
Whitepaper

© 2015 Tyfone, Inc.

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

The Trend and the Need!

Recent data indicates the following:

• Dramatic loss in data: 705 million records lost in 2013 (OSF)
• Dramatic loss in dollars: $445 billion in 2013 (CSIS)
• No effective solutions: $46 billion spent to prevent loss in 2013, and most of it wasted (HP)
• Increase in crime: 20% increase in reported crime (HP)
• Increase in loss: 30% increase in loss per crime (HP)
• Most breaches unreported: 94% of breaches go unreported (FBI)

The benefits of smart card based authentication that utilizes Public Key Infrastructure, together with additional mechanisms for authenticating and verifying higher-risk transactions, have been outlined in the 2005 Guidance by the FFIEC [i]. Technological advances by Tyfone, a security company that is currently working with the US Intelligence Community on device and access security based on smart cards using wireless protocols (Connected Smart Card™), overcome the traditional limitations of the reader-based smart card discussed in the 2005 Guidance by the FFIEC and can be used across the complete spectrum of devices used for online and mobile banking.

Cybersecurity, which requires securing online, cloud, and wireless mobile devices, is an important issue facing all organizations, including corporations, banks, critical infrastructure, and governments. Hackers are able to steal information such as social security numbers, credit card numbers, bank account details, vulnerability reports of dams, usernames, passwords, and all other information stored centrally in the cloud. To make matters worse, it is often impossible to catch these criminals, as the attacks originate off-shore. And since the crime is virtual, with criminals copying the data rather than destroying it, organizations and users alike are often unaware of the information loss.

Imagine what a security breach of a government agency, a bank, or critical infrastructure such as a power grid could cost. Corporations, banks, and governments throughout the world are scrambling to figure out more effective solutions.

FFIEC has recognized the need to solve this problem for Financial Institutions and has defined requirements, while not requiring or recommending specific implementations. The problem with a majority of existing security solutions is that the implementations have centralized data stores. As demonstrated in the recently publicized cyber-attacks, centralized data stores are a single point of failure for authentication credentials. Such centralized security implementations do not prevent loss and are easy to hack. This is covered in the next section.


Security That is Centralized is Insufficient

Most state-of-the-art security implementations look like what is shown in the figure below. All security mechanisms, namely password storage and validation, encryption key storage, threat analytics, and MFA answers, are centralized, and they are intrusive as well as inconvenient to users. This consolidated approach is not only a lucrative target, but also a single point of vulnerability.

Recent data indicates that it is not prudent to rely solely on centralized security:

• Passwords are not enough: 90% of passwords are vulnerable as of 2013 (Deloitte)
• Dramatic password compromises: 1.2 billion passwords stolen by one Russian group in 2014 (NY Times)
• Threat analytics have become unmanageable for CIOs: not only are there too many analytic systems to manage and too many alerts to deal with, 35% of alerts generated by fraud analytics are false positives (ESG)
• Threat analytics are almost always too late: by the time analytics capture anomalies it is almost always too late. Target's detection came 10 days after the breach and JP Morgan Chase's 2 months after the breach.
• MFA Q&A to augment passwords is too inconvenient: members do not want to answer too many MFA questions, and members often do not know the answers to knowledge-based MFA questions, which results in 40% of call center calls being for password reset
• Biometrics (private data): limitations in ease of enrollment of customers, customer privacy concerns, unquantified liability of loss

Figure: centralized security architecture. Remote users on multiple devices authenticate with passwords and MFA Q&A to the cloud infrastructure for mobile & internet banking, which holds data & transactions, passwords, digital encryption keys, threat analytics and MFA Q&A in front of the core banking system, with centralized password validation, centralized encryption keys and centralized threat analytics. Callouts: "Consolidated = lucrative & easy to steal"; "Too many systems, too many false positives, inconvenient for staff & users".


Multi-factor and Layered Security with Decentralization

Plastic cards with smart card security chips that store client-side certificates and keys securely, just as HSMs store server-side certificates and keys, are an effective and proven way to enable high-end decentralized security. This approach is required by, and very commonly used by, European and Asian banks for their customers and employees, in the form of smart card chips in a plastic card form factor.

Unfortunately, plastic smart cards cannot be readily used in modern day mobile phones, tablets, laptops and desktops, since these devices lack the ability to read smart cards. For this purpose we propose the use of what we call the Connected Smart Card, which not only has a smart card security chip but also has interfaces including Bluetooth radio, Near-field radio and USB, allowing the smart card security chip to be made available on any device. This is shown in the figure below.

Benefits of decentralized security include:

• Dramatically lowers loss, since the hardware has to be stolen one unit at a time and the user's password or biometrics also needs to be known.
• Increases convenience, since the user does not have to know hard-to-remember answers; it is as easy as pressing a button on the hardware.
• Increases the scope of law enforcement, since it requires the physical theft of hardware instead of the remote theft of hacking into a cloud.
• Increases awareness of loss by the user, since the loss is not virtual.
• Makes fraud analytics more meaningful, since fraudulent transactions will be minimized and therefore alerts will be more meaningful.

Figure: decentralized security architecture. The cloud infrastructure for mobile & internet banking and the core banking system hold data & transactions, passwords, digital encryption keys, threat analytics and MFA Q&A, supplemented (+) by decentralized ID validation & key storage on the user's side.


Apart from the above benefits, the additional benefits of the Connected Smart Card (CSC™) hardware for decentralizing security, which uses miniature smart card chips and existing interfaces to connect to any device, are illustrated below:

Pricing Comparison

According to a recent Symantec publication (A Total Cost of Ownership Viewpoint – Two-factor Authentication [ii]), the average cost of ownership for Symantec VIP is expected to be $3.18 per credential per month and that of RSA SecurID is expected to be $6.02 per credential per month. The cost of Tyfone CSC is estimated to be $1.99 per credential per month, a savings of 37% over Symantec VIP and 67% over RSA SecurID.

There is also a further opportunity to decrease Total Cost of Ownership by adding additional credentials to CSC, which cannot be accomplished in the VIP or SecurID solutions. We envision CSC not only including Public/Private Key based security for mobile and online banking but also containing EMV payment credentials as the US migrates to smart card infrastructure for debit and credit identities.

Figure: the Connected Smart Card is built from a miniaturized smart card chip and an existing interface.

Benefits of the Connected Smart Card:

• Decentralized password, biometrics, and key storage
• Leverage billions invested in existing infrastructure
• Leverage existing security applets
• Multiple use cases, form factor agnostic: any device, any OS
• Existing industry standards & certifications
• Certified for ID storage and validation
• Certified key storage and cryptography
• Certified to be biometric friendly
• PKCS - Internet and Mobile Banking
• EMV - Payments
• CAC/PIV - Govt
• PIV-I - Enterprise


CSC = Next Gen Smart Cards

All the benefit and none of the concerns!

Apart from its significant pricing benefit over RSA SecurID (or the comparable Symantec VIP), the Connected Smart Card (CSC), which enables device-agnostic multi-factor authentication and layered transaction encryption, is significantly better than the well-known RSA SecurID. A comparison between RSA SecurID and CSC is provided below.

Apart from the major differences highlighted below, since RSA SecurID relies on centralized validation of ID (dynamic password), there was a massive compromise of its centralized infrastructure that in turn compromised 720 companies.

RSA SecurID compared with the Form Factor Agnostic CSC Module (sidekey and sidecard form factors shown on the right):

• Security model. RSA SecurID: centralized security, compromised in mass*. CSC: decentralized.
• Use cases. RSA SecurID: single-purpose. CSC: multiple use cases & remote provisioning:
  - Layered transaction encryption: mutually authenticated TLS connection
  - Device-agnostic multi-factor: cryptographically strong ID authentication
  - Prevents man-in-the-middle attacks through cryptographic validation of the recipient account number
  - Enables remote secure messaging for secondary approval
• User interaction. RSA SecurID: manual entry. CSC: press of a button & biometric friendly.
• Devices. CSC: any device - mobile phone, tablet, PC.
• Pricing. RSA SecurID: complex pricing and $5 to $7 per credential per month. CSC: $1.99 per credential per month.
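The decentralized model argued for on page 3 and in the comparison above (a private key that never leaves the smart card chip, a bank that enrolls only the public key, and an approval that cryptographically binds the recipient account number so a man-in-the-middle cannot swap it) can be sketched in code. The following is an added Go example and not Tyfone's code or protocol: the Token type stands in for the CSC chip, and the Transaction field layout, the nonce handling and the SHA-256/ECDSA P-256 choices are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Transaction is what the bank pushes to the card holder for secondary approval.
// The field layout is an assumption made for this example.
type Transaction struct {
	Nonce     string // bank-issued, single use, defeats replay of an old approval
	Amount    string
	Recipient string // recipient account number, bound into the signature
}

// digest canonicalises the fields so that token and bank hash identical bytes.
func digest(tx Transaction) []byte {
	h := sha256.Sum256([]byte(tx.Nonce + "|" + tx.Amount + "|" + tx.Recipient))
	return h[:]
}

// Token stands in for the CSC smart card chip: the key pair is generated inside
// and the private half never leaves; only the public half is given to the bank.
type Token struct{ priv *ecdsa.PrivateKey }

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: k}, nil
}

// Public is the enrollment record the bank stores instead of a shared secret.
func (t *Token) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Approve is the "press of a button": the chip signs the transaction digest.
func (t *Token) Approve(tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, digest(tx))
}

// Verify is the bank-side check: a swapped recipient, a signature from another
// key or a reused nonce all fail, and a breached bank store holds only public keys.
func Verify(pub *ecdsa.PublicKey, used map[string]bool, tx Transaction, sig []byte) bool {
	if used[tx.Nonce] || !ecdsa.VerifyASN1(pub, digest(tx), sig) {
		return false
	}
	used[tx.Nonce] = true
	return true
}
```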


Summary

Decentralizing security is rapidly becoming a necessity. Tyfone's CSC is the next generation of smart card based security. It is not only more secure and versatile, it is 67% cheaper to deploy than RSA SecurID (or other equivalents), including decentralization and multiple use cases.

FFIEC COMPLIANCE: Tyfone's CSC enables both cryptographic multi-factor authentication and an additional layer of transaction encryption, thus making it a cost-effective FFIEC compliant implementation. Tyfone's CSC is device agnostic and therefore makes the user experience for FFIEC compliant electronic banking on phones, tablets and PCs as simple as pressing a button. The robustness of CSC also makes threat analytics more meaningful, since it is expected to dramatically reduce the number of alerts.

Tyfone’s CSC is currently being tested by the US Intelligence Community through investment made by In-Q-Tel (CIA’s venture fund) as well as by CoVantage CU.

[i] http://www.ffiec.gov/pdf/authentication_guidance.pdf
[ii] https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf