M-IDentity - For a maximum protection , and a high level of user-friendliness.
Secure payment through M-IDentity
Ever new threats render e-banking unsafe. A better way to protect users is the deployment of mIDentity as chip card reader with integrated mobile Internet browser. Man-in-the-middle attacks can be used to outfox traditional security solutions such as the twofactor authentication systems commonly used by banks inside and outside Switzerland. Printed TAN lists, indexed TAN lists, tokens with altering or cryptographically calculated codes are all at hazard. The man-in-the-middle does not become active until an e-banking or another interesting website is called up. Whenever that happens, it hits home. According to the latest information available to MELANI, one of two scenarios begins to unfold: Either the user is referred to a bogus bank website, or the attacker manipulates the data shown in the browser. The chip card, which includes a custom PKI certicate, provides additional safety. The M-Identity is not functional until it has been inserted. In order to gain access to the M-BancNet, a given user must moreover show identication, using a PIN code known only to the user.
A Mobile and Secure Solution
In face of todays threats, the M-Identity solution is considered by many experts an auspicious e-banking system. Since the clientele of Migros Bank includes a high number of private customers, an important characteristic of the new system is, of course, its user-friendliness in addition to the highest possible degree of security and a low overhead. According to its spokesman Albert Steck, Migros Bank is convinced that the M-IDentity is easy to handle. The fact that M-Identity can be used with any major operating system, including Windows, Linux, or MacOS X, suggests as much.
With M-IDentity, our customers are getting the technologically most advanced log-in process in internet banking, said Stephan Wick, Member of the board at Migros Bank. Browser on the Stick
Naturally, new, safer solutions for e-banking are already available that deect the current threats. Migros Bank introduced one of them in mid-January of this year. It is the rst Swiss bank to send in mid2008 a mIDentity to every user of the M-BancNet, replacing the two-step log-in process previously used. The new system bears the name M-Identity, and includes a chip card reader, a chip card in SIM format, and a ash memory. The ash memory of the MIdentity contains a specially secured Internet browser. When plugging the stick into the USB port of the computer, the browser will automatically start and navigate the user directly to the preset e-banking platform. In other words, all processes involved are run on the M-Identity, and do not require the use of any of the computers resources, which may or may not be infested.

The Secure Browser

At the core of the e-banking solution is the secure browser, located in a read-only area. Together with the physical separation from the computer, this browser is what actually protects you from the man-in-the-middle. To this end, a special browser is used. Migros Bank, and with it KOBIL, uses a customcongured browser within its system.

