(Secure) Digital Banking


(Secure) Digital Banking 26.05.2017 Ali Süha Ter Head of Special Projects and Security

Agenda
- Overview of Garanti Digital Figures
- Map of general security controls – Architecture
- Platform Security
- Authentication
- Input methods
- Authorisation controls & Security settings
- Fraud Monitoring
- Transaction signing
- Out of channel validation

Garanti Digital Figures
- 5 million active digital customers
- 3,9 million active mobile customers
- 92% of all client transactions are digital
- 45% of loan sales are through digital
[Chart: Total Digital Customers (thousands), Digital and Mobile; Digitalization Level]

Garanti Digital Figures: Retail digital banking Market Share
[Chart: Market Share Details for Money Transfers (Havale), Tax Payments, Stock Transactions, Credit Card Transactions]

Control Architecture: safeguards
- FRAUD MONITORING: defined rules, analyst effort
- PLATFORM SAFEGUARDS: encryption, certificates, client based antivirus, web based antivirus, customer training
- AUTHENTICATION: passwords, hard tokens, soft tokens, token apps, e-signature, e-ID, SMS OTP
- WEB FORMS & OTHER INPUT METHODS
- TRANSACTION SIGNING: with hard token, with soft token, with e-signature, with SMS OTP, with captcha
- AUTHORIZATION CONTROLS & SECURITY SETTINGS: transaction limits, account authorization, transaction type authorization, IP/location/time settings

Platform security
Protect the customer platform; know the risks and feed them to Fraud Monitoring.
- ENCRYPTION: Always use state of the art encryption algorithms.
- CERTIFICATES: Use state of the art certificates that help users validate the web site owner.
- ANTIVIRUS SOFTWARE: Never allow Android devices to access if they don't have virus protection. Add an antivirus SDK to the mobile app code. It is very hard to convince PC users to download and install antivirus software, so deploy web based protection software for PC usage, because your customers will never all download and install a client based antivirus. Garanti uses the Webroot SDK in all mobile apps and offers the PC antivirus software «Webroot Secure Anywhere» to all PC users for free.
- CUSTOMER TRAINING: Inform the customers about protection methods. Offer antivirus software.

Authentication methods; Risk analysis
Make continuous risk analysis:
- Write down the threats associated with each login method. Find real life threats or try to imagine them.
- Find the best safeguards from standard documents or create new ones.
- Find out the resulting risks.
- Choose the best combination of factors. Factors should be totally independent.

Authentication methods; Risk analysis* *Below information is intentionally distorted

Authentication methods; Regulatory requirement Choose at least 2 independent factors out of the following factor sets;

Authentication; Methods We Use
- Identification with social security / customer number / cookies / tokens
- PASSWORD: alphanumeric, forced to change in 180 days, strong passwords forced
- BIOMETRY: Eye verification is used with liveness detection
- SMS OTP
- Soft Token
- Hard token
- Tokenization

Biometric solutions for authentication
- Eye Biometrics: An alternative login method for mobile apps which allows clients to log in securely to Garanti Cep and GarantiOne by recognizing the structure of their eyes.
- Speech Recognition: A voice biometrics infrastructure for live voice calls. Validates the customers while they speak freely, without the need for static questions.
- Vocal Password: A passphrase authentication tool to be used in self service IVR and other digital channels.

Login with eye recognition
Allows easy login with enough security and helps customers when they forget passwords.
Prevents most of the risks associated with:
- loss of equipment
- social engineering
- theft
- message re-routing
- misuse
- disclosure of information

New Input methods; Keyboard extension
- Choose the Garanti Keyboard on any messaging app (WhatsApp, Messenger, etc.).
- Click the clover icon and choose the Garanti Mobile interface.
- Log in either by typing in your Garanti password or by further authentication options.
- Choose the person from your contacts list that you'll wire the money to, enter the amount in the amount box and click approve.
- Approve the message that will be sent to the receiver and you're all set!
Allows users to make payments and money transfers through commonly used messaging apps by adding a built-in interface to these apps.

New Input methods; Mobile Interactive Assistant
Functionality:
- Works through a parallel overview screen that helps users get an instant response to voice commands.
- Perceives natural language, so the user doesn't have to use specific sentences or keywords.
- Extensive capacity for grammar and comprehension, currently with more than 120 different actions built in.
- Navigation assistance within the app: getting information on the nearest ATM or branch, current loan rates, navigating to the profile page or settings page, etc.
Inquiries: Can respond to account inquiries, account number details and activities.
Transactions: Balance checking, card information, money transfers, bill payment, credit card payment.
More advanced inquiries include “How much money did I spend to fuel-oil from my Platinum credit card?”, “What is the maturity date of my deposit account?”, “I want to send 100 USD to David immediately.”, or “How much money did I transfer last week?”

Chatbots

Authorization controls & Security settings
Optional controls:
- User defined money transfer and payment limits
- User defined transaction types
- User defined channel usage
Optional security controls:
- User defined IP / time / location limits
User defined settings can only be canceled with `out of channel` validation: branches, video call center or call center with biometric validation.
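A sketch of how the user defined controls on this slide could be evaluated, added here as an example and not taken from the presentation or from Garanti's systems. The class, field and function names, the channel labels and the sample values are all assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Validation paths the slide lists as "out of channel" (labels are assumed).
OUT_OF_CHANNEL = {"branch", "video_call_center", "call_center_biometric"}

@dataclass
class UserSettings:
    # Every control is optional: None means the customer has not set it.
    transfer_limit: Optional[int] = None
    allowed_types: Optional[set] = None
    allowed_channels: Optional[set] = None
    allowed_networks: Optional[list] = None
    allowed_hours: Optional[tuple] = None  # (start, end) as datetime.time

def violations(s: UserSettings, tx: dict) -> list:
    """Return the names of the user defined controls this request breaks."""
    out = []
    if s.transfer_limit is not None and tx["amount"] > s.transfer_limit:
        out.append("transfer_limit")
    if s.allowed_types is not None and tx["type"] not in s.allowed_types:
        out.append("allowed_types")
    if s.allowed_channels is not None and tx["channel"] not in s.allowed_channels:
        out.append("allowed_channels")
    if s.allowed_networks is not None and not any(
            ip_address(tx["ip"]) in ip_network(n) for n in s.allowed_networks):
        out.append("allowed_networks")
    if s.allowed_hours is not None and not (
            s.allowed_hours[0] <= tx["when"] <= s.allowed_hours[1]):
        out.append("allowed_hours")
    return out

def cancel_setting(s: UserSettings, name: str, validated_via: str) -> None:
    """Remove a control only after out of channel validation."""
    if name not in s.__dataclass_fields__:
        raise KeyError(name)
    if validated_via not in OUT_OF_CHANNEL:
        # A session on the digital channel itself may not lift its own limits.
        raise PermissionError(f"{validated_via} cannot cancel {name}")
    setattr(s, name, None)

if __name__ == "__main__":
    s = UserSettings(transfer_limit=5000, allowed_channels={"mobile"},
                     allowed_networks=["203.0.113.0/24"])  # constructed values
    tx = {"amount": 9000, "type": "transfer", "channel": "web",
          "ip": "198.51.100.9", "when": time(23, 30)}
    print(violations(s, tx))
```

Any non-empty result is also a signal worth passing to fraud monitoring, since the request falls outside what the customer declared as normal.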

Fraud Monitoring
- Cyber Intelligence: banks, third parties, software based intelligence, government agencies
- Behavioral monitoring: detecting abnormal activities, cross channel monitoring, rule based monitoring based on patterns

Transaction Signing
Transaction signing is required when:
- the journey of the customer is seen as abnormal.
- the transactions and cross channel activities match defined patterns.
It is applied to a certain predefined percentage of transactions to avoid customer dissatisfaction.
It is a balancing method: when the percentage increases, it means more safeguards need to be deployed. When it decreases, it means safeguards are above the required level.
Methods used are:
- Simple captcha generated from transaction details (protects from MITB)
- Real signing with hard token, soft token or e-signature (protects from MITM)
- SMS signing with OTP generated from transaction details (protects from interview and social engineering; weak against SIM forwarding)
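An OTP generated from transaction details can be built as a keyed MAC over the transaction, truncated to a short code. The sketch below is an added example, not the scheme used by Garanti or shown in the presentation; the HMAC-SHA256 construction with RFC 4226-style truncation, the function names and the sample payee values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

def canonical(tx: dict) -> bytes:
    # Serialise with sorted keys so client and server MAC identical bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def transaction_otp(key: bytes, tx: dict, digits: int = 6) -> str:
    """Short code bound to every field of tx."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def new_challenge(payee: str, amount_minor: int, currency: str) -> dict:
    # A fresh nonce per transaction stops an old code from being replayed.
    return {"payee": payee, "amount_minor": amount_minor,
            "currency": currency, "nonce": secrets.token_hex(8)}

def sms_text(key: bytes, tx: dict) -> str:
    # The message repeats the details so the customer can compare them
    # with what they intended before typing the code.
    return (f"Transfer {tx['amount_minor'] / 100:.2f} {tx['currency']} to "
            f"{tx['payee']}. Code: {transaction_otp(key, tx)}")

def verify(key: bytes, tx_as_received: dict, code: str) -> bool:
    # The server recomputes over the transaction it is about to execute,
    # so a payee or amount changed in the browser no longer matches.
    return hmac.compare_digest(transaction_otp(key, tx_as_received), code)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-customer secret
    tx = new_challenge("TR00 CONSTRUCTED 0001", 10000, "USD")
    code = transaction_otp(key, tx)
    tampered = dict(tx, payee="TR00 CONSTRUCTED 9999")
    print(sms_text(key, tx))
    print(verify(key, tx, code), verify(key, tampered, code))
```

The binding does nothing against the SIM forwarding weakness the slide names: whoever receives the SMS also receives a valid code for the displayed transaction.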

Thank You for your patience ! Questions?