Chew Chee Seng's presentation at our 7th BankTech Asia - Series 1

1. 0
Managing & Securing the Online
and Mobile Banking Transaction
18th March 2015
Chew Chee Seng
ManagePay Group
Malaysia
ManagePay Group
Business Presentation

2. 1 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Mobile device is the new normal for computing
“Global mobile devices and connections in 2013 grew to 7 billion, up from
6.5 billion in 2012. Smartphones accounted for 77 percent of that growth,
with 406 million net additions in 2013.” - Cisco 2014 –
“80% of Smartphones Used in the Workplace are Employee Owned”
- McKinsey 2012 -
“Smart phones and tablets are giving people new levels of mobile
connectivity, and we expect to be able to use them for work and leisure.”
Whether in private or in workplace, the demand for security has arisen to
protect business critical information, communication and IT processes against
threats like unauthorized access, data leakage, espionage, identity theft and
fraud, and denial of service.

3. 2 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
OTP: Security Past its Expiration Date
• For more than 25
years, the financial
services industry has
relied on one-time
passwords for online
banking security.
• The advent of Internet
and mobile technology
and an explosion in
digital crime have
rendered these single-
use strings of digits
obsolete, both in
terms of security and
convenience.

4. 3 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
All OTP systems share the same inherent flaws
• OTP-based authentication systems,
– The OTPs are generated as either time-synchronized or counter-synchronized codes
and it requires the user to carry a small hardware device, i.e. a “Token”, which may
look like a small calculator or a keychain charm with an LCD display.
– Some banks generate and dispatch OTPs to the customer’s mobile phone via SMS
which is referred to as Transaction Authorization Code (TAC)
• OTP systems share the same flaws and vulnerabilities.
– First, they are all symmetric because the bank has access to the same secrets as its
customer (and the mobile carrier does too, in the case of SMS transmission).
– Secondly, OTP systems all remain reliant on browser-based communications back to
the bank & Anything that goes through a browser can be compromised by a Trojan!!
– Trojan-enabled “man-in-the-middle” or “man-in-the-browser” attacks circumvent
the security promised by sophisticated-looking OTP generators, chip cards and
biometric technology.
– According to Kasperksy Labs, 2013 saw an almost twenty-fold increase in the
number of recorded banking trojans, many of them targeting SMS OTPs

5. 4 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
if OTPs are the past, what’s the future?
• For financial institutions intent on providing a
secure and convenient method for customers to
transact online, there are new solutions
available today that can virtually eliminate
all types of man-in-the-middle attacks.
• Deploying industry-standard X.509
digital certificates to mobile phones and
tablets allows them to be uniquely identified,
transforming them into second factors of
authentication.

6. 5 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
What is two-factor authentication
There are three (3) types/factors of human authentication :
• Something you know – a password or PIN
• Something you have – a smart card, USB key, PKI (Public Key
Infrastructure) certificate or mobile phone
• Something you are – a biometric characteristic, e.g. fingerprint or
voice pattern
two-factor authentication means that you authenticate a user with two
or more factors. Ideally, different authentication factors should be used in
combination.
Mobile PKI is a technology which allows users to place PKI certificates
(electronic signatures) with their mobile phone, and the mobile phone
will ask the user for his or her PIN before he/she places his/her electronic
signature onto transactions that requires multiple authentication.

7. 6 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Why Mobile PKI Security?
• The mobile phone is everywhere and available to almost everyone. By
2015, the number of mobile phones should exceed world population.
• Today, more people own and use a mobile phone than a personal
computer. Mobile penetration in Malaysia is way above 100%.
• So is mobile PKI (Public Key Infrastructure) security:
– Every mobile phone and every other device (Internet of Things) i.e. smart
watch, CCTV, wearables) that works with a SIM card supports mobile PKI.
• Legally bind:
– All transactions are digitally signed with non-repudiation as provisioned by
the Digital Signature Act.
– Avoid disputes and provide better customer service and experience.

8. 7 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Single ID for Multiple Applications

9. 8 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Mobile ID or Mobile Signature for Banks
Mobile PKI on
SIM’s SE
Certificate
Authority

10. 9 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Licensed CA
Banks
Government
Agencies
Corporate
Entities
Merchants
Service Provider Aggregator
MSSP
MSSP
Mobile
Operators
WAP
SMS
USSD
App
Service Request
Auth Request
Generate
Signature
Request
SignatureRequest
Signature Request
Cancel OK
Pay RMXXX from
your Acc 123456789
to Mr. Aan Smith.
Please confirm with
signature
Signature (Transaction encrypted at SIM)
CA
Signature(Transaction
encrypted)
Signature
attached with
CertSignature & Cert
Decrypt
Trans & Verify
Signature
Proceed with
Service
Service Fulfillment
Cancel OK
Key in PIN to sign
PIN: ******
Mobile Signature
Service Platform
How it works?
RCA

11. 10 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Licensed CA
MSSP
Mobile Signature
Service Platform
Service Delivery
Channels
Bank Data Center
Priority Internet/Mobile
Banking
Smart Phone/Tablet
Application
Relationship Manager
Customer accesses
service
Relationship
Mgr Initiated
auth Request
Priority Banking
Internet/Mobile Banking
Application Servers
Certificate
Authority
MNO
Customer Interacts with
Relationship Manager
Authentication
request
Authentication
Request
Create
Signature
Request
Signature RequestSignature Request
Cancel OK
Please key in
Signing PIN
******
Cancel OK
Signature Sent
Signature Signature Attach
Certificate
Verify
Signature and
Decide on
Transaction
Return
Confirmation
Return Confirmation
Priority Banking
Customer
Signature
with
Certificate
Implementation for High Net Worth Individual Banking

12. 11 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Licensed CA
MSSP
Mobile Signature
Service Platform
Certificate
Authority
Priority Banking
Customer
Relationship
Manager
Please proceed
with my transfer of
RM 500,000 from
my current account
to a fixed deposit
Sure Mr. Lee,
please confirm the
transaction with
your digital
signature
Priority
Banking
CRM System
Bank Data Center
CRM Application
servers
MNO
Phone interaction
Key in
transaction and
initiate auth
request
Auth Request
AuthRequest
Create
signature
request
Signature RequestSignature Request
Cancel OK
Transfer of
RM500,000 from
current acct to
fixed deposit
Cancel OK
Please confirm
with digital
signature
PIN: ******
Cancel OK
Signature Sent
Signature Signature
Attach
digital
certificate
Signatureand
Certificate
Verify
signature and
confirm
transaction
Return confirmation
Thanks Mr. Lee.
We’ve received
your signature and
your transfer is
confirmed
Wow, that was fast.
Thanks very much
Cancel OK
Transaction
confirmed
Customer and Money Transfer Transaction Flow

13. 12 Strictly Private & Confidential – Property of ManagePay Group All Rights Reserved
Thank you…
Chew Chee Seng
cheseng@mpsb.net
+60122188433