Maximilian Stark (mail@dakror.de), SS2020
As of: 18.07.2020
Payment Networks
Introduction
Payment process
- Debit
- Customer to merchant
- Merchant over processor to merchant bank
- Merchant bank to customer issuer bank
- Payment risk at issuer bank
- Credit
- Customer to merchant
- Merchant over processor to merchant bank
- Merchant bank over credit card issuer to customer bank
- Payment risk at credit card issuer
- Credit / Debit with Trusted Service Provider (TSP)
- Customer to merchant
- Customer to TSP
- TSP to merchant bank
- TSP to merchant
- NFC
Payment card types
- Magnetic stripe card
- track 3 for debit
- track 2 for credit
- Chip cards
- EMV (Europay, MasterCard, Visa)
- Contact & Contactless
- Smartphone / Token
- Encrypted PIN Pad (EPP)
- Keypad certified for payment process
- HW & SW security
- Alarm secured
Authentication
see here: https://dakror.de/uni/itsec.md [German]
- Multi-Factor
- Out-of-band
- Types
- 2-Factor Auth
- OTP: time based or event based
- 3D-Secure: XML-based SSL communication
- Authentication for eID systems
- Password-Authenticated Connection establishment (PACE)
- Terminal Authentication Version 2 (TA2)
- Passive Authentication (PA)
- Chip Authentication V2 (CA2)
- PKI
- User
- Registration Authority
- Certification Authority
- Validation Authority
- Merchant
- Digital Signature
- Qualified Digital signature
- eIDAS Regulation
- national IDs for all of EU
- European internal market for electronic signatures
Biometrics
- Body measurements and calculations
- Identification and access control
- Surveillance
- Types
- Physiological: static
- Behavioral: dynamic
- Process
- Enrollment: recording & analysis
- Verification: 1:1 decision
- Identification: 1:n decision
- Evaluation
- False Acceptance Rate
- False Rejection Rate
- Equal Error Rate
- Security levels (in descending order)
- DNA
- (hidden features)
- lifelong
- Iris, Face, fingerprint, behavioral
- (dedicated detection device)
- change over time
- spoofing
- Photo, identification
- (manual inspection)
- Inaccurate
- Morphing
- Human errors
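An added example (not from the original notes) of the three evaluation figures listed under Biometrics: FAR and FRR are computed for every candidate decision threshold over constructed genuine and impostor match scores, and the EER is the threshold at which the two rates meet.

```python
def far_frr(genuine, impostor, threshold):
    """FAR: share of impostor scores accepted (score >= threshold).
    FRR: share of genuine scores rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as the threshold and return
    (threshold, FAR, FRR) where |FAR - FRR| is smallest; at the EER they are equal."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


# Constructed similarity scores (0..1) for a 1:1 verification: genuine = same
# person compared with their own template, impostor = a different person.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.6, 0.55, 0.4]
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.45, 0.5, 0.65, 0.7]

if __name__ == "__main__":
    for t in (0.4, 0.6, 0.8):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        # Raising the threshold lowers FAR and raises FRR; the two trade off.
        print(f"threshold {t}: FAR={far:.3f} FRR={frr:.3f}")
    print("EER (threshold, FAR, FRR):", equal_error_rate(GENUINE, IMPOSTOR))
```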
Rapid DNA
- Verification only
- 90 min processing
- 1:1 trillion FAR/FRR
- mobile application
ABIS (Automated Biometric Identification System)
- Used at border control
- Mobile enroll station
- PC with internet
- Camera
- Finger scanner
- Optional iris scanner
- Printer
- Checks
- Camera
- Signature
- Fingerprint
Secure Smartphones and mobile Wallets
- TEE, ARM Trustzone
- OS Virtualization
- Secure Display
- Secure eID card reader
Mobile Wallet
- Scenarios
- Generic app-independent solution
- "Walled Garden", operator-centric, designated compatible apps
- One app one payment
- Operators
- OEMs: Apple Pay
- MNOs: MPESA (Vodafone)
- Trusted Service Providers: PayPal
- Applications
- Loyalty
- Identity management
- Service discovery
- Ticketing
- Money transfer
- Gaming
- Physical access
- Payment
Attacks and Cybersecurity
- Common security violations
- Breach of Confidentiality
- Breach of Integrity
- Breach of Availability
- Theft of service
- Denial of service
- Stakeholder risks
- Client side as most risky element
- Risk locations
- During authentication
- During transfer of value
- During storage
- Attack types
- Social engineering
- Password-based
- Encryption-based
- Sniffer
- MitM
- Phishing
- Compromised key
- Chip card re-engineering
- Application layer attack: Virus
- DoS
- VPNs: IPSec
- Hardware Security Module (HSM)
Global Payment Standards
- SEPA (Single European Payment Area)
- SEPA Direct Debit: payment for a service withdrawn (pulled) from the customer's account
- SEPA Credit Transfer: money sent (pushed) to the customer's account
- Communication via SEPA XML messages
- IBAN
- 2 digit country code
- 2 digit checksum
- up to 30 digit bank and account number
- Verification step
- Check valid iso country code
- replace the country letters by their alphabet position + 9, e.g. A -> 10, B -> 11, ..., Z -> 35
- move country digits and 00 to end of IBAN
- remove checksum at start
- Calculate $\mathrm{checksum} = 98 - (\mathrm{IBAN} \bmod 97)$
- compare checksum with original checksum
- SWIFT (Society for Worldwide Interbank Financial Telecommunication)
- Standardized communication between banks
- BIC (Bank Identifier Code), also known as SWIFT code
- Alternatives
- Ripple: Crypto
- INSTEX: EU
- CIPS: China
- SPFS: Russia
- PSD2 (Payment Standard Directive)
- EU directive
- Guidelines on provided information for authorization of payment institutions
- Payment institutions (PIS)
- Information service providers (AISPs)
- Electronic money institutions (EMIs)
- Competent authorities (CAs)
- Key points
- strict security requirements
- transparency
- rights and obligations
- RTGS (Real-time Gross Settlement)
- Continuous process of inter-bank payment settlement through central bank
- Use cases for large scale fund transfers
- No bundling with other transactions
- Immediate and irrevocable transaction
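The IBAN verification steps listed under SEPA above, implemented as an added example (this is not code from the original notes). It generalizes the notes slightly: letters anywhere in the bank/account part (as in UK IBANs) are converted with the same A -> 10 ... Z -> 35 rule as the country code, and the set of accepted country codes is a constructed subset; a real validator checks the full ISO 3166 list.

```python
import string

# Letter values as described in the notes: A -> 10, B -> 11, ..., Z -> 35.
LETTER_VALUES = {c: str(i + 10) for i, c in enumerate(string.ascii_uppercase)}

# Constructed subset of ISO 3166 country codes for this example; a real
# validator checks against the full list (assumption, not from the notes).
KNOWN_COUNTRIES = frozenset({"DE", "GB", "FR", "NL", "AT", "CH"})


def normalize(iban: str) -> str:
    """Drop the spaces of the printed 4-character groups and upper-case."""
    return "".join(iban.split()).upper()


def to_numeric(s: str) -> int:
    """Replace every letter by its two-digit value; digits are kept as they are.
    The notes only mention the country letters, but the same rule applies to
    letters in the bank/account part (e.g. 'WEST' in a UK IBAN)."""
    return int("".join(LETTER_VALUES.get(c, c) for c in s))


def compute_check_digits(country: str, bban: str) -> str:
    """Steps from the notes: put country code + '00' behind the bank/account
    number, convert letters, then checksum = 98 - (number mod 97)."""
    if len(country) != 2 or not country.isalpha():
        raise ValueError("country code must be two letters")
    n = to_numeric(bban + country + "00")
    return f"{98 - n % 97:02d}"


def is_valid_iban(iban: str) -> bool:
    """Verify format, country code and check digits of a printed IBAN."""
    s = normalize(iban)
    # 2 country letters + 2 check digits + up to 30 bank/account characters.
    if not (5 <= len(s) <= 34) or not (s.isascii() and s.isalnum()):
        return False
    country, given, bban = s[:2], s[2:4], s[4:]
    if country not in KNOWN_COUNTRIES or not given.isdigit():
        return False
    # Remove the original checksum, recompute it from the rest, and compare.
    return compute_check_digits(country, bban) == given


if __name__ == "__main__":
    for candidate in ("DE89 3704 0044 0532 0130 00", "GB82 WEST 1234 5698 7654 32",
                      "DE89 3704 0044 0532 0130 01"):
        print(candidate, "->", "valid" if is_valid_iban(candidate) else "INVALID")
```

The last candidate differs from a valid IBAN only in its final digit, which the check digits catch; the 97 check cannot detect every error, though, so it is a format check rather than proof that the account exists.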
Blockchain
Topics
- Basics
- Tokens
- Smart contracts
See here: https://dakror.de/uni/blockchain.md
The golden eight
- Authenticate & attest to value
- Transfer value
- Store value
- Lend value
- Exchange value
- Fund & Invest
- Insure value & manage risk
- Account for & audit value
Crypto and beyond
Money Flower: Taxonomy of money
- Universally accessible
- Electronic
- Central bank issued
- P2P
Central Bank Digital Currency (CBDC)
- Crypto-inspired central bank money
- Settlement assets for decentralized financial infrastructures
- Universal payment mechanism in a cashless economy
- IoT
- Cross border payments
- Wholesale vs Retail
Libra
- Backing of currency by real life financial assets
- private digital currency
- Global world payment system
- Sort-of blockchain
- Building blocks
- Blockchain
- Programming language: Move
- Replication of state
- Consensus mechanism
Certificates
- Company certificates
- ISO 9001
- Family of quality management systems
- Company standardization to fulfill customer & stakeholder needs
- ISO 14000: Environmental management
- ISO 27001: Plan-Do-Check-Act information security standards
- Product / Solution certificates
- Common Criteria for Information Technology Security Evaluation (CC)
- Standard for computer security specification
- Components
- Target of Evaluation
- Protection Profile
- Security Target
- Security Functional Requirement
- Security Assurance Requirements
- Evaluation Assurance Level
- NIST (National Institute of Standards and Technology)
- NIST Certificate of Calibration: Testing and calibration by NIST
- NIST Certificate of Compliance: Testing but no calibration performed
- Local Certificates
- CCC: China
- PIF / FIPS: USA
- VDS: Germany
- Payment Certificates
- EMV: technical standard for payment smart cards and card readers
- CAST (Compliance Assessment & Security Testing): standard for mobile payments
- PSD2