Building a Fool Proof Security Strategy for PSD2 Compliance
Pushpalanka Jayawardhana, Financial Solutions - WSO2
Line Up
• PSD2
• PSD2 RTS on SCA and Secured Communication
• Compliance Requirements
  – API Security
    • Specifications to meet recommendations, e.g. Open Banking (UK) specification / Berlin Group / STET / FAPI
      - OIDC Hybrid Flow
      - Private Key JWT authentication
  – Strong Customer Authentication
  – Consent Management
  – Fraud Detection
• Implicit Requirements
  – Conditional Authentication
  – Adaptive Authentication
  – Fine Grained Authorization
PSD2
Mandates banks to securely expose customer account and payment data, with customer consent, to regulated third parties, via APIs.
With the objective of:
● Providing a frictionless user experience
● Making electronic payments more secure
● Establishing a platform for effective and integrated payment services
● Providing the openness required for innovation in the domain, with enhanced competition
PSD2 RTS on SCA and Secured Communication
● Two factor authentication: strong authentication is required with at least two factors from below,
  i. Knowledge factors (username and password, PIN)
  ii. Possession factors (mobile, security device, token generator)
  iii. Inherence factors (fingerprint, voice, iris pattern)
● Open secured APIs for payment initiation and account information
● Access delegation with explicit user consent
● Secured communication
● Fraud detection and audit logs
More Requirements
● Conditional Authentication
● Adaptive Authentication
● Fine grained authorization
● Federated Authentication
● Continued security procedures
Strong Customer Authentication (SCA)
● Correctly identifying and authenticating the end user is a necessity.
● More secure than just having basic authentication.
● WSO2 Open Banking Solution provides,
○ Multi Factor Authentication (MFA ) support with SMS/OTP, FIDO, DUO, MePin etc.
■ WSO2 connector store - https://store.wso2.com/store/assets/isconnector/list
○ Extensible to support any other mechanism preferred by banks to authenticate users.
The three factor categories, with examples:
Knowledge: Password, PIN, ID number
Ownership: Mobile device, token or smart card
Inherence: Fingerprint, face or voice recognition
API Security
● Exposing confidential internal data to external parties
● Inbuilt OAuth2 security layer provided by IAM capabilities ensures secure API invocations through WSO2 Open Banking Solution.
● Supports common grant types such as Client Credentials, Authorization Code, Password, Implicit, SAML Bearer, JWT assertion bearer and Integrated Windows Authentication (IWA), allowing APIs to be used by different types of applications.
● Applicable entitlement management and enforcement layer
Our recent webinar on API Management: https://wso2.com/library/webinars/2017/11/getting-your-api-management-strategy-on-point-for-psd2-compliance/
Standards
JSON, REST, OAuth, OpenID Connect
Sources - ODI OBWG: Open Banking Standard 2016 & © 2016 Nomura Research Institute, https://www.slideshare.net/nat_sakimura/financial-grade-oauth-openid-connect
Specifics for OIDC
• OIDC Hybrid flow
• Request object
• s_hash
• private_key_jwt client authentication
➢ Fewer round trips than authorization_code
➢ Avoids several mix-up attacks, e.g. IdP mix-up
➢ Protection from ‘state’ parameter injection
➢ Strengthens source authentication
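The binding checks a relying party performs on a hybrid-flow response, as an added example (not WSO2 code): it recomputes c_hash and s_hash from the returned code and state and compares them with the claims of the signed ID token, which is what defeats state injection and IdP mix-up. The issuer, client id, code and state values in the demo are constructed.

```python
import base64
import hashlib

# Hash function implied by the ID token's JWS "alg" header (OIDC Core 3.3.2.11).
_ALG_TO_HASH = {"RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
                "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
                "RS512": "sha512", "PS512": "sha512", "ES512": "sha512"}


def left_half_hash(value: str, alg: str) -> str:
    """c_hash / s_hash style binding value: hash the ASCII octets of `value`
    with the digest matching `alg`, keep the left-most half, base64url-encode
    without padding."""
    digest = hashlib.new(_ALG_TO_HASH[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hybrid_response(claims: dict, alg: str, code: str, state: str,
                           expected_issuer: str, client_id: str) -> list:
    """Return the list of failed checks (empty means the response is bound).

    `claims` are the payload of a front-channel ID token whose signature has
    ALREADY been verified against the keys of the IdP we sent the user to.
    Each check ties one response parameter to that signed token."""
    failures = []
    if claims.get("iss") != expected_issuer:          # wrong IdP answered
        failures.append("iss mismatch (possible IdP mix-up)")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failures.append("aud does not contain our client_id")
    if claims.get("c_hash") != left_half_hash(code, alg):  # code swapped
        failures.append("c_hash mismatch: code not bound to this ID token")
    if "s_hash" not in claims:                        # FAPI requires it
        failures.append("s_hash missing: state unprotected")
    elif claims["s_hash"] != left_half_hash(state, alg):  # state injected
        failures.append("s_hash mismatch: state injected or swapped")
    return failures


def demo() -> list:
    """Constructed happy-path response: every value here is made up."""
    alg, code, state = "PS256", "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj"
    claims = {"iss": "https://bank.example/oidc", "aud": "tpp-client",
              "c_hash": left_half_hash(code, alg),
              "s_hash": left_half_hash(state, alg)}
    return verify_hybrid_response(claims, alg, code, state,
                                  "https://bank.example/oidc", "tpp-client")
```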
Consent Management
● Comprehensive support to manage user consent
○ For payment transactions or account information aggregations
○ Revoking consents
○ Operations by customer care officers
● GDPR Implications (May 2018)
Is the system breach proof?
Data breach frequency: 998 incidents, 471 with confirmed data disclosure
Top 3 patterns: Denial of Service, Web Application Attacks and Payment Card Skimming represent 88% of all security incidents within Financial Services
Threat actors: 94% external, 6% internal, <1% partner (all incidents)
Actor motives: 96% financial, 1% espionage (all incidents)
Data compromised: 71% credentials, 12% payment, 9% personal
- DoS attacks were the most common incident type.
Summary: Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations.
Source: Verizon 2017 Data Breach Investigations Report - 10th Edition
Fraud Detection
• Allows organizations to
  – Detect known anomalies via contextually evolving rules
  – Detect unknown anomalies via machine learning
  – Detect anomalous event sequences via Markov modelling
  – Reduce false positives via fraud scoring
  – Further investigate and identify complex relationships using interactive analytics
(Chart: transactions plotted by quantity and value, with an anomaly highlighted)
Adaptive Authentication
● Adaptive authentication allows the solution to adjust the authentication strength.
● This is based on the feedback from the analytics engine.
● Makes the authentication stronger or relaxes it based on the context at hand.
● Provides better user experience, enforcing strong authentication only when it’s necessary.
Example flow:
– Transaction amount > 10000 EUR: Basic Authentication, then SMS OTP Authentication, then Authenticated
– Transaction amount < 10000 EUR: Basic Authentication, then Authenticated
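The step-up rule from the flow above, written out as an added example rather than WSO2 configuration: the 10000 EUR threshold is the slide's; the risk-score input from the analytics engine, its 0.7 threshold, and the fail-closed handling of an unknown currency or missing analytics feedback are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STEP_UP_AMOUNT_EUR = 10000   # threshold from the slide
RISK_STEP_UP = 0.7           # assumed threshold on analytics risk score [0, 1]


@dataclass(frozen=True)
class LoginContext:
    amount: Optional[float]      # transaction amount, None for a plain login
    currency: Optional[str]      # ISO 4217 code, e.g. "EUR"
    risk_score: Optional[float]  # analytics engine feedback, None if unavailable


def required_steps(ctx: LoginContext) -> Tuple[List[str], List[str]]:
    """Decide the ordered authenticator steps for this login.

    Step 1 is always basic authentication (knowledge factor). SMS OTP
    (possession factor) is added when the transaction is high value or the
    analytics engine flags risk. Anything the policy cannot evaluate, an
    amount in a currency it cannot compare or no analytics feedback at all,
    takes the stronger path instead of silently relaxing authentication.
    Returns (steps, reasons) so the decision can be logged and audited.
    """
    steps = ["basic"]
    reasons = []
    if ctx.amount is not None:
        if ctx.currency != "EUR":
            reasons.append("amount in a currency the policy cannot compare")
        elif ctx.amount >= STEP_UP_AMOUNT_EUR:   # boundary treated as high value
            reasons.append("amount >= 10000 EUR")
    if ctx.risk_score is None:
        reasons.append("no analytics feedback available")
    elif ctx.risk_score >= RISK_STEP_UP:
        reasons.append("analytics risk score high")
    if reasons:
        steps.append("sms_otp")
    return steps, reasons


if __name__ == "__main__":
    # Constructed contexts: a low-value EUR payment and a high-value one.
    for ctx in (LoginContext(500, "EUR", 0.1), LoginContext(25000, "EUR", 0.1)):
        print(ctx, "->", required_steps(ctx))
```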
Fine Grained Authorization
● In the authentication flow
○ WSO2 IS can support fine grained authorization with XACML 2.0/3.0
○ User authentication decision can be affected by other factors
■ Eg. In a specific time interval, users cannot login
● In the API calls
○ WSO2 AM can intercept the flows to apply fine grained authorization
○ Consume authorization decisions from IS, acting as a PEP
■ Eg. API response can be further customized according to user attributes.
● If the user belongs to the ‘Platinum’ tier, let them take online loans below an amount x.
Continued Assurance Process
• Proactive strategy (Continuous Integration)
  – WSO2 Security Guidelines based on OWASP
  – Commercial static code and dynamic security scan tools
  – Third party dependency scans
• Reactive strategy
  – Any vulnerabilities reported are addressed with the highest priority
  – Issue fixes to customers before public disclosure
Resources:
https://wso2.com/technical-reports/wso2-secure-engineering-guidelines
https://wso2.com/security
Creates an “Open Banking” platform to be PSD2 compliant and, as a result, become a Digitally Transformed Bank.
(Architecture diagram, labels only: Customer; TPP (AISP/PISP); FinTech; Merchants; Other Banks; WSO2 Open Banking with API Specification and API Definitions; Bank Internal Network with Core Banking and Internal Payment Services; protocols HTTPS, HTTP and ISO 8583 (TCP/IP).)
WSO2 Open Banking
● API Specification
● API Security + SCA
● API Analytics
● API Monetization
PSD2 Compliance
● API Integration
● Fraud Detection
● API Analytics
● Dashboards
TPP Provider
● Web/Mobile App Suite
● Insight Sales
● Required Integration
Digital Transformation
Resources More Information http://wso2.com/solutions/financial/open-banking/
Try out WSO2 Open Banking https://openbanking.wso2.com
On Demand Webinars
https://wso2.com/library/webinars/2017/11/getting-your-api-management-strategy-on-point-for-psd
2-compliance/
http://wso2.com/library/webinars/2017/08/wso2-open-banking-digital-transformation-through-psd2/
Open Banking White Paper
http://wso2.com/whitepapers/digital-transformation-through-psd2-and-open-banking/