomplished in the VIP or SecurID solutions. We envision the CSC not only including public/private key based security for mobile and online banking but also containing EMV payment credentials as the US migrates to smart card infrastructure for debit and credit identities.

CSC = Next Gen Smart Cards: All the benefit and none of the concerns!

Apart from its significant pricing benefit over RSA SecurID (or its comparable Symantec VIP), The Connected Smart Card (CSC), which enables device agnostic multi-factor authentication and layered transaction encryption, is significantly better than the well-known RSA SecurID. A comparison between RSA SecurID and CSC is provided below. Beyond the major differences highlighted, because RSA SecurID relies on centralized validation of ID (a dynamic password), there was a massive compromise of its centralized infrastructure that in turn compromised 720 companies.

RSA SecurID
- Centralized security, compromised in mass*
- Single-purpose
- Manual entry
- Complex pricing, $5 to $7 per credential per month

Form Factor Agnostic CSC Module (sidekey and sidecard form factors shown on the right)
- Decentralized
- Multiple use cases and remote provisioning
- Layered transaction encryption: mutually authenticated TLS connection
- Device agnostic multi-factor: cryptographically strong ID authentication
- Prevents man-in-the-middle attacks through cryptographic validation of the recipient account number
- Enables remote secure messaging for secondary approval
- Press of a button and biometric friendly
- Any device: mobile phone, tablet, PC
- $1.99 per credential per month
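The decentralized key-storage section above and the comparison list describe the security properties the CSC is credited with: a private key that stays in hardware, cryptographically strong ID authentication, and cryptographic validation of the recipient account number so that a man-in-the-middle cannot alter an approved transfer. The Go program below is an added example written for this page, not Tyfone's code or any CSC firmware. It models the device as an in-process ECDSA key (a real device would hold it inside the smart card chip), models the bank as a registry of enrolled public keys plus spent nonces, and shows that a swapped recipient, a replayed approval, or an unenrolled account all fail verification. The account numbers, the nonce values and the field encoding are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction is what the user approves on the device. Every field the bank
// acts on, including the recipient account number, is bound into the signature,
// so an intermediary that rewrites the recipient invalidates the approval.
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Nonce       string // bank-issued, single use; blocks replay of an old approval
}

// Device stands in for the smart card chip: the private key is generated on it
// and never leaves it. The bank side only ever sees the public key.
type Device struct{ key *ecdsa.PrivateKey }

// Enroll creates the per-device key pair (hypothetical enrollment step).
func Enroll() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: k}, nil
}

// PublicKey is the only thing the device exports for registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.key.PublicKey }

// digest canonicalises the transaction fields into one hash. The '|' framing is
// an assumption that account numbers and nonces never contain '|'; a production
// encoding would use fixed-length or length-prefixed fields (or ASN.1).
func digest(tx Transaction) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%d|%s", tx.FromAccount, tx.ToAccount, tx.AmountCents, tx.Nonce)
	return h.Sum(nil)
}

// Approve is the "press of a button": the device signs the transaction digest.
func (d *Device) Approve(tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.key, digest(tx))
}

// Bank keeps only public keys and spent nonces. A breach of this store reveals
// nothing that lets an attacker forge an approval, unlike a centralized store
// of passwords or shared OTP seeds.
type Bank struct {
	registry   map[string]*ecdsa.PublicKey // account -> enrolled device key
	spentNonce map[string]bool
}

func NewBank() *Bank {
	return &Bank{registry: map[string]*ecdsa.PublicKey{}, spentNonce: map[string]bool{}}
}

// Register ties an account to the public key of the device enrolled for it.
func (b *Bank) Register(account string, pub *ecdsa.PublicKey) { b.registry[account] = pub }

// Verify accepts a transaction only if the enrolled device signed exactly these
// fields and the nonce has not been spent before.
func (b *Bank) Verify(tx Transaction, sig []byte) error {
	pub, ok := b.registry[tx.FromAccount]
	if !ok {
		return errors.New("no device enrolled for account")
	}
	if b.spentNonce[tx.Nonce] {
		return errors.New("replayed approval: nonce already spent")
	}
	if !ecdsa.VerifyASN1(pub, digest(tx), sig) {
		return errors.New("signature invalid: fields altered or not signed by enrolled device")
	}
	b.spentNonce[tx.Nonce] = true
	return nil
}

func main() {
	dev, err := Enroll()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("ACC-1001", dev.PublicKey()) // constructed sample account

	tx := Transaction{FromAccount: "ACC-1001", ToAccount: "ACC-2002", AmountCents: 12500, Nonce: "nonce-0001"}
	sig, _ := dev.Approve(tx)
	fmt.Println("signature:", hex.EncodeToString(sig)[:16]+"...")

	// An intermediary swaps the recipient after the user approved the transfer.
	tampered := tx
	tampered.ToAccount = "ACC-9999"
	fmt.Println("tampered recipient:", bank.Verify(tampered, sig))

	fmt.Println("genuine transaction:", bank.Verify(tx, sig))
	fmt.Println("replayed approval:", bank.Verify(tx, sig))
}
```

The point to take from the model is which side holds what: the device holds the only copy of the private key, and the bank holds material that is useless for forging. The mutually authenticated TLS connection in the comparison list plays the same role at the transport layer, with the device's certificate as the client credential; the application-level signature over the recipient account number is what still protects the transfer if that channel is terminated by something other than the bank.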

Summary

Decentralizing security is rapidly becoming a necessity. Tyfone's CSC is the next generation of smart card based security. It is not only more secure and versatile, it is 67% cheaper to deploy than RSA SecurID (or other equivalents), including decentralization and multiple use cases.

FFIEC COMPLIANCE: Tyfone's CSC enables both cryptographic multi-factor authentication and an additional layer of transaction encryption, making it a cost-effective FFIEC compliant implementation. Tyfone's CSC is device agnostic and therefore makes the user experience as simple as pressing a button for FFIEC compliant electronic banking on phones, tablets and PCs. The robustness of the CSC also makes threat analytics more meaningful, since it is expected to dramatically reduce the number of alerts. Tyfone's CSC is currently being tested by the US Intelligence Community, through investment made by In-Q-Tel (the CIA's venture fund), as well as by CoVantage CU.

References
i. http://www.ffiec.gov/pdf/authentication_guidance.pdf
ii. https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf