Security Assessment of briidge.net TM 2-Step verification for banking customers in a multichannel delivery environment that is FFIEC compliant

Transcription

1 Security Assessment of briidge.net TM 2-Step verification for banking customers in a multichannel delivery environment that is FFIEC compliant Prepared for: By: Wesly Delva, SSCP, Information Security Consultant Adam Sarote, CISA, CGEIT, CRISC, AES, PCI-QSA, PCIP, Managing Director Date: March 20, 2015 Coalfire Systems, Inc 361 Centennial Parkway Louisville, CO Seattle San Francisco Los Angeles Boulder Dallas Atlanta Washington DC New York Boston Manchester UK

2 Overview: The loss of customer data as a result of compromised security controls is a serious threat to financial institutions. The lack of effective identity and authentication security controls can expose all lines of business to data breaches. Recent breaches affecting financial institutions have increased security awareness throughout the industry. Consequently, financial institutions are relying on regulatory guidance, such as those provided by the Federal Financial Institutions Examination Council ( FFIEC ) and PCI-DSS, to help prevent risks that are associated with identity theft and fraudulent transactions. SecureKey (or "the Company ) contracted with Coalfire Systems, Inc. ( Coalfire ), an independent leading industry provider of IT Security, governance and regulatory compliance services, to provide a security review of the Company s "briidge.net Connect application. For more than eleven (11) years and four thousand (4000) projects later, Coalfire has provided IT assessment and risk management services for a variety of financial institutions. Coalfire has hundreds of financial service clients, to include banks, credit unions, trust companies and brokerage located throughout the United States. Our clients range from small specialty membership credit unions to large national banks. Our experience and flexibility allow us to provide guidance on controls appropriate for the size and complexity of each financial institution. Key aspects of Coalfire s financial institutions practice include: Experience our team completed more than two hundred (200) assessments for financial institutions last year; Training Coalfire trains more than two hundred (200) federal examiners annually from the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and several state examination authorities on Federal Financial Institutions Examination Council (FFIEC) examination guidelines and security best practices; and Specialization Coalfire offers highly-specialized assessment services unique to financial organizations, such as e-banking, FedLine assessment, Risk Assessments, Business Continuity Planning, Social Engineering, employee awareness training, and more. Our assessment of the briidge.net Connect application focused on the FFIEC s requirements for authentication. The objectives of our security review included: 1. The overall design and architecture of briidge.net Connect; 2. Authentication capabilities across mobile and web channels; and 3. Active network monitoring to confirm that the briidge.net Connect applications encryption fields are not transmitting clear text data. Overall, our procedures included interviews with the Company s key personnel, technical assessments and review of supported documentation.

3 The purpose of this white paper is to provide an overview of Coalfire s security assessment results, and to identify how the development of the briidge.net Connect application aligns with FFIEC authentication standards and guidelines. Target Audience: The primary audience for this white paper are financial institutions seeking clarity regarding Internet Banking solutions that address multi-channel authentication security needs of low-tohigh risk IT control environments. Introduction: The 2014 Data Breach Investigations Report by Verizon noted that 33% of web application attacks are financially motivated. According to Verizon s study, the underlying vulnerability behind these attacks is the lack of effective identity and authentication controls. Exposures of this nature enable an intruder to penetrate sensitive networks, and allow them to carry out attacks that could manipulate the user interface of an application. These attacks grant unauthorized access to customer accounts, transaction funds and other sensitive information. Figure 1 - Web Application Attacks Malware such as Crimeware," which obtains financial returns by stealing Personally Identifiable Information ( PII ) and account credentials and poses a significant threat to financial institutions. The latest Crimeware, Zeus (or "Zbot") steals banking information by conducting a man-in-the-browser keystroke logging attack. This attack steals the device input of the customer, such as PINs and passwords, during the authentication process. The stolen credentials provide a hacker with the opportunity to modify the customer s banking sessions. Attacks of this kind thwart two-factor authentication solutions that rely on one-time passcodes, known as OTP. Specifically, a large number of European banks suffered losses in $47 Million USD range, as a result of Crimeware called Eurograbber, a Zeus variant, which bypassed customer authentication systems. Symantec s Internet Security Threat Report 2014," revealed that the development of Banking Trojans has tripled during the first three quarters in More than half of these attacks were aimed at the top fifteen (15) worldwide financial institutions.

4 Figure 2 Crimeware What is the FFIEC? The FFIEC Council is an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. To provide guidance for financial institutions, the US government formed the Federal Financial Institutions Examination Council ( FFIEC ). The body governs the Federal Reserve System ( FRS ), the Federal Deposit Insurance Corporation ( FDIC ), the National Credit Union Administration ( NCUA ), the Office of the Comptroller of the Currency ( OCC ), and the Consumer Financial Protection Bureau ( CFPB ). The oversight provided by the FFIEC promotes uniformity in the supervision of financial institutions. This uniformity establishes guidelines for minimizing security risk and preventing loss of data. The FFIEC s Authentication Guidance continues to expand in response to technology trends. In 2006, the State Liaison Committee ( SLC ) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors ( CSBS ), the American Council of State Savings Supervisors ( ACSSS ), and the National Association of State Credit Union Supervisors ( NASCUS ).