About KOBIL KOBIL Systems stands fo r secure dat a and secure communi cation on every computer w orldwide. Business or personal use KOBIL offers securi ty to everyone. The technol ogy market leader i s setting new standards and is deemed to be a trendsetter with products such as the mIDentity, the worlds smal lest bank an d offi ce on 16.94 square centi meters onl y. KOBI L te chnology, enabl ing new busi ness model s, is used by numerous compani es such as Deutsche Tel ekom, Swisscom, Arcor/Vodafone, T-Systems, Commer zbank, Mi gros Bank, Rothschil d Bank , Yapi Kredi, Isbank as well as the German Parl iament, and the German Federal Offi ce for Inform ation Securi ty (BSI). KOBIL Systems GmbH, founded in 1986 by Ismet Koyun, is headquartered in Worms, Germany. Media Contacts KOBIL Systems GmbH Headquarters * Salim Gler * Pfortenring 11 * 67547 Worms Phone: +49 (0) 62 41- 30 E-mail: salim.gueler@kobil.com
Vice President Business Development * Germany * Fax: +49 (0) 80 * www.kobil.com
With RTC mobile e-banking-security solution from one source
Mobile online banking: RTC enhances service with authentication solution mIDentity from KOBIL
Bern / Worms, October 30th, 2008. On the Finance Forum (November 4-5, 2008 in Zurich) http://www.finance-forum.com/ RTC will introduce the new mobile security solution for online banking. In the context of a strategic partnership between RTC and KOBIL RTC will enhance its service with the authentication solution mIDentity from KOBIL. With a bank office in pocket form, the mIDentity of KOBIL Systems, RTC now offers its well proven onl ine portal CyberIBIS wi th a s trong aut hentication. With mIDenti ty RT C now has a platform independent non-install solution in its portfolio. With this smart card based solution RT C offers even more comfort and security, powered by KOBIL. This high security solution within the framework of the RTC security infrastructure can now be used within Sw itzerland an d ev en w orldwide to improve the security of online transaction of banks and financial service providers substantially. The RTC/KOBIL mIDentity solution ensures a security level in the field of online banking in w hich f or t he f irst time ban king cu stomers, amongst them an in creasing number of mobile u sers, can t rust in perf ect secu rity wh en u sing th eir appl ications. T his mobile security solution has alread y been adopted by numerous fi nancial institutions wi thin Europe. Thanks to the partnership with RTC, KOBIL is now able to reach bank customers within Switzerland even better. Ismet Koyun, Founder & CEO of KOBIL Systems stated. About RTC RTC Real-Time Center AG, www.rtc.ch, is a servi ce centre for banks and other fi nancial services pr oviders. The centre of excellence for fully m ature banking solutions offers a comprehensive portfoli o of products and se rvices. This encompasses banking software, desktop and system m anagement solutions, print and despatch services as w ell as integrated solutions. In addition, RTC offers IT outsourcing services that provide optimum support to banks core expertise in all areas. Today, with its IBIS banking platform, RT C is the e xperienced and professional partner of ch oice f or ban king sof tware an d complet e ou tsourcing solu tions in Sw itzerland. Wit h IBIS, RTC relies on the integrated depiction of all mission-critical banking processes, the use of state-of-the-art business rule and wo rkflow engines and total s upport of b usiness process outsourcing pa rtners. Ove r a period of more than 30 years, the IBIS banking platform for universal, retail and asset manag ement banks has grown to become a comprehensive, fully-featured solution, a third-generation integrated banking solution.

KOBIL meets Microsoft: Bill Gate s gives a lecture in Munich on Internet security and mentions mIDentity as a positive example. KOBIL achi eves an 80 % market share in the Tu rkish e-banking sector. Th e largest credit in stitutions, n amely Y apiKredi an d Isbank, rely on technology provided by KOBIL. UBS, Com merzbank and other international banks place their faith in the innovative technology produced by KOBIL Systems. Ismet Koyun wins one of the leading Swiss retail banks as a customer. Migros Bank opts for the use of mIDenti ty as an ebanking solution. KOBIL continues to build strategic partnerships in Europe in the ba nking and industrial sector. Nomination for the TeleTrust Innovation Award by Migros Bank.
CentralCreditCommitteeoftheGermanbankingindustry DeutscheGenossenschaftsVerlagderVolksundRaiffeisenbanken 6 TheprizeisawardedonanannualbasistousersinEuropewhohaveintegratedinnovativeandtrustworthy applicationsintheircompany'selectronicbusinessprocedures
Founder and CEO Ismet Koyun

KOBIL References

Worldwide usage of KOBIL mIDentity as high secure mobile data storage for employees. Payment Application in Corporate Banking Portal Secure Online Banking for ALL 120.000 customers (Retail and Corporate) Secure Online Trading (Pilot) Secure Online Banking (Pilot)
Secure Online & Offline Transactions using KOBIL mIDentity with PKI Smartcards and Document Signature
Secure Online Banking (Pilot)

Images & Graphics

o Screenshots o Images o Graphics

Screenshots

User friendly and secure e-Banking with mIDentity

KOBIL Products

Migros Bank M-IDentity

Commerzbank m-IDentity

Smart Card Reader
YAPI KRED KURUMSAL NTERNET BANKACILII
nternette dokunulmazlnz var!

SMART BANKING

444 | www.yapikredi.com.tr

KUTUDA NE VAR?

1 adet Midentity cihaz (Demo cihazda ykldr). 1 adet USB docking cihaz.

