Cidway Bank Finance 01 2009 2 Fa Tr

Secure Access & Transactions for e/mBanking, e/mCommerce using mobile phone unique technology

Comment: My company products are OTP Tokens in China, the first company who made the OTP Token in China. If you want to know more, please contact me: alice@seamoon.com.cn or +86-13510999024, thanks
DISCOVER CIDWAY
Mobile Security, Authentication & Transactions’ Signature
2009
Agenda

2-Factor Authentication & Transaction Signature
- Usage & Definitions

CORPORATE BACKGROUND
- Facts & History
- Industries

PRODUCT PRESENTATION
- Product Line
- Tokens Features

BUSINESS CASES
- Multi-Channel Banking Solution
- Key differentiators

SECURING BANKING TRANSACTIONS
- Scenario 1: Simple out-of-band Transaction Signature
- Scenario 2: Challenged out-of-band Transaction Signature
- Scenario 3: Automated out-of-band Transaction Signature

STRONG AUTHENTICATION & TRANSACTION SIGNATURE
2-Factor Authentication & Transaction Signature

Authentication Factors
- What you know (PIN code…)
- What you have (hardware token, mobile phone…)
- What you are (biometrics)

2-Factor Authentication
- Authentication using 2 of the 3 factors. Factors 1 & 2: a PIN code on a mobile phone, generating a One Time Password.

Transaction Signature
- Ensures the integrity of the data of a transaction, using a One Time Transaction Code.

One Time Password (OTP)
A single-use, unique password that replaces the static password. An OTP can be event-based, as in most solutions including SMS OTP (which has some weaknesses), or time-based, as in all Cidway solutions.

Transaction Signature
Out-of-band transaction signature enables the bank to prevent Man-in-the-Middle attacks for its online user base in a simple and user-friendly way.
CORPORATE BACKGROUND
CIDWAY – Background

Cidway
- Created in December 2005
- Headquarters in Lausanne, CH
- Sales offices in Switzerland & UK
- Internal R&D & patent office

Partners and Customer Services
- Global presence via partners & resellers
- Support center for partners
- Support portal available for partners
- Consulting services

CIDWAY’s Vision
Authentication and transactions should be safe, reliable and easy for anyone, anywhere, anytime.
This vision is fuelled by:
- Meeting virtually all authentication requirements
- Making authentication & transactions simple, easy, accessible, secure and user friendly
- Addressing virtually unlimited vertical applications from one platform
- Providing the next generation mobile software security solution for identity, transaction and data protection

Secure Identity, Authentication & Transactions

Banking & Finance
E-Banking, Mobile-Banking, transaction signature, phone banking, ATM & POS anti-fraud…

Mobile Application Providers
Securing access & transactions for mobile applications (e/m-Commerce, e/m-Gambling, SMS authentication…)

Mobile Money & Payment
P2P mPayment, cardless ATM cash withdrawal, POS mPayment, bill payment…

Enterprise resource access
Two-factor authentication for desktop login / VPN access / applications / Citrix / webmail…

Homeland Security
Airline pilot & vehicle identification; physical security solutions (guard exchange ID, biometric implementation, etc.)

Telecommunications
Mobile top-up, resource access, ASP authentication solution, SIM-based OTP…

E-Government services
Citizen authentication & transaction security, electronic & mobile voting, bill payment…

Enable new channels – Improve client confidence & loyalty – Lower TCO
PRODUCT PRESENTATION
CIDWAY GAIA / SESAMI Product Line
One server for multiple tokens
- SESAMI Slim: time-based OTP hardware token
- SESAMI Mobile: time-based OTP software token for mobile phones
- SIM enabled
- GAIA Server: authentication platform
- GAIA SDK: authentication platform SDK
- SESAMI Mobile SDK: time-based OTP token SDK for mobile phones
- SESAMI SMS: SMS-based OTP for mobile phones
SDK: Software Development Kit
CIDWAY SESAMI SMS
- Easy deployment
- No stock management
- Low on-going cost

FEATURES & CHARACTERISTICS
- Strong two-factor authentication
- No need for software installation or activation on the mobile
- No secret stored on the mobile
- User convenience: no need to carry any other device
- User can change his mobile phone time zone or time
- Easy management: no need to maintain stock and distribute hardware tokens
- Easy deployment, no need for token maintenance
- Works with any SMS-enabled mobile phone or PDA

OTP FEATURES
- 8 decimal digits (or optionally 8 hex digits)
- Time-based combined with challenge-response
- SHA-1 algorithm
- Validity of a few seconds (server parameter)
- Automatic time management by the server
CIDWAY SESAMI Slim
- Robust and user-friendly
- Secure
- Low on-going cost

FEATURES & CHARACTERISTICS
- Portable, personal and robust (3.2 mm thickness, credit card size)
- 2-line clear LCD display
- Replaceable battery (token data is not erased during battery replacement)
- Time-based OTP: new OTP every second
- 8-character OTP (hexadecimal or decimal)
- Initialization through a secure two-way IR protocol using the SESAMI initialization set
- Device protected by a user-selected PIN (configurable parameter, 0-15 tries)
- Protection against physical attacks on the token (tamper evidence)
- Protection against physical attacks on the user (stress PIN)
- Customizable operational parameters
- 12 operational buttons
- No need for a reader or other equipment
- Customizable front panel
CIDWAY SESAMI Mobile
FEATURES & CHARACTERISTICS

Security
- Time-based OTP with time stamping, digital signature
- OTP time management to the second
- Protection against theft or loss of the mobile phone: PIN not stored on the mobile, not transmitted, and not stored on the server (patented solution)
- PIN code selected by the user (no need for a temporary PIN sent to the user)

Compatibility
- Large handset coverage (Symbian, Java, WinCE, Brew, Blackberry, iPhone*)
- Automatic time synchronization (supports any clock change on the mobile)
- Multiple transmission methods (screen display, SMS, WAP, MMS, GPRS, acoustic, NFC*…)

Functionalities
- 2-factor authentication (user authenticated by the server)
- 2-way authentication (server authenticated by the user)
- Transaction signature (guarantees the integrity of transactions against MitM)
- Automated registration
- Time traceability
- Mobile SDK for integration into any existing mobile application

(*) S1-2009
CIDWAY Download (Sesami Mobile only)

Download
- Over the Air (push, pull)
- Email
- PC download
- Pre-loaded
- Bluetooth
- Etc.

Registration options:
- Automatic WAP registration
- Manual user registration

Download site (sample)
BUSINESS CASES
CIDWAY Multi-Channel Authentication for Banks
Channels: online banking, mobile banking, phone banking, desktop login, remote access / VPN, document signature & data corroboration, anti-fraud ATM, SMS / email authentication

Improve ROI & Enable New Channels
- Rationalize the number of authentication solutions
- Lower the cost of acquisition & maintenance
- Lower the cost of deployment & replacement
- Lower transaction costs & dispute support
- Improve customer acquisition & retention
- Enable innovative & revenue-generating services

Simplify User Experience
- Choice of device (mobile software, hardware, SMS)
- A device that the user already has (mobile phone)
- Simple & easy to use
- One application for many services

Security
- A very high level of security, using time-based OTP with 2-way authentication & transaction signature, combined with a unique & patented PIN and secret protection on the mobile phone.

Integration
- Easy to integrate within existing bank infrastructure (Gaia Server or SDK)
- Mobile SDK for integration in any existing mobile application
- Scalable & fail-safe solution
- Easy deployment (internal tools or Lotaris)

What makes us different from the competition?

TECHNOLOGY
- PIN & data protection: ability to protect secret and sensitive data in mobile phones and PDAs, using Cidway’s patented solution
- Registration and activation: ability to ensure a convenient & secure registration procedure for CIDWAY mobile tokens
- Time management: ability to time-stamp the OTP and transaction signature to the second, and to allow off-line (after-the-fact) verification of the OTP or the signature
- Automatic time synchronization: ability to correct, transparently for both the user and the server, the time drift between the token and the server, even when the token is a mobile application

UNIQUE RESPONSE TO MARKET NEEDS
- 2-Factor Authentication: using a time-based OTP generated autonomously on a mobile phone
- 2-Way Authentication: assuring the user that he is connected to the right server
- Transaction Signature: preventing MitM attacks, with uniquely customizable fields
- Mobile SDK: seamless integration into any mobile application, ensuring the simplest user experience

CIDWAY USPs

Convenience
- A device the user already has
- Carrier & handset independent
- One application for multiple uses
- Transparent to the user (when integrated into a mobile application)

Cost Optimization
- Low acquisition, deployment and maintenance costs
- Multi-channel solution
- Transaction cost reduction and customer retention

Security & Functionalities
- Time-based OTP algorithm with time stamping
- Unique PIN & secret protection on the mobile (patented)
- 2-way authentication
- Transaction signature (with unique customizable fields)

Flexibility
- Easy to integrate within existing infrastructure
- Scalable solution
- Mobile SDK to integrate into any mobile application
SECURING BANKING TRANSACTIONS – Scenarios
Scenario 1 – Simple out-of-band Transaction Signature

1. Login using Cidway’s OTP & two-way authentication; go to the Transfer page. The web page displays all the fields for a bank transfer, including the IBAN.
2. Input the transfer information as usual (IBAN, amount, date, etc.); in the example the amount is 10’546.55.
3. Input the 8 digits on the mobile phone (in the example, 99969491) and input the PIN code. The Cidway token generates a 6-digit time-based transaction code, using the data certification algorithm with the input data, and the phone displays the transaction code (in the example, 560429).
4. Input the displayed code on the web page and VALIDATE. The application server receives all the information and transmits the IBAN & transaction code to the authentication server, which processes an authentication & a data certification.

[Figure: bank transfer web page and phone screens for steps 1-4, with the 8 keyed digits, the PIN entry and the displayed transaction code.]
Scenario 1 – Simple out-of-band Transaction Signature (continued)
STRONG SECURITY COMBINED WITH USER CONVENIENCE AND SIMPLE IMPLEMENTATION
- User convenience: small number of digits to input on the phone
- Security: prevents changes to the bank transfer information (MitM attacks), as it protects digits of the IBAN (and amount) using data certification
- Security: data certification & strong authentication, time-based and time-stamped
- Simplicity: no encryption required; seamless integration into existing infrastructure
- Improved ROI: the same application can be used for mBanking, ATM fraud fighting, login…

The data to input on the phone can vary depending on the required level of security, and can also apply to the amount or any other data of the transfer.
The CIDWAY Mobile application can be customized accordingly to match the input fields (from 1 to 4, alpha, titles, etc.).
Scenario 2 – Challenged out-of-band Transaction Signature

1. Login using Cidway’s OTP & two-way authentication; go to the Transfer page. The web page displays all the fields for a transfer, including the IBAN, with 8 digits pre-highlighted (the challenge, randomly selected* and changed for each transfer).
2. Input the transfer information as usual (IBAN, amount, date, etc.); in the example the amount is 10’546.55.
3. Input the highlighted 8 digits on the phone (in the example, 92909941) and input the PIN code. The Cidway token generates an 8-digit time-based OTP, using the data certification algorithm with the input data from the web site, and the phone displays the transaction code (in the example, 560429).
4. Input the displayed code on the web page and VALIDATE. The application server receives all the information and transmits the IBAN & transaction code to the authentication server, which processes an authentication & a data certification.

(*) see next slide

[Figure: bank transfer web page with the highlighted IBAN digits, and phone screens for the challenge entry, PIN entry and displayed transaction code.]
Scenario 2 – Challenged out-of-band Transaction Signature (continued)
STRONG SECURITY COMBINED WITH USER CONVENIENCE AND SIMPLE IMPLEMENTATION
- User convenience: small number of digits to input on the phone, and easy to identify
- Security: prevents changes to the bank transfer information (MitM attacks), as it protects digits of the IBAN (and amount), selected randomly, using data certification
- Security: combines challenge-response, data certification & strong authentication, time-based and time-stamped
- Simplicity: no encryption required; seamless integration into existing infrastructure
- Improved ROI: the same application can be used for mBanking, ATM fraud fighting, login…

The number of pre-highlighted digits can vary depending on the required level of security, and can also apply to the amount or any other data of the transfer.
Taking into account the IBAN structure, the pre-highlighted digits, even though selected with a random generator, should always include digits in the bank code, branch code and account.
IBAN format: ESkk BBBB GGGG KKCC CCCC CCCC (B = bank code, G = branch/office number, K = check digits, C = account number)
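The data-certification flow of Scenarios 1 and 2, and the time-based OTP definition earlier in the deck, as an added example that is not Cidway's code or its patented algorithm. It assumes a per-token secret shared between the token and the authentication server, a 30-second time step, and HMAC-SHA1 with HOTP-style truncation as the code derivation (the deck only says SHA-1 is used); the function names, the sample secret and the sample Spanish IBAN are constructed for the example. The Scenario 2 selector enforces the slide's rule that the highlighted challenge must always touch the bank code, branch code and account fields, and `verify_code` is the server-side check with a small drift window.

```python
import hashlib
import hmac
import random

# Added example (constructed; not Cidway's own code or its patented algorithm).
# Assumption: the token and the authentication server share a per-token secret
# and a clock, and the transaction code is an HMAC over the certified digits and
# the current time step. HMAC-SHA1 with HOTP-style truncation is a stand-in; the
# deck only says that SHA-1 is used.
TIME_STEP_SECONDS = 30            # assumed; the deck says "validity of a few seconds"

def time_step(unix_seconds: int) -> int:
    """Time step the code is bound to (time-based OTP, as opposed to event-based)."""
    return unix_seconds // TIME_STEP_SECONDS

def transaction_code(secret: bytes, certified: str, step: int, digits: int = 6) -> str:
    """Time-based transaction code certifying `certified` (the digits keyed into the phone)."""
    msg = certified.encode("ascii") + step.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_code(secret: bytes, certified: str, code: str, step: int, window: int = 1) -> bool:
    """Authentication-server check: recompute from the server's own copy of the
    certified digits and accept within +/- `window` steps to absorb clock drift.
    Digits that were not certified are not covered by the code at all."""
    return any(
        hmac.compare_digest(transaction_code(secret, certified, step + d, len(code)), code)
        for d in range(-window, window + 1)
    )

# Spanish IBAN layout as given on the slide: ESkk BBBB GGGG KKCC CCCC CCCC
# (0-based positions in the 24-character IBAN without spaces).
ES_FIELDS = {
    "bank": range(4, 8),
    "branch": range(8, 12),
    "check": range(12, 14),
    "account": range(14, 24),
}

def compact_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()

def scenario1_positions(iban: str, n: int = 8) -> list:
    """Scenario 1: a fixed choice, here the last n digits of the account."""
    length = len(compact_iban(iban))
    return list(range(length - n, length))

def scenario2_positions(iban: str, n: int = 8, seed=None) -> list:
    """Scenario 2: random challenge positions, forced to include the bank code,
    branch code and account fields as the slide requires. `seed` exists only for
    reproducible tests; production selection uses the OS CSPRNG."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    compact = compact_iban(iban)
    if len(compact) != 24 or not compact.startswith("ES"):
        raise ValueError("selector models the Spanish IBAN layout only")
    chosen = {rng.choice(list(ES_FIELDS[f])) for f in ("bank", "branch", "account")}
    remaining = [i for i in range(2, 24) if i not in chosen]    # all numeric positions
    chosen.update(rng.sample(remaining, n - len(chosen)))
    return sorted(chosen)

def covers_required_fields(positions) -> bool:
    """Policy check from the slide: every challenge must touch bank, branch and account."""
    return all(any(p in ES_FIELDS[f] for p in positions) for f in ("bank", "branch", "account"))

def certified_digits(iban: str, positions) -> str:
    """Digits the user keys into the phone; the server derives the same string itself."""
    compact = compact_iban(iban)
    return "".join(compact[p] for p in positions)

if __name__ == "__main__":
    secret = b"constructed-token-secret"            # constructed sample secret
    iban = "ES91 2100 0418 4502 0005 1332"          # constructed sample IBAN
    step = time_step(1_231_000_000)
    positions = scenario2_positions(iban, seed=7)
    digits = certified_digits(iban, positions)
    code = transaction_code(secret, digits, step)
    print(positions, digits, code, verify_code(secret, digits, code, step))
```

The point of `covers_required_fields` is the caveat the slide itself states: a code certifies only the digits that went into it, so a fixed Scenario 1 choice such as the last eight account digits leaves the bank and branch codes uncertified, while the Scenario 2 selector never produces a challenge that misses those fields.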
Scenario 3 – Automated out-of-band Transaction Signature

1. Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
2. Input the transfer information as usual (IBAN, amount, date, etc.) and click SEND. In the example: IBAN CH99122900599969491, amount 10’546.-, date 09.10.08. The application server receives all the information and transmits the IBAN & amount to the BANK mobile phone application (already open) for validation, using OTA communications to the pre-registered mobile number; the data is displayed directly by the BANK Mobile application (no search in the SMS inbox…).
3. The user verifies the displayed information received directly on the BANK Mobile application, presses YES and inputs his PIN code. On validation and PIN entry, the application generates a time-based transaction code with data certification of the entire data set, with NO data input from the user. The BANK Mobile application then sends (OTA) this code to the application server (an alternative is for the user to input the displayed OTP on the PC, to avoid a second OTA communication), which finalizes the transaction and acknowledges it on the web.

[Figure: bank transfer web page, OTA communication to the phone, and the phone screen showing IBAN, amount and date with the YES button and PIN entry.]
Scenario 3 – Automated out-of-band Transaction Signature (continued)
THE STRONGEST SECURITY COMBINED WITH SIMPLE USER EXPERIENCE
- User convenience: NO digits to input on the phone
- Security: prevents any attack on the PC (MitM attacks), as the transaction is validated and signed completely out-of-band, using a strong time-based algorithm
- Security: combines challenge-response, data certification & strong authentication, time-based and time-stamped
- Simplicity: no encryption required; seamless integration into existing infrastructure
- Improved ROI: the same application can be used for mBanking, ATM fraud fighting, login…
- Redundancy: as it is application-based, the user experience remains extremely simple; a fallback solution can be used if the phone has no network
- Requires OTA communication with the user’s phone

CIDWAY: Some of our Clients, Partners & on-going initiatives
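The Scenario 3 exchange (server pushes the full data set, phone signs all of it, server finalizes), together with the "Time Management" and "Automatic Time Synchronization" items from the differentiators slide, as an added example that is not Cidway's code. It reuses the same assumed construction as the Scenario 1/2 example (shared per-token secret, 30-second time step, HMAC-SHA1 with HOTP-style truncation) but signs a canonical encoding of IBAN, amount and date; the `AuthServer` class, its method names, the replay register, the learned-drift resynchronisation and the audit record are all constructed for the example, as are the sample secret and transfer values. PIN handling on the phone is deliberately left out, since the deck does not describe it.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Added example (constructed; not Cidway's own code or algorithm). Assumption: the
# same shared-secret, time-step transaction code as in the Scenario 1/2 example,
# now computed over the entire pushed data set with no digits keyed by the user.
TIME_STEP_SECONDS = 30     # assumed step size

def canonical_transfer(iban: str, amount: str, date: str) -> str:
    """Unambiguous encoding of the pushed data set, so that phone and server sign
    exactly the same bytes regardless of display formatting."""
    payload = {
        "iban": iban.replace(" ", "").upper(),
        "amount": format(Decimal(amount), ".2f"),
        "date": date,                      # assumed ISO yyyy-mm-dd
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))

def transaction_code(secret: bytes, data: str, step: int, digits: int = 8) -> str:
    """Time-based code over the whole data set (HMAC-SHA1, HOTP-style truncation: assumed)."""
    mac = hmac.new(secret, data.encode() + step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def phone_sign(secret: bytes, pushed: dict, user_confirms: bool, phone_clock: int):
    """Step 3 on the phone: display the pushed data; on YES (PIN entry omitted) sign all of it."""
    if not user_confirms:
        return None
    data = canonical_transfer(pushed["iban"], pushed["amount"], pushed["date"])
    return transaction_code(secret, data, phone_clock // TIME_STEP_SECONDS)

class AuthServer:
    def __init__(self, secret: bytes, window: int = 2):
        self.secret = secret
        self.window = window      # accepted skew, in steps, around the learned drift
        self.drift = 0            # learned phone-vs-server offset, in steps
        self.pending = {}         # transfer_id -> canonical data set that was pushed
        self.used = set()         # (step, code) already accepted; blocks replays
        self.audit = []           # (transfer_id, data, step, code): time-stamped record

    def push(self, transfer_id: str, iban: str, amount: str, date: str) -> dict:
        """Step 2: record what is sent OTA so finalize() verifies against the same data."""
        self.pending[transfer_id] = canonical_transfer(iban, amount, date)
        return {"iban": iban, "amount": amount, "date": date}

    def finalize(self, transfer_id: str, code, server_clock: int) -> bool:
        """Accept the code only for the data set this server pushed, once, within the window."""
        data = self.pending.get(transfer_id)
        if data is None or code is None:
            return False
        base = server_clock // TIME_STEP_SECONDS + self.drift
        for d in range(-self.window, self.window + 1):
            step = base + d
            if hmac.compare_digest(transaction_code(self.secret, data, step), code):
                if (step, code) in self.used:
                    return False           # same code presented twice: replay
                self.used.add((step, code))
                self.drift += d            # automatic time resynchronisation
                self.audit.append((transfer_id, data, step, code))
                del self.pending[transfer_id]
                return True
        return False

    def reverify(self, transfer_id: str) -> bool:
        """Off-line (after-the-fact) check: the stored step lets the code be recomputed later."""
        for tid, data, step, code in self.audit:
            if tid == transfer_id:
                return hmac.compare_digest(transaction_code(self.secret, data, step), code)
        return False

if __name__ == "__main__":
    secret = b"constructed-token-secret"                       # constructed
    srv = AuthServer(secret)
    pushed = srv.push("T1", "CH99 1229 0059 9969 491", "10546.00", "2008-10-09")
    code = phone_sign(secret, pushed, True, 1_231_000_045)     # phone clock 45 s ahead
    print(code, srv.finalize("T1", code, 1_231_000_000), srv.drift, srv.reverify("T1"))
```

Two server-side details carry the security of the flow: the code is checked against the data set the server itself pushed, so a code over anything else is meaningless to it, and the accepted (step, code) pair is remembered so the same code cannot finalize a second transfer even while still inside the time window.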
THANK YOU FOR YOUR ATTENTION
For more information, contact:
Laurent FILLIAT
VP Strategic Business
Mob. +41 78 842 11 47
Tel. +41 21 331 27 00
Fax +41 21 331 27 09
Email: laurent.filliat@cidway.com
