EU cyber security Agency calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet some financial institutions are still not considering the risk of inadequate authentication mechanisms, according to a new study by the EU Agency ENISA. The report analyses current e-Finance fraud and correlates it with the authentication mechanisms offered to the financial institutions’ customers. The report underlines the need for updated security mechanisms and provides 10 recommended approaches.
eID Authentication mechanisms for eFinance and ePayment services
1. eID Authentication methods for eBanking Services
Manel Medina, ENISA
European Union Agency for Network and Information Security
www.enisa.europa.eu
2. Outline: Assessing the robustness of authentication mechanisms
• Project presentation
• Mobile technology & mobile banking
• Emerging threats
• Mobile authentication & operation types
• Assessing authentication risk and benefits
• Recommendations
• Future directions
3. Project presentation
• Aims:
– Identify the authentication mechanisms used in the eFinance applications
– Categorise the authentication mechanisms based on the perception of users and security professionals.
– Validate recommendations about the most suitable authentication mechanisms to be used, based on the risk of the operation, its strength, usability and other parameters.
• Main participants: ENISA, APWG.EU, CaixaBank
• Survey contributors:
– Merchant Risk Council, SecuRePay (EU forum on Security in Retail Payments), FI-ISAC, ECB, EPC, FSUG (Financial Services User Group)
4. Threats to different operation/transaction types
• Operations 1 & 2: Read access (personal data, account details)
– Steal personal data (account information, account balance, credit card number, etc.)
• Operation 3: Low risk (trusted) transactions
– Make fake payments to trusted destinations (merchant purchase payment, supplier invoice payment)
• Operation 4: High risk (untrusted) transactions
– Make fake money transfers to unknown destinations (e.g. mule accounts)
5. eIDAS most used in e-banking
116 professionals and 60 users from user groups and merchants’ representatives replied to the survey.
6. eIDAS most implemented in e-banking
60 survey replies identified the type of operation each mechanism is used for.
7. Medium strength eIDAS selection criteria
8. High strength eIDAS selection criteria
10. Loss: Relative reduction vs Risk/user
11. Draft Recommendations (I): Promote eIDA method adequacy to context
• Rec1. The strength of e-Finance authentication mechanisms has to be proportional to the risk associated with the operations they grant access to.
• Rec2. For medium and high risk transactions, customers should be authenticated through at least two mutually independent authentication mechanisms, one not replicable and one not reusable, using different communication channels or devices.
12. Draft Recommendations (II): Improve knowledge & behaviour of customers & professionals
• Rec3. Continuous training of professionals, to improve their perception of the actual risk of transactions and authentication mechanisms, keeping in mind the latest threat patterns discovered by criminals.
• Rec4. e-Financial institutions should inform their customers about the usability and the need of the safer authentication mechanisms required for adequate protection of their assets.
13. Draft Recommendations (III): Improve the security of the eFinance environment
• Rec5. Financial organisations (PSPs) and e-commerce merchants must perform specific risk analysis for their environments, taking into consideration:
– the actual loss, number of incidents, customers involved, and vulnerabilities of the authentication methods available, to effectively reduce the incidents
• Rec6. Customer authentication has to be complemented with a context-based authentication strategy: behaviour profile, customer segment, operation risk, etc.
• Rec7. PSPs have to test & evaluate access device security.
• Rec8. The concept of “something the user has” can be extended to the platform used to access the service, and thus it is recommended to register any device, browser, or mobile application. A real-time validation of its authenticity would be required.
14. Draft Recommendations (IV): Improve e-Finance application development and distribution security
• Rec9. Technology providers must guarantee secure banking application development & installation, taking into consideration actual threats to the operating system (e.g. mobile attack vectors) and data security analysis (persistency, access control).
• Rec10. Distribution of e-Banking applications has to be made through trusted channels, reputable sites, that guarantee that applications have been tested for security.
15. Looking to the future
• e-Signature (new EU Regulation)
• Migration from pure two-factor authentication to transaction signing.
• Development of new authentication mechanisms
– Context-based OTP
– OTP based on biometrics
– QR codes: TAN/Image TAN
• Authentication in the Cloud (risk-based)
Graph 1: ITU – 2013 ICT Facts and Figures – In 2013, there are almost as many mobile-cellular subscriptions as people in the world.
Graph 2: 2011-2016 mobile phone users who use mobile financial services; more than 860 million expected by the year 2016 [whitepaper, Juniper Research, Banking Anytime Anywhere].
Graph 3: 2012 World Retail Banking Report survey from Capgemini and Efma – The growing importance of the mobile channel is undeniable. By 2015, 43% of consumers will be using mobile banking tools every month — 10% will be daily users.
The 7 billion people in the world have 6 billion mobile phones [http://www.europeanfinancialreview.com/?p=6199].
Mobile devices have increasingly become tools for financial services; in the next few years global mobile payments are predicted to exceed $1.3tn.
Mobile banking users worldwide will reach 530 million in 2013, up from just over 300 million in 2011 [http://www.juniperresearch.com/viewpressrelease.php?pr=282].
Mobile computing levels reached new peaks in 2012. Worldwide smartphone shipments reached 671 million for the year – an increase of almost 42% over 2011. (Juniper Research, Smartphone Shipments Exceed 200 Million in Q4 2012, January 2013)
Juniper Research finds that over 1 billion mobile phone users will have made use of their mobile devices for banking purposes by the end of 2017, compared to just over 590 million this year. (Juniper Research – Mobile Banking Handset & Tablet Market Strategies 2013-2017)
According to Gartner, global mobile transaction volume and value is expected to have an average 42% annual growth between 2011 and 2016. (Gartner, “Forecast: Mobile Payment, Worldwide, 2009-2016,” May 2012)
Nearly one third of smartphone and tablet owners use their device for some kind of banking. (“Mobile banking soars; usage in U.S. increases 50 percent since 2011”, Bain and Company, December 2012)
iovation, August 2013 – 20% of all online financial services transactions originated from a mobile device such as a smartphone or tablet.
WRONG numbers? >> By 2015 it is estimated there will be 2 billion+ mobile devices. [White Paper: Mobile Financial Fraud, April 2013]
Graph 1: The majority of consumers who use mobile banking tools (74 percent) use the mobile Web to access the services. Fifty-seven percent said they access their banks’ mobile tools using a downloadable app. SMS/text messaging is still used by 37 percent of mobile banking customers.
As the world goes mobile, cybercrime will follow (The Current State of Cybercrime 2013 – EMC).
Mobile security is the No. 1 barrier to adopting mobile (2012 Tech Trends Report – IBM Market Insights).
The number of mobile threats skyrocketed in 2012 (Kaspersky Securelist – Mobile Malware Evolution: Part 6).
Most notable for 2012 is that it took Android less than three years to reach the volume of malware threats that it took 14 years for the PC to reach. (Trend Micro – Evolved Threats in a “Post-PC” World)
PC threats migrating to mobile (e.g. phishing, ransomware).
Bitdefender (July 2013): Android threats shifting to banking and ransomware.
1st chart: Mobile Malware Evolution: Part 6 – Securelist – Kaspersky, 28 Feb 2013.
2nd chart: McAfee 2Q2013 (published end of August 2013): Halfway through 2013 we have already collected almost as many mobile malware samples as in all of 2012.
Device-related threats:
- Phishing: research has shown that mobile users are three times more likely than desktop users to submit personal information to phishing websites.
- Poor implementation and design of banking apps: insecure sensitive data storage, non/weakly encrypted communications, improper SSL validation, unintended permissions by misconfigured apps…
- Banking Trojans: Man-in-the-Mobile (MitMo) attackers can circumvent password verification systems. (viaForensics – https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/mobile-security-primer/)
Network-related threats: Wi-Fi (weak encryption/no encryption), rogue access points, packet sniffing, Man-in-the-Middle (MITM), SSLStrip, session hijacking, DNS poisoning, fake SSL certificates.
Banking server-related threats: platform vulnerabilities, server misconfiguration, cross-site scripting (XSS), cross-site request forgery (CSRF), weak input validation, brute-force attacks, SQL injection.
Mobile banking was a focal point for malware writers and security researchers alike in 2012. “mTANs were considered to be safe from attack until the ZitMo and SpitMo trojans.” (APWG – Mobile Financial Fraud)
- Mass phishing messages through e-mail, SMS and social network links.
- Malicious apps (even in official app stores) that masquerade as legitimate banking applications.
- QR codes requiring you to install a new application or a new security feature provided by your bank.
- Hijacking two-factor authentication: the intercepted mTAN (SMS OTP) is forwarded via HTTP or SMS messages to the attacker’s drop zone.
Eurograbber attack flow:
1. Trojan infects the user’s computer.
2. Trojan intercepts communication with the bank.
3. Attackers retrieve the user’s mobile number.
4. Attackers infect the mobile device.
5. User connects again with the bank.
6. Attackers’ Trojan initiates a transfer to the mule’s account.
7. Bank sends a TAN to the mobile device.
8. Trojan in the user’s mobile intercepts the SMS and forwards the TAN to the attackers.
9. Attackers complete the transaction to the mule’s account.
Eurograbber nice summary: http://securityaffairs.co/wordpress/10876/cyber-crime/how-were-stolen-36m-euro-with-eurograbber-malware.html
Eurograbber authoritative report: https://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf
Example threats/attacks: phishing, man-in-the-browser, physical loss or theft of the device, eavesdropping, man-in-the-middle, brute force attacks???, XSS, poor implementation of the mobile app, user surveillance, session hijacking, DNS poisoning, fake SSL certificates…
Compare with the categorisation of operations made by the ECB… ++++ scientific papers!!!!
(AS: A good idea would be to generally present the advantages and disadvantages of using mobile devices in eBanking authentication)
Advantages of using mobile devices in the financial sector [Mobeyforum whitepaper]:
- The use of a mobile device as the “second factor” in authentication, and the use of a mobile channel for exchanging transaction and authentication information, can greatly help to combat phishing and man-in-the-middle attacks. Typically, the mobile device can be used as a secure channel, while the other channel (e.g. the Internet) can be used as an associated service channel.
- The use of hardware inside the mobile device, such as a SIM, Secure Memory Card or Embedded Chip, offers a good tamper-resistant solution for storing and processing authentication credentials.
* Hardware token (the method most preferred by banks; widely used by XX user segment)
* Hardware token disadvantages: purchase, distribution, maintenance, renewal and replacement costs
* Mobile signature advantages: credentials are protected by a hardware Secure Element, which greatly reduces the possibility of successful MITM attacks
* Mobile signature disadvantages: the common implementation relies on a third party (the entity managing the SE); distribution and other associated costs
* SMS-based OTP (one of the authentication methods most implemented by the financial sector)
* SMS-based OTP disadvantages: associated non-scalable costs, roaming, latency, security vulnerable to man-in-the-middle attacks
* mOTP (software OTP) (emerging, not widely implemented). A key advantage of the mobile software token is that there are no new devices for customers; this results in additional advantages such as costs, distribution and updates
* mOTP disadvantages: early stage of research; most implementations involve biometrics (biometrics technology not fully trusted by service providers); if NOT implemented in the secure element they inherit the security vulnerabilities that are inherent to mobile devices & mobile operating systems; vulnerable to real-time MITM attacks
SANS Institute – Virtual OOB (out-of-band) approach: another, totally separate application on the device acts as an OOB channel. One could argue that this is not a true OOB approach; however, it may be a key direction as users move to one device for all key interactions.
viaForensics – Mobile metadata security: PIE (Position Independent Executable), SSP (Stack Smashing Protection) and ARC (Automatic Reference Counting) should be used in support of ASLR (address space layout randomization). Debugging mechanisms such as NSLog should be disabled.
viaForensics – Application protocols security: avoid debugged or disabled SSL functions. Communications need to be secured to avoid attacks using XSS, CSRF and XXE.
viaForensics – Embedded databases and storage security: the choice of embedded database is an important factor in storage security for mobile applications.
viaForensics – Password information storage security: e.g. Keychain files.
Banking and other Mobile Financial Services related apps should only be allowed to be published by the banks and related financial institutions, ensuring their credentials are fully verified prior to submission of those apps.
Future solution by EPC: QR TAN / Photo TAN. The transaction data of an online banking session is signed, encrypted, and then presented on the screen as a QR code. Via an application on the smartphone the customer can verify the transaction data and the authenticity of the origin.
Trends identified by EPC: more and more countries migrate from pure two-factor authentication to the generation of a signature over the transaction(s). In addition to improving their authentication and transaction security mechanisms, PSPs are using monitoring tools for preventing the processing of fraudulent transactions. Since it is only early days for mobile payments and fraud in this area is currently still limited, the development of new authentication and transaction security mechanisms is to be expected in the near future. Specific governmental regulation vs self-regulation via best practices?
SANS Institute: while authentication through biometrics is not new, it is still challenged with issues related to false positives. With advanced mobile device hardware such as cameras and voice recognition, there will be increased use of biometric authentication in the use of mobile banking.
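The Eurograbber flow in the notes above and the QR TAN / Photo TAN scheme just described are two sides of the same point: a plain SMS TAN is a single-use code that authorises whatever transaction the bank currently holds, so a forwarded TAN completes the attacker’s transfer, whereas a TAN computed over the transaction data (transaction signing) only authorises the exact amount and destination the customer saw on the second device. The block below is an added example, not ENISA’s, EPC’s or any bank’s code: a registered device key (Rec8) is used by the bank to authenticate the challenge it renders as a QR code, the signing app verifies that origin mark before showing the data to the customer, and the returned TAN is bound to a fresh nonce plus amount and IBAN and consumed on first use (Rec2: non-replicable, non-reusable). Message layout, the HMAC-based derivation, the 8-digit truncation, the in-memory key store and the IBAN strings are all constructed for this illustration. It also shows the caveat a practitioner needs: the binding protects what the customer saw, so it assumes the signing app or secure element itself is not under the attacker’s control.

```python
"""Added example (not from the ENISA deck): transaction-bound, single-use TAN
with a registered-device key, illustrating transaction signing (QR/Photo TAN)
as a mitigation for forwarded SMS TANs.  All names, formats and sample values
are assumptions constructed for this illustration."""
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over a JSON-encoded list of parts (assumed encoding)."""
    msg = json.dumps(list(parts), separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def derive_tan(key: bytes, nonce: str, amount: str, iban: str) -> str:
    """8-digit TAN bound to nonce + amount + destination (assumed derivation)."""
    digest = _mac(key, "tan", nonce, amount, iban)   # domain-separated from origin MAC
    return str(int(digest[:12], 16) % 10**8).zfill(8)


class Bank:
    """Server side: device registry (Rec8), challenge issuance, TAN verification."""

    def __init__(self):
        self.device_keys = {}   # device_id -> shared secret provisioned at enrolment
        self.pending = {}       # challenge id -> transaction awaiting a TAN
        self.completed = set()  # challenge ids already consumed (single use)

    def register_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)   # in practice held in a secure element
        self.device_keys[device_id] = key
        return key

    def issue_challenge(self, device_id: str, amount: str, dest_iban: str) -> dict:
        """Build the payload that would be rendered as a QR code for the app."""
        nonce = secrets.token_hex(16)
        challenge = {"id": nonce, "amount": amount, "iban": dest_iban, "device": device_id}
        # Origin MAC: the app can check the challenge really came from the bank.
        challenge["origin_mac"] = _mac(self.device_keys[device_id], nonce, amount, dest_iban)
        self.pending[nonce] = challenge
        return challenge

    def verify_tan(self, challenge_id: str, tan: str) -> bool:
        challenge = self.pending.get(challenge_id)
        if challenge is None or challenge_id in self.completed:
            return False                      # unknown, or already used (replay)
        key = self.device_keys[challenge["device"]]
        expected = derive_tan(key, challenge_id, challenge["amount"], challenge["iban"])
        if not hmac.compare_digest(expected, tan):
            return False                      # TAN was computed over other data
        self.completed.add(challenge_id)      # consume it: never valid again
        del self.pending[challenge_id]
        return True


def app_sign(device_key: bytes, challenge: dict):
    """Signing app: verify origin, then return (text shown to customer, TAN)."""
    expected = _mac(device_key, challenge["id"], challenge["amount"], challenge["iban"])
    if not hmac.compare_digest(expected, challenge["origin_mac"]):
        raise ValueError("challenge is not from the bank or was altered")
    shown = f"Pay {challenge['amount']} EUR to {challenge['iban']}"
    tan = derive_tan(device_key, challenge["id"], challenge["amount"], challenge["iban"])
    return shown, tan


def demo():
    """Legitimate payment, replay attempt, and a swapped destination."""
    bank = Bank()
    key = bank.register_device("phone-42")
    legit_iban = "DE00 0000 0000 0000 0000 01"     # constructed sample IBAN
    mule_iban = "DE00 9999 9999 9999 9999 99"      # constructed sample IBAN
    ch = bank.issue_challenge("phone-42", "120.00", legit_iban)
    shown, tan = app_sign(key, ch)
    ok = bank.verify_tan(ch["id"], tan)           # customer confirms what was shown
    replay = bank.verify_tan(ch["id"], tan)       # same TAN presented again: rejected
    # A man-in-the-browser swaps the destination before the request reaches the
    # bank: the challenge, and so the text on the phone, now names the mule account.
    ch2 = bank.issue_challenge("phone-42", "120.00", mule_iban)
    shown2, _ = app_sign(key, ch2)
    cross = bank.verify_tan(ch2["id"], tan)       # captured TAN from ch does not fit ch2
    return ok, replay, shown2, cross


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `(True, False, 'Pay 120.00 EUR to DE00 9999 9999 9999 9999 99', False)`: the first TAN is accepted once, rejected on replay, and useless for the altered transaction, while the phone displays the mule IBAN so the customer can refuse. Contrast this with step 8 of the Eurograbber flow, where the forwarded SMS TAN carried no such binding.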