Secure Access & Transactions for e/mBanking, e/mCommerce using mobile phone unique technology

1. DISCOVER CIDWAY Mobile Security, Authentication & Transactions’ Signature 2009

6. Scenario 2: Challenged out-of-band Transaction Signature

9. CORPORATE BACKGROUND

11. Head Quarters in Lausanne, CH

12. Sales Offices in Switzerland & UK

14. Support center for Partners

15. Support portal available for partners

17. Making Authentication & Transactions simple, easy, accessible, secure and user friendly

18. Addressing virtually unlimited vertical applications from one platform

20. PRODUCT PRESENTATION

21. CIDWAY GAIA / SESAMI Product Line One server for multiple tokens SESAMI SlimTime based OTP Hardware token SESAMI MobileTime based OTP Software token for mobile phones. SIM enabled GAIA ServerAuthentication platform GAIA SDKAuthentication platform SDK SESAMI Mobile SDKTime based OTP Token SDK for mobile phones SESAMI SMSSMS based OTP for mobile phones SDK: Software Development Kit

23. No stock management

24. Low on-going costCIDWAY SESAMI SMS FEATURES & CHARACTERISTICS Strong two-factor authentication No need for software installation or activation in the mobile No secret stored in the mobile User convenience – no need to carry any other device User can change his mobile phone time zone or time Easy management – no need to maintain stock and distribute hardware tokens Easy deployment, no need for tokens maintenance Works with any SMS enabled mobile phone or PDA OTP FEATURES 8 decimal digits (or optionally 8 hex-digits) Time-based combined with challenge-response SHA-1 algorithm Validity of few seconds (server parameter) Automatic time management by the server

26. Secure

27. Low on-going costCIDWAY SESAMI Slim FEATURES & CHARACTERISTICS Portable, personal and robust (3.2 mm thickness – credit card size) 2 line clear LCD display Replaceable battery (token’s data is not erased during battery replacement) Time based OTP – new OTP every second 8 characters length OTP (hex-decimal or decimal) Initialization through a secure two way IR protocol using the SESAMI initialization set Device protected by user-selected PIN (configurable parameter [0-15 tries]) Protection against token physical attacks (temper evidence) Protection against user physical attacks (stress PIN) Customizable operational parameters 12 operational buttons No need for reader or other equipment Customizable front panel

29. OTP time management to the second

30. Protection against theft or loss of mobile phone: PIN not stored on Mobile, neither transmitted, neither stored on the server (patented solution)

32. Automatic time synchronization (support of any clock change on the mobile)

34. 2-way authentication (server is authenticated by the User)

35. Transaction’s signature (guarantee the integrity of transactions, against MitM)

36. Automated registration

37. Time Traceability

38. Mobile SDK for integration into any existing mobile application (*) S1-2009

39. CIDWAY Download (Sesami Mobile only) Download Over the Air (Push, Pull) eMail PC Download Pre-loaded Bluetooth Etc. Registration Options: Automatic WAP registration Manual user registration Download Site (sample)

40. BUSINESS CASES

42. Lower the cost of acquisition & maintenance

43. Lower the cost of deployment & replacement

44. Lower transactions’ cost & dispute support

45. Improve customer acquisition & retention

47. A device that the User already has (mobile phone)

48. Simple & easy to use

50. Mobile SDK for integration in any existing mobile application

51. Scalable & fail-safe solution

53. Registration and Activation - Ability to ensure convenient & secure registration procedure for CIDWAY mobile tokens

54. Time Management- Ability to time-stamp the OTP and Transaction Signature to the second and to allow an off-line (after-the-fact) verification of the OTP or the Signature.

56. 2-Way Authentication – ensuring the User he’s connected to the right server

57. Transaction Signature – preventing MitM attacks, with uniquely customizable fields

59. SECURING BANKING TRANSACTIONS - Scenario

60. Scenario 1 – Simple out-of-band Transaction Signature BANK BANK TRANSFER BANK Login using Cidway’s OTP & two-way authentication; Go on the Transfer page Cidway Token will generate an 6 digits time based Transaction Code, using the data certification algorithm using input data 1 BANK Transaction Code 560429 Amount Tr. Code Phone will display Transaction Code The web page will display all the fields for a bank transfer including IBAN. BN: BN: BN: 9 9 9 9 4 6 4 6 2 5 2 5 9 9 9 9 0 9 0 9 1 1 9 9 5 6 0 4 2 9 BANK 9 9 9 4 9 6 9 1 BANK TRANSFER 4 2. Input Transfer information as usual (IBAN, Amount, date, etc) 2 BANK Amount Tr. Code BANK TRANSFER 10’546.55 4. Input the displayed code on the Web page and VALIDATE Tr. Code Amount 5 6 0 4 2 9 10’546.55 Application server will receive all information and transmit IBAN & TrCode to Authentication server, that will process an authentication & a data certification. BANK 3 data 3. Input the 8 digits on the mobile phone and Input PIN Code 99969491 PIN Code ******

