Published by Phebe Atkins. Modified over 9 years ago.
1
T215B Communication and information technologies (II)
Session 9
Block 4: Protecting and prying
Arab Open University
2
Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
3
1. Introduction [1/2]
In this part, ‘Banking on ICTs’, the focus is on money and on some of the ICT systems that support financial transactions.
- The motivation to pry, prey and protect is rarely greater than where money is involved.
The ICT systems have:
- made many aspects of financial management easier for many honest people
  - National and international electronic money transfer transactions
  - Money in plastic: Credit cards
- BUT they have also provided new opportunities for criminals and fraudsters to carry out their activities!
  - Criminals can operate anonymously and remotely!
4
1. Introduction [2/2]
When we do things like interacting with banks, buying goods online, paying bills to suppliers and so on, we need to feel confident about several aspects:
- Who are we dealing with?
- What information are we providing to organisations?
- How will this be used and protected from misuse?
- If we are doing these things remotely: how secure are the arrangements, particularly the communication channel that we are using?
5
2. As safe as a bank [1/7]
What measures should a bank take to protect the security of the user and their information?
- Security standards are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- ISO/IEC 27000 is a family of standards that specifies how organisations should achieve the required standards of information security using Information Security Management Systems.
- ISO/IEC 27000 provides an overview and introduction to this developing series of standards.
6
2. As safe as a bank [2/7]
In an organisation such as a bank:
- Sensitive personal data or other account-related data should not be stored unencrypted.
- Access to such information and the related systems and processes should be carefully monitored and controlled.
- Secure logging of activity should record by whom, how and when information is accessed and used.
  - Creating audit trails for subsequent inspection, with the audit records themselves being securely encrypted.
7
2. As safe as a bank [3/7]
BUT, multiple legacy systems within an organisation can work against employee accountability.
- An individual employee is likely to need to log in to each system with a different password.
- Staff may be tempted to resort to the convenience of sharing common passwords or to writing them down.
- Doing either results in a loss of individual employee accountability and compromised security.
Therefore, there are best-practice frameworks for IT governance and infrastructure in organisations:
- Information Technology Infrastructure Library (ITIL)
- Service-oriented architecture (SOA) → T215A!
  - SOA provides a means for integrating services and enabling single sign-on (SSO) to avoid the potential problems of multiple password legacy systems.
8
2. As safe as a bank [4/7]
In an organisation such as a bank:
- Computer systems need to be protected from malicious software, messages or other intrusive devices used by hackers.
  - A major defence is an effective firewall and an associated security policy.
  - Additional systems are necessary to monitor and control what happens behind the firewall as well.
- Why? Because security can also be compromised from within the organisation by, for example, contractors or disgruntled employees.
9
2. As safe as a bank [5/7]
In an organisation such as a bank:
- Intrusion detection systems are commonly used.
  - They continually monitor activities to identify those that are suspicious and which could indicate the start of an attack.
  - They can detect potential threats arising from the actions of ‘trusted’ insiders as well as external hackers.
  - They use detailed knowledge about the systems and networks being protected, such as the security policy in force (who or what is allowed to access data or modify software) and any known system vulnerabilities that could be exploited.
  - They compare current use with normal patterns of service usage so that suspicious activity can be flagged.
  - Suspicious activity may lead to temporarily restricting access to, or disabling, the systems or functions that could be under threat.
10
2. As safe as a bank [6/7]
In an organisation such as a bank:
- Data leakage protection is another approach that is being developed.
  - Data is categorized within files in a way that is appropriate to the data’s sensitivity.
  - Attempts to access, move, modify or store sensitive data can be monitored and controlled in real time.
- Contingency measures are implemented.
  - Contingency measures protect against serious disruption to their systems.
  - Example: Guard against the destruction by fire of an organisation’s server site or other premises.
  - Replicate and store data at multiple sites so that vulnerable data is not stored in one location only.
  - This should be done securely and stored and encrypted appropriately.
11
2. As safe as a bank [7/7]
Are these security measures infallible? Well, no!
- Systems and networks are never entirely reliable.
- System failures can be caused by technical failure, human error, negligence or sabotage.
  - This causes inconvenience and possibly an expensive suspension of normal services.
- Fraudsters may also be able to exploit system ‘fall back’ positions where the normal level of security is reduced or suspended.
  - Hackers may of course attempt to sabotage systems to create favorable conditions for their activities.
12
Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
13
3. Connecting securely [1/7]
Ensuring privacy:
- When money changes hands over public communication networks, such as the internet, privacy is a major issue.
- This can be achieved with the use of protocols such as:
  - Internet Protocol Security (IPsec)
  - Transport Layer Security (TLS)
  - Secure Sockets Layer (SSL)
- But privacy isn’t the only issue here! We need to be assured that we are communicating securely with the intended party and not a malicious website.
14
3. Connecting securely [2/7]
Parties authentication:
- The communication process needs to include some authentication.
  - Authentication of the server (e.g. the bank) with the client (e.g. the client’s computer).
- Authentication is achieved using the TLS/SSL setup procedure between an HTTPS protected server and a client.
  - Hypertext Transfer Protocol Secure – HTTPS – is a secure version of the Hypertext Transfer Protocol (HTTP).
15
3. Connecting securely [3/7]
Reminder: Why isn’t all the data exchanged in a TLS/SSL secured session encrypted using asymmetric public-key encryption?
Answer:
- The use of public key encryption for a typical TLS/SSL transaction would increase the amount of data to be transmitted significantly.
- In TLS/SSL, public-key encryption is used to establish a secret key that can then be used for the subsequent session, during which the data transmitted is encrypted using symmetric encryption.
- This is much more efficient in terms of message size.
16
3. Connecting securely [4/7]
Reminder: A malicious website hijacks the valid certificate of a genuine website’s server and masquerades as the genuine site. What prevents the malicious website being successful in this ill thought out attempt to deceive?
Answer:
- The malicious website does not have the means to encrypt the transmission in a way that could be successfully decrypted by a client. To do this it would need the genuine server’s private key.
- Another problem that would confound an attempted masquerade attack would be that the genuine server’s domain name details (and the corresponding URL) are typically embedded within the certificate by the trusted Certification Authority and cannot be changed by an attacker.
17
3. Connecting securely [5/7]
So TLS/SSL is used to ensure privacy and authentication, BUT what could affect the TLS/SSL level of security?
In general, the level of security afforded during a TLS/SSL session depends on a number of factors:
- The browser application used at the client
  - Different browsers support different encryption algorithms having various strengths, and prioritise their use differently.
- The version of TLS/SSL used to set up the connection
- Proper authentication of the digital certificate.
18
3. Connecting securely [6/7]
Authentication of the digital certificate
To be confident in the security of a TLS/SSL protected transaction, we should inspect the certificate to ensure that:
- The certificate is issued by a major trusted Certification Authority
- The certificate is currently valid (not expired)
- The certificate is trusted by the computer
- There are no domain name mismatches
  - The URL in the certificate is the same as that being visited.
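The checklist on this slide, written out as an added example that is not part of the original slides. It runs over a constructed certificate shaped like the dictionary Python's `ssl.SSLSocket.getpeercert()` returns; the host names, the issuer name and the `TRUSTED_ISSUERS` set are assumptions, and the issuer-name lookup only stands in for the signature-chain validation a real TLS library performs against the computer's trust store.

```python
import ssl

# Constructed stand-in for the computer's trust store (assumption, not real CAs).
TRUSTED_ISSUERS = {"Constructed Trust CA"}

# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Constructed Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.example-bank.test")),
}

# Fixed "current times" so the example gives the same answer whenever it runs.
NOW_VALID = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
NOW_EXPIRED = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def issuer_organisation(cert):
    """Return the issuer's organizationName, or None if it is absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return pattern == host


def certificate_problems(cert, visited_host, now):
    """Apply the slide's checks and return a list of the ones that fail."""
    problems = []
    if issuer_organisation(cert) not in TRUSTED_ISSUERS:
        problems.append("issuer not trusted")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, visited_host) for n in dns_names):
        problems.append("domain name mismatch")
    return problems


if __name__ == "__main__":
    for host, now in (("www.example-bank.test", NOW_VALID),
                      ("www.example-bank.test", NOW_EXPIRED),
                      ("www.example-bank.test.lookalike.test", NOW_VALID)):
        print(host, certificate_problems(SAMPLE_CERT, host, now) or "ok")
```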
19
3. Connecting securely [7/7]
Reminder: In financial transactions, authentication of both parties to a transaction is critical. To what extent do the TLS/SSL processes that have just been described satisfy this requirement?
Answer:
- TLS/SSL generally authenticates a web server to a client only.
- If a successful TLS/SSL handshake has been completed and there are no certification inconsistencies, you can be fairly certain that you are linked to the intended website.
20
Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
21
4. Identity and authentication [1/13]
Identity can be established from:
- something you are (or can do)
- something you have
- something you know.
In a connected world, inhabited by terrorists, criminals and money launderers, authentication is a crucial element.
Authentication is deemed to be strong when at least two of these factors are satisfied by the authentication process.
Any example of electronic financial transactions?
22
4. Identity and authentication [2/13]
Electronic funds transfer (EFT):
- EFT is a generic term to describe financial transactions carried out by computer-based systems.
- EFT includes a wide variety of possible transactions such as:
  - The use of payment cards (debit or credit card) to purchase goods or services
  - The authorisation of the electronic payment of bills using an online bank
  - The direct debit payments from customers’ accounts to service providers such as utility companies
  - The payment of salaries by an employer into an employee’s account
  - The transfer of funds to and from accounts in different countries.
23
4. Identity and authentication [3/13]
Automated teller machines (ATMs):
- ATMs are often referred to in terms of one of their functions as ‘cash machines’.
- Modern ATMs allow many of the traditional over-the-counter services involving a bank teller to be accessed through a machine:
  - withdraw cash
  - check an account balance
  - print out a summary or detailed statement
  - pay in cheques, money orders and cash
- ATM benefits:
  - reduced costs (to banks)
  - reduced delays (for customers)
  - extended availability outside normal banking hours.
24
4. Identity and authentication [4/13]
Electronic Point Of Sale – ePOS, EPOS or POS
- ePOS terminals allow customers to pay for groceries, fuel, or tickets, for example, using debit or credit cards.
- Some ePOS terminals include a ‘cash-back’ facility to allow customers to obtain cash by debiting their bank or credit card accounts.
- An ePOS terminal may be set up for a small business.
  - These generally use a broadband connection to the internet to process payment transactions.
- For a larger business an ePOS system is likely to be connected to a local area network.
  - In addition to the payment transaction processing, a business’s inventory can be updated and customer orders tracked.
25
4. Identity and authentication [5/13]
Electronic Point Of Sale – ePOS, EPOS or POS
- An ePOS system requires a secure connection, normally to an acquirer’s financial network (e.g. a bank).
- ePOS terminals are being increasingly integrated to operate alongside other systems such as supermarket ‘self-checkouts’, where customers present items they are purchasing for scanning and weighing prior to payment.
26
4. Identity and authentication [6/13]
Activity 7.6: For the transactions that follow, think through the sequence of what normally happens and comment critically on how strong you believe the resulting authentication to be. State your own reasoning in each case.
- Using an ATM to obtain cash
- Presenting a cheque to a bank teller (not the individual’s own branch) to obtain cash
- Paying for goods or services at an ePOS terminal
- Purchasing goods or services on the internet or by phone using a credit or debit card
- Carrying out a transaction using an online bank account
27
4. Identity and authentication [7/13]
Activity 7.6 – Solution:
Using an ATM to obtain cash:
- We need to have the bank card: Something we have
- We need to know the PIN: Something we know
- Two factors are satisfied, so this provides strong authentication. Should the card be stolen, the thief would need to know the PIN.
Presenting a cheque to a bank teller (not the individual’s own bank):
- To obtain cash, in general we need to have a cheque, a cheque book and a signed bank card relating to the same account.
- The cheque, cheque book and bank card only count as one authentication factor: Something we have
- The signature satisfies another authentication factor: Something we know
- So we have a strong authentication here?
28
4. Identity and authentication [8/13]
Activity 7.6 – Solution:
Presenting a cheque to a bank teller (not the individual’s own bank):
- When the signature is examined by another human, this is quite a subjective process.
- The signature is not very consistent and could easily be forged by someone else with a little practice.
- The case for strong authentication here is flawed: weak authentication.
- That is why banks may limit the withdrawal amount away from a ‘home’ bank.
Paying for goods or services at an ePOS terminal:
- We need to have a payment card: Something we have
- We need to know the appropriate PIN: Something we know
- So this is strong authentication.
29
4. Identity and authentication [9/13]
Activity 7.6 – Solution:
Purchasing goods or services on the internet or by phone using a credit or debit card:
- We need to know card and personal details (e.g. card number and type, validity dates and card ‘security code’): Something we have
- We are also normally required to give a Card Verification Value (CVV), specifically CVV2.
  - CVV2 is the printed value on the card, which a thief would also need to know: so this is also something we have
  - Providing this value gives some assurance (but not proof) that we do have the payment card in our possession: Something we have
- The authentication is essentially single factor, so this is weak authentication.
30
4. Identity and authentication [10/13]
Activity 7.6 – Solution:
Carrying out a transaction using an online bank account:
- Practice varies between banks.
- In general we need to know the username and a password: Something we know.
- We then need to enter a response to a personalised question: Something we know.
- The authentication is essentially single factor, so this is weak authentication.
31
4. Identity and authentication [11/13]
So achieving strong authentication is not always straightforward, with particular problems associated with those transactions where a card is not visible to the merchant or bank (card-not-present transactions)!
Any solutions?
32
4. Identity and authentication [12/13]
Some banks, for some accounts, provide additional security measures for use with online transactions. Examples include:
- Hardware tokens which are unlocked using a PIN and then used to generate one-time passwords: Something we have and something we know
- Personal card readers for use with a home computer. We need to have the bank card or token and know the corresponding PINs: Something we have and something we know
Such combinations of factors allow strong authentication to be achieved in a card-not-present transaction.
33
4. Identity and authentication [13/13]
Additional measures to increase security can be introduced as the technology develops further.
The three original authentication factors can be supplemented by:
- where you are
- the patterns or behaviour of your account activity.
  - Changes in the normal pattern of usage or apparent behaviour of the card holder can indicate potential or actual misuse.
This gives the potential for five-factor authentication.
34
Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
  - Introduction
  - Data transfer by imprinting
  - Data transfer by magnetic stripe
35
5. Money in plastic [1/3]
- Payment cards for many people seem indispensable for modern life.
- Payment cards are covered by an extensive range of cross-referenced specifications from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- Payment cards should be usable anytime, anywhere.
36
5. Money in plastic [2/3]
When examining card features, we notice a mix of technologies used in payment and other cards over the years.
- The embossed letters and numbers were used to transfer data by mechanical imprinting.
- Magnetic stripes enabled data to be stored in binary, on tracks of magnetic material, sensed by a reading head.
- The electrical contacts on some cards are evidence of an onboard processor chip allowing data storage and processing.
- For contactless smart cards the connectivity to the outside world is by radio channel.
37
5. Money in plastic [3/3]
38
Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
  - Introduction
  - Data transfer by imprinting
  - Data transfer by magnetic stripe
39
5.1 Data transfer by imprinting [1/2]
- Imprinting was achieved from embossed letters and numbers on the card.
- Travellers to different countries may find these features and the related processes used as supplementary security checks, for example when foreigners purchase goods abroad.
- The ISO/IEC 7811 series of standards includes the specification of embossed characters for cards having an ID-1 card format.
- ID-1 relates to the size of card commonly used for credit and debit payment cards.
40
5.1 Data transfer by imprinting [2/2]
During a point-of-sale transaction using this technology:
- The card was handed to a check-out assistant.
- The visible embossed card data was transferred on to a transaction slip using a machine called a PDQ imprinter.
  - PDQ is usually taken to mean ‘process data quickly’.
- Other details of the goods purchased and the price were added to the transaction slip.
- The customer signed it to complete the purchase.
In this process the retailer was responsible for checking the similarity of the card user’s signature (previously written on to the card’s signature strip) with that on the transaction slip.
41
Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
  - Introduction
  - Data transfer by imprinting
  - Data transfer by magnetic stripe
    - ATM transactions using magnetic stripe cards
42
5.2 Data transfer by magnetic stripe [1/6]
- Data transfer using imprinting plus magnetic stripe data is still used widely in many regions.
- Magnetic stripe payment cards store, in one or more of the available tracks:
  - a copy of the data embossed on the card, and
  - additional data that strengthens security.
- Magnetic stripe cards allowed electronic transfer of data between the card and an ePOS or ATM terminal.
43
5.2 Data transfer by magnetic stripe [2/6]
- Up to three tracks are normally provided on the magnetic stripe of payment cards.
  - They are identified as tracks 1, 2 and 3.
- A card could contain fewer than three tracks, which explains the different widths of magnetic stripe.
  - Narrower stripes relate to the omission of an unused track on cards.
[Figure: Layout of data tracks on an ID-1 format magnetic stripe card]
44
5.2 Data transfer by magnetic stripe [3/6]
Activity 7.10: Estimate how much data could in principle be stored on a magnetic stripe (only) card as represented by Figure 7.3. Assume that the full length of all three tracks is available for this purpose. Express your answer in bytes.
45
5.2 Data transfer by magnetic stripe [4/6]
Activity 7.10 – Solution:
- The table included in Figure 7.3 gives the data density for each track in bits/inch.
- The required storage capacity can be found by multiplying the length of each track by the data density of that track.
- The total storage is found by adding the value for each of the three tracks.
- A magnetic stripe card has a very limited data storage capacity!
46
5.2 Data transfer by magnetic stripe [5/6]
- Data on the magnetic stripe, represented by the transitions in magnetisation, is sensed by a reading head when the card is moved relative to the head.
- The data stored in the magnetic stripe of a standard ID-1 payment card includes:
  - A Card Verification Value 1 code - CVV1: used to support the authenticity of the card
    - Note the distinction between CVV1, which is recorded electronically on the card, and CVV2, which is printed on the card.
  - A PIN Verification Value - PVV: an encrypted representation of the corresponding account PIN.
47
5.2 Data transfer by magnetic stripe [6/6]
What is a PVV?
- The PVV encoded on the magnetic stripe is created by the card issuer.
- The PVV combines the PIN with other account data.
- The process includes encryption and subsequent transformation using a one-way function to produce a fixed-length value (the PVV).
- The exact details of this process are secret to a card issuer.
- The PVV is used to verify the user-entered PIN when, for example, you are using a bank ATM.
48
5.2.1 ATM transactions using magnetic stripe cards [1/9]
- Many of the detailed processes used by financial institutions are confidential and vary between institutions.
- The outline description that follows should be read with this in mind.
- In practice there could be additional intermediate stages of encryption and decryption.
49
5.2.1 ATM transactions using magnetic stripe cards [2/9]
50
5.2.1 ATM transactions using magnetic stripe cards [3/9]
1. On presenting a card to an ATM, a user will be prompted to enter an account PIN using the terminal keypad.
2. Information on the card’s stripe is read, including the PVV.
3. The two inputs (the user-entered PIN and the magnetic stripe data read by the ATM) are encrypted for transmission to the location of a bank’s Hardware Security Module (HSM).
   - The HSM is a tamper-resistant, physically secure environment within which critical encryption and other processes, including those associated with card authentication, are undertaken.
51
5.2.1 ATM transactions using magnetic stripe cards [4/9]
4. On arrival, the incoming data is decrypted so that the entered PIN, the PVV and the related account data are recovered.
5. The HSM ensures that a transaction will only be authorised if the correct PIN is entered.
   - A PVV value is derived using: the entered PIN, the card data and the same secret process originally used to create the PVV held on the magnetic stripe.
   - The derived PVV could be compared with the original PVV value for the related account.
   - The original PVV could be stored either on a bank’s database or on the magnetic stripe or both.
   - If the derived PVV does not match the actual PVV, the transaction will be denied.
52
5.2.1 ATM transactions using magnetic stripe cards [5/9]
Why might a derived PVV differ from the original one?
- If any of the input data used to create the derived PVV differs from the input data originally used to create the original PVV, then the derived PVV will not match the actual PVV and the transaction will be denied.
- For instance, entering an incorrect PIN would result in a failed attempt to access the required services.
- The security of the PIN authentication process is dependent on the infeasibility of creating a derived PVV
53
5.2.1 ATM transactions using magnetic stripe cards [6/9]
Activity 7.9: We have described how, in an ATM magnetic stripe card transaction, a derived PVV (the processing of which involves the user’s entered PIN in combination with other account data and a one-way function) is compared with the PVV for the account (stored on the magnetic stripe and in a bank’s database). Plaintext PINs are not used as the basis of this comparison.
(a) Explain why a ciphertext representation (PVV) rather than a plaintext representation of a PIN should be used for the following:
  (i) verification of PIN data within a bank’s HSM
  (ii) storing the PIN data on a magnetic stripe (only) card
  (iii) storing the PIN data in a bank’s database.
54
5.2.1 ATM transactions using magnetic stripe cards [7/9]
Part (a) – Solution:
(i) In a perfectly secure HSM, it shouldn’t matter whether PVVs or PINs are compared. However, remember that where a one-way function is used to create a PVV, a correct PIN value could not be derived from a stored PVV for comparison with an entered PIN.
(ii) A PVV is a ciphertext representation of a PIN and so can be included in the encoded information on a card’s magnetic stripe. If a PVV is accessed by a fraudster, the process used to create the PVV, which includes the use of a one-way function, should ensure that the PIN cannot be accessed. It would certainly be unsafe to include the plaintext version of the PIN within the magnetic stripe data.
(iii) Storing an account PIN in a bank’s database would also be unacceptable. As a general principle, PINs and also passwords (such as one you might use to access your computer) are more securely stored as ciphertext.
55
5.2.1 ATM transactions using magnetic stripe cards [8/9]
Activity 7.9 (Cont.):
(b) Think about why payment card PINs are often just four decimal numbers long (though in some regions up to six are allowed), whereas passwords for other purposes are often required to be longer. (Wouldn’t you expect that a payment card PIN would need to be at least as long as passwords used for other purposes, especially as decimal numbers rather than alphanumeric sequences are used?)
56
5.2.1 ATM transactions using magnetic stripe cards [9/9]
Part (b) – Solution:
- A four-digit PIN is relatively easy to remember.
- A PIN is normally used as ‘something you know’ accompanied by ‘something you have’ (a payment card), whereas a password is often used in isolation as ‘something you know’.
- Two-factor authentication is inherently stronger than single-factor authentication, so a short PIN is adequate.
- Also, when entering a PIN you are normally restricted to perhaps three attempts before the account is blocked by the bank. A fraudster’s chance of getting this right would be approximately three in ten thousand.
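The PIN check outlined in steps 1 to 5 of section 5.2.1, together with the three-attempt limit from the Activity 7.9 (b) solution, as an added example that is not part of the original slides. The issuers' real PVV process is secret, so HMAC-SHA-256 reduced to four decimal digits stands in for it here; the key, account number, PIN and the names `derive_pvv`, `verify_pin` and `PinVerifier` are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for this example; none of them come from the slides.
ISSUER_KEY = b"constructed-demo-key-kept-inside-the-HSM"
SAMPLE_ACCOUNT = "4000001234567899"   # constructed account data read from the stripe
SAMPLE_PIN = "4821"                   # constructed PIN
MAX_ATTEMPTS = 3                      # "perhaps three attempts" before blocking


def derive_pvv(pin, account_data, key=ISSUER_KEY):
    """Combine the PIN with account data under a secret key and reduce the
    one-way result to a fixed-length, 4-digit value."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 6):
        raise ValueError("PIN must be 4 to 6 decimal digits")
    message = f"{account_data}|{pin}".encode()
    # HMAC-SHA-256 is a stand-in for the issuer's secret one-way process.
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10_000:04d}"


def verify_pin(entered_pin, account_data, stored_pvv, key=ISSUER_KEY):
    """Re-derive the PVV from what the user typed and compare it with the
    stored PVV; no plaintext PIN is stored or compared."""
    try:
        derived = derive_pvv(entered_pin, account_data, key)
    except ValueError:
        return False
    return hmac.compare_digest(derived, stored_pvv)


class PinVerifier:
    """HSM-side decision with a per-account counter of failed attempts."""

    def __init__(self, key=ISSUER_KEY, max_attempts=MAX_ATTEMPTS):
        self._key = key
        self._max_attempts = max_attempts
        self._failures = {}

    def check(self, account_data, entered_pin, stored_pvv):
        """Return 'approved', 'denied' or 'blocked' for one PIN entry."""
        if self._failures.get(account_data, 0) >= self._max_attempts:
            return "blocked"            # even the correct PIN is refused now
        if verify_pin(entered_pin, account_data, stored_pvv, self._key):
            self._failures[account_data] = 0
            return "approved"
        failed = self._failures.get(account_data, 0) + 1
        self._failures[account_data] = failed
        return "blocked" if failed >= self._max_attempts else "denied"


def guess_chance(attempts=MAX_ATTEMPTS, pin_digits=4):
    """Chance that blind guessing hits the PIN within the attempt limit."""
    return attempts / 10 ** pin_digits


if __name__ == "__main__":
    stored = derive_pvv(SAMPLE_PIN, SAMPLE_ACCOUNT)   # created once by the issuer
    hsm = PinVerifier()
    for entry in ("0000", SAMPLE_PIN, "1111", "2222", "3333", SAMPLE_PIN):
        print(entry, hsm.check(SAMPLE_ACCOUNT, entry, stored))
    print("chance of guessing within the limit:", guess_chance())
```

Because the check value in this sketch is only four digits long, its protection rests on the key staying inside the HSM and on the attempt limit, not on the length of the value.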
57
What about the embedded integrated circuit in a payment card?
To be discussed next week!