AnyID
AnyID: Security Point of View
Narudom Roongsiriwong, CISSP
Who Am I
Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
Food Lover
– Steak, Yakiniku, BBQ
– Sushi (especially Otoro)
– All Kinds of Noodle (Spaghetti, Ramen, Kanomjean)
Head of IT Security, Kiatnakin Bank PLC (KKP)
Working Team for Adviser to the Finance Ministry's National e-Payment project
Disclaimer
This presentation primarily expresses the Ministry of Finance's requirements.
The final project may differ from this presentation.
The wording in this presentation is simplified for a non-financial audience.
Whenever you see a phrase like {this} between curly brackets, it is my opinion.
National E-Payment Initiative: 5 Strategic Projects
– Payment Infrastructure “AnyID”
– Expansion of Card Acceptance (via EDC)
– Electronic Taxation Document
– Government e-Payment
– Public Education and Awareness on Electronic Transactions
EDC: Electronic Data Capture
AnyID: Basic Transaction
Parties: Cust1 holds Acc1 at Bank 1; Cust2 holds Acc2 at Bank 2; the Payment Switch holds the Registry: ID2 → Bank2, Acc2 (TR: transfer)
Cust1 → Bank 1: TR to ID2
Bank 1 → Payment Switch: TR to ID2
Payment Switch looks up the Registry: ID2 → Bank2, Acc2
Payment Switch → Bank 2: TR to ID2, Acc2
Bank 2 → Acc2 (Cust2); optional interaction with Cust2
AnyID: Example P2P Payment
Same flow as the basic transaction, with a mobile number as the ID. Registry: Mobile#2 → Bank2, Acc2
Cust1 → Bank 1 → Payment Switch: TR to Mobile#2
Payment Switch → Bank 2: TR to Mobile#2, Acc2 (Cust2)
With mobile-number P2P payments, retail purchases such as food at food stalls or taxi fares all become possible.
AnyID: Example E-Wallet Refill
Parties: Cust1 holds Acc1 at Bank 1; Issuer 2 holds Acc2 at Bank 2 and operates eWallet#2 for Cust2. Registry: eWallet#2 → Bank2, Issuer2
Cust1 → Bank 1 → Payment Switch: TR to eWallet#2
Payment Switch → Bank 2: TR to eWallet#2, Acc2
Bank 2 → Issuer 2 → eWallet#2 (Cust2)
Refills of e-money wallets using e-Wallet IDs can be handled easily and in the same way.
AnyID: Other Features
– Transfer with e-Withholding Tax & VAT Information
– Interbank Bill Payment with Amount Inquiry
– Interbank Bill Payment with e-Withholding Tax & VAT & Receipt
– Request to Pay
– Request to Pay with One-Time Authorization Code (OTA)
AnyID: Request to Pay
Parties as in the basic transaction; Registry: ID2 → Bank2, Acc2 (RTP: request to pay)
Cust1 → Bank 1 → Payment Switch: RTP to ID2
Payment Switch → Bank 2: RTP to ID2, Acc2 (presented to Cust2)
Bank 2 → Payment Switch: TR to Acc1
Payment Switch → Bank 1: TR to Acc1
Depending on Bank 1's innovation in channels, Bank 1 may interact with Cust1.
AnyID: Request to Pay, Implementation Example
Same flow, where Cust1 is a Merchant e-Commerce Website; Registry: ID2 → Bank2, Acc2
Merchant e-Commerce Website (Cust1) → Bank 1 → Payment Switch: RTP to ID2
Payment Switch → Bank 2: RTP to ID2, Acc2 (presented to Cust2)
Bank 2 → Payment Switch: TR to Acc1
Payment Switch → Bank 1: TR to Acc1
AnyID: Portability
Cust2 moves from Acc2 at Bank 2 to Acc3 at Bank 3; the Registry entry changes from ID2 → Bank2, Acc2 to ID2 → Bank3, Acc3
Cust1 → Bank 1 → Payment Switch: TR to ID2
Before the change: Payment Switch → Bank 2: TR to ID2, Acc2 (optional interaction with Cust2)
After the change: Payment Switch → Bank 3: TR to ID2, Acc3
Cust1 does not have to keep track of the changes in account numbers of Cust2.
Which ID Can Be Used?
– Bank+Account (for compatibility)
– National ID (13-Digit Citizen ID & Tax Payer ID)
– Mobile Number
– E-Wallet ID (Phase 3)
– E-Mail (still under consideration)
AnyID Registration
National ID:
– Banks will validate the registration/deregistration through the KYC (Know Your Customer) process
Mobile Number:
– Phase 1: Banks must validate possession of the number by their own processes
– Next phase: NBTC & Telcos will help with on-line validation and send a daily revocation list via ITMX
E-Wallet ID (Phase 3):
– Registered by E-Wallet issuers via their banks
Portability:
– The customer must deregister the existing bank account before registering a new bank account.
Security Design & Implementation
Security vs. Usability
(Figure: Security weighed against Usability)
IT Security Architecture: ITMX Implementation
– Only member banks can send/receive data with ITMX.
– Member banks connect to ITMX through the existing Extranet (via MPLS).
– Member banks access the ITMX Extranet DMZ zone only.
– ITMX separates zones: DMZ zone, Application zone, Database zone and other critical zones. All zones are protected by firewall and IPS.
– In the ITMX data center, all devices are protected according to PCI DSS standard requirements (physical security, network access control, data security, VA, patching, logging and monitoring, BCP).
– All processes for accessing servers comply with the ISO 27001 standard and BOT best practice.
– Important data will be encrypted in transit and at rest.
Network Security & Cryptography: ITMX Implementation
– Single Registration: REST/HTTP over TLS 1.2 with message signing (PKCS#7 & SHA-1)
– Bulk Registration: SFTP with hardware token
– Financial Transaction: ISO 8583 over TLS 1.2
  – PIN block encryption using 3DES or DES
  – The message in the PIN block could be an OTA (One-Time Authorization Code), an AnyID or a destination account; the type of message is defined in field 48.13
  – {Even though the DES algorithm is easily breakable, the data are not significant and travel inside a TLS 1.2 tunnel}
– All keys and certificates are kept on an HSM
Registration Security & Privacy: ITMX Implementation
– ID Validation
  – National ID: use the existing KYC process
  – Mobile Number: Phase 1: validated by banks' own processes; Next: validated with NBTC & Telcos via ITMX
– Only the registered ID and bank account are kept at ITMX, no other information
– Banks can register a dummy account to ITMX
– The destination bank will send the name of the account mapped to the ID, per request, for verification
Error Prevention
– Transfer to an unregistered ID
  – MOF requires banks to implement a dangling account
  – In the ITMX specification, the sender bank must reject (as of April 26, 2016)
  – {A dangling account is good for National ID and accelerates adoption of Mobile Number}
– Transfer to a wrong ID
  – {Sender banks should send the destination account name to their customers for verification}
Dangling Account
The payee (receiving customer) is not required to have a bank account. Linking an AnyID to a bank account can happen after the transaction is sent.
Registry: ID2 → ?????? (ID2 is not yet registered)
Cust1 → Bank 1 → Payment Switch: TR to ID2
“Please dangling”: the transfer to the unregistered ID2 is held
Cust1 → Cust2: “I send money to your ID2”
Cust2 → Bank 2: “Please register ID2 to Acc2”
Bank 2 → Payment Switch: Add registry ID2 → Acc2
Dangling Account (continued)
The payee (receiving customer) is not required to have a bank account. Linking an AnyID to a bank account can happen after the transaction is sent.
Cust1 → Bank 1 → Payment Switch: TR to ID2 (“Please dangling”, the transfer is held)
Cust1 → Cust2: “I send money to your ID2”
Cust2 → Bank 2: “Please register ID2 to Acc2”
Bank 2 → Payment Switch: Add registry ID2 → Acc2; Registry now: ID2 → Bank2, Acc2
“Please resolve dangling of ID2”: the held transfer is resent (Resend TR to ID2)
Payment Switch → Bank 2: TR to ID2, Acc2
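A small Python model, added here and not part of the deck or of ITMX's software, that ties together the rules from the Registration, Error Prevention and Dangling Account slides: the switch keeps only ID → (bank, account), an ID must be deregistered before it is bound to a new account (portability), the destination account name is returned on request for verification, and a transfer to an unregistered ID is either rejected (ITMX specification) or held and resent once the ID is registered (MOF dangling account). The PaymentSwitch class, the BANK_NAMES table and all amounts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample of account-holder names. Per the deck, only ID -> (bank, account)
# is kept at the switch; names stay at the banks and are returned on request.
BANK_NAMES = {("Bank2", "Acc2"): "Cust2", ("Bank3", "Acc3"): "Cust2"}


@dataclass
class PaymentSwitch:
    dangling_allowed: bool = True                   # True: MOF dangling account; False: ITMX spec, reject
    registry: dict = field(default_factory=dict)    # AnyID -> (bank, account)
    dangling: dict = field(default_factory=dict)    # AnyID -> amounts held until registration

    def register(self, any_id, bank, account):
        # Portability rule: the existing binding must be deregistered first.
        if any_id in self.registry:
            raise ValueError(f"{any_id} is already registered; deregister it first")
        self.registry[any_id] = (bank, account)
        # "Please resolve dangling of ID2": resend every transfer held for this ID.
        return [self.transfer(any_id, amount) for amount in self.dangling.pop(any_id, [])]

    def deregister(self, any_id):
        del self.registry[any_id]

    def name_inquiry(self, any_id):
        # The sender bank shows this name to the payer before sending (wrong-ID prevention).
        return BANK_NAMES.get(self.registry.get(any_id))

    def transfer(self, any_id, amount):
        if any_id in self.registry:
            bank, account = self.registry[any_id]
            return ("routed", bank, account, amount)     # "TR to ID2, Acc2"
        if not self.dangling_allowed:
            return ("rejected", any_id, amount)          # sender bank must reject
        self.dangling.setdefault(any_id, []).append(amount)
        return ("dangling", any_id, amount)              # "Please dangling"


def demo():
    sw = PaymentSwitch()
    held = sw.transfer("ID2", 100)                  # ID2 unregistered: transfer is held
    done = sw.register("ID2", "Bank2", "Acc2")      # Cust2 registers; held transfer resent
    sw.deregister("ID2")                            # portability: Cust2 moves to Bank 3
    moved = sw.register("ID2", "Bank3", "Acc3")
    return held, done, moved, sw.transfer("ID2", 50), sw.name_inquiry("ID2")
```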
About Fraud
AnyID does not intend to reduce existing electronic fund transfer fraud, but some flows will reduce fraud by design.
– Example: the Request to Pay flow.
New innovation always introduces new fraud.