62. Security: prevents from changing Bank Transfer information (MitM attacks) as it protects digits of the IBAN (and amount), using Data Certification

63. Security: Data Certification & Strong Authentication, time based and time stamped.

64. Simplicity: does not require encryption and seamless integration into existing infrastructure

65. Improve ROI: same application can be used for mBanking, ATM fraud fighting, Login…BANK The data to input on the phone can vary depending on the required level of security, can also apply to the amount or any other data of the transfer. The CIDWAY Mobile application can be customized accordingly to match input fields (from 1 to 4, alpha, titles, etc.)

66. Scenario 2 – Challenged out-of-band Transaction Signature BANK TransferenciaBancaria Login using Cidway’s OTP & two-way authentication; Go on the Transfer page BANK Cidway Token will generate an 8 digits time based OTP, using the data certification algorithm with input data from web site 1 BANK Transaction Code 560429 Amount Tr. Code The web page will display all the fields for a transfer including IBAN, with 8 digits pre-highlighted (the Challenge – randomly selected* changed for each transfer) Phone will display Transaction Code IBAN: IBAN: IBAN: 9 9 9 9 2 9 0 2 9 0 4 6 4 6 0 2 1 5 0 2 1 5 9 9 9 9 0 9 9 0 9 9 1 1 9 9 5 6 0 4 2 9 (*) see next slide BANK 9 4 2 9 9 0 9 1 H C H C TransferenciaBancaria 4 2. Input Transfer information as usual (IBAN, Amount, date, etc) 2 BANK Amount Tr. Code BANK TRANSFER 10’546.55 4. Input the displayed code on the Web page and VALIDATE Tr. Code Amount 5 6 0 4 2 9 10’546.55 Application server will receive all information and transmit IBAN & TrCode to Authentication server, that will process an authentication & a data certification. BANK 3 3. Input the highlighted 8 digits on the phone and Input PIN Code data 92909941 PIN Code ******

68. Security: prevents from changing Bank Transfer information (mitM Attacks) as it protects digits of the IBAN (and amount), but selected randomly, using Data Certification

69. Security: combines Challenge Response, Data Certification & Strong Authentication, time based and time stamped.

70. Simplicity: does not require encryption and seamless integration into existing infrastructure

71. Improve ROI: same application can be used for mBanking, ATM fraud fighting, Login…BANK The number of pre-highlighted digits can vary depending on the required level of security, can also apply to the amount or any other data of the transfer. Taking into account the IBAN structure, the pre-highlighted digits, even though selected with a random generator, should always include digits in the Bank Code, Branch Code and Account. IBAN format: ESkk BBBB GGGG KKCC CCCC CCCC - B = bank code, G=Branch/office number, K=Check digits, C = account No.

72. Scenario 3 – Automated out-of-band Transaction Signature BANK BANK TRANSFER OTA Communications BANK 3 1 BANK Send Send Date IBAN CH99122900599969491 Amount 10’546.- Date 09.10.08 3. User will verify displayed information received directly on the BANK Mobile application, press YES and input his PIN Code. Amount Login using Cidway’s OTP & two-way authentication; Go on the Transfer page PIN ****** IBAN: IBAN 9 9 9 2 0 4 6 2 0 1 5 9 9 9 0 9 1 9 H C BANK BANK TRANSFER 2 The Application Server will send transfer data (using OTA communications to the pre-registered mobile number), that will be directly displayed by the BANK Mobile application (no search in sms inbox…). When the User validate & input his PIN Code it will generate a time based Transaction Code, with Data Certification of the entire data set, with NO data input from the User. The BANK Mobile application will then send (OTA) this Code to the Application Server (an alternative is for the User to input the displayed OTP on the PC to avoid a second OTA communication), that will finalize the transaction and acknowledge it on the Web. Date 09 / 10 / 08 Amount 10’546.00 2. Input transfer information as usual (IBAN, Amount, date, etc) and click SEND Application server will receive all information and transmit IBAN & Amount to the BANK Mobile Phone application (already opened) for validation.

74. Security: prevents any attacks on the PC as the transaction is validated and signed completely out-of-band (MitM Attacks), using a strong time based algorithm.

75. Security: combines Challenge Response, Data Certification & Strong Authentication, time based and time stamped.

76. Simplicity: does not require encryption and seamless integration into existing infrastructure

77. Improve ROI: same application can be used for mBanking, ATM fraud fighting, Login…

79. THANK YOU FOR YOUR ATTENTION For more information, contact: Laurent FILLIAT VP Strategic Business Mob. +41 78 842 11 47 Tel. +41 21 331 27 00 Fax +41 21 331 27 09 Email: laurent.filliat@cidway.com