
Low Cost Enhanced 3D Secure Authentication Service

For ATM and POS


Presented By –

Md. Shafiuddin Russel


Network and Security Specialist,
Bank Alfalah Ltd.
MSc. Eng. System Security, BUP
CISA, CEH
Ph: 01714073692
Email: engrussel@gmail.com
Our Team Name

Eagles Idea
Project Objective
The objectives of our project are:
Analyze the present practices for ATM and POS authentication.
Explore the limitations.
Propose a new technique.
Prototype development and live demo presentation.
Background Analysis

It was Standard Chartered Bank (SCB) which introduced ATMs in Bangladesh. The first booth was set up at Dhaka's Banani in 1993.

ATM and POS machines are now becoming popular in our country.
Bangladesh Central Bank has taken the initiative to reduce the use of printed
money and is encouraging financial institutions to adopt secure plastic currency.

According to the survey, the total number of credit and debit cards in the
country’s banking system stood at 80,85,834 as of August 31, 2013,
while the banks had set up a total of 22,224 POS and 14,000 ATM machines
around the country. The numbers of credit and debit cards and POS
terminals are presumed to have increased much after the survey period.
NPS Statistic

Source : https://www.bb.org.bd/fnansys/paymentsys/natpayswitch.php
NPSB Comparative Number of Transactions

Mar-15, 366410
Apr-15, 455518
Jul-16, 734790
Aug-16, 865890
Some Fraud Scenarios
• News: bdnews24.com, Date: 14/02/2016, url: http://goo.gl/kgxKOa

“Skimming devices were planted in six ATM booths of three banks to steal card
information and create duplicates, Bangladesh Bank investigators have found”

• News: BD Business News, Date: 23/02/2016, url: http://goo.gl/zOXJQy

“Four people including a foreigner allegedly involved in an ATM skimming scam
have been arrested in Bangladesh capital Dhaka”

• News: bdnews24.com, Date: 18/05/2016, url: http://goo.gl/BwCNhQ

“After the arrest of a Chinese citizen over an ATM fraud, Prime Bank has said
two other foreigners, apparently Chinese, drew over Tk 500,000 from two other
booths in Dhaka”
Learning:

The number of frauds is increasing in parallel with the number of
transactions!
Internet of Things (IoT): number of connected devices worldwide from
2012 to 2020 (in billions)

https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
Where our System will work

N.B: The internet of things (IoT) is the internetworking of physical devices


Limitation of Present System
Core Reasons for Fraud:

1. Card PINs are static.
2. Magnetic stripes are easy to copy.
3. EMV chips are expensive.
4. NPS does not yet support EMV.
5. Not all POS terminals support online PIN.
6. Lack of awareness.

(Images: Magnetic Strip Card, Chip Card)
Learning

And 99% of card fraud incidents are either done by an insider or occur
during the authentication process!
How to Overcome

Dynamic OTP
A dynamic OTP is something which changes dynamically, varies
from customer to customer and from transaction to transaction, and has a
lifetime.
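A sketch of the dynamic OTP described above, added here as an example and not part of the original presentation: each OTP is bound to one customer and one transaction, expires after a lifetime, and can be used once. The class name, 6-digit length, 120-second lifetime, in-memory store and sample identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed OTP length
OTP_TTL_SECONDS = 120   # assumed lifetime; the slides give no value


class OtpService:
    """Issues OTPs bound to one customer and one transaction, valid for a limited time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._mac_key = secrets.token_bytes(32)   # protects the stored verifiers
        self._pending = {}   # (customer_id, txn_id) -> (verifier, expires_at)

    def _verifier(self, customer_id, txn_id, otp):
        # Store a keyed hash bound to customer and transaction, never the OTP itself.
        msg = "\x1f".join((customer_id, txn_id, otp)).encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def issue(self, customer_id, txn_id):
        # Each OTP comes from the OS CSPRNG, so no seed exists from which it could be regenerated.
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[(customer_id, txn_id)] = (self._verifier(customer_id, txn_id, otp), expires_at)
        return otp   # delivered out of band, e.g. SMS or e-mail

    def verify(self, customer_id, txn_id, otp):
        # pop() makes the OTP single use: one attempt, right or wrong, consumes it.
        entry = self._pending.pop((customer_id, txn_id), None)
        if entry is None:
            return False
        verifier, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(verifier, self._verifier(customer_id, txn_id, otp))


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("cust-1001", "txn-0001")   # constructed identifiers
    print(svc.verify("cust-1001", "txn-0001", code))   # True
    print(svc.verify("cust-1001", "txn-0001", code))   # False (already used)
```
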
But Some Problems Still Remain
• In the enterprise, an insider (sys admin) or malware can compromise the OTP
system.

• The Payment Card Industry Data Security Standard (PCI DSS) practices are
not usually maintained in the enterprise.

• RSA tokens are very expensive and difficult to maintain for an enormous
number of customers.
Our Proposed Mitigation Tech./System

1. Outsource the authentication process.

2. A common hub that supports ATM, POS, web or any other platform.

3. Maintain the PCI DSS standards.

4. Reduce the cost with a no-service, no-pay model.

5. Use different channels like SMS/e-mail for sending the OTP.

6. A complete audit trail.


• No OTP is sent for ATM or POS transactions.
• OTPs are randomly generated from a seed.
• The administrator has the option to change
the seed, or he can regenerate the OTP if he
knows the algorithm.
Our System Limitation
1. We have to depend on unstable and non-secure TCP/IP.

2. The network structure of Bangladesh is not so stable.

3. The mindset of enterprise stakeholders is not yet ready for outsourcing
the authentication process.

4. There is no concrete law for settling arbitration.


End
Magnetic Strip Card Architecture