SSTEM GEREKSNMLER

Smart Banking kullanm iin bilgisayarnzda aadaki yazlm ve donanm bulunmaldr: letim sistemi olarak Windows XP SP2, Windows 2000 SP4 ve Windows Vista kullanabilirsiniz. Bilgisayarnzn CD okuyucusu otomatik altr desteklemeli. Desteklemiyorsa, ilgili ayar yapmak iin bir bilgiilem uzmanndan destek alabilirsiniz. Bilgisayarnzn kullanma ak USB portu olmal. Yksek hzda kullanm iin USB 2.0 portunu kullanabilirsiniz.
Smart Banking PKI altyaps zerine kurulmu Smart Kart zellikleri. Dijital imza atmaya imkn veren teknik zellikler. Ek ifre gerektirmeyen tek bir al ifresi. Ek kurulum gerektirmeyen tak, altr mant ile kolay kullanm. Mini USB bellek bykl sayesinde her yere tanabilirlik. USB data saklama cihaz olarak da kullanlabilme.

"Our period of being in the red ended two years ago and that's how it should stay".
"If you take me out of the company, it would lose its soul", he states assuredly. Ultimately he could have taken the easier route to the stock market in 2000 and collected 500 million Euro. "I chose the difficult path. And I'm glad not to have played along. Kobil should be a model company - a medium-sized business with a chief executive officer. I believe this to be correct, which is why I work around the clock. My motivation is not the money. For me it is important to set the trends", states Koyun.
Whether he will continue to do that in Germany, however, is in question. For medium-sized companies in Germany it is very difficult to raise funds. "Investors are not as plentiful here as they are in the United States. If a company there had reference customers like we have, it would be able to get money easily. There is no interest in vision here", says Koyun, who is contemplating relocating his company headquarters. "That is a possibility. Particularly as we are already generating more than half of our
turnover from abroad." His preference is leaning towards Switzerland: "I have the utmost respect for Switzerland and how the country has managed to achieve its position with just a few million people. The Swiss must tick differently and work differently to others. That impresses me. We will set up a subsidiary there to start off with", states Koyun. HOLGER SCHMIDT
MOBILE & SECURE ONLINE BANKING

Security on the move

Ismet Koyun*
Security concerns are one of the biggest obstacles preventing bank customers from making online banking transactions. Secure online banking is one of the major challenges facing the increasing importance of e-commerce worldwide. Fraudsters are becoming more and more impudent in their attempts to spy on bank customers passwords, using trojans, phishing, pharming and man-in-the-browser attacks. While user identification with the still used PIN/TANprocedure represents a big risk, a smart card and certificate-based user authentication offers the highest security standard. This kind of user authentication has been standardised in Germany as HBCI/FINTS. The necessity of a card reader, however, makes this procedure highly restrictive for users when carrying out their banking operations. According to a study conducted by Forrester Research, only 30% of all Europeans using the internet believe that important personal information such as data from credit card accounts is always secure in online transactions. The study showed that in future, banks will have to face up to their customers fears that online banking holds unacceptably high security risks. Only in doing so will they be able to win more users for online banking and keep their existing customers. SAFETY NET Potential online banking users fear of fraud is justified. Traditional user identification procedures with PINs and TANs have many weak points and offer criminals numerous points of attack. Since the first phishing attacks began in 2004, fraudsters falsified emails are now looking more and more 22 authentic, thus making it difficult to distinguish false bank websites from real ones. Banks have introduced indicated transaction numbers (iTAN) during an online bank transfer the computer tells the user which TAN from a list they have to use. This procedure protects against phishing, but not against trojans, with which criminals still can spy on passwords. Despite the well-known risks, the majority of internet users in Germany (72% according to a current W3B-survey) are still using paper-based PINs/TANs for their online banking operations. Approximately 30% use the iTAN alternative. The most secure procedure for online banking a smart card and certificate-based user authentication is only used by approximately 6% of online banking customers. For this procedure, the customers need a smart card reader, which has to be installed between keyboard and computer. With the help of the smart card, the user authorises himself to the banks computer and is therefore safe from password theft through phishing, trojans and other attacks. Especially with this future-oriented technology and a secure smart card reader, there is no longer any chance for phishing. All banks should implement a smart card function and in the long term make it available to all their customers for all transactions, says Olaf Jacobsen, security and online banking expert at the German Association of Volks-