AnyID: Security Point of View
9 likes2,848 views
The document outlines the National E-Payment Initiative in Thailand, detailing five strategic projects aimed at improving electronic payment infrastructure, including card acceptance and public education on electronic transactions. It discusses various features such as peer-to-peer payments, e-wallet refills, and security measures in transaction systems, emphasizing usability alongside security. The initiative focuses on the implementation of sophisticated architecture for data protection and fraud prevention within the banking sector.
AnyID: Security Point of View
- 1. AnyID AnyID : Security Point of View Narudom Roongsiriwong, CISSPNarudom Roongsiriwong, CISSP
- 2. AnyID WhoAmIWhoAmI Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com Food Lover – Steak, Yakiniku, BBQ – Sushi (especially Otoro) – All Kinds of Noodle (Spaghetti, Ramen, Kanomjean) Head of IT Security, Kiatnakin Bank PLC (KKP) Working Team for Adviser to the Finance Ministry's National e-Payment project
- 3. AnyID DisclaimerDisclaimer This presentation primarily expresses from Ministry of Finance requirement. Final project may be different from this presentation. Words in this presentation are simplified for non- financial audience. Whenever you see a phrase like {this} between curly bracket, it means my opinion.
- 4. AnyID National E-Payment InitiativeNational E-Payment Initiative 5 Strategic Projects5 Strategic Projects Payment Infrastructure “AnyID” Expansion of Card Acceptance (via EDC) Electronics Taxation Document Government e-Payment Public Education and Awareness on Electronics Transactions EDC: Electronics Data Capture
- 5. AnyID AnyID: Basic TransactionAnyID: Basic Transaction Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: ID2 → Bank2, Acc2 TR to ID2 TR to ID2, Acc2 Cust2 Optional Interaction
- 6. AnyID AnyID: Example P2P PaymentAnyID: Example P2P Payment Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: Mobile#2 → Bank2, Acc2 TR to Mobile#2 TR to Mobile#2, Acc2 Cust2 With Mobile P2P payments for retail buying food at food stalls, or for taxi fares, are all possible.
- 7. AnyID AnyID: Example E-Wallet RefillAnyID: Example E-Wallet Refill Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Issuer2 Cust1 Registry: eWallet#2 → Bank2, Issuer2 TR to eWallet#2 TR to eWallet#2, Acc2 Cust2 Refills of e-money wallets using e-Wallet IDs can be handled easily and similarly Issuer 2 eWallet#2 Cust2
- 8. AnyID AnyID: Other FeaturesAnyID: Other Features Transfer with e-Witholding Tax & VAT Information Interbank Bill Payment with Amount Inquiry Interbank Bill Payment with e-Witholding Tax & VAT & Receipt Request to Pay Request to Pay with One-Time Authorization Code (OTA)
- 9. AnyID AnyID: Request to PayAnyID: Request to Pay Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: ID2 → Bank2, Acc2 RTP to ID2 RTP to ID2, Acc2 Cust2 TR to Acc1 TR to Acc1 Depending on Bank1’s innovation in channels, Banks1 may interact with Cust1
- 10. AnyID AnyID: Request to PayAnyID: Request to Pay Implementation ExampleImplementation Example Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: ID2 → Bank2, Acc2 RTP to ID2 RTP to ID2, Acc2 Cust2 TR to Acc1 TR to Acc1 Merchant e-Commerce Website
- 11. AnyID AnyID: PortabilityAnyID: Portability Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: ID2 → Bank2, Acc2 ID2 → Bank3, Acc3 TR to ID2 TR to ID2, Acc2 Cust2 Optional Interaction Bank 3 Acc3 Cust2 TR to ID2, Acc3 Cust1 does not have to keep track of the changes in account numbers of Cust2.
- 12. AnyID Which ID Can be Used?Which ID Can be Used? Bank+Account (for compatibility) National ID (13-Digit Citizen ID & Tax Payer ID) Mobile Number E-Wallet ID (Phase 3) E-Mail (Still be in consideration)
- 13. AnyID AnyID RegistrationAnyID Registration National ID: – Banks will validate the registration/deregistration through KYC (Know Your Customer) process Mobile Number: – Phase 1, Banks must validate number possession by their own processes – The next phase, NBTC & Telcos will help on-line validation and daily sending revocation list via ITMX E-Wallet ID (Phase 3): – Registered by E-Wallet issuers via their banks. Portability: – Customer must deregister the existing bank account before register to a new bank account.
- 14. AnyID Security Design & Implementation
- 15. AnyID Security vs. UsabilitySecurity vs. Usability Security Usability
- 16. AnyID IT Security ArchitectureIT Security Architecture ITMX ImplementationITMX Implementation Only Member Bank can sent/receive data with ITMX. Member bank connect to ITMX with existing Extranet (via MPLS) Member bank access to ITMX Extranet DMZ Zone only. ITMX separate Zone for DMZ Zone, Application Zone , Database Zone and other critical zone. All Zone are protected by Firewall and IPS. ITMX data center , all devices are protected as PCI/DSS standard requirement (Physical Security, Network access control, Data security, VA, patching, Logging and Monitoring, BCP). All process to access to server complied with ISO27001 standard and BOT best practice. Important data will be encrypted in transit and store.
- 17. AnyID Network Security & CryptographyNetwork Security & Cryptography ITMX ImplementationITMX Implementation Single Registration: REST/HTTP TLS 1.2 with Message Signing (PKCS#7 & SHA-1) Bulk Registration: SFTP with Hardware Token Financial Transaction: Protocol ISO8583 over TLS 1.2 – PIN Block encryption using 3DES or DES – Message in PIN Block could be OTA (One-Time Authorization Code), Any ID or Destination Account, type of message defined in field 48.13 – {Even DES algorithm is easily breakable, but data are not significant and in TLS 1.2 tunnel} All keys and certificates kept on HSM
- 18. AnyID Registration Security & PrivacyRegistration Security & Privacy ITMX ImplementationITMX Implementation ID Validation – National ID: Use existing KYC process – Mobile Number: ● Phase 1: Validate by banks' processes ● Next: Validate with NBTC & Telcos via ITMX Only registered ID and bank account will be kept at ITMX, no other information Banks can use a dummy account register to ITMX Destination bank will send the name of the account that mapped to ID per request for verification
- 19. AnyID Error PreventionError Prevention Transfer to unregistered ID – MOF require banks to implement dangling account – In ITMX specification, sender bank must reject (As of April 26, 2016) – {Dangling account is good for National ID and accelerate adoption of Mobile Number} Transfer to wrong ID – {Sender banks should send destination account name to their customers for verification}
- 20. AnyID Dangling AccountDangling Account Payee (receiving customer) is not required to have a bank account. Linking AnyID to a bank account can be after transaction sent. Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: ID2 → ?????? TR to ID2 Cust2 Please dangling Please register ID2 to Acc2 I send money to your ID2 Add registry ID2 → Acc2
- 21. AnyID Dangling AccountDangling Account Payee (receiving customer) is not required to have a bank account. Linking AnyID to a bank account can be after transaction sent. Payment Switch Bank 1 Acc1 Cust1 Bank 2 Acc2 Cust2 Cust1 Registry: ID2 → Bank2, Acc2 TR to ID2 Cust2 Please dangling Please register ID2 to Acc2 Add registry ID2 → Acc2 Please resolve dangling of ID2 Resend TR to ID2 TR to ID2. Acc2 I send money to your ID2
- 22. AnyID About FraudAbout Fraud AnyID does not intend to reduce the existing electronics fund transfer frauds but some flows will reduce frauds by design. – Example: Request to pay flow. New innovation always introduces new frauds.
- 23. AnyID