Solutions for Demanding Business

Authentication and the Future of Security
Is user authentication enough today?
Igor Gržalja, Group Sales Director
17th CEESCA Conference, March 19th 2015

While preparing for this presentation...
Hacking Browser fingerprint – easy with Antidetect (https://www.youtube.com/watch?v=ZQN7CyCXh90)

Asseco SEE in figures
• 254 banks use Asseco SEE Banking software in SouthEast Europe
• 63 Core banking installations in SouthEast Europe
• eCommerce HUB: 20.000 merchants, 14 million card transactions per month
• Maintenance: 6.500 ATM network for 76 banks in SouthEast Europe
• 120.000 POS terminals for 79 banks in SouthEast Europe
• People: 270 in Croatia, 1.317 in SouthEast Europe, 17.000 in total Asseco Group

AGENDA
1. What are the threats we face?
2. What should be the future of security?
3. What is the role of regulators (PSD2.0)?
4. User authentication and AntiFraud - how to tackle fraud in a more effective way

"Last year, financial Trojans compromised the computers of 4.1 million individual users, with variants of the Trojan.Zbot malware accounting for about 4 million of that number."

"Any given day at a major European bank, at least 5 percent of bank customers' devices will be infected by some kind of malware. He points out that 3 percent will be infected by unwanted adware, 1.5 percent will be infected by spyware, and 0.5 percent will be infected by banking-related malware."

Most important for the Clients?
• FAST
• SIMPLE
• SECURE

CNP fraud is still growing...

Types of attacks
• phishing
• Trojan horse
• man-in-the-middle
• man-in-the-browser
• SIM swap
• inside attack

Authentication
First line of defence

Legislative and regulatory initiatives

Legislative and regulatory initiatives – key points
• Final guidelines on the security of Internet payments published by the European Banking Authority in December 2014
• PSPs are expected to comply by August 2015
• requirement – two-factor authentication, to verify the end user's identity before:
  • performing a transaction
  • accessing sensitive payment data
  • altering sensitive payment data

Legislative and regulatory initiatives – key points
• Payment Services Directive 2 under review by the European Commission
• expected to be implemented into national legislation by 2017
• additional requirement – transaction authorization linking the transaction to a specific amount and a specific payee

Passwords were obsolete, but One Time Passwords are not enough

User authentication from today to tomorrow
User authentication devices
• SMS OTP
• Hardware token
• EMV CAP/DPA compliant reader
• DisplayCard
• TAN/Grid Cards
• SIM Sticker
• ASEBA Mobile token
• Java
• PKI
• BlackBerry
• iPhone
• Android
• WP7

Device-centric approach
1st Phase: improve security (2FA)

User-centric approach
2nd Phase: improved user convenience

3-D Secure – user authentication
3DSecure without 2FA is increasing security

Introducing QR Code as Transaction authorization
• Improved user experience
• easy input of data into the Mobile Token application
• Signing batch transactions
• Implementation of Multiple Digital Signature to increase level of security
• host verification method – MitM and MitB attack prevention

QR Code Transaction authorization – use case
1. User generates a QR code
2. mToken captures transaction details
3. Verifies authentication data

But still...

Now what?

Option: Make User authentication more complex to increase security
• Customer convenience will suffer
• Costs will grow

Multilayer User-centric approach
3rd Phase: not only user authentication but Multilayer fraud prevention

Enterprise approach
Combining user authentication and fraud prevention

Concept
• Score client and provide best suited authentication (Adaptive authentication)
• Monitor customer behaviour
• Analyse transactions based on given scenarios in Real Time and Near Real Time
• Report potential fraud

Channels, transactions, executors: Fraud Cube
• Executors: Customer, Employee
• Channels: Branch, POS/ATM, Internet, Mobile, Call center
• Transactions: EFT, Card, Merchant, All monetary, Non-monetary
InACT® - Central Fraud Management Solution

Profiling clients
Statistics = Profiles
• Monthly number of transactions, sum of transactions, etc.
• Monthly number of transactions in foreign countries
Statistics + Scenario
• Detection of change in customer / merchant behaviour

Sample fraud scenarios - Multichannel
• Client performs a transaction with the amount three times higher than his monthly average
• Client is transferring funds to an account in a country to which he/she hasn't transferred before
• Corporate client is making an international payment for the first time
• Merchant is performing transactions out of his regular working time
• Client is performing a high number of transactions through Internet banking, in a short period of time
• Client wants to withdraw a large sum of money from an ATM in a non-neighboring country
• VIP client is performing a single unusual transaction
• Client keeps switching between currencies in his/her transactions

Adaptive authentication – increasing user convenience
• FRAUD PREVENTION TOOL: low-risk client score. Authentication: OTP only
• FRAUD PREVENTION TOOL: high-risk client score. Authentication: Challenge/Response

Benefits
• Increased security
  • Transaction monitoring and analysis
  • Cross channel security
• Increased customer convenience
  • Adaptive authentication
• Lower costs
  • Antifraud monitoring vs high cost End-user devices

Next steps
• Reconsider your user authentication to meet Multilayer approach
• Check how you can make your customers safer than today
• Be a step ahead since...
If you are not improving, fraudsters are improving for sure
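
Added example (not part of the original slides and not InACT code): three of the sample fraud scenarios above evaluated against a client profile, with the result driving the adaptive authentication choice between "OTP only" and "Challenge/Response". The class and field names, the 10-minute / 5-transaction burst threshold, and the rule that one matched scenario means high risk are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Profile:
    """Client statistics of the kind listed on the 'Profiling clients' slide."""
    monthly_avg_amount: float
    known_countries: set
    recent_online: list = field(default_factory=list)  # earlier Internet-banking timestamps

@dataclass
class Txn:
    amount: float
    dest_country: str
    channel: str      # "internet", "branch", "atm", ... (assumed labels)
    when: datetime

# Assumed tuning values; the slides give no numbers for these.
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 5       # transactions inside the window, current one included

def triggered_scenarios(p: Profile, t: Txn) -> list:
    """Return the names of the sample scenarios this transaction matches."""
    hits = []
    # Amount three times higher than the monthly average. With no history
    # (average 0) any amount matches, so a new client is stepped up.
    if t.amount > 3 * p.monthly_avg_amount:
        hits.append("amount_over_3x_monthly_average")
    # Transfer to a country the client has not transferred to before.
    if t.dest_country not in p.known_countries:
        hits.append("first_transfer_to_country")
    # High number of Internet-banking transactions in a short period.
    if t.channel == "internet":
        recent = [ts for ts in p.recent_online
                  if timedelta(0) <= t.when - ts <= BURST_WINDOW]
        if len(recent) + 1 >= BURST_COUNT:
            hits.append("internet_banking_burst")
    return hits

def choose_authentication(p: Profile, t: Txn):
    """Low-risk score -> OTP only; high-risk score -> Challenge/Response."""
    hits = triggered_scenarios(p, t)
    # Assumption: a single matched scenario is enough to count as high risk.
    return ("Challenge/Response" if hits else "OTP only"), hits

if __name__ == "__main__":
    now = datetime(2015, 3, 19, 12, 0)                      # constructed sample data
    client = Profile(200.0, {"HR", "SI"})
    print(choose_authentication(client, Txn(150.0, "HR", "internet", now)))
    print(choose_authentication(client, Txn(700.0, "RS", "internet", now)))
```

Returning the matched scenario names alongside the method gives the fraud team the reason for each step-up, which is what the "Report potential fraud" item of the concept needs.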