AnyID is the infrastructure of Thailand's National e-Payment Initiative. The presentation explains the National e-Payment big picture, AnyID as a payment infrastructure, AnyID security design and implementation, and a privacy comparison between “With” and “Without” AnyID.
2. About Me
● Head of IT Security and Solution Architecture,
Kiatnakin Bank PLC (KKP)
● Consulting Team Member for National e-Payment project
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA),
Thailand Chapter.
● narudom.roongsiriwong@owasp.org
3. Disclaimer
● This presentation primarily reflects Ministry of Finance requirements.
● The final project may differ from this presentation.
● Wording in this presentation is simplified for a non-financial audience.
● Whenever you see a phrase like {this} between curly brackets, it is my opinion.
4. Agenda
● National e-Payment Big Picture
● AnyID as a Payment Infrastructure
● AnyID Security Design & Implementation
● Privacy Comparison between “With” and “Without” AnyID
8. National e-Payment Initiative
5 Strategic Projects
● Payment Infrastructure “AnyID”
● Expansion of Card Acceptance (via EDC)
● Electronic Tax Documents
● Government e-Payment
● Public Education and Awareness on Electronic Transactions
9. Expansion of Card Acceptance
● Increase the number of Electronic Data Capture (EDC) terminals
● Support multiple types of cards
– Debit Chip Card
– Common Ticket Card (Rabbit, MRT, Mangmoom)
– E-Wallet Card
– Credit Card
– Citizen ID Card
10. Electronic Tax Documents
● Amend revenue-tax laws to support electronic documents that conform to the Electronic Transactions Act B.E. 2544
● Establish an electronic invoice platform
● E-Invoice standard for accounting software
● E-Tax document matching/inspection system
13. e-Payment Infrastructure in Thailand
● Card Payment Infrastructure
– Payment Brand Network (VISA, MasterCard, UnionPay, etc.)
– Local Card Payment Switching (ex. Thai Payment Network)
● Fund Transfer Infrastructure
– SWIFT → International Switching
– SMART → Next day fund transfer
– BAHTNET → High Value Interbank Switching
– Online Retail Fund Transfer (ORFT)
14. How ORFT Works (Simplified)
(Diagram, “Old”: the customer fills in Transfer From, To, Account # and Amount on XYZ Bank mobile banking.)
1. The customer instructs XYZ Bank via HTTPS: transfer 1,000 Baht from My Account 1 to ABC Bank account # 123-456-789-1.
2. XYZ Bank converts this into an interbank instruction: transfer 1,000 Baht from XYZ Bank account # 999-888-777-6 to ABC Bank account # 123-456-789-1.
3. The instruction is switched to ABC Bank.
15. AnyID Does the Same, But … With ID
(Diagram, “New”: the mobile banking form now asks for Transfer From, ID # and Amount instead of a bank and account number.)
1. The customer instructs XYZ Bank via HTTPS: transfer 1,000 Baht from My Account 1 to ID “spiderman”.
2. XYZ Bank converts this into: transfer 1,000 Baht from XYZ Bank account # 999-888-777-6 to ID “spiderman”.
3. ID “spiderman” was registered by ABC Bank and links to account # 123-456-789-1, so the switch delivers: transfer 1,000 Baht from XYZ Bank account # 999-888-777-6 to account # 123-456-789-1.
16. Current Limitations of Payment System
(Diagram, “Old”: consumers, businesses, government and non-banks reach the switch/clearing house only through bank account numbers.)
17. Expand Infrastructure to Handle AnyID
(Diagram, “New”: the switch/clearing house resolves AnyIDs, so consumers, businesses, government and non-banks can all be addressed by AnyID.)
18. Use AnyID to Receive Payment
(Diagram: the payer receives the message “Hey dude! This trip to Pattaya, room sharing, is 2,000 baht. Pay me at my AnyID: xxxxxx” and enters xxxxxx as the To ID in XYZ Bank mobile banking.)
● The payee registers xxxxxx as the payee's AnyID
● The payer does not have to register for AnyID
● The payee is not required to own a smartphone
19. Which ID Can be Used?
● First Phase (Oct 2016)
– Bank+Account (for compatibility)
– National ID (13-Digit Citizen ID & Tax Payer ID)
– Mobile Phone Number
● Next Phases
– E-Wallet ID (Jan 2017), registered by E-Wallet issuers via
their banks.
– Payment Card Number
– E-Mail (still under consideration)
20. Use as Many AnyIDs as You Need
● One AnyID can link to only one account
● But each person can use many AnyIDs
● Many AnyIDs can link to the same account
● Each account may be at any bank, and a person's accounts may be at different banks
● An AnyID can link to an eWallet
(Diagram: AnyIDs AAAAAA, BBBBBB, XXXXXX, YYYYYY and ZZZZZZ linked to accounts at several banks and to an eWallet.)
21. How to Use AnyID
● A bank account number (e.g. 123-456-789-1) or an eWallet ID can be used as an AnyID to receive money, but cannot be linked to a different bank account or eWallet
● A transfer into a bank account or an eWallet can be done at any time and does not require AnyID registration
● One AnyID must not link to more than one account at the same time (diagram: AnyID YYYYYY pointing at two accounts is marked with an x)
● The owner of an AnyID can change the link from the AnyID to a different account at any time
22. How to Use AnyID
● An ID owner may choose to link a mobile number (e.g. True mobile number 0891234567) to a bank account, even though the number may have an eWallet (TRUEMoney) with the mobile operator. The owner can still use the eWallet to pay via the eWallet's own apps, while receiving incoming payments into the linked bank account.
● An ID owner may choose to link a mobile number to an eWallet of a different mobile operator (e.g. True mobile number 0891234567 linked to AIS mPay).
● An AnyID may be linked to an account if both the ID owner and the account owner consent, e.g. a child's mobile number (0987654321) linked to a parent's bank account, or a company-issued staff mobile number linked to the staff member's bank account.
● Prepaid and postpaid numbers can be used as AnyIDs as long as ownership or possession can be positively proven.
23. Number (“ID”) Portability
● Switch banks / instruments (type of account: current, savings or e-money)
● Efficiency: no need to inform payers or update bank accounts when they change
(Diagram: “Pay to: ID” resolves to Account1 today and to Account2 after the owner relinks the ID.)
24. Channels to Use AnyID
(Diagram: the same Transfer From / To ID / Amount form, available on every bank channel.)
26. e-Money / e-Wallet ID
(Diagram, “Old”, conceptual idea, not actual technical implementation: an e-Money/e-Wallet or e-Ticketing system holds accounts at Bank A, Bank B and Bank C.)
Currently, an e-Money/e-Wallet issuer needs bank accounts at many banks in order to allow customers to withdraw, refill, auto-debit and transfer.
27. e-Money / e-Wallet ID
● Fast access for any new player
● Speeds up competition
● Supports common ticketing
● Cash withdrawal, refill, auto debit, transfer
(Diagram, “New”, conceptual idea, not actual technical implementation: the e-Money/e-Wallet or e-Ticketing system connects once to the switch/clearing house, which reaches Bank A, Bank B, Bank C and other eMoney systems.)
28. Dangling Payment
Pay Before … Register Later
● Citizen ID1: if the payee has linked the citizen ID to an account, the money is transferred into the account immediately.
● Citizen ID2: if the citizen ID is not linked to an account, the money waits for the payee in the citizen ID.
e.g. Welfare Payment: government agencies do not have to maintain a database of citizens' bank accounts.
29. Dangling Payment
Pay Before … Register Later
● After registration of Citizen ID2, the money is automatically transferred into the linked account.
● The payee can open a new bank account/eWallet, or use an existing bank account/eWallet, to link and receive the money.
e.g. Welfare Payment: citizens don't need an account before receiving payment, and government agencies do not have to maintain a database of citizens' bank accounts.
30. Automatic Cleansing
If the ownership of an ID (e.g. mobile number 0891234567) has changed, ...
● The old owner of the ID can delink (deregister).
● The new owner of the ID has the option to register the ID and link it to the new owner's account.
● NBTC and telcos will automatically inform banks/switch to deregister in the event of a change in ownership, whether or not the old owner deregisters or the new owner registers.
● The new owner logically will not tell anyone to transfer into this ID before registering it to his own account.
● The old owner is not affected whether or not the ID is registered by the new owner.
32. AnyID: Normal Flow
1. Customer 1 asks his bank to transfer 1,000 baht from his main account to ID 0812345678
2. Bank 1 asks ITMX for the bank account registered to ID 0812345678
3. ITMX finds that ID 0812345678 is registered with bank 2, then asks bank 2 for information on the account registered to ID 0812345678
4. Bank 2 responds that account 1234, with account name Customer 2, is registered to ID 0812345678 and is active
5. ITMX responds to bank 1 that bank 2 account 1234 named Customer 2 is registered to ID 0812345678
6. Bank 1 sends the account name Customer 2 to Customer 1 for verification
33. AnyID: Normal Flow
7. Customer 1 confirms
8. Bank 1 sends a transfer instruction to ITMX for bank 2 account 1234, amount 1,000 baht, with ID 0812345678 in an extra field
9. ITMX instructs bank 2 to credit 1,000 baht to account 1234
10. Optionally, bank 2 alerts Customer 2 that money has been received
11. Bank 2 confirms the successful transfer to ITMX
12. ITMX confirms the successful transfer to bank 1
13. Bank 1 confirms the successful transfer to Customer 1
34. Mobile P2P Payment
(Diagram: the payer enters the driver's mobile number 0854598731 as the To ID in XYZ Bank mobile banking, with Transfer From and Amount, and presses OK.)
36. Request-to-Pay & Bill Payment
New Payment Infrastructure
(Diagram: XYZ Bank mobile banking shows a “Request to Pay From” screen with an amount and a Pay button.)
● Bill Payment
● B2B/B2C Bill Presentment
37. Current Limitations: Related Document/Transaction Flows Outside Payment System
(Diagram, “Old”: consumers, businesses, government and non-banks reach the switch/clearing house only through bank account numbers; the documents related to a transaction flow outside the payment system.)
38. Expand Infrastructure to Handle Related Document/Transaction Flows
(Diagram, “New”: tax, bill presentment and bill payment flows are carried through the switch/clearing house together with the payment.)
This opens up an opportunity for innovative FinTech or eCommerce.
39. E-Commerce Enabler
Simplify Payment Gateway with Request-to-Pay
(Diagram, “Old”: an e-Commerce website/merchant holds a separate payment gateway (PG) at each of Bank A, Bank C and Bank D; Bank B has none.)
● Without an AnyID switch, customers of Bank B cannot pay the merchant.
● Currently, a merchant needs a fund transfer gateway at many banks to allow customers to pay easily.
40. E-Commerce Enabler
Simplify Payment Gateway with Request-to-Pay
(Diagram, “New”: the e-Commerce website/merchant connects once to the AnyID switch, which reaches Bank A, Bank B, Bank C and Bank D; XYZ Bank mobile banking shows the “Request to Pay From” screen with a Pay button.)
● With the AnyID switch, the merchant sends a “request-to-pay” transaction.
● With the AnyID switch, multi-factor or cross-channel authorization can be implemented.
41. Ease of Doing Business
● Withholding tax with payment
● Bill payment across banks. No more faxing slips
● B2B bill payment with W/H tax
● Banks' ability to act as W/H tax agent
● Bill presentment
● Email tax invoice
● Electronic cheque clearing / instant truncation
44. Current Exposure to Internet
(Diagram, “Old”: consumers, businesses, government and non-banks connect by bank account number; the switch/clearing house sits behind the banks.)
45. Same Structure: No New Exposure to Internet
(Diagram, “New”: the same topology with AnyID in place of the bank account number; the switch/clearing house is still reached only through the banks.)
46. IT Security Architecture
ITMX Implementation
● Only member banks can send/receive data with ITMX.
● Member banks connect to ITMX over the existing extranet (via MPLS).
● Member banks can access the ITMX extranet DMZ zone only.
● ITMX separates the DMZ zone, application zone, database zone and other critical zones.
● All zones are protected by firewall and IPS.
● In the ITMX data center, all devices are protected to PCI DSS requirements (physical security, network access control, data security, VA, patching, logging and monitoring, BCP).
● All processes for accessing servers comply with ISO 27001 and BOT best practice.
● Important data will be encrypted in transit and at rest.
47. Network Security & Cryptography
ITMX Implementation
● Single registration: REST/HTTP over TLS 1.2 with message signing (PKCS#7 & SHA-1)
● Bulk registration: SFTP with hardware token
● Financial transaction: ISO 8583 over TLS 1.2
– PIN block encryption using 3DES or DES
– The message in the PIN block can be an OTA (one-time authorization code), an AnyID or a destination account; the type of message is defined in field 48.13
– {Even though the DES algorithm is easily breakable, the data are not significant and travel inside a TLS 1.2 tunnel}
● All keys and certificates are kept in a Hardware Security Module (HSM)
48. Error Prevention
● Transfer to an unregistered ID
– MOF requires banks to implement dangling accounts
– {Dangling accounts are good for National ID and accelerate adoption of mobile numbers}
● Transfer to a wrong ID
– {Sender banks should send the destination account name to their customers for verification}
49. About Fraud
● AnyID does not intend to reduce existing electronic fund transfer fraud, but some flows will reduce fraud by design.
– Example: the request-to-pay flow.
● New innovation always introduces new frauds.
50. Registration Security & Privacy
ITMX Implementation
● ID validation
– National ID: banks validate registration/deregistration through the KYC (Know Your Customer) process
– Mobile number:
● Phase 1: banks must validate possession of the number by their own processes
● Next phase: NBTC & telcos will help with on-line validation and send a daily revocation list via ITMX
● Only the registered ID and bank account are kept at ITMX, no other information
● Banks can register a dummy account with ITMX
● The destination bank sends the name of the account mapped to the ID, per request, for verification
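The registry behaviour spread across slides 20, 21, 28 to 30, 32, 33, 48 and this one can be exercised as a single in-memory model. The code below is an added example, not ITMX or bank code: the class and method names, the bank-issued token that stands in for the “dummy account” this slide allows, the `dangling` ledger held at the switch and the `confirm` callback that plays the customer in steps 6 and 7 are all illustrative assumptions about the design described above. It models one account per ID at a time with many IDs per account, a payment to an unregistered ID parked until registration, the sending bank showing the payee name before it confirms, and the telco revocation list forcing deregistration.

```python
"""Toy model of the AnyID directory and transfer flow (slides 28-33, 48, 50).
Added example, not ITMX or bank code: names, the bank-issued token standing in
for the 'dummy account', and the in-memory 'dangling' ledger are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    number: str
    name: str
    balance: int = 0


class Bank:
    """A member bank. It keeps the real account behind each AnyID and hands
    the switch only a bank-issued token (the 'dummy account' slide 50 allows),
    so neither ITMX nor the sending bank learns the payee's account number."""

    def __init__(self, code: str) -> None:
        self.code = code
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, str] = {}        # token -> real account number

    def open(self, number: str, name: str) -> None:
        self.accounts[number] = Account(number, name)

    def issue_token(self, account_no: str) -> str:
        if account_no not in self.accounts:
            raise KeyError(f"{self.code}: no account {account_no}")
        token = f"{self.code}-T{len(self.tokens) + 1:04d}"
        self.tokens[token] = account_no
        return token

    def account_name(self, token: str) -> str:
        return self.accounts[self.tokens[token]].name

    def credit(self, token: str, amount: int) -> None:
        self.accounts[self.tokens[token]].balance += amount


class Switch:
    """ITMX role: AnyID -> (bank code, token) directory, plus money parked in
    IDs that were paid before they were registered."""

    def __init__(self) -> None:
        self.banks: dict[str, Bank] = {}
        self.directory: dict[str, tuple[str, str]] = {}
        self.dangling: dict[str, int] = {}

    def add_bank(self, bank: Bank) -> None:
        self.banks[bank.code] = bank

    def link(self, any_id: str, bank_code: str, account_no: str) -> None:
        """Register or re-point an ID. The dict gives one account per ID at a
        time (slide 21); many IDs may point at one account (slide 20); a relink
        replaces the old link. Parked money is paid out on registration."""
        token = self.banks[bank_code].issue_token(account_no)
        self.directory[any_id] = (bank_code, token)
        held = self.dangling.pop(any_id, 0)
        if held:
            self.banks[bank_code].credit(token, held)

    def delink(self, any_id: str) -> None:
        self.directory.pop(any_id, None)

    def apply_revocation_list(self, changed: list[str]) -> list[str]:
        """Daily telco/NBTC list of numbers whose ownership changed: deregister
        each one regardless of what the old or new owner did (slide 30)."""
        removed = [n for n in changed if n in self.directory]
        for n in removed:
            self.delink(n)
        return removed

    def lookup(self, any_id: str) -> Optional[tuple[str, str, str]]:
        """Steps 2-5: find the bank, ask it for the account name, and return
        (bank code, token, name) to the sending bank."""
        entry = self.directory.get(any_id)
        if entry is None:
            return None
        bank_code, token = entry
        return bank_code, token, self.banks[bank_code].account_name(token)

    def transfer(self, any_id: str, amount: int) -> str:
        """Steps 8-12: credit the linked account, or park the money in the ID
        when nothing is linked (pay before ... register later)."""
        entry = self.directory.get(any_id)
        if entry is None:
            self.dangling[any_id] = self.dangling.get(any_id, 0) + amount
            return "held"
        bank_code, token = entry
        self.banks[bank_code].credit(token, amount)
        return "credited"


def pay_by_id(switch: Switch, any_id: str, amount: int,
              confirm: Callable[[str], bool]) -> str:
    """Sending-bank side (steps 1, 6-7, 13): show the payee name to the
    customer and send the instruction only after they confirm. An unregistered
    ID has no name to verify, so the money is parked instead."""
    found = switch.lookup(any_id)
    if found is not None and not confirm(found[2]):
        return "cancelled"
    return switch.transfer(any_id, amount)
```

What the model makes visible: between a mobile number changing hands and the daily revocation list arriving, `lookup` still resolves the number to the old owner's account, which is why the old owner's ability to delink immediately (slide 30) is more than a convenience. It also shows that with a token in the directory the sending bank verifies a name but never sees the payee's account number.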
52. What is Privacy?
“Well, it depends on who you ask. Broadly speaking, privacy
is the right to be let alone, or freedom from interference or
intrusion. Information privacy is the right to have some control
over how your personal information is collected and used.”
The International Association of Privacy Professionals (IAPP)
53. Control Over Information
"Privacy is not simply an absence of information about us in
the minds of others; rather it is the control we have over
information about ourselves."
Charles Fried,
The Yale Law Journal Vol. 77, No. 3 (Jan., 1968), pp. 475-493
54. Personally Identifiable Information (PII)
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
NIST Special Publication 800-122 (quoting OMB Memorandum M-07-16)
55. Factors for Determining PII Confidentiality Impact Levels
● Identifiability
● Quantity of PII
● Data Field Sensitivity
● Context of Use
● Obligations to Protect Confidentiality
● Access to and Location of PII
NIST Special Publication 800-122,
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),
April 2010
56. AnyID Participants
● Banks
● Switching (ITMX)
● Government
● Employers (for Payroll)
● Payers with Withholding Tax
● Other Payers
● Billers (Request to Pay)
● E-Commerce Merchants (Request to Pay)
57. AnyID & Identifiability
● Considered as PII
– Citizen ID
– Bank Account
– Mobile Phone Number
– Payment Card Number
– Email Address
● Not Considered as PII
– E-Wallet Number
58. Participants & Quantity of PII
Participants                 | Bank Account | Citizen ID  | Phone Number
Banks                        | # Accounts   | # Customers | # Customers
Switching (ITMX)             | High         | [High]      | [High]
Government                   | Low          | All         | Low
Employers (for Payroll)      | # Employees  | # Employees | # Employees
Payers with Withholding Tax  | Low          | # Payees    | Depends
Other Payers (Individual)    | Low          | [Low]       | [Low]
[R2P] Billers                | Low          | # Accounts  | # Accounts
[R2P] E-Commerce Merchants   | None         | [# Users]   | [# Users]
In [ ] are estimation of quantity after AnyID in operation.
{This is my opinion not team nor participants}
59. AnyID & Data Field Sensitivity
“For example, an individual's SSN, medical history, or financial account information is generally considered more sensitive than an individual's phone number or ZIP code.”
NIST Special Publication 800-122, April 2010, Page 3-3
● High Sensitivity
– Citizen ID
– Bank Account
– Payment Card Number
● Low Sensitivity
– Mobile Phone Number
– Email Address
60. Participants & Context of Use
● How the disclosure of data elements can potentially harm
individuals and the organization
● The context of use factor may cause the same types of PII to be
assigned different PII confidentiality impact levels in different
instances.
Participants                 | Context of Use                                | Impact
Banks                        | Know Your Customer (KYC)                      | Low
Switching (ITMX)             | ID to Bank Account Switching                  | Low
Government                   | Payment (Citizen ID Only)                     | Medium
Employers (for Payroll)      | Payroll (Bank Account & Citizen ID)           | High
Payers with Withholding Tax  | Payment (Citizen ID Only)                     | Medium
Other Payers                 | Payment                                       | Medium
[R2P] Billers                | Request to Pay (ID depends on bill category)  | Low
[R2P] E-Commerce Merchants   | Request to Pay                                | Low
NIST Special Publication 800-122, April 2010, Page 3-4
{This is my opinion not team nor participants}
61. Participants & Obligations to Protect Confidentiality
Participants                 | Obligation to Protect Confidentiality       | Impact
Banks                        | Bank of Thailand Regulation                 | High
Switching (ITMX)             | Future Privacy Law                          | Medium
Government                   | Official Information Act B.E. 2540 (1997)   | Medium
Employers (for Payroll)      | Future Privacy Law                          | Medium
Payers with Withholding Tax  | Future Privacy Law                          | Medium
Other Payers                 | Future Privacy Law                          | Medium
[R2P] Billers                | Future Privacy Law                          | Medium
[R2P] E-Commerce Merchants   | Future Privacy Law                          | Medium
{This is my opinion not team nor participants}
62. Participants & Access to and Location of PII
● Consider the nature of authorized access to PII
● PII accessed more often, or by more people and systems, carries a higher impact
● So does PII accessed from teleworkers' devices or from other systems
NIST Special Publication 800-122, April 2010, Page 3-5
Participants                 | Access to and Location of PII                                                  | Impact
Banks                        | Internal & ITMX (Internet banking is not considered to expose PII in practice) | Low
Switching (ITMX)             | Internal & Banks                                                               | Low
Government                   | Depends on department                                                          | Medium
Employers (for Payroll)      | Internal & Banks                                                               | Low
Payers with Withholding Tax  | Internal                                                                       | Low
Other Payers                 | Unknown                                                                        | High
[R2P] Billers                | Internal & Bank in Contract                                                    | Low
[R2P] E-Commerce Merchants   | Internal, Internet & Bank in Contract                                          | Medium
{This is my opinion not team nor participants}
63. PII Exposure Shift After AnyID
Participants                 | Bank Account | Citizen ID | Phone Number
Banks                        | ●            | ●          | ●
Switching (ITMX)             | ●            | ▲          | ▲
Government                   | ▼            | ●          | ●
Employers (for Payroll)      | ▼            | ●          | ●
Payers with Withholding Tax  | ▼            | ●          | ●
Other Payers                 | ▼            | ▲          | ●
[R2P] Billers                | ●            | ●          | ●
[R2P] E-Commerce Merchants   | ●            | ▲          | ▲
● Unchanged   ▼ Decrease   ▲ Increase   (R2P = Request to Pay)
{This is my opinion not team nor participants}
64. Privacy Impact from Bank Account
Participants                 | Quantity | Context | Obligation | Access | Shift
Banks                        | High     | Low     | High       | Low    | ●
Switching (ITMX)             | High     | Low     | Medium     | Low    | ●
Government                   | Low      | Low     | Medium     | Medium | ▼
Employers (for Payroll)      | Medium   | High    | Medium     | Low    | ▼
Payers with Withholding Tax  | Low      | Low     | Medium     | Low    | ▼
Other Payers                 | Low      | Medium  | Medium     | High   | ▼
[R2P] Billers                | Low      | Low     | Medium     | Low    | ●
[R2P] E-Commerce Merchants   | None     | Low     | Medium     | Medium | ●
{This is my opinion not team nor participants}
65. Privacy Impact from Citizen ID
Participants                 | Quantity | Context | Obligation | Access | Shift
Banks                        | High     | Low     | High       | Low    | ●
Switching (ITMX)             | High     | Low     | Medium     | Low    | ▲
Government                   | Low      | Medium  | Medium     | Medium | ●
Employers (for Payroll)      | Medium   | High    | Medium     | Low    | ●
Payers with Withholding Tax  | Low      | Medium  | Medium     | Low    | ●
Other Payers                 | Low      | Medium  | Medium     | High   | ▲
[R2P] Billers                | Low      | Low     | Medium     | Low    | ●
[R2P] E-Commerce Merchants   | Medium   | Low     | Medium     | Medium | ▲
{This is my opinion not team nor participants}
66. Privacy Impact from Phone Number
Participants                 | Quantity | Context | Obligation | Access | Shift
Banks                        | High     | Low     | High       | Low    | ●
Switching (ITMX)             | High     | Low     | Medium     | Low    | ▲
Government                   | Low      | Low     | Medium     | Medium | ●
Employers (for Payroll)      | Medium   | Low     | Medium     | Low    | ●
Payers with Withholding Tax  | Low      | Low     | Medium     | Low    | ●
Other Payers                 | Low      | Medium  | Medium     | High   | ●
[R2P] Billers                | Low      | Low     | Medium     | Low    | ●
[R2P] E-Commerce Merchants   | High     | Low     | Medium     | Medium | ▲
Phone number: Low Sensitivity
{This is my opinion not team nor participants}