Cidway Bank Finance 01 2009 2 Fa Tr

Secure Access & Transactions for e/mBanking, e/mCommerce using mobile phone unique technology
Comments
  • My company's products are OTP tokens in China; we are the first company to have made the OTP token in China.
    If you want to know more, please contact me: alice@seamoon.com.cn or +86-13510999024, thanks
Transcript

  • DISCOVER CIDWAY
    Mobile Security, Authentication & Transactions’ Signature
    2009
  • Agenda
    STRONG AUTHENTICATION & TRANSACTION SIGNATURE
    • 2-Factor Authentication & Transaction Signature: Usage & Definitions
    CORPORATE BACKGROUND
    • Facts & History
    • Industries
    PRODUCT PRESENTATION
    • Product Line
    • Token Features
    BUSINESS CASES
    • Multi-Channel Banking Solution
    • Key differentiators
    SECURING BANKING TRANSACTIONS
    • Scenario 1: Simple out-of-band Transaction Signature
    • Scenario 2: Challenged out-of-band Transaction Signature
    • Scenario 3: Automated out-of-band Transaction Signature
  • STRONG AUTHENTICATION & TRANSACTION SIGNATURE
  • 2-Factor Authentication & Transaction Signature
    Authentication Factors
    • What you know (PIN code…)
    • What you have (hardware token, mobile phone…)
    • What you are (biometrics)
    2-Factor Authentication
    • Authentication using 2 of the 3 factors. Factors 1 & 2 here: a PIN code entered on a mobile phone, which then generates a One Time Password.
    Transaction Signature
    • Ensures the integrity of a transaction’s data, using a One Time Transaction Code.
    One Time Password (OTP)
    • A single-use, unique password that replaces the static password. An OTP can be event-based (as in most solutions, including SMS OTP, which has some weaknesses) or time-based, as in all Cidway solutions.
    Transaction Signature
    • Out-of-band Transaction Signature lets the bank prevent Man-in-the-Middle attacks on its online user base in a simple and user-friendly way.
  • CORPORATE BACKGROUND
  • CIDWAY – Background
    Cidway
    • Created in December 2005
    • Headquarters in Lausanne, CH
    • Sales offices in Switzerland & UK
    • Internal R&D & patent office
    Partners and Customer Services
    • Global presence via partners & resellers
    • Support center for partners
    • Support portal available for partners
    • Consulting services
    CIDWAY’s Vision
    Authentication and transactions should be safe, reliable and easy for anyone, anywhere, anytime
    This vision is fuelled by:
    • Meeting virtually all authentication requirements
    • Making authentication & transactions simple, easy, accessible, secure and user friendly
    • Addressing virtually unlimited vertical applications from one platform
    • Providing the next-generation mobile software security solution for identity, transaction and data protection
  • Secure Identity, Authentication & Transactions (Industries)
    Banking & Finance
    • E-banking, mobile banking, transaction signature, phone banking, ATM & POS anti-fraud…
    Mobile Application Providers
    • Securing access & transactions for mobile applications (e/m-commerce, e/m-gambling, SMS authentication…)
    Mobile Money & Payment
    • P2P mPayment, cardless ATM cash withdrawal, POS mPayment, bill payment…
    Enterprise resource access
    • Two-factor authentication for desktop login / VPN access / applications / Citrix / webmail…
    Homeland Security
    • Airline pilot & vehicle identification; physical security solutions (guard exchange ID, biometric implementation, etc.)
    Telecommunications
    • Mobile top-up, resource access, ASP authentication solution, SIM-based OTP…
    E-Government services
    • Citizen authentication & transaction security, electronic & mobile voting, bill payment…
    Enable new channels – Improve client confidence & loyalty – Lower TCO
  • PRODUCT PRESENTATION
  • CIDWAY GAIA / SESAMI Product Line
    One server for multiple tokens
    • SESAMI Slim: time-based OTP hardware token
    • SESAMI Mobile: time-based OTP software token for mobile phones; SIM enabled
    • GAIA Server: authentication platform
    • GAIA SDK: authentication platform SDK
    • SESAMI Mobile SDK: time-based OTP token SDK for mobile phones
    • SESAMI SMS: SMS-based OTP for mobile phones
    SDK: Software Development Kit
  • CIDWAY SESAMI SMS
    • Easy deployment
    • No stock management
    • Low on-going cost
    FEATURES & CHARACTERISTICS
    • Strong two-factor authentication
    • No need for software installation or activation on the mobile
    • No secret stored on the mobile
    • User convenience: no need to carry any other device
    • The user can change the mobile phone’s time zone or time
    • Easy management: no need to maintain stock and distribute hardware tokens
    • Easy deployment, no token maintenance needed
    • Works with any SMS-enabled mobile phone or PDA
    OTP FEATURES
    • 8 decimal digits (or optionally 8 hex digits)
    • Time-based combined with challenge-response
    • SHA-1 algorithm
    • Validity of a few seconds (server parameter)
    • Automatic time management by the server
  • CIDWAY SESAMI Slim
    • Robust and user-friendly
    • Secure
    • Low on-going cost
    FEATURES & CHARACTERISTICS
    • Portable, personal and robust (3.2 mm thick, credit-card size)
    • 2-line clear LCD display
    • Replaceable battery (the token’s data is not erased during battery replacement)
    • Time-based OTP: a new OTP every second
    • 8-character OTP (hexadecimal or decimal)
    • Initialization through a secure two-way IR protocol using the SESAMI initialization set
    • Device protected by a user-selected PIN (configurable lockout after 0–15 tries)
    • Protection against physical attacks on the token (tamper evidence)
    • Protection against physical attacks on the user (stress/duress PIN)
    • Customizable operational parameters
    • 12 operational buttons
    • No need for a reader or other equipment
    • Customizable front panel
  • CIDWAY SESAMI Mobile
    FEATURES & CHARACTERISTICS
    Security
    • Time-based OTP with time stamping, digital signature
    • OTP time management to the second
    • Protection against theft or loss of the mobile phone: the PIN is not stored on the mobile, not transmitted, and not stored on the server (patented solution)
    • PIN code selected by the user (no need for a temporary PIN sent to the user)
    Compatibility
    • Large handset coverage (Symbian, Java, WinCE, Brew, Blackberry, iPhone*)
    • Automatic time synchronization (supports any clock change on the mobile)
    • Multiple transmission methods (screen display, SMS, WAP, MMS, GPRS, acoustic, NFC*…)
    Functionalities
    • 2-factor authentication (the user is authenticated by the server)
    • 2-way authentication (the server is authenticated by the user)
    • Transaction signature (guarantees the integrity of transactions against MitM)
    • Automated registration
    • Time traceability
    • Mobile SDK for integration into any existing mobile application
    (*) S1-2009
  • CIDWAY Download (Sesami Mobile only)
    Download options:
    • Over the air (push, pull)
    • eMail
    • PC download
    • Pre-loaded
    • Bluetooth
    • Etc.
    Registration options:
    • Automatic WAP registration
    • Manual user registration
    [Screenshot: download site (sample)]
  • BUSINESS CASES
  • CIDWAY Multi Channel authentication for Banks
    Channels covered: online banking, mobile banking, phone banking, desktop login, remote access / VPN, document signature & data corroboration, anti-fraud ATM, SMS / email authentication
    Improve ROI & Enable new Channels
    • Rationalize the number of authentication solutions
    • Lower the cost of acquisition & maintenance
    • Lower the cost of deployment & replacement
    • Lower transaction costs & dispute support
    • Improve customer acquisition & retention
    • Enable innovative & revenue-generating services
    Simplify User Experience
    • Choice of device (mobile software, hardware, SMS)
    • A device that the user already has (mobile phone)
    • Simple & easy to use
    • One application for many services
    Security
    • A very high level of security, using a time-based OTP with 2-way authentication & transaction signature, combined with unique & patented PIN and secret protection on the mobile phone
    Integration
    • Easy to integrate within the existing bank infrastructure (Gaia Server or SDK)
    • Mobile SDK for integration in any existing mobile application
    • Scalable & fail-safe solution
    • Easy deployment (internal tools or Lotaris)
  • What makes us different from the competition?
    TECHNOLOGY
    • PIN & data protection: ability to protect secrets and sensitive data in mobile phones and PDAs, using Cidway’s patented solution
    • Registration and activation: ability to ensure a convenient & secure registration procedure for CIDWAY mobile tokens
    • Time management: ability to time-stamp the OTP and transaction signature to the second and to allow off-line (after-the-fact) verification of the OTP or the signature
    • Automatic time synchronization: ability to correct, transparently for the user and the server, the time drift between the token and the server, even if the token is a mobile application
    UNIQUE RESPONSE TO MARKET NEEDS
    • 2-factor authentication, using a time-based OTP generated autonomously on a mobile phone
    • 2-way authentication, assuring the user that they are connected to the right server
    • Transaction signature, preventing MitM attacks, with uniquely customizable fields
    • Mobile SDK, seamless integration into any mobile application, ensuring the simplest user experience
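To make the time-based OTP features on the SESAMI SMS slide (8 decimal digits, SHA-1, time-based with challenge-response, validity of a few seconds) and the "Automatic time synchronization" differentiator above concrete, here is an added worked example. It is my own illustration, not Cidway's SESAMI algorithm, whose details are patented and not given on these slides. It assumes a standard HMAC-SHA1 construction over a one-second time counter with RFC 4226-style truncation, an optional challenge mixed into the HMAC input, and assumed window sizes, per-token offset learning and sample key. A token whose clock runs 90 seconds fast is accepted through a wider resync search, its offset is remembered, later codes are checked against a narrow window, and replayed or wrong-challenge codes are rejected.

```python
"""Time-based OTP with challenge, plus server-side drift handling.

Added illustration, not Cidway's SESAMI algorithm (assumption: HMAC-SHA1 over a
one-second counter, RFC 4226-style truncation; window sizes are assumptions).
"""
import hashlib
import hmac
import struct

DIGITS = 8             # SESAMI SMS slide: 8 decimal digits
STEP_SECONDS = 1       # SESAMI Slim slide: a new OTP every second
ACCEPT_WINDOW = 3      # seconds of slack once the token's offset is known (assumption)
RESYNC_WINDOW = 180    # wider search used to (re)learn a token's clock offset (assumption)


def otp(secret: bytes, unix_time: int, challenge: str = "") -> str:
    """8-digit time-based OTP; an optional challenge is mixed into the HMAC input."""
    counter = unix_time // STEP_SECONDS
    msg = struct.pack(">Q", counter) + challenge.encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TokenRecord:
    """Server-side state for one token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset = 0          # token clock minus server clock, learned on success
        self.last_counter = -1   # replay guard: a time step is accepted at most once


def verify(rec: TokenRecord, code: str, server_time: int, challenge: str = "") -> bool:
    """Check `code` in the narrow window around the learned offset; if that fails,
    search the wide resync window and, on success, remember the new offset."""
    for window in (ACCEPT_WINDOW, RESYNC_WINDOW):
        centre = server_time + rec.offset
        for delta in range(-window, window + 1):
            t = centre + delta
            counter = t // STEP_SECONDS
            if counter <= rec.last_counter:
                continue  # already used (replay) or older than the last accepted step
            if hmac.compare_digest(otp(rec.secret, t, challenge), code):
                rec.offset = t - server_time      # automatic time synchronization
                rec.last_counter = counter
                return True
    return False


def demo() -> dict:
    """Walk through drift learning, replay rejection and challenge binding."""
    secret = b"constructed-demo-secret"   # constructed sample key, not a real one
    rec = TokenRecord(secret)
    server_now = 1_700_000_000
    token_clock = server_now + 90         # constructed: the phone's clock runs 90 s fast
    first = verify(rec, otp(secret, token_clock), server_now)            # resync learns +90
    replay = verify(rec, otp(secret, token_clock), server_now)           # same code again
    later = verify(rec, otp(secret, token_clock + 30), server_now + 30)  # narrow window suffices
    chal_ok = verify(rec, otp(secret, token_clock + 60, "4711"), server_now + 60, "4711")
    chal_bad = verify(rec, otp(secret, token_clock + 90, "4711"), server_now + 90, "0000")
    return {"first": first, "replay": replay, "later": later,
            "challenge_ok": chal_ok, "challenge_bad": chal_bad, "offset": rec.offset}


if __name__ == "__main__":
    print(demo())
```

The resync search widens the acceptance window and therefore also widens the guessing surface, so a real deployment would allow it rarely (at registration, or only after consecutive failures) and rate-limit it; the guard on the last accepted time step is what stops a captured code from being replayed within the window, and it matters whenever codes are valid for more than one step.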
  • CIDWAY USPs
    Convenience
    A device the User already has
    Carrier & Handset independent
    One application for multiple usage
    Transparent to the User (when integrated into a mobile application)
    Cost Optimization
    Low acquisition, deployment and maintenance costs
    Multi-channel solution
    Transaction cost reduction and customer retention
    Security & Functionalities
    Time based OTP algorithm with time stamping
    Unique PIN & Secret protection on the Mobile (patented)
    2-way authentication
    Transaction Signature (with unique customizable fields)
    Flexibility
    Easy to integrate within existing infrastructure
    Scalable solution
    Mobile SDK to integrate into any mobile application
  • SECURING BANKING TRANSACTIONS – Scenarios
  • Scenario 1 – Simple out-of-band Transaction Signature
    [Diagram: PC web page "BANK TRANSFER", the user's mobile phone, and the message flow between the user, the bank's application server and the authentication server.]
    Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
    1. The web page displays all the fields for a bank transfer, including the IBAN.
    2. Input the transfer information as usual (IBAN, amount, date, etc.). Example on the slide: amount 10’546.55.
    3. Input the 8 digits on the mobile phone (the IBAN digits 99969491 in the example) and input the PIN code. The Cidway token generates a 6-digit time-based Transaction Code (560429 in the example) by running the data certification algorithm over the input data, and the phone displays it.
    4. Input the displayed code on the web page and VALIDATE.
    The application server receives all the information and transmits the IBAN & Transaction Code to the authentication server, which performs an authentication and a data certification.
  • Scenario 1 – Simple out-of-band Transaction Signature…
    STRONG SECURITY COMBINED WITH USER CONVENIENCE AND SIMPLE IMPLEMENTATION
    • User convenience: small number of digits to input on the phone
    • Security: prevents changes to the bank transfer information (MitM attacks), as the data certification protects the digits of the IBAN (and the amount) that the user keyed in
    • Security: data certification & strong authentication, time-based and time-stamped
    • Simplicity: does not require encryption; seamless integration into the existing infrastructure
    • Improve ROI: the same application can be used for mBanking, ATM fraud fighting, login…
    The data to input on the phone can vary depending on the required level of security; it can also cover the amount or any other data of the transfer. Only the digits actually keyed into the phone are bound by the code, so the bank should choose fields that an attacker cannot easily leave unchanged.
    The CIDWAY Mobile application can be customized accordingly to match the input fields (from 1 to 4, alpha, titles, etc.).
  • Scenario 2 – Challenged out-of-band Transaction Signature
    [Diagram: same flow as Scenario 1 (web page labelled "Bank Transfer"); the IBAN on the web page shows 8 highlighted digits as the challenge.]
    Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
    1. The web page displays all the fields for a transfer, including the IBAN, with 8 digits pre-highlighted (the challenge, randomly selected* and changed for each transfer).
    2. Input the transfer information as usual (IBAN, amount, date, etc.). Example on the slide: amount 10’546.55.
    3. Input the highlighted 8 digits on the phone (92909941 in the example) and input the PIN code. The Cidway token generates a time-based Transaction Code (560429 in the example) by running the data certification algorithm over the digits taken from the web site, and the phone displays it.
    4. Input the displayed code on the web page and VALIDATE.
    The application server receives all the information and transmits the IBAN & Transaction Code to the authentication server, which performs an authentication and a data certification.
    (*) see next slide
  • Scenario 2 – Challenged out-of-band Transaction Signature…
    STRONG SECURITY COMBINED WITH USER CONVENIENCE AND SIMPLE IMPLEMENTATION
    • User convenience: small number of digits to input on the phone, and easy to identify
    • Security: prevents changes to the bank transfer information (MitM attacks), as the data certification protects randomly selected digits of the IBAN (and the amount)
    • Security: combines challenge-response, data certification & strong authentication, time-based and time-stamped
    • Simplicity: does not require encryption; seamless integration into the existing infrastructure
    • Improve ROI: the same application can be used for mBanking, ATM fraud fighting, login…
    The number of pre-highlighted digits can vary depending on the required level of security; the challenge can also cover the amount or any other data of the transfer.
    Taking the IBAN structure into account, the pre-highlighted digits, even though selected with a random generator, should always include digits from the bank code, the branch code and the account number.
    IBAN format (Spain): ESkk BBBB GGGG KKCC CCCC CCCC, where B = bank code, G = branch/office number, K = check digits, C = account number.
  • Scenario 3 – Automated out-of-band Transaction Signature
    [Diagram: PC web page "BANK TRANSFER", the BANK mobile application on the phone, and OTA communications between the bank's application server and the phone.]
    Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
    1. The web page displays the transfer fields (IBAN, amount, date).
    2. Input the transfer information as usual (IBAN, amount, date, etc.) and click SEND. The application server receives all the information and transmits the IBAN & amount to the BANK mobile phone application (already open) for validation.
    The application server sends the transfer data over the air (OTA) to the pre-registered mobile number; the BANK mobile application displays it directly (no searching the SMS inbox…). Example shown on the phone: IBAN CH99122900599969491, Amount 10’546.-, Date 09.10.08.
    3. The user verifies the information displayed in the BANK mobile application, presses YES and inputs the PIN code. This generates a time-based Transaction Code with data certification of the entire data set, with NO data input by the user.
    The BANK mobile application then sends this code OTA to the application server (alternatively, the user inputs the displayed OTP on the PC to avoid a second OTA communication), which finalizes the transaction and acknowledges it on the web.
  • Scenario 3 – Automated out-of-band Transaction Signature…
    THE STRONGEST SECURITY COMBINED WITH SIMPLE USER EXPERIENCE
    • User convenience: NO digits to input on the phone
    • Security: defeats attacks on the PC (MitM attacks), as the transaction is validated and signed completely out of band, using a strong time-based algorithm; the trust then rests on the phone application and the OTA channel rather than on the PC
    • Security: combines challenge-response, data certification & strong authentication, time-based and time-stamped
    • Simplicity: does not require encryption; seamless integration into the existing infrastructure
    • Improve ROI: the same application can be used for mBanking, ATM fraud fighting, login…
    • Redundancy: as it is application-based, the user experience remains extremely simple; a fallback solution can be used if the phone has no network
    • Requires OTA communication with the user’s phone
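The three scenarios above describe one mechanism, a time-based code computed over some certified transaction data and recomputed by the authentication server over the data it actually received, with different choices of which data the phone certifies. The following is an added example of that mechanism in Python; it is not Cidway's patented data certification algorithm, which the slides do not disclose. Assumed: an HMAC-SHA1 over (time, certified data) truncated to 6 decimal digits (the slides show the 6-digit code 560429), a few seconds of server-side tolerance, the Spanish IBAN layout quoted on the Scenario 2 slide, and a constructed ES sample IBAN, amount, date and mule IBAN. Scenario 1 certifies the last 8 IBAN digits keyed by the user, Scenario 2 certifies 8 server-chosen random positions that always include bank, branch and account digits, and Scenario 3 certifies the whole data set received over the air. The constructed mule IBAN shares its last 8 digits with the genuine one, which shows what Scenario 1 cannot catch and Scenarios 2 and 3 do.

```python
"""Out-of-band transaction signature ("data certification") for Scenarios 1-3.

Added illustration, not Cidway's patented algorithm. Assumptions: HMAC-SHA1 over
(unix time, certified data) truncated to 6 decimal digits; a few seconds of server
tolerance; the Spanish IBAN layout ESkk BBBB GGGG KKCC CCCC CCCC from the slide.
"""
import hashlib
import hmac
import random
import struct

CODE_DIGITS = 6   # the slides show a 6-digit transaction code (560429)

# Character positions of each field in a 24-character Spanish IBAN (slide layout):
# 0-1 country, 2-3 IBAN check digits, 4-7 bank, 8-11 branch, 12-13 check, 14-23 account.
ES_FIELDS = {"bank": range(4, 8), "branch": range(8, 12), "account": range(14, 24)}


def transaction_code(secret: bytes, certified: str, unix_time: int) -> str:
    """Time-based transaction code over the certified data (one code per second)."""
    msg = struct.pack(">Q", unix_time) + certified.encode()
    d = hmac.new(secret, msg, hashlib.sha1).digest()
    off = d[-1] & 0x0F
    n = struct.unpack(">I", d[off:off + 4])[0] & 0x7FFFFFFF
    return f"{n % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_code(secret: bytes, certified: str, code: str, server_time: int, window: int = 5) -> bool:
    """Server side: recompute the code over the data *it* received, within +/- window seconds."""
    return any(hmac.compare_digest(transaction_code(secret, certified, server_time + d), code)
               for d in range(-window, window + 1))


def challenge_positions(iban: str, n_digits: int = 8, rng=random.SystemRandom()) -> list:
    """Scenario 2: choose n_digits random IBAN positions, always including at least one digit
    from the bank code, the branch code and the account number (the slide's constraint)."""
    iban = iban.replace(" ", "")
    chosen = {rng.choice(list(field)) for field in ES_FIELDS.values()}
    pool = [i for i in range(2, len(iban)) if i not in chosen]   # positions 0-1 are letters
    chosen.update(rng.sample(pool, n_digits - len(chosen)))
    return sorted(chosen)


def demo() -> dict:
    secret = b"constructed-token-secret"       # constructed sample key
    t = 1_700_000_000                          # token/server time of the transfer
    iban = "ES9121000418450200051332"          # constructed sample IBAN (ES layout)
    amount, date = "10546.55", "09.10.08"
    # Constructed mule IBAN: different bank, branch and account, but same last 8 digits.
    evil_iban = "ES9100491500050000051332"

    # Scenario 1: the user keys the last 8 IBAN digits into the phone.
    code1 = transaction_code(secret, iban[-8:], t)
    s1 = verify_code(secret, iban[-8:], code1, t)
    s1_mitm_same_tail = verify_code(secret, evil_iban[-8:], code1, t)   # substitution not detected

    # Scenario 2: the bank pre-highlights 8 random positions, new for each transfer.
    pos = challenge_positions(iban, rng=random.Random(7))   # seeded only for reproducibility
    code2 = transaction_code(secret, "".join(iban[i] for i in pos), t)
    s2 = verify_code(secret, "".join(iban[i] for i in pos), code2, t)
    s2_mitm = verify_code(secret, "".join(evil_iban[i] for i in pos), code2, t)

    # Scenario 3: the phone certifies the whole data set it received OTA; nothing is typed.
    full = f"{iban}|{amount}|{date}"
    code3 = transaction_code(secret, full, t)
    s3 = verify_code(secret, full, code3, t + 4)                       # a few seconds in transit
    s3_mitm = verify_code(secret, f"{evil_iban}|{amount}|{date}", code3, t + 4)

    return {"s1": s1, "s1_mitm_same_tail": s1_mitm_same_tail, "s2": s2, "s2_mitm": s2_mitm,
            "s3": s3, "s3_mitm": s3_mitm, "positions": pos}


if __name__ == "__main__":
    print(demo())
```

A server would keep the default `random.SystemRandom()` and store the chosen positions with the pending transfer, so that the code is verified against exactly the digits the user saw highlighted. Because every bank-code digit of the mule IBAN differs from the genuine one and the challenge always includes a bank-code position, Scenario 2 rejects the substitution that Scenario 1 accepts; Scenario 3 binds every field and needs no digit selection at all.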
  • CIDWAY Some of our Clients, Partners & on-going initiatives
  • 79. THANK YOU FOR YOUR ATTENTION
    For more information, contact:
    Laurent FILLIAT
    VP Strategic Business
    Mob. +41 78 842 11 47
    Tel. +41 21 331 27 00
    Fax +41 21 331 27 09
    Email: laurent.filliat@cidway.com