Survey on Authentication Mechanisms in eFinance and ePayment services

This survey is being launched by ENISA (European Network and Information Security Agency). Its purpose is to collect information about the eIDAS (electronic Identity and Authentication Systems) mechanisms used in e-Finance and e-Payment systems, analyse the risks associated with each eIDAS mechanism, and produce a Guidelines report with the best practices recommended to the main actors of this sector: financial institutions, merchants and payment service providers.
By participating in this survey you will have the opportunity to access the draft report, comment on it, influence its recommendations and begin implementing them early, improving the security of your services.
An important role of ENISA is to provide its stakeholders with guidelines on topics related to Network & Information Security (NIS) - especially those topics associated with the correct identification of users. Particular focus will be placed on informing the main stakeholders in the public sector on how risks are evolving and on proposing suitable mitigation strategies.
This project will concentrate on e-identity management risks in the financial sector: phishing, identity theft, session and identity hijacking, etc. Some financial institutions still do not consider the risk associated with the use of inadequate authentication mechanisms. This project will collect information about the amount of fraud borne by financial institutions and correlate it with the kind of authentication mechanisms implemented, so that they can evaluate the cost/benefit of implementing additional authentication mechanisms against an actual estimation of risk based on the survey analysis.
The goals of this project will be as follows:
  • Identify Authentication mechanisms used in financial and payment services, and the associated risks in collaboration with key stakeholders in the sector.
  • Summarise the results of this analysis in a common perspective.
  • Produce guidelines on the best identification and authentication mechanisms to be used to prevent identity theft or spoofing, based on the identified risks and some typical use cases.
  • Formulate key messages to the sector on improving policies and capabilities.
  • Disseminate the results.
1. Survey objectives
Identify electronic Identification & Authentication (eIDAS) mechanisms used in eFinance and ePayment services.
  • Most relevant one-step mechanisms
  • Nested / chain / multi-factor mechanisms
  • In the e-Banking applications, the application of eID mechanisms to different types of operations, e.g.: read data, modify credentials, money transfer, etc.
Identify characteristics of transactions / operations that share the same eIDAS mechanism, e.g.:
  • Scope: internal / external / international
  • Risk: identify value thresholds
2. Timelines and working methods
  1. The survey will run until 30th June 2013.
  2. During June and July a collection of Attack Patterns and their impact on the eFinance and ePayment service providers will be carried out.
  3. During August and September, the collected data will be compiled and summarised in a draft report.
  4. During October, a number of presentations and meetings will take place, in order to collect comments on the recommendations stated in the draft report.
  5. During November, those comments will be addressed in the production of the final report of the project.

