AnyID
AnyID: Security Point of View
Narudom Roongsiriwong, CISSP
WhoAmI
• Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
• Food Lover
– Steak, Yakiniku, BBQ
– Sushi (especially Otoro)
– All Kinds of Noodle (Spaghetti, Ramen, Kanomjean)
• Head of IT Security, Kiatnakin Bank PLC (KKP)
• Working Team for Adviser to the Finance Ministry's National e-Payment project
Disclaimer
• This presentation primarily expresses the Ministry of Finance's requirements.
• The final project may differ from this presentation.
• Words in this presentation are simplified for a non-financial audience.
• Whenever you see a phrase like {this} between curly brackets, it is my opinion.
National E-Payment Initiative
5 Strategic Projects
• Payment Infrastructure “AnyID”
• Expansion of Card Acceptance (via EDC)
• Electronic Taxation Documents
• Government e-Payment
• Public Education and Awareness on Electronic Transactions
EDC: Electronic Data Capture
AnyID: Basic Transaction
[Diagram: Cust1 (Acc1 at Bank 1) and Cust2 (Acc2 at Bank 2) are connected through the Payment Switch. Registry: ID2 → Bank2, Acc2. Cust1 sends “TR to ID2” via Bank 1; the switch resolves ID2 and forwards “TR to ID2, Acc2” to Bank 2. An optional interaction with Cust2 follows.]
AnyID: Example P2P Payment
[Diagram: the same flow as the basic transaction, with registry entry Mobile#2 → Bank2, Acc2. Cust1 sends “TR to Mobile#2”; the switch forwards “TR to Mobile#2, Acc2” to Bank 2 for Cust2.]
With mobile P2P payments, retail purchases such as food at food stalls or taxi fares are all possible.
AnyID: Example E-Wallet Refill
[Diagram: Cust1 (Acc1 at Bank 1) sends “TR to eWallet#2”. Registry: eWallet#2 → Bank2, Issuer2. The switch forwards “TR to eWallet#2, Acc2” to Bank 2, where Acc2 belongs to Issuer 2; Issuer 2 credits eWallet#2 for Cust2.]
Refills of e-money wallets using e-Wallet IDs can be handled easily in the same way.
AnyID: Other Features
• Transfer with e-Withholding Tax & VAT Information
• Interbank Bill Payment with Amount Inquiry
• Interbank Bill Payment with e-Withholding Tax & VAT & Receipt
• Request to Pay
• Request to Pay with One-Time Authorization Code (OTA)
AnyID: Request to Pay
[Diagram: Cust1 (Acc1 at Bank 1), Cust2 (Acc2 at Bank 2) and the Payment Switch. Registry: ID2 → Bank2, Acc2. The request messages “RTP to ID2” and “RTP to ID2, Acc2” pass through the switch, followed by the transfer messages “TR to Acc1”.]
Depending on Bank 1's innovation in channels, Bank 1 may interact with Cust1.
AnyID: Request to Pay
Implementation Example
[Diagram: the same Request to Pay flow (Registry: ID2 → Bank2, Acc2; “RTP to ID2”, “RTP to ID2, Acc2”, “TR to Acc1”), with Cust2 being a merchant e-commerce website.]
AnyID: Portability
[Diagram: Registry: ID2 → Bank2, Acc2, later replaced by ID2 → Bank3, Acc3. Cust1 always sends “TR to ID2”. Before the change the switch forwards “TR to ID2, Acc2” to Bank 2 (optional interaction with Cust2); after the change it forwards “TR to ID2, Acc3” to Bank 3, where Cust2 now holds Acc3.]
Cust1 does not have to keep track of changes in Cust2's account numbers.
Which ID Can Be Used?
• Bank + Account (for compatibility)
• National ID (13-digit Citizen ID & Taxpayer ID)
• Mobile Number
• E-Wallet ID (Phase 3)
• E-Mail (still under consideration)
AnyID Registration
• National ID:
– Banks will validate registration/deregistration through the KYC (Know Your Customer) process
• Mobile Number:
– Phase 1: banks must validate number possession through their own processes
– Next phase: NBTC & Telcos will help with on-line validation and send a daily revocation list via ITMX
• E-Wallet ID (Phase 3):
– Registered by E-Wallet issuers via their banks.
• Portability:
– Customers must deregister the existing bank account before registering a new bank account.
Security Design & Implementation
Security vs. Usability
[Diagram: the trade-off between Security and Usability]
IT Security Architecture
ITMX Implementation
• Only member banks can send/receive data with ITMX.
• Member banks connect to ITMX over the existing Extranet (via MPLS).
• Member banks access the ITMX Extranet DMZ zone only.
• ITMX separates the DMZ zone, Application zone, Database zone and other critical zones.
• All zones are protected by firewalls and IPS.
• In the ITMX data center, all devices are protected according to PCI DSS requirements (physical security, network access control, data security, VA, patching, logging and monitoring, BCP).
• All processes for accessing servers comply with the ISO 27001 standard and BOT best practice.
• Important data will be encrypted in transit and at rest.
Network Security & Cryptography
ITMX Implementation
• Single Registration: REST/HTTP over TLS 1.2 with message signing (PKCS#7 & SHA-1)
• Bulk Registration: SFTP with hardware token
• Financial Transaction: ISO 8583 protocol over TLS 1.2
– PIN block encryption using 3DES or DES
– The message in the PIN block could be an OTA (One-Time Authorization Code), an AnyID or a destination account; the type of message is defined in field 48.13
– {Even though the DES algorithm is easily breakable, the data are not significant and travel inside a TLS 1.2 tunnel}
• All keys and certificates are kept on an HSM
Registration Security & Privacy
ITMX Implementation
• ID Validation
– National ID: use the existing KYC process
– Mobile Number:
● Phase 1: validated by banks' own processes
● Next: validated with NBTC & Telcos via ITMX
• Only the registered ID and bank account are kept at ITMX, no other information
• Banks can register a dummy account to ITMX
• The destination bank will send the name of the account mapped to the ID, per request, for verification
Error Prevention
• Transfer to an unregistered ID
– MOF requires banks to implement dangling accounts
– In the ITMX specification, the sender bank must reject (as of April 26, 2016)
– {Dangling accounts are good for National ID and accelerate adoption of Mobile Number}
• Transfer to a wrong ID
– {Sender banks should send the destination account name to their customers for verification}
Dangling Account
• The payee (receiving customer) is not required to have a bank account. Linking the AnyID to a bank account can happen after the transaction is sent.
[Diagram, step 1: Cust1 sends “TR to ID2” via Bank 1 to the Payment Switch, but the registry has no entry for ID2 (ID2 → ??????). A “Please dangling” request holds the transfer. Cust1 tells Cust2 “I send money to your ID2”; Cust2 asks Bank 2 “Please register ID2 to Acc2”; Bank 2 adds the registry entry ID2 → Acc2.]
[Diagram, step 2: the registry now holds ID2 → Bank2, Acc2. “Please resolve dangling of ID2” triggers “Resend TR to ID2”, and the switch delivers “TR to ID2, Acc2” to Bank 2.]
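The portability, deregister-before-register and dangling-account flows from the preceding slides, as an added worked model in Python. This is not ITMX's or the National e-Payment project's code: the Registry class, its method names, the return strings and the allow_dangling policy switch (MOF dangling account versus the ITMX "sender bank must reject" rule) are assumptions made for this example.

```python
"""Toy model of the AnyID registry flows on the preceding slides.

Added illustration, not ITMX's or the project's code: the Registry class,
its method names and the allow_dangling policy flag are assumptions made
for this example. It shows three behaviours the deck describes:
  * resolving an ID to (bank, account) so the sender never handles the
    payee's account number (Portability slide);
  * deregister-before-register when an ID moves to a new account
    (Registration slide);
  * a transfer to an unregistered ID that is either rejected (ITMX
    specification) or parked as "dangling" and delivered once the payee
    registers (MOF requirement, Dangling Account slides).
"""
from dataclasses import dataclass, field


@dataclass
class Registry:
    # Park transfers to unregistered IDs (MOF) or reject them (ITMX)?
    allow_dangling: bool = True
    # ID -> (bank, account); only this mapping is stored, nothing else
    ids: dict = field(default_factory=dict)
    # Parked transfers waiting for a registration: ID -> [amount, ...]
    dangling: dict = field(default_factory=dict)
    # Delivered transfers as (bank, account, amount)
    delivered: list = field(default_factory=list)

    def register(self, any_id, bank, account):
        """Map an ID to a bank account.

        Portability rule: an ID already mapped to a different account must
        be deregistered before it can be registered to a new one.
        Registering resolves any transfers parked for the ID.
        """
        current = self.ids.get(any_id)
        if current is not None and current != (bank, account):
            raise ValueError(f"{any_id} is registered to {current}; deregister first")
        self.ids[any_id] = (bank, account)
        for amount in self.dangling.pop(any_id, []):
            self.delivered.append((bank, account, amount))

    def deregister(self, any_id):
        """Remove the mapping; parked transfers (if any) stay parked."""
        self.ids.pop(any_id, None)

    def resolve(self, any_id):
        """Return (bank, account) for an ID, or None if unregistered."""
        return self.ids.get(any_id)

    def transfer(self, any_id, amount):
        """Route a transfer addressed to an ID.

        Returns "delivered", "dangling" (parked until registration) or
        "rejected" (unregistered ID and dangling not allowed).
        """
        target = self.resolve(any_id)
        if target is None:
            if not self.allow_dangling:
                return "rejected"
            self.dangling.setdefault(any_id, []).append(amount)
            return "dangling"
        bank, account = target
        self.delivered.append((bank, account, amount))
        return "delivered"


def portability_demo():
    """Cust2 moves ID2 from Bank2/Acc2 to Bank3/Acc3; Cust1 keeps sending to ID2."""
    reg = Registry()
    reg.register("ID2", "Bank2", "Acc2")
    reg.transfer("ID2", 100)
    try:
        reg.register("ID2", "Bank3", "Acc3")  # not allowed without deregistering
        moved_without_deregister = True
    except ValueError:
        moved_without_deregister = False
    reg.deregister("ID2")
    reg.register("ID2", "Bank3", "Acc3")
    reg.transfer("ID2", 50)  # same ID, now lands in Acc3 at Bank3
    return moved_without_deregister, reg.delivered


def dangling_demo(allow_dangling):
    """Cust1 pays ID2 before Cust2 has linked ID2 to any account."""
    reg = Registry(allow_dangling=allow_dangling)
    first = reg.transfer("ID2", 200)
    reg.register("ID2", "Bank2", "Acc2")  # Cust2: "Please register ID2 to Acc2"
    return first, reg.delivered


if __name__ == "__main__":
    print(portability_demo())
    print(dangling_demo(True), dangling_demo(False))
```

The two policies differ only in what happens to a transfer whose ID has no mapping: with `allow_dangling=True` the amount is parked and delivered automatically when the registration arrives, with `allow_dangling=False` the transfer is refused and nothing is parked, so the payer has to resend after the payee registers.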
About Fraud
• AnyID does not intend to reduce existing electronic fund transfer fraud, but some flows will reduce fraud by design.
– Example: the Request to Pay flow.
• New innovation always introduces new frauds.