Leveraging on EMV cards for One-Time-Password authentication Istvan Botos Business Development Manager CEE Network Identity Solutions 19th September 2006

Agenda Online banking market overview Authentication Solutions based on EMV Smart Card Banking Card (CAP Authentication) Use Case Advantages of use EMV Smart Card for Authentication Introduction of GemAuthenticateTM 19th,September 2006

Online Banking Market Overview 19th,September 2006

e-Banking Definition Strong user authentication required Financial Services delivered through Internet and others remote channels Online Banking, Phone Banking / IVR, Mobile Banking e-commerce Scope Retail Banking (B2C) Corporate Banking (B2B) Strong user authentication required 19th,September 2006

A Phenomenal Growth (European Market) Top countries : UK, Germany, Netherlands and Nordic Countries Strong uptake in Southern Countries : France, Italy, Spain, Greece and Turkey 60 million of European currently bank on-line (20% of European population)* * Source: Forrester Research (2003) 19th,September 2006

Online Banking – A mass adoption Top UK Online Banks (Mill.) HBOS : 2 Lloyds TSB : 3,1 RBS : 4 Barclays : 4,5 HSBC : 2,2 Source : Journal du Net Online banking (France) C.Agricole : 2,2 S.Générale : 1,1 BNP : 1,1 BFBP : 0,9 Crédit Lyonnais : 0,8 Source : Benchmark Group 19th,September 2006

Market Drivers Operational Cost Savings (transactions) On-line banking transactions cost is 0.03$ versus ($0.50) for ATM or (1.30 $) for branches * Password Management Costs Savings Forgotten pwd, pwd reset … 10% of customer / month (source HBOS) Customer Acquisition Attract the increasing number of Internet Users Active People (who on-line banking equals gain of time) Customer Retention A rich on-line banking offer improves the stickiness of the bank Decrease Fraud business impacts Brand image Drop in Consumer confidence Costs Barrier to online banking services growth Regulations / Recommendations Standardization Chip Authentication Program (CAP) OATH 3D Secure deployment (e-commerce) *source InfoAmericas 2001 19th,September 2006

The challenge - Balancing Convenience, Security & Costs - Solution should take into account Consumer Market specificities Simple to use Portable – can be used @work, @home, @cyber café Variety of customer profiles (young's, business man, …) Security level should be adapted according to the associated risks Account Consultation vs. Fund Transfers Transfer Amounts, Transfer Destination (internal, external, abroad) Minimized Total Cost of Ownership Acceptable deployment effort Reusable over others banking channels Solution should fit in a long term strategy 19th,September 2006

Authentication Solutions based on EMV Smart Card 19th,September 2006

Powerful Concept Leveraging the EMV Cards for OTP authentication Principle: Use of the EMV Smart Card functionalities to authenticate cardholder The customer uses his own Banking Cards to Log-in to the online banking Perform Transactions such as fund transfer or e-commerce Based on field proven One-Time-Password 2 Factor Authentication Customer needs his Banking Card & his PIN code Something I own (Smart Card) and Something I know (PIN) 19th,September 2006

Main advantages High Security Level Reduced cost of ownership Use Generic Smart Card Reader (no cardholder data) Authentication data are stored in the Smart Card Requires no heavy & expensive PKI infrastructure (certificates, PK application on smart card, etc.) Leverage EMV investment Make use of the EMV application, already available in ROM Works on all range EMV Smart Card Open Solution with Emerging Standard Can be used to secure online payment as well as online banking A growing number of financial institutions are looking for EMV based authentication solutions 19th,September 2006

Banking Card (CAP Authentication) Use Case 19th,September 2006

OTP Log-in User asks for an OTP by pressing « code » 1683777 xxxx PIN ? User asks for an OTP by pressing « code » PIN code is checked locally by the Smart Card The OTP is generated by the card & entered manually by the user no more “static” password 13 19th,September 2006

Transactions Signature Cardholder is requested to confirm his/her funds transfer Cardholder enters his banking EMV Smart Card in the Reader Cardholder press”Sign” on the reader keypad Cardholder enters transaction parameters Challenge, Amount, … Cardholder enters PIN code The EMV Smart Card generates a dynamic, non reusable and unique transaction signature Signature is displayed by the reader Signature provided manually to the application Signature is verified by OTP is verified by GemAuthenticateTM platform 19th,September 2006

Secure Transactions Transaction parameters Transaction Signature xxxx 3035107 PIN ? 32500 239 Transaction Signature Parameters are defined by the banks Can be : a challenge, the transaction amount, destination account, etc …. Man-in-the-middle attacks – use transaction parameters with the destination account 19th,September 2006

Advantages of use EMV Smart Card for Authentication 19th,September 2006

Standard and Endorsed Solution Available for both MasterCard & Visa cards Based on MasterCard Chip Authentication Program (CAP) Specifications finalized in 2004 Endorsed by an increasing number of bank associations GIE Cartes Bancaires APACS (UK) Interpay (The Netherlands) … Allow interoperability Cards & readers from different vendors can be mixed 19th,September 2006

Key Advantages No impact on the customer culture – so high adoption rate As easy as getting cash or make payment at Point of Sales No more password to remember Work whenever and wherever needed Reader extremely simple to use Life time ~5 years (+ replaceable batteries) Minimal deployment effort Deployment process already in place Reuse of Card lost/stolen process Authentication data Loaded during banking card manufacturing Could be done for the entire portfolio 19th,September 2006

Introduction of GemAuthenticateTM 19th,September 2006

GemAuthenticate Overview Strong Authentication Solution for Banks Online Banking Phone Banking IVR Strong User Authentication Solution Online Payment (3D Secure) Any E-services A multi-devices and standard user authentication solution for retail & corporate banking 22 19th,September 2006

Support of large choice of tokens Fitting to your business requirements 19th,September 2006

Gemalto, Your Best Partner Flexible & Standard Solution Provider Multiple authentication methods – allow customer segmentation & smooth migration towards higher security scheme Broad Form Factors Compliancy with market standards (CAP, OATH, PKI) Supply chain Readers/Tokens mass personalization & fulfillment Customization capabilities 19th,September 2006

Thank You ! 19th,September 2006