T215B Communication and information technologies (II)
Session 9, Block 4: Protecting and prying (Spring 2015)
Arab Open University

Upload: hassan-badawy

Post on 25-Jan-2017



Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic

1. Introduction [1/2]
In this part, Banking on ICTs, the focus is on money and on some of the ICT systems that support financial transactions. The motivation to pry, prey and protect is rarely greater than where money is involved.
ICT systems have made many aspects of financial management easier for many honest people:
- national and international electronic money transfer transactions
- money in plastic: credit cards
BUT they have also provided new opportunities for criminals and fraudsters to carry out their activities. Criminals can operate anonymously and remotely!

1. Introduction [2/2]
When we do things like interacting with banks, buying goods online, paying bills to suppliers and so on, we need to feel confident about several aspects:
- Who are we dealing with?
- What information are we providing to organisations?
- How will this be used and protected from misuse?
- If we are doing these things remotely: how secure are the arrangements, particularly the communication channel that we are using?

2. As safe as a bank [1/7]
What measures should a bank take to protect the security of the user and their information?
Security standards are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27000 is a family of standards that specifies how organisations should achieve the required standards of information security using Information Security Management Systems. ISO/IEC 27000 itself provides an overview and introduction to this developing series of standards.

2. As safe as a bank [2/7]
In an organisation such as a bank:
- Sensitive personal data or other account-related data should not be stored unencrypted.
- Access to such information and the related systems and processes should be carefully monitored and controlled.
- Secure logging of activity should record by whom, how and when information is accessed and used, creating audit trails for subsequent inspection, with the audit records themselves being securely encrypted.
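The slide above asks for audit records of who did what, how and when, held so that they can be inspected later without having been altered. The following Python is an added example, not part of the course material: it records those four fields per event and chains each record to the previous one with an HMAC so that editing or removing an earlier record is detected on inspection. The HMAC chain is a substitution for the slide's "securely encrypted" requirement; it gives tamper-evidence and accountability, and the example assumes confidentiality of the stored records is provided separately by the storage layer. The key, user names and events are all constructed for the example.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed key for the example; in a bank it would be held in an HSM or key store.
AUDIT_KEY = b"example-audit-log-key-not-for-production"


def _seal(prev_tag, record, key=AUDIT_KEY):
    """HMAC over the previous entry's tag plus this record, so entries form a chain."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log of who / how / what / when, with a tamper-evident HMAC chain."""

    GENESIS = "0" * 64      # tag used as the 'previous tag' for the first entry

    def __init__(self, key=AUDIT_KEY):
        self._key = key
        self.entries = []   # each entry: {"record": {...}, "tag": "<hex hmac>"}

    def append(self, who, how, what, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        record = {"who": who, "how": how, "what": what, "when": when}
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        self.entries.append({"record": record, "tag": _seal(prev, record, self._key)})
        return record

    def verify(self):
        """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = _seal(prev, entry["record"], self._key)
            if not hmac.compare_digest(expected, entry["tag"]):
                return i
            prev = entry["tag"]
        return -1


def demo():
    """Build a log from constructed events, then show that editing a record is caught."""
    log = AuditLog()
    log.append("teller_0421", "branch terminal", "viewed balance acct ****9010",
               "2015-03-02T09:15:00+00:00")
    log.append("teller_0421", "branch terminal", "updated address acct ****9010",
               "2015-03-02T09:17:30+00:00")
    log.append("admin_07", "ssh from ops-net", "exported quarterly report",
               "2015-03-02T10:02:11+00:00")
    intact = log.verify()                               # -1: nothing has been altered
    log.entries[1]["record"]["who"] = "teller_0999"     # someone tries to shift blame
    tampered = log.verify()                             # 1: the altered entry is caught
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Deleting a middle entry is caught the same way, because the following entry was sealed against the deleted entry's tag. Truncating the tail of the log is not caught by verify() alone; the usual answer is to copy the latest tag to a separate system at intervals and compare against it during inspection.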

2. As safe as a bank [3/7]
BUT multiple legacy systems within an organisation can work against employee accountability:
- An individual employee is likely to need to log in to each system with a different password.
- Staff may be tempted to resort to the convenience of sharing common passwords or to writing them down.
- Doing either results in a loss of individual employee accountability and compromised security.
Therefore, there are best-practice frameworks for IT governance and infrastructure in organisations:
- Information Technology Infrastructure Library (ITIL)
- Service-oriented architecture (SOA) (see T215A)
SOA provides a means for integrating services and enabling single sign-on (SSO), to avoid the potential problems of multiple-password legacy systems.

2. As safe as a bank [4/7]
In an organisation such as a bank:
- Computer systems need to be protected from malicious software, messages or other intrusive devices used by hackers.
- A major defence is an effective firewall and an associated security policy.
- Additional systems are necessary to monitor and control what happens behind the firewall as well.
Why? Because security can also be compromised from within the organisation by, for example, contractors or disgruntled employees.

2. As safe as a bank [5/7]
In an organisation such as a bank, intrusion detection systems are commonly used:
- They continually monitor activities to identify those that are suspicious and which could indicate the start of an attack.
- They can detect potential threats arising from the actions of trusted insiders as well as external hackers.
- They use detailed knowledge about the systems and networks being protected, such as the security policy in force (who or what is allowed to access data or modify software) and any known system vulnerabilities that could be exploited.
- They compare current use with normal patterns of service usage so that suspicious activity can be flagged.
- Suspicious activity may lead to temporarily restricting access to, or disabling, the systems or functions that could be under threat.

2. As safe as a bank [6/7]
In an organisation such as a bank:
- Data leakage protection is another approach that is being developed. Data is categorised within files in a way that is appropriate to the data's sensitivity, so that attempts to access, move, modify or store sensitive data can be monitored and controlled in real time.
- Contingency measures are implemented to protect against serious disruption to the organisation's systems. Example: guarding against the destruction by fire of an organisation's server site or other premises by replicating and storing data at multiple sites, so that vulnerable data is not held in one location only. This should be done securely, with the replicated data stored and encrypted appropriately.

2. As safe as a bank [7/7]
Are these security measures infallible? Well, no!
- Systems and networks are never entirely reliable.
- System failures can be caused by technical failure, human error, negligence or sabotage.
- This causes inconvenience and possibly an expensive suspension of normal services.
- Fraudsters may also be able to exploit system fall-back positions where the normal level of security is reduced or suspended.
- Hackers may of course attempt to sabotage systems to create conditions favourable to their activities.


3. Connecting securely [1/7]
Ensuring privacy: when money changes hands over public communication networks, such as the internet, privacy is a major issue. It can be achieved with the use of protocols such as:
- Internet Protocol Security (IPsec)
- Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
But privacy isn't the only issue here! We need to be assured that we are communicating securely with the intended party and not a malicious website.

3. Connecting securely [2/7]
Authentication of the parties: the communication process needs to include some authentication of the server (e.g. the bank) to the client (e.g. the client's computer).
- Authentication is achieved using the TLS/SSL setup procedure between an HTTPS-protected server and a client.
- Hypertext Transfer Protocol Secure (HTTPS) is a secure version of the Hypertext Transfer Protocol (HTTP).

3. Connecting securely [3/7]
Reminder: why isn't all the data exchanged in a TLS/SSL-secured session encrypted using asymmetric public-key encryption?
Answer: the use of public-key encryption for a typical TLS/SSL transaction would increase the amount of data to be transmitted significantly. In TLS/SSL, public-key encryption is used to establish a secret key that is then used for the subsequent session, during which the data transmitted is encrypted using symmetric encryption. This is much more efficient in terms of message size.

3. Connecting securely [4/7]
Reminder: a malicious website hijacks the valid certificate of a genuine website's server and masquerades as the genuine site. What prevents the malicious website being successful in this ill-thought-out attempt to deceive?
Answer: the malicious website does not have the means to encrypt the transmission in a way that could be successfully decrypted by a client. To do this it would need the genuine server's private key. Another problem that would confound an attempted masquerade attack is that the genuine server's domain name details (and the corresponding URL) are typically embedded within the certificate by the trusted Certification Authority and cannot be changed by an attacker.

3. Connecting securely [5/7]
So TLS/SSL is used to ensure privacy and authentication, BUT what could affect the level of security that TLS/SSL provides?
In general the level of security afforded during a TLS/SSL session depends on a number of factors:
- the browser application used at the client: different browsers support different encryption algorithms of various strengths, and prioritise their use differently
- the version of TLS/SSL used to set up the connection
- proper authentication of the digital certificate.

3. Connecting securely [6/7]
Authentication of the digital certificate
To be confident in the security of a TLS/SSL-protected transaction, we should inspect the certificate to ensure that:
- the certificate is issued by a major trusted Certification Authority
- the certificate is currently valid (not expired)
- the certificate is trusted by the computer
- there are no domain name mismatches: the URL in the certificate is the same as that being visited.
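The checklist above is what a browser applies automatically when it validates a server certificate. The following Python is an added example, not part of the course material or of any library: it applies the same four checks to a certificate given in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, so the same function could be pointed at a live connection. The certificate, the issuer names and the list of trusted issuers are constructed for the example; the trusted-issuer set stands in for the computer's trust store, and the example does not verify the CA's signature on the certificate, which a real client also does. The wildcard rule (one wildcard, only as the whole leftmost label) goes slightly beyond the slide.

```python
import ssl
import time

# Constructed sample certificate in the dict layout returned by ssl.SSLSocket.getpeercert()
# for a verified peer. Every name and date here is made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Trusted CA Root"),),
    ),
    "notBefore": "Jan 10 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2016 GMT",
    "subjectAltName": (("DNS", "online.examplebank.test"), ("DNS", "*.examplebank.test")),
}

# Stand-in for the computer's trust store (assumption): issuers this client trusts.
TRUSTED_ISSUERS = {"Example Trusted CA"}


def _rdn_value(name, key):
    """Extract one attribute (e.g. organizationName) from the nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def hostname_matches(pattern, hostname):
    """Match a certificate DNS name against the visited host, case-insensitively.
    A wildcard is only honoured as the entire leftmost label (*.examplebank.test)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".examplebank.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost   # exactly one non-empty label


def check_certificate(cert, hostname, now=None):
    """Apply the slide's checklist; return the list of failed checks (empty = passes)."""
    now = time.time() if now is None else now
    problems = []
    if _rdn_value(cert.get("issuer", ()), "organizationName") not in TRUSTED_ISSUERS:
        problems.append("issuer not trusted")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:                             # older certificates: fall back to the subject CN
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("domain name mismatch")
    return problems


def check_at(cert, hostname, when):
    """Run the checks as of a certificate-style timestamp such as 'Jun 01 12:00:00 2015 GMT'."""
    return check_certificate(cert, hostname, ssl.cert_time_to_seconds(when))


if __name__ == "__main__":
    print(check_at(SAMPLE_CERT, "online.examplebank.test", "Jun 01 12:00:00 2015 GMT"))  # []
    print(check_at(SAMPLE_CERT, "evil.test", "Mar 01 00:00:00 2017 GMT"))
```

Returning the full list of failures rather than stopping at the first one is deliberate: an expired certificate on the wrong host is a different situation from a merely expired one, and the log line should say so.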

3. Connecting securely [7/7]
Reminder: in financial transactions, authentication of both parties to a transaction is critical. To what extent do the TLS/SSL processes just described satisfy this requirement?
Answer: TLS/SSL generally authenticates a web server to a client only. If a successful TLS/SSL handshake has been completed and there are no certification inconsistencies, you can be fairly certain that you are linked to the intended website.


4. Identity and authentication [1/13]
Identity can be established from:
- something you are (or can do)
- something you have
- something you know.
In a connected world, inhabited by terrorists, criminals and money launderers, authentication is a crucial element. Authentication is deemed to be strong when at least two of these factors are satisfied by the authentication process.
Any example of electronic financial transactions?

4. Identity and authentication [2/13]
Electronic funds transfer (EFT): EFT is a generic term describing financial transactions carried out by computer-based systems. EFT includes a wide variety of possible transactions such as:
- the use of payment cards (debit or credit cards) to purchase goods or services
- the authorisation of the electronic payment of bills using an online bank
- direct debit payments from customers' accounts to service providers such as utility companies
- the payment of salaries by an employer into an employee's account
- the transfer of funds to and from accounts in different countries.

4. Identity and authentication [3/13]
Automated teller machines (ATMs): ATMs are often referred to in terms of one of their functions, as cash machines. Modern ATMs allow many of the traditional over-the-counter services involving a bank teller to be accessed through a machine:
- withdraw cash
- check an account balance
- print out a summary or detailed statement
- pay in cheques, money orders and cash.
ATM benefits:
- reduced costs (to banks)
- reduced delays (for customers)
- extended availability outside normal banking hours.

4. Identity and authentication [4/13]
Electronic point of sale (ePOS, EPOS or POS): ePOS terminals allow customers to pay for groceries, fuel or tickets, for example, using debit or credit cards.
- Some ePOS terminals include a cash-back facility to allow customers to obtain cash by debiting their bank or credit card accounts.
- An ePOS terminal may be set up for a small business, generally using a broadband connection to the internet to process payment transactions.
- For a larger business an ePOS system is likely to be connected to a local area network; in addition to the payment transaction processing, the business's inventory can be updated and customer orders tracked.

4. Identity and authentication [5/13]
Electronic point of sale (ePOS, EPOS or POS):
- An ePOS system requires a secure connection, normally to an acquirer's financial network (e.g. a bank).
- ePOS terminals are increasingly being integrated to operate alongside other systems, such as supermarket self-checkouts where customers present the items they are purchasing for scanning and weighing prior to payment.

4. Identity and authentication [6/13]
Activity 7.6: for the transactions that follow, think through the sequence of what normally happens and comment critically on how strong you believe the resulting authentication to be. State your own reasoning in each case.
- Using an ATM to obtain cash
- Presenting a cheque to a bank teller (not the individual's own branch) to obtain cash
- Paying for goods or services at an ePOS terminal
- Purchasing goods or services on the internet or by phone using a credit or debit card
- Carrying out a transaction using an online bank account

4. Identity and authentication [7/13]
Activity 7.6 solution:
Using an ATM to obtain cash:
- We need to have the bank card: something we have.
- We need to know the PIN: something we know.
- Two factors are satisfied, so this provides strong authentication. Should the card be stolen, the thief would need to know the PIN.
Presenting a cheque to a bank teller (not the individual's own bank):
- To obtain cash, in general we need to have a cheque, a cheque book and a signed bank card relating to the same account.
- The cheque, cheque book and bank card only count as one authentication factor: something we have.
- The signature satisfies another authentication factor: something we know.
- So do we have strong authentication here?

4. Identity and authentication [8/13]
Activity 7.6 solution:
Presenting a cheque to a bank teller (not the individual's own bank):
- When the signature is examined by another human this is quite a subjective process.
- A signature is not very consistent and could easily be forged by someone else with a little practice.
- The case for strong authentication here is flawed: this is weak authentication. That is why banks may limit the withdrawal amount away from a home bank.
Paying for goods or services at an ePOS terminal:
- We need to have a payment card: something we have.
- We need to know the appropriate PIN: something we know.
- So this is strong authentication.

4. Identity and authentication [9/13]
Activity 7.6 solution:
Purchasing goods or services on the internet or by phone using a credit or debit card:
- We need to know the card and personal details (e.g. card number and type, validity dates and card security code): something we have.
- We are also normally required to give a Card Verification Value (CVV), specifically CVV2. CVV2 is the value printed on the card, which a thief would also need to know, so this is also something we have.
- Providing this value gives some assurance (but not proof) that we do have the payment card in our possession: something we have.
- The authentication is essentially single-factor, so this is weak authentication.

4. Identity and authentication [10/13]
Activity 7.6 solution:
Carrying out a transaction using an online bank account: practice varies between banks.
- In general we need to know the username and a password: something we know.
- We then need to enter a response to a personalised question: something we know.
- The authentication is essentially single-factor, so this is weak authentication.

4. Identity and authentication [11/13]
So achieving strong authentication is not always straightforward, with particular problems associated with those transactions where a card is not visible to the merchant or bank (card-not-present transactions)!
Any solutions?

4. Identity and authentication [12/13]
Some banks, for some accounts, provide additional security measures for use with online transactions. Examples include:
- Hardware tokens which are unlocked using a PIN and then used to generate one-time passwords: something we have and something we know.
- Personal card readers for use with a home computer. We need to have our bank card or token and know the corresponding PIN: something we have and something we know.
Such combinations of factors allow strong authentication to be achieved in a card-not-present transaction.

4. Identity and authentication [13/13]
Additional measures to increase security can be introduced as the technology develops further. The three original authentication factors can be supplemented by:
- where you are
- the patterns or behaviour of your account activity: changes in the normal pattern of usage or apparent behaviour of the card holder can indicate potential or actual misuse.
This gives the potential for five-factor authentication.
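Both this slide (location and behaviour of the card holder as extra factors) and slide 2 [5/7] (intrusion detection systems comparing current use with normal patterns of usage) describe the same technique: build a profile of what is normal, then flag departures from it. The following Python is an added example, not course material or a product's code: it builds a profile from a constructed transaction history for one card and returns the reasons a new transaction looks unusual. The history, thresholds (three standard deviations above the mean, two hours as the minimum plausible gap between transactions in different countries) and country codes are all constructed assumptions; a bank would tune these against real data.

```python
from statistics import mean, pstdev
from datetime import datetime, timedelta

# Constructed transaction history for one card holder (made-up values).
HISTORY = [
    {"when": "2015-03-02T09:15", "country": "GB", "amount": 23.50},
    {"when": "2015-03-03T12:40", "country": "GB", "amount": 41.00},
    {"when": "2015-03-05T18:05", "country": "GB", "amount": 15.20},
    {"when": "2015-03-07T10:30", "country": "GB", "amount": 62.75},
    {"when": "2015-03-09T13:55", "country": "GB", "amount": 30.00},
    {"when": "2015-03-11T17:20", "country": "FR", "amount": 48.90},
    {"when": "2015-03-12T11:10", "country": "GB", "amount": 27.30},
    {"when": "2015-03-14T15:45", "country": "GB", "amount": 35.60},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def build_profile(history):
    """Summarise 'normal' for this account: countries used, spend level, active hours, last event."""
    amounts = [t["amount"] for t in history]
    hours = [_parse(t["when"]).hour for t in history]
    return {
        "countries": {t["country"] for t in history},
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts),
        "hour_min": min(hours),
        "hour_max": max(hours),
        "last": max(history, key=lambda t: _parse(t["when"])),
    }


def flag_transaction(profile, txn, sd_limit=3.0, min_travel_hours=2.0):
    """Return the reasons a transaction departs from the profile; an empty list means it looks normal."""
    reasons = []
    t = _parse(txn["when"])
    # 'where you are': a country this account has never been used in
    if txn["country"] not in profile["countries"]:
        reasons.append("unfamiliar country")
    # spend pattern: well above the account's usual amounts
    limit = profile["amount_mean"] + sd_limit * profile["amount_sd"]
    if txn["amount"] > limit:
        reasons.append("amount far above usual spend")
    # time-of-day pattern: outside the hours this holder normally transacts
    if not profile["hour_min"] <= t.hour <= profile["hour_max"]:
        reasons.append("outside usual hours")
    # two countries too close together in time to be the same person
    last = profile["last"]
    gap = t - _parse(last["when"])
    if txn["country"] != last["country"] and gap < timedelta(hours=min_travel_hours):
        reasons.append("location change too fast after previous transaction")
    return reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for txn in [
        {"when": "2015-03-16T11:00", "country": "GB", "amount": 40.00},
        {"when": "2015-03-15T13:00", "country": "GB", "amount": 950.00},
        {"when": "2015-03-14T16:30", "country": "BR", "amount": 30.00},
    ]:
        print(txn, flag_transaction(profile, txn))
```

The output of flag_transaction() is a list of reasons rather than a yes/no, because the response differs: one weak signal might only trigger a step-up check (a one-time password, as on slide [12/13]), while several together justify declining the transaction and contacting the card holder.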

Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
  - Introduction
  - Data transfer by imprinting
  - Data transfer by magnetic stripe

5. Money in plastic [1/3]
- Payment cards seem indispensable to modern life for many people.
- Payment cards are covered by an extensive range of cross-referenced specifications from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- Payment cards should be usable anytime, anywhere.

5. Money in plastic [2/3]
When examining card features, we notice the mix of technologies used in payment and other cards over the years:
- The embossed letters and numbers were used to transfer data by mechanical imprinting.
- Magnetic stripes enabled data to be stored in binary, on tracks of magnetic material, sensed by a reading head.
- The electrical contacts on some cards are evidence of an onboard processor chip allowing data storage and processing.
- For contactless smart cards the connectivity to the outside world is by radio channel.

5. Money in plastic [3/3]


5.1 Data transfer by imprinting [1/2]
- Imprinting was achieved from embossed letters and numbers on the card.
- Travellers to different countries may find these features and the related processes used as supplementary security checks, for example when foreigners purchase goods abroad.
- The ISO/IEC 7811 series of standards includes the specification of embossed characters for cards having the ID-1 card format. ID-1 relates to the size of card commonly used for credit and debit payment cards.

5.1 Data transfer by imprinting [2/2]
During a point-of-sale transaction using this technology:
- The card was handed to a check-out assistant.
- The visible embossed card data was transferred on to a transaction slip using a machine called a PDQ imprinter. PDQ is usually taken to mean "process data quickly".
- Other details of the goods purchased and the price were added to the transaction slip.
- The customer signed it to complete the purchase.
In this process the retailer was responsible for checking the similarity of the card user's signature (previously written on to the card's signature strip) with that on the transaction slip.

Session Outline
Part 7: Banking on ICTs
- Introduction
- As safe as a bank
- Connecting securely
- Identity and authentication
- Money in plastic
  - Introduction
  - Data transfer by imprinting
  - Data transfer by magnetic stripe
    - ATM transactions using magnetic stripe cards

5.2 Data transfer by magnetic stripe [1/6]
- Data transfer using imprinting plus magnetic stripe data is still used widely in many regions.
- Magnetic stripe payment cards store, in one or more of the available tracks, a copy of the data embossed on the card and additional data that strengthens security.
- Magnetic stripe cards allowed electronic transfer of data between the card and an ePOS or ATM terminal.

5.2 Data transfer by magnetic stripe [2/6]
(Figure: layout of data tracks on an ID-1 format magnetic stripe card)
- Up to three tracks are normally provided on the magnetic stripe of payment cards. They are identified as tracks 1, 2 and 3.
- A card could contain fewer than three tracks, which explains the different widths of magnetic stripe: narrower stripes relate to the omission of an unused track.

5.2 Data transfer by magnetic stripe [3/6]
Activity 7.10: estimate how much data could in principle be stored on a magnetic stripe (only) card as represented by Figure 7.3. Assume that the full length of all three tracks is available for this purpose. Express your answer in bytes.

5.2 Data transfer by magnetic stripe [4/6]
Activity 7.10 solution:
- The table included in Figure 7.3 gives the data density for each track in bits/inch.
- The required storage capacity can be found by multiplying the length of each track by the data density of that track.
- The total storage is found by adding the values for each of the three tracks.
A magnetic stripe card has a very limited data storage capacity!

5.2 Data transfer by magnetic stripe [5/6]
Data on the magnetic stripe, represented by transitions in magnetisation, is sensed by a reading head when the card is moved relative to the head. The data stored in the magnetic stripe of a standard ID-1 payment card includes:
- A Card Verification Value 1 code (CVV1), used to support the authenticity of the card. Note the distinction between CVV1, which is recorded electronically on the card, and CVV2, which is printed on the card.
- A PIN Verification Value (PVV): an encrypted representation of the corresponding account PIN.

5.2 Data transfer by magnetic stripe [6/6]
What is a PVV?
- The PVV encoded on the magnetic stripe is created by the card issuer.
- The PVV combines the PIN with other account data.
- The process includes encryption and subsequent transformation using a one-way function to produce a fixed-length value (the PVV). The exact details of this process are secret to a card issuer.
- The PVV is used to verify the user-entered PIN when, for example, you are using a bank ATM.

5.2.1 ATM transactions using magnetic stripe cards [1/9]
Many of the detailed processes used by financial institutions are confidential and vary between institutions. The outline description that follows should be read with this in mind: in practice there could be additional intermediate stages of encryption and decryption.

5.2.1 ATM transactions using magnetic stripe cards [2/9]
- On presenting a card to an ATM, a user will be prompted to enter an account PIN using the terminal keypad.
- Information on the card's stripe is read, including the PVV.
- The two inputs (the user-entered PIN and the magnetic stripe data read by the ATM) are encrypted for transmission to the location of the bank's Hardware Security Module (HSM).
- The HSM is a tamper-resistant, physically secure environment within which critical encryption and other processes, including those associated with card authentication, are undertaken.

5.2.1 ATM transactions using magnetic stripe cards [3/9]
- On arrival, the incoming data is decrypted so that the entered PIN, the PVV and the related account data are recovered.
- The HSM ensures that a transaction will only be authorised if the correct PIN is entered.
- A PVV value is derived using the entered PIN, the card data and the same secret process originally used to create the PVV held on the magnetic stripe.
- The derived PVV can then be compared with the original PVV value for the related account. The original PVV could be stored in the bank's database, on the magnetic stripe, or both.
- If the derived PVV does not match the actual PVV, the transaction will be denied.

5.2.1 ATM transactions using magnetic stripe cards [4/9]

Why might a derived PVV differ from the original one?
If any of the input data used to create the derived PVV differs from the input data originally used to create the original PVV, then the derived PVV will not match the actual PVV and the transaction will be denied. For instance, entering an incorrect PIN would result in a failed attempt to access the required services.
The security of the PIN authentication process is dependent on the infeasibility of creating a derived PVV

5.2.1 ATM transactions using magnetic stripe cards [5/9]
Activity 7.9: we have described how, in an ATM magnetic stripe card transaction, a derived PVV (the processing of which involves the user's entered PIN in combination with other account data and a one-way function) is compared with the PVV for the account (stored on the magnetic stripe and in the bank's database). Plaintext PINs are not used as the basis of this comparison.
(a) Explain why a ciphertext representation (PVV) rather than a plaintext representation of a PIN should be used for the following:
(i) verification of PIN data within a bank's HSM
(ii) storing the PIN data on a magnetic stripe (only) card
(iii) storing the PIN data in a bank's database.

5.2.1 ATM transactions using magnetic stripe cards [6/9]

Part (a) solution:
(i) In a perfectly secure HSM, it shouldn't matter whether PVVs or PINs are compared. However, remember that where a one-way function is used to create a PVV, a correct PIN value could not be derived from a stored PVV for comparison with an entered PIN.
(ii) A PVV is a ciphertext representation of a PIN and so can be included in the encoded information on a card's magnetic stripe. If a PVV is accessed by a fraudster, the process used to create the PVV, which includes the use of a one-way function, should ensure that the PIN cannot be accessed. It would certainly be unsafe to include the plaintext version of the PIN within the magnetic stripe data.
(iii) Storing an account PIN in a bank's database would also be unacceptable. As a general principle, PINs and also passwords (such as one you might use to access your computer) are more securely stored as ciphertext.

5.2.1 ATM transactions using magnetic stripe cards [7/9]

Activity 7.9 (cont.): (b) Think about why payment card PINs are often just four decimal digits long (though in some regions up to six are allowed), whereas passwords for other purposes are often required to be longer. (Wouldn't you expect that a payment card PIN would need to be at least as long as passwords used for other purposes, especially as decimal digits rather than alphanumeric sequences are used?)

5.2.1 ATM transactions using magnetic stripe cards [8/9]

Part (b) solution:
- A four-digit PIN is relatively easy to remember.
- A PIN is normally used as something you know accompanied by something you have (a payment card), whereas a password is often used in isolation as something you know. Two-factor authentication is inherently stronger than single-factor authentication, so a short PIN is adequate.
- Also, when entering a PIN you are normally restricted to perhaps three attempts before the account is blocked by the bank. A fraudster's chance of getting it right would be approximately three in ten thousand.
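The PVV process of slides [3/9] and [4/9], the reasoning in Activity 7.9 (a) about never storing or comparing plaintext PINs, and the attempt limit from this solution fit together in one small piece of issuer-side logic. The following Python is an added example, not course material and not any issuer's or HSM vendor's actual algorithm: the slides say the real PVV derivation is secret to each issuer, so this example substitutes an HMAC-SHA256 keyed one-way function over the PIN and account number, truncated to a fixed length, which is an assumption. The key, account number, PIN length and the fixed output length are constructed for the example; only the three-attempt limit and the 3-in-10,000 figure come from the slides.

```python
import hmac
import hashlib

# Constructed issuer key for the example. In a bank this lives inside the HSM and never leaves it.
ISSUER_PVV_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PVV_LENGTH = 8        # fixed-length output, 8 hex characters here (assumption, not the real PVV format)
MAX_ATTEMPTS = 3      # slides: normally about three attempts before the account is blocked


def derive_pvv(pin, account_number, key=ISSUER_PVV_KEY):
    """One-way transformation of (PIN + account data) into a fixed-length PVV.
    The plaintext PIN cannot be recovered from the output, which is why the PVV, and
    not the PIN, may be written to the stripe and to the issuer's database."""
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        raise ValueError("PIN must be 4 to 6 decimal digits")
    material = "{}|{}".format(account_number, pin).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:PVV_LENGTH]


class IssuerHSM:
    """Stand-in for the bank's HSM: holds the key, re-derives and compares PVVs, counts failures."""

    def __init__(self, key=ISSUER_PVV_KEY):
        self._key = key
        self._failed = {}      # account_number -> consecutive failed PIN attempts
        self.blocked = set()   # accounts that exceeded MAX_ATTEMPTS

    def personalise_card(self, pin, account_number):
        """Card issuance: returns the PVV to encode on the stripe. The PIN itself is not stored."""
        return derive_pvv(pin, account_number, self._key)

    def verify_pin(self, entered_pin, account_number, stored_pvv):
        """ATM PIN check: derive a candidate PVV from the entered PIN and compare it with the
        stored PVV in constant time. Only the comparison result leaves the HSM."""
        if account_number in self.blocked:
            return False
        try:
            candidate = derive_pvv(entered_pin, account_number, self._key)
        except ValueError:
            candidate = ""            # malformed entry counts as a failed attempt
        if hmac.compare_digest(candidate, stored_pvv):
            self._failed[account_number] = 0
            return True
        self._failed[account_number] = self._failed.get(account_number, 0) + 1
        if self._failed[account_number] >= MAX_ATTEMPTS:
            self.blocked.add(account_number)
        return False


def guess_success_probability(attempts=MAX_ATTEMPTS, pin_digits=4):
    """Chance of guessing a PIN within the permitted attempts: 3 / 10,000 for four digits."""
    return attempts / 10 ** pin_digits


if __name__ == "__main__":
    hsm = IssuerHSM()
    account = "4000123456789010"          # constructed account number
    pvv = hsm.personalise_card("4821", account)
    print("PVV on stripe:", pvv)
    print("correct PIN:", hsm.verify_pin("4821", account, pvv))
    for wrong in ("1111", "2222", "3333"):
        print("wrong PIN", wrong, "->", hsm.verify_pin(wrong, account, pvv))
    print("account blocked:", account in hsm.blocked)
    print("guess probability:", guess_success_probability())
```

Two details carry the security argument from Activity 7.9: the account number is part of the HMAC input, so the same PIN on two accounts yields unrelated PVVs, and the comparison uses hmac.compare_digest rather than == so that timing does not leak how many characters matched.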

5.2.1 ATM transactions using magnetic stripe cards [9/9]
What about the embedded integrated circuit in a payment card?
To be discussed next week!