MOBILE-FIRST OR MOBILE-ONLY, GETTING THE BALANCE RIGHT BETWEEN UX AND SECURITY REMAINS A CRITICAL CONSIDERATION

Er Chiang Kai

Chief Technology Officer

2018-07-23

1. Mobile Platform Risks

2. Virtual Secure Element and Solutions

3. Security Embedded Within User Experience

4. About V-Key

1. MOBILE PLATFORM RISKS

Banking Model of the Future

Mobile at the epicenter of customer experience

Bank Branch

Online

Mail / Messaging

Call Center

Open API

Past

Future

Source: Deloitte 2018 Banking Outlook report.

The impact of mobile cybercrime

Source: Kaspersky Labs 2017

Up to US$1.64 million per incident

SMS & banking trojan

Vulnerable app store

Hardware backdoor

Software backdoor

Spyware

Typical Mobile App

Mobile App

App Server

Keylogging

Man-in-the-middle attack

Stealing sensitive data

Overlay attack

2. VIRTUAL SECURE ELEMENT & SOLUTIONS

The global trust ecosystem is built on the smart card

… But there’s a LIMIT to how far and fast they can scale

BANKS

GOVERNMENT

TELCOS

MOBILE

HARDWARE SECURE ELEMENT

MICRO CONTROLLER

TAMPER PROTECTION FILM

VIRTUAL SECURE ELEMENT

TAMPER PROTECTION SYSTEM

CRYPTOGRAPHIC VIRTUAL MACHINE

V-OS

PATENTED

USA, Australia, Singapore

Pending: China, EU

Certifications and Global Standards

Proven resiliency in multiple global penetration tests

Regulatory Compliance

HOW IT’S USED

V-OS is embedded within an iOS or Android mobile app

SECURING CRITICAL DATA & PROCESSING

UNTRUSTED OS

UNTRUSTED APPS

SECURE APP

Root of Trust

Intrusion Prevention System (IPS)

Secure Digitized Use Cases

Mobile Identity

Smart Token (OTP/PKI)

Secure Messaging

Application Protection

Seamless Authentication

Document Signing

Electronic KYC

Mobile Biometrics

Trusted Storage

Trusted Cryptography

V-OS Virtual Secure Element

Mobile Identity APIs for iOS/Android apps

V-OS SMART TOKEN / V-OS MESSAGING

SMART TOKEN PUSH AUTH/AUTHORIZATION

Authenticated

Authenticating

SHADOW AUTH

V-OS eKYC - ONBOARDING 1/5

User performs eKYC to sign up for onboarding:

1. User downloads and logs in to MB app
2. User opens an account using biometric passport
3. User registers using biometric Face Scan
4. Account successfully opened

eKYC – Account Opening With Biometric Passport 2/5

eKYC – Account Opening With Biometric Passport 3/5

eKYC - User Validation With Facial Recognition 4/5

eKYC - Account Successfully Opened/ Onboarding 5/5

V-OS APP PROTECTION

Mobile App

App Server

Keylogging

Man-in-the-middle attack

Stealing sensitive data

Overlay attack

Secure GUI

SSL pinning

Multiplex App Data Security (MADS)

- device-bound data encryption

Overlay detection

Root/Jailbreak detection

Malware detection

App integrity protection

V-OS App Protection Server

Threat intelligence

3. SECURITY EMBEDDED WITHIN USER EXPERIENCE

Authenticated

Authenticating

Authentication

Costly Replacements

Dynamic

Scalable

Safer

Inconvenient | Convenient

Delayed detection of lost device | Immediate detection of lost device

Vulnerability => replace device | Vulnerability => over-the-air update

Risk of OTP stealing | End-to-end security

Cumbersome UX | Seamless UX

UX Options – Authentication

Hardware OTP Token | V-OS Smart Token

Display OTP in token, then enter in UI | Display OTP in app, then enter in UI

Invisible to user – just authenticate with server

Slow down UI, show “Authenticating”

Authenticate user with biometrics

User to enter Smart Token PIN

Secure push notification, then tap to allow

Scan dynamic QR code, then tap to allow

Use combinations of above, for different user journeys

V-OS Authentication

Replacing hardware tokens and SMS OTPs

V-OS MESSAGING

Authenticate with a single tap

Out-of-band authentication

PKI Technology

V-OS Authorization

PAPERLESS

SAVE TIME

NON-REPUDIATION

REDUCE COST

PAVE THE WAY FOR AUTOMATION

Mobile App Security

Device Binding

Encrypted Storage

Secure Messaging

App Protection

Jailbreak / Root Detection

Face Authentication

Voice Authentication

One-Time Password or PKI-based Transaction Signing

Eye Authentication

Fingerprint Authentication

Security embedded within UX

4. ABOUT V-KEY

Corporate overview

US $16M raised
Led by Ant Financial & IPV Capital

7+ years
Redefining mobile security

85+ cybersecurity experts
Based out of Singapore, Ho Chi Minh, Manila and growing!

Thank You

For any enquiries, please contact us at enquiries@v-key.com