Solutions for Demanding Business

Transcription

1 Solutions for Demanding Business

2 Authentication and the Future of Security Is user authentication enough today? Igor Gržalja Group Sales Director 17 th CEESCA Conference March 19 th 2015

3 While preparing for this presentation... Hacking Browser fingerprint easy with Antidetect ( solutions for demanding business 3

4 Asseco SEE in figures 254 banks use Asseco SEE Banking software in SouthEast Europe 63 Core banking installations in SouthEast Europe ecommerce HUB: merchants, 14mil card transactions per month Maintenance ATM network for 76 banks in SouthEast Europe POS terminals for 79 banks in SouthEast Europe People: 270 in Croatia, in SouthEast Europe, in total Asseco Group 4

5 AGENDA solutions for demanding business 1. What are threads we face? 2. What should be future of security? 3. What is role of regulators (PSD2.0) 4. User authentication and AntiFraud - how to tackle fraud in more effective way

6 Last year, financial Trojans compromised the computers of 4.1 million individual users, with variants of the Trojan.Zbot malware accounting for about 4 million of that number. Any given day at a major European bank, at least 5 percent of bank customers' devices will be infected by some kind of malware. He points out that 3 percent will be infected by unwanted adware, 1.5 percent will be infected by spyware, and 0.5 percent will be infected by banking-related malware. 6

7 Most important for the Clients? FAST SIMPLE SECURE

8 CNP fraud is still growing... solutions for demanding business types of attacks phishing Trojan horse man-in-the-middle man-in-the-browser SIM swap inside attack

9

10 Authentication First line of defence

11 Legislative and regulatory initiatives

12 Legislative and regulatory initiatives key points Final guidelines on the security of Internet payments published by the European Banking Authority in December 2014 PSPs are expected to comply by August 2015 requirement two-factor authentication, to verify the end user s identity before: performing a transaction accessing sensitive payment data altering sensitive payment data

13 Legislative and regulatory initiatives key points Payment Services Directive 2 under review by the European Commission expected to be implemented into national legislation by 2017 additional requirement transaction authorization linking the transaction to a specific amount and a specific payee Passwords were obsolete, but One Time Passwords are not enough

14 User authentication from today to tomorrow

15 User authentication devices Hardware token SMS OTP SIM Sticker EMV CAP/DPA compliant reader TAN/Grid Cards ASEBA Mobile token DisplayCard Java BlackBerry iphone Android WP7 PKI

16 Device-centric approach solutions for demanding business 1st Phase: improve security (2FA)

17 User-centric approach solutions for demanding business 2nd Phase: improved user convenience

18 3-D Secure user authentication solutions for demanding business 3DSecure without 2FA is increasing security

19 Introducing QR Code as Transaction authorization Improved user experience easy input of data into the Mobile Token application Signing batch transactions Implementation of Multiple Digital Signature to Increase level of security host verification method MitM and MitB attack prevention

20 QR Code Transaction authorization use case 3. mtoken Verifies User generates captures transaction authentication a QR details code data 20

21 But still... 21

22 Now what? 22

23 Option: Make User authentication more complex to increase security Customer conveniance will suffer Costs will grow 23

24 Multilayer User-centric approach solutions for demanding business 3nd Phase: not only user authentication but Multilayer fraud prevention

25 Enterprise approach Combining user authentication and fraud prevention

26 Concept Score client and provide Best suited authentication (Adaptive authentication) Monitor customer behaviour Analyse transactions based on given scenarios in Real Time and Near Real time Report potential fraud 26

27 Channels, transactions, executors: Fraud Cube Executors Customer Employee Channels Branch POS/ATM Internet Mobile Call center Transactions EFT Card Merchant All monetary Non-monetary InACT - Central Fraud Management Solution

28 Profiling clients solutions for demanding business Statistics = Profiles Monthly number of transactions, sum of transactions, etc. Monthly number of transactions in foreign countries Statistics + Scenario Detection in change in customer / merchant behaviour

29 Sample fraud scenarios - Multichannel solutions for demanding business Client performs a transaction with the amount three times higher than his monthly average Client is transferring funds to an account in a country to which he/she hasn t transferred before Corporate client is making an international payment for the first time Merchant is performing transactions out of his regular working time Client is performing a high number of transactions through Internet banking, in a short period of time Client wants to withdraw a large sum of money from an ATM in a nonneighboring country. VIP client is performing a single unusual transaction Client keeps switching between currencies in his/her transactions

30 Adaptive authentication increasing user convenience FRAUD PREVENTION TOOL: low-risk client score Authentication: OTP only FRAUD PREVENTION TOOL: high-risk client score Authentication: Challange/Response

31 Benefits Increased security Transaction monitoring and analysis Cross channel security Increased customer convenience Adaptive authentication Lower costs Antifraud monitoring vs high cost End-user devices 31

32 Next steps Reconsider your user authentication to meet Multilayer approach Check how you can make your customers more safe than today Be step ahead since... If you are not improving, fraudsters are improving for sure 32

33