MICRO BANKING: Where the security and convenience meet
PKI SOLUTION FOR eBANKING & ePAYMENT
ONLINE BANKING
OPPORTUNITIES
• Reduce costs of online banking transactions
• More services through the online banking channel
CHALLENGES
• Convenience
• Security
ONLINE BANKING AUTHENTICATION
• Most banks use a password to protect access to online banking
• Passwords can be guessed, stolen, hacked …
• This includes basic techniques like shoulder surfing and dictionary attacks, or more complex ones like phishing
ATTACK ON THE INTERNET
[Diagram labels: Hacker, Fake email, Phishing, Pharming, Fake Website, Trojan Horse, Man in the Middle]
AN EXAMPLE OF PHISHING ATTACK
AMOUNT OF PHISHING FRAUD: 3.2 Billion USD
FIRST CONCLUSION
• Phishing is effective
• Phishing is growing
• Phishing targets mainly the banks
• More sophisticated attacks are becoming a reality
• Password is not an option
TWO-FACTOR AUTHENTICATION
Authentication must include one or more of the following:
• Something a person knows: PIN, password
• Something a person is: biometry
• Something a person owns: hardware
A two-factor authentication includes at least two of these factors
WHY BANKS MUST MIGRATE TO STRONG AUTHENTICATION
• Push customers to use online banking
• Compliance with security directives
• Decrease the direct cost of fraud
• Avoid bad reputation
• Customer recruitment and retention
• In case of a security breach, 41% of consumers would switch bank (TriCipher study)
• FFIEC, Banque De France, Monetary Authority of Singapore
• Operations are 100 times cheaper than in branch
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: OTP TOKEN
Generates a One Time Password every 60 s or when pushing a button
• Mobility
• Customer acceptance
• No protection against Man in the Middle attack
• Weak protection against dynamic phishing attacks
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: SMS TEXT
The bank sends an authentication code to the user’s handset
• The mobile phone is never far
• Customer acceptance
• No protection against Man in the Middle attack (except with return status message)
• Maintenance is complex and costly (price of SMS, update of phone numbers…)
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: SMART CARD WITH UNCONNECTED CAP READER
After PIN validation the offline reader displays the authentication code
• Leverages the existing EMV infrastructure
• No driver to install on the PC
• No protection against Man in the Middle attack
• Early feedback shows a lack of convenience
• Risk of human mistakes (long numbers)
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: SMART CARD WITH CONNECTED CAP READER
After PIN validation the online reader displays the authentication code
• Leverages the existing EMV infrastructure
• Provides better protection against Man in the Middle attacks
• Just a PIN, no long number to enter in the system
• Requires an installation on the PC: no mobility
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: CRITERIA TO SELECT A SOLUTION
The bank needs to find the best balance between security, convenience and price.
• Login/Password: THE most used method
• One Time Passwords (OTP) list & Matrix Cards & OTP tokens
• CAP/DPA on EMV card + reader
• Fingerprint reader
• Challenge response using the user's mobile
• Risk management on Back Office
TWO FACTOR AUTHENTICATION AVAILABLE IN THE MARKET: CONCLUSION ABOUT THE AVAILABLE SOLUTIONS
• Many solutions exist on the market
• None seems to be THE solution
• Each has at least one serious drawback
And what if I want:
• To be protected against Man in the Middle?
• Mobility: driver to auto-install?
• Customer adoption?
• Low maintenance cost?
• A combination of security & service?
MICRO BANKING: Where the security and convenience meet
WHAT IS MICROBANKING SERVICE?
1 A smart card chip for the authentication operations
2 PKI Token/MobileToken dedicated to the Online Banking
3 A dedicated browser for enhanced security and convenience
WHAT IS MICROBANKING SERVICE? Micro-Banking browser
• Runs automatically and is integrated into the middleware
• Goes to a unique address hardwired in the chip during personalization or configured from the Token Management System (TMS)
USER EXPERIENCE
0: User plugs in the Key (PKI Token); the Usertool and even the Browser is launched
1: User chooses Micro Banking on the left pane of the Usertool and enters Login
2: Browser connects to the Micro-Banking server through 2-way SSL (client certificate)
3: Micro-Banking server requests authentication
4: Authentication application on the Key asks for the PIN
5: PIN is validated in the Key
6: Cryptogram is sent to the Micro-Banking Server
Access is granted
Each transaction requires a PIN prompt
SCREENSHOTS Main Screen Please choose ‘Login’ once used Micro-Banking
SCREENSHOTS: Choose a certificate for login; the corresponding account will be referenced
SCREENSHOTS: Account balance, Account statement
SCREENSHOTS Bill payment
SECURITY OF MICROBANKING
• PKI-based Online Banking (highest security)
• Client Certificate two-way SSL
• Each transaction, each CMS PKCS#7 (Cryptographic Message Syntax)
• Used the public certificate, stable & popular
• Infrastructure in Vietnam market
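The server side of login steps 3 to 6 and of the per-transaction cryptogram can be sketched as follows; this is an added example, not TOMICALAB's code. It assumes a hypothetical BankServer class, constructed account numbers, and HMAC-SHA256 standing in for the certificate-based operation performed on the Key, so that it runs with the Python standard library alone. It shows that a cryptogram bound to a fresh challenge and to the transaction fields is rejected when replayed or when the payee is altered in transit, which a code that is not bound to the transaction cannot detect.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Stand-in for the credential held in the Key's chip;
# the product uses a certificate and private key, HMAC is a substitution here.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(tx: dict) -> bytes:
    """Serialize the transaction deterministically so both sides cover the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def token_cryptogram(key: bytes, challenge: bytes, tx: dict) -> str:
    """What the Key computes once the PIN has been validated on the chip."""
    return hmac.new(key, challenge + b"|" + canonical(tx), hashlib.sha256).hexdigest()


class BankServer:  # hypothetical name, for illustration only
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # challenges issued and not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, tx: dict, cryptogram: str) -> bool:
        # A challenge is accepted once only, whatever the outcome: no replay.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = token_cryptogram(self._key, challenge, tx)
        return hmac.compare_digest(expected, cryptogram)


def demo() -> dict:
    server = BankServer(TOKEN_KEY)
    tx = {"from": "ACC-001", "to": "ACC-002", "amount": "150.00"}  # constructed
    c1 = server.issue_challenge()
    sig = token_cryptogram(TOKEN_KEY, c1, tx)
    genuine = server.verify(c1, tx, sig)
    replayed = server.verify(c1, tx, sig)  # same challenge presented twice
    c2 = server.issue_challenge()
    sig2 = token_cryptogram(TOKEN_KEY, c2, tx)
    altered = server.verify(c2, dict(tx, to="ACC-999"), sig2)  # payee changed
    return {"genuine": genuine, "replayed": replayed, "altered": altered}
```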
BENEFIT FOR BANK’S CUSTOMERS
• Mobility: minor installation on the PC (just 2MB on the Key)
• Convenience: just a Key, just a PIN code
• Plug & Play, direct access to your account thanks to our Key, Tomikey-2003U
• No trace left on the PC
BENEFIT FOR BANK’S CUSTOMERS
Feedback from customers; they liked:
• Ease of use
• Dedicated browser: easy to use, with a feeling of security
• Protection against Phishing and MiTM
BENEFIT FOR BANKS
• Optimal security: resistant to Phishing, MiTM
• Enhance customer trust: attract new customers & retain existing customers
• Enhance branding: image of reliability and proximity with the customer
• Scalable for future options: digital vault storage
• Optimal cost per user
BENEFIT FOR BANKS
6 Basic bank functions are supported and available, like Check Balance, Account Statement, Fund Transfer and Bill Payment
7 Easy to extend with other functions like Online Saving, Lending Service, Card Service based on bank requirements
8 Implementation takes just 10 working days to integrate with the Bank ServiceBus
TIME TO ACCESS: SO CONVENIENT
Time of access is critical to increase:
• Traffic of internet banking services
• Customer satisfaction
Methods compared: Password, OTP token, Unconnected CAP reader, Connected CAP reader, SMS Text, Micro Banking
Number of user’s actions: 6 8 7 2
Average time: 45s 1mn 10s 40s 1mn 20s 20s
Micro Banking offers fast access thanks to:
• Real-time access
• Real-time alarm
WHY SHOULD YOU CHOOSE OURS?
• Requires just a little installation on the PC
• The best price compared to competition
• Developed by security experts
• Partners to provide servers or integration services
• Supported by Tomica that can be remotely personalized, managed
TRIAL PACK FOR BANK
1 TRIAL PACK
• 1 ePass2003
• 2 months access to a demo service based on https://tomicalab.com/microbanking/
• Supported by TOMICA™
2 PROOF OF CONCEPT
• 5 ePass2003
• Implemented the CAG360, Micro-Banking on bank facility (just takes 10 working days)
• Supported by TOMICA™
SYSTEM STRUCTURE
[Diagram components: Token Management System; Core Banking (ServiceBus); User Tool on the Key; Micro-Banking System; CAG360 Centralized Authentication Gateway]
DEMO MICRO-BANKING: where the security and convenience meet
PKI-Based Online Banking, supplied by TOMICALAB & maintained and operated by just Bank
QUESTION?
STILL IN PROGRESS
• Integrated on iOS, Android, Windows Phone with Tomikey-2003A & SIMCA
• Integrated fully on MACOSX and Linux
• Trend to micro-payment and eInvoicing together
CONTACT US
MINH THONG CARD SOLUTIONS CO., LTD
Address: 16/2 Ter Dinh Tien Hoang, Da Kao Ward, 1st District, Ho Chi Minh City
Website: www.tomicalab.com
Hotline: 19006884
Email: sales@tomicalab.com