SESSION ID: IDY-W02
#RSAC
RISK-BASED APPROACH TO DEPLOYMENT OF OMNICHANNEL BIOMETRICS IN SBERBANK
Leyla Goncharenko, Risk-based authentication Product Owner, Sberbank
Anton Mitrofanov, Authentication Platform Chief Product Owner, Sberbank
Biometrics as a FinTech Trend
Source: Juniper, TOP 10 DISRUPTIVE TECHNOLOGIES IN FINTECH, 2016
Banks turn into digital platforms
Digital UX requires seamless and fast security: biometrics?
Biometrics is already trendy on mobile devices (FaceID, TouchID)
Banks are experimenting with different types of biometrics depending on the environment (Branch, Call Center, Mobile Apps, ATM)
Biometrics is becoming a part of government regulations and compliance
Biometrics is a "silver bullet" ..?
No need to take the IDs: biometrics is always with you
Biometrics aligns the customer experience across the service channels: ATM, Branch, Mobile Apps, Call Center
Getting the costs down for the branches and call center
.. Or a challenge?
What the banks face when implementing biometrics:
Privacy concerns
Liveness issues
Recognition accuracy
Enrollment is not equally secure
Complicated rules and a trust matrix are implemented to reduce the risks
Biometrics limitations
Recognition accuracy: accuracy in large volumes. The probability of a false accept for biometrics is always above zero (P = 0,999 vs P = 0,0001).
Is it alive? Biometrics is based mostly on image processing. How could we assure that it is a live person?
How to re-issue your biometrics? If your biometrics was stolen, how could we trust you?
Biometrics technologies security: Framework
From ISO/IEC 30107-1, inspired by a figure by Nalini Ratha from 2001 and Standing Document 11 of ISO/IEC JTC1 SC37.
Pipeline: Data capture -> Signal processing -> Comparison -> Decision, with Data storage feeding the comparison.
Attack points in the figure:
1 Presentation attack (at data capture)
2 Modify sample (between data capture and signal processing)
3 Override signal processing
4 Modify probe (between signal processing and comparison)
5 Override comparator
6 Modify biometrics reference (in data storage)
7 Override or modify data (between data storage and comparison)
8 Modify score (between comparison and decision)
9 Override decision
Biometrics technologies security: Attack examples
Biometrics scanners: spoofing (presentation attack)
Biometrics search engine: morphing (override comparator)
Enrollment process: profile stealing (modify biometrics reference)
Biometrics liveness detection
Interactive liveness: random user actions; «3D» models based on movements
Environmental liveness: recognition of display signatures; recognition of paper and phone/tablet forms
Scanner-based liveness: 3D models based on depth surface, temperature and pulse analysis; IR images
Authentication factors across the channels
Lessons Learned
Voice and face biometrics are easier to integrate and common for customers.
Behavioral biometrics is an additional invisible layer of protection.
Fingerprints and palm veins are good for physical access and trade acquiring.
Presentation attack detection is still a challenge: we see potential in multimodal liveness detection (e.g. face+voice or face+behavior).
Server-side processing provides an omnichannel approach, but you still need to estimate the risks.
On-device processing is still on our radar, as privacy concerns and regulations may change the world quickly.
RISK-BASED AUTHENTICATION AS UNIVERSAL SOLUTION
Risk-based authentication: Basic workflow
1. Score the action's risk level
•  Risk score
•  User behavior profile for anomaly detection
2. Select available auth factors
•  Define available auth factors
•  Check the IT environment for scanner availability
•  Select appropriate combinations
3. Define the necessary and sufficient challenge
•  Define the challenge based on the risk score
•  Factor i has weight Fi; the risk score is R; the challenge must satisfy Sum(Fi) - R = 0
4. Authenticate by the selected factors
•  Challenge the user by the selected factors
•  Confirm the user's identity
Measuring risks
Authentication data model:
•  Behavior profile
•  Environment data
•  End-point device fingerprint
•  Action data
Authentication measurement models:
•  Anomaly behavior
•  Change in environment
•  End-point device fingerprinting
•  Action risk scoring
Rule-engine decision maker:
•  Set thresholds for interpreting measurement results
•  Rules for combining results of measurements
•  Rules for including external data and model results
•  Decision-making conveyor
How to measure an auth attempt?
Supervised learning: based on appeals from customers or IDS/fraud incident detection
Unsupervised learning: user behavior profile for anomaly detection
Rule engine: a set of rules describing
•  known attacks/frauds
•  interpretation of outputs from models
Authentication measurement models
Inputs: behavior model, environment score, end-point score, factor weights. Output: overall score.
User behavior scoring looks at previously aggregated statistics of typical user actions.
End-point device scoring takes into account device attributes (model, S/N, hardware etc.).
Environment scoring is based on geolocation, network provider, IP.
The rule engine is a mandatory component of decision making for the risk-based approach: our approach is to use rules for interpreting the scores from the models.
Rule-engine for risk-based models
The rule engine is a mandatory component of decision making for the risk-based approach.
Rule engine used for:
Interpreting model scoring
Defining known attack/fraud cases
Selecting available and allowable authentication factors
Composing the final decision
How to measure an auth factor's trust?
Frequency of usage by the user: how usual is this factor for this user?
«Resistance» to compromising (based on experience): set by security experts based on best world practices and experience
Channel type: how secure is the channel of registration?
Attack statistics: how many security incidents with this type of factor?
How to measure a biometrics template's trust?
Biometrics template enrollment channel
Biometrics enrollment sample quality
Liveness detector score
Step-up template confirmation process
Enrollment environment risk score
Risk-based transaction verification
1. Financial transaction scoring
•  Transaction risk score
•  Authentication risk score
•  User environment, etc.
2. Is the transaction good? Yes: allow. No: decline. Not sure: go to confirmation of payment.
3. Confirmation of payment
•  What factors are available in this channel?
•  What factors are available for the user?
•  A supposed fraud case restricts the sufficient auth factors
•  What factor set is sufficient to ensure trust?
4. Models adjustment
•  Adjusting the transaction and authentication measurement models according to the confirmation result
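An added example, not Sberbank's code and not from the deck, working through step 3 of the basic workflow (factor i has weight Fi, the action has risk score R, the challenge must satisfy Sum(Fi) - R = 0) together with the confirmation-of-payment questions above: which factors the channel offers, which ones the user has, and which ones a suspected fraud case rules out. The factor names, weights and channel matrix are constructed assumptions.

```python
"""Challenge selection for risk-based authentication.

Added example, not Sberbank's code: it works through step 3 of the basic
workflow (factor i has weight Fi, the action has risk score R, and the
challenge must satisfy Sum(Fi) - R >= 0) together with the questions of the
"Confirmation of payment" step: which factors the channel offers, which ones
the user has enrolled, and which ones a suspected fraud case rules out.
Factor names, weights and the channel matrix are constructed assumptions.
"""
from itertools import combinations

# Assumed factor weights Fi: the "resistance to compromising" the deck says
# security experts assign. Higher means harder to defeat.
FACTOR_WEIGHTS = {
    "password": 1,
    "sms_otp": 2,
    "device_token": 3,
    "voice": 3,
    "face": 4,
    "palm": 5,
}

# Assumed matrix of applicability: which factors each channel can collect.
CHANNEL_FACTORS = {
    "mobile_app": {"password", "sms_otp", "device_token", "face", "voice"},
    "call_center": {"password", "sms_otp", "voice"},
    "atm": {"password", "palm", "face"},
}


def is_sufficient(factors, risk_score):
    """Sum(Fi) - R >= 0 for the given factor set."""
    return sum(FACTOR_WEIGHTS[f] for f in factors) - risk_score >= 0


def select_challenge(risk_score, channel, user_factors,
                     already_passed=(), excluded=()):
    """Pick the least intrusive extra factors that cover the risk score.

    risk_score      R from the action's risk scoring.
    channel         where the request arrives; limits collectable factors.
    user_factors    factors the user has enrolled.
    already_passed  factors satisfied earlier in the session (e.g. the
                    password at login); their weight counts toward R.
    excluded        factors a suspected fraud case forbids (e.g. sms_otp
                    after a SIM-swap alert).
    Returns a sorted list of factors to challenge: [] when nothing more is
    needed, None when the usable factors cannot reach R (decline).
    """
    covered = sum(FACTOR_WEIGHTS[f] for f in already_passed)
    if covered >= risk_score:
        return []
    candidates = ((CHANNEL_FACTORS[channel] & set(user_factors))
                  - set(excluded) - set(already_passed))
    # Necessary and sufficient: fewest factors first, then the lowest total
    # weight among sets of that size, so the user is not over-challenged.
    for size in range(1, len(candidates) + 1):
        best = None
        for combo in combinations(sorted(candidates), size):
            total = covered + sum(FACTOR_WEIGHTS[f] for f in combo)
            if total >= risk_score and (best is None or total < best[0]):
                best = (total, list(combo))
        if best is not None:
            return best[1]
    return None


if __name__ == "__main__":
    # Purchase abroad from the mobile app after a password login, with a
    # SIM-swap alert ruling out SMS codes: the engine asks for face instead.
    print(select_challenge(3, "mobile_app", ["password", "sms_otp", "face"],
                           already_passed=["password"], excluded=["sms_otp"]))
```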
RBA: Typical transaction
A legitimate user makes a typical transaction in the banking mobile app.
RBA checks the pre-requisites against the current operation pattern:
Login+pass: entered correctly from the first try
Device "fingerprint": known device with good background info
Geolocation, IP address, etc.: typical geolocation and IP address
Behaviour pattern: typical behavioral pattern
Transaction metadata: typical transaction
Metadata from the other systems: no red flags from the other systems, e.g. SIM card never switched, mobile number never changed, no SIEM alerts, etc.
User risk: low. Transaction risk: low.
Action: allow transaction
Result: transaction allowed with no additional actions from the user
RBA: Step-Up and De-escalation
A legitimate user makes a purchase abroad.
RBA checks the pre-requisites against the current operation pattern:
Login+pass: entered correctly from the first try
Device "fingerprint": known device with good background info
Geolocation, IP address, etc.: non-typical geolocation and IP address
Behaviour pattern: typical behavioral pattern
Transaction metadata: new transaction type, but no fraud signs detected
Metadata from the other systems: no red flags from the other systems, e.g. SIM card never switched, mobile number never changed, no SIEM alerts, etc.
User risk: low or medium. Transaction risk: medium.
Action: allow transaction or request step-up using an additional factor
Result: transaction allowed after two-factor authentication
RBA: Fraud Prevention
A fraudster attempts to make an illegitimate transaction.
RBA checks the pre-requisites against the current operation pattern:
Login+pass: entered correctly from the first try
Device "fingerprint": new device, no background or red flags
Geolocation, IP address, etc.: non-typical geolocation and IP address
Behaviour pattern: non-typical behavior
Transaction metadata: risky transaction and/or fraud signs
Metadata from the other systems: red alerts from the other systems, e.g. a new mobile number was added recently
User risk: high. Transaction risk: high.
Action: request step-up using an additional factor
Result: transaction denied because of authentication failure
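The three scenarios above as an added example (not Sberbank's code): a small rule engine that turns the listed prerequisites into a user risk level, a transaction risk level and the action from each slide, then applies the step-up result. Signal names, rule points and thresholds are constructed assumptions.

```python
"""Rule engine for the three RBA scenarios on the slides (typical
transaction, step-up and de-escalation, fraud prevention).

Added example, not Sberbank's code. The prerequisites the slides list (login,
device fingerprint, geolocation/IP, behaviour pattern, transaction metadata,
metadata from other systems) become boolean signals; a small rule set turns
them into a user risk level, a transaction risk level and the action from the
slides: allow, request a step-up with an additional factor, or deny when the
step-up fails. Signal names, rule points and thresholds are constructed.
"""

# Rules: (name, predicate over the signal dict, risk points when it fires).
USER_RULES = [
    ("login_retries", lambda s: not s["login_first_try"], 1),
    ("unknown_device", lambda s: not s["device_known"], 3),
    ("device_red_flags", lambda s: s["device_red_flags"], 3),
    ("atypical_geolocation", lambda s: not s["geo_typical"], 2),
    ("atypical_behavior", lambda s: not s["behavior_typical"], 3),
    ("other_systems_alert", lambda s: s["other_systems_alert"], 3),
]
TRANSACTION_RULES = [
    ("new_transaction_type", lambda s: s["transaction_new_type"], 2),
    ("fraud_signs", lambda s: s["fraud_signs"], 4),
    ("atypical_geolocation", lambda s: not s["geo_typical"], 1),
]


def risk_level(points):
    """Assumed thresholds for interpreting a measurement result."""
    if points <= 1:
        return "low"
    if points <= 4:
        return "medium"
    return "high"


def evaluate(signals):
    """Score one authentication attempt and choose the RBA action."""
    user_hits = [(n, p) for n, cond, p in USER_RULES if cond(signals)]
    tx_hits = [(n, p) for n, cond, p in TRANSACTION_RULES if cond(signals)]
    user_risk = risk_level(sum(p for _, p in user_hits))
    tx_risk = risk_level(sum(p for _, p in tx_hits))
    # Rule composing the final decision: only a low/low attempt passes
    # silently; anything else needs an additional factor.
    action = "allow" if (user_risk, tx_risk) == ("low", "low") else "step_up"
    return {
        "user_risk": user_risk,
        "transaction_risk": tx_risk,
        "action": action,
        "fired_rules": [n for n, _ in user_hits] + [n for n, _ in tx_hits],
    }


def decide(signals, step_up_passed=None):
    """Final outcome, 'allowed' or 'denied'.

    step_up_passed is the result of the additional factor when one was
    requested (None when the user was never challenged). A passed step-up
    de-escalates the attempt; a failed or missing one denies it.
    """
    verdict = evaluate(signals)
    if verdict["action"] == "allow":
        return "allowed"
    return "allowed" if step_up_passed else "denied"


# Constructed signal sets reproducing the three slides.
TYPICAL = {
    "login_first_try": True, "device_known": True, "device_red_flags": False,
    "geo_typical": True, "behavior_typical": True,
    "transaction_new_type": False, "fraud_signs": False,
    "other_systems_alert": False,
}
PURCHASE_ABROAD = dict(TYPICAL, geo_typical=False, transaction_new_type=True)
FRAUD_ATTEMPT = dict(TYPICAL, device_known=False, geo_typical=False,
                     behavior_typical=False, fraud_signs=True,
                     other_systems_alert=True)

if __name__ == "__main__":
    for name, s in [("typical", TYPICAL), ("abroad", PURCHASE_ABROAD),
                    ("fraud", FRAUD_ATTEMPT)]:
        print(name, evaluate(s))
```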
Unified authentication platform concept
Authentication platform's API, consumed by the bank's systems, channels, ACS and partners
Biometrics management subsystem
Basic authentication subsystem
Analytics and decision subsystem
External models and data sources
Factors: pwd, otp, token, face, voice, palm
Key principles: universal id; action's risk measurement; dynamic challenge selection; multifactor authentication; multimodal biometrics
Biometrics role: additional trust factor for ID; one of the many authentication factors; comfortable tool for end-users
Next steps for application
Identify and categorize all the authentication options used
Identify all channels where authentication is needed
Create a matrix of applicability for channels and auth factors
Set weights for auth factors in each channel
Biometric tuning is a must
Integrate biometrics with IAM and fraud-monitoring solutions
THANKS! QUESTIONS?
Anton Mitrofanov, admitrofanov@sberbank.ru
Leyla Goncharenko, lkhgoncharenko@sberbank.ru