5 FFIEC Guidance: The two main aspects of the FFIEC s latest authentication guidance Supplement to Authentication in an Internet Banking Environment are to ensure that institutions are: (1) executing a periodic risk assessment and (2) implementing a layered security approach to establish a commercially reasonable control environment for electronic financial services. Risk Assessment: Since the FFIEC s first guidance released in 2001, the methods and sophistication of fraudsters and hackers have evolved. The FFIEC has acknowledged the development as a high risk security concern and recommends that financial institutions perform annual risk assessments, which address: Changes in the internal and external threat environment; Changes in the customer base adopting electronic banking; Changes in the customer functionality offered through electronic banking; and Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry. The FFIEC s guidance states that not all transactions pose the same level of risk, and financial institutions should implement robust solutions that address the risk exposures of Internet Banking Environments. Layered Security: Since virtually every authentication technique can be compromised, financial institutions should not reply solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security release Supplement to Authentication in an Internet Banking Environment. The FFIEC s guidelines make it clear that single-factor authentication is inadequate. To enhance authentication security controls, the FFIEC recommends a layered security approach that relies upon multiple types of authentication controls, established at different transaction periods. The best approach will include a combination of multi-factor authentication and effective layered security controls, such as device identification or challenge questions. The solution will have the Internet Banking s customer acceptance, be reliable, scalable, and interoperable with existing and future plans. What is briidge.net Connect? Briidge.net Connect is an authentication solution that operates as a cloud-based service. The solution enables financial institutions to provide a consistent security experience across multiple service channels by offering mobile and web Software Development Kits ( SDK ). The

6 briidge.net Connect SDK is used by embedding it into existing applications. Rather than developing and implementing a strong authentication solution for each stand-alone application, financial institutions can seamlessly embed briidge.net Connect functionality into existing web and mobile applications. This allows financial institutions to maintain full control of the customer experience. To facilitate the consistent customer experience across channels it enables customers to use their personal devices in a simple and secure manner (e.g., personal mobile phone, tablet, laptop, and workstations) for personal banking accounts, without separate mobile apps, desktop software, or carrying external devices such as OTP tokens. How does briidge.net Connect Work? Coalfire s testing procedures found that each user is assigned a unique cryptographic key for each device used. User verification requires a multi-device 4-6 digit PIN Code (or Passcode). Only users with verified devices can access the user verification service. Unlike a typical SMS based system, the application provides its own dedicated secure channel to the briidge.net Connect application via Transport Layer Security (TLS) v1.2. Layered Security and Dynamic Authentication Connect Service: One of the strengths of briidge.net Connect is the ability to provide a unique device ID, which allows organizations to identify customers across multiple channels. It installs a credential in the personal devices customers use (i.e. mobile phones, tablets, laptops, etc.). During setup, briidge.net Connect interrogates the customer s device and determines the most secure location to store the unique cryptographic key that protects the customer s Digital ID. The SDK determines if the device has a hardware secure container, such as Trusted Execution Environment ( TEE ), Hardware Secure Element ( HW-SE ), SIM Secure Element ( SIM-SE ) or Intel Identity Protection Technology ( IPT ). If a hardware secure container is not found, Connect constructs a software based Virtual Secure Element ( vse ) on the device using cryptographic keys with secure key management. The key management protocols are facilitated by a cloud-based Hardware Security Module ( HSM ), which implements specifications for cryptographic security from Federal Information Processing Standard ( FIPS ) In addition, the Company incorporates a key management protocol for personalizing the credential based on the Global Platform ( GP ) SCP-03 standard. Ordinary devices contain a trusted credential, which provides an assurance to a financial institution that the device accessing their services meets an acceptable level of security. bridge.net Connect can help organizations with respect to customer authentication. The Company has evolved the traditional client-server username/password concept to be simpler and more secure with a cryptographic PIN ( Crypto-PIN ) Code that unlocks keys from secure storage used to generate dynamic authentication cryptograms. The same Passcode or PIN is synchronized across all of a user s enrolled devices. Together, verified device and Crypto- PIN are two factors of authentication. The Crypto-PIN itself is never stored on the customer s

7 device or any of the servers, making the process real-time. Coalfire reviewed the account access and authentication transaction processes and verified that the Customer provides a unique, dynamic, cryptographic authentication token for each transaction, which verifies the device and user. Figure 3 - SecureKey bridge.net Connect Overview Page 8 Connect integrates with existing technologies, while enhancing their capabilities. Briidge.net Connect allows financial institutions to integrate other authentication technologies. Fingerprints or other biometric scans can be included as additional authentication factors or high-risk transactions. This is a significant advantage to financial institutions that already have fraud engines and identity verification systems in place. Briidge.net Connects device identification process is compatible with multiple platforms. All devices registered and associated to the end user s digital ID become trusted. Customers only need one credential for many devices, which provides dynamic authentication for every access, and every transaction.

8 Figure 4 - Secure Connect Scalability Summary and Conclusion: Based upon the results of our review, briidge.net Connect meets the FFIEC s layered security guidance for authentication in an Internet Banking Environment. Briidge.net Connect will provide a financial institution with the assurance of secure customer authentication. The threats from Crimeware and Banking Trojans are dramatically reduced by SecureKey s design. The multi-device Crypto-PIN is not usable without the verified physical devices that users have registered. Passwords, usernames, and PII cannot be stolen because Connect replaces them with cryptograms and verified devices. Connect does not have exposure to the same threats as password based schemes, because the solution does not depend on knowledge-based authentication factors vulnerable to theft and replay. The benefits of an SDK solution enable a financial institution to implement additional levels of security that can be used for low-to-high risk transactions in all types of Internet Banking Environments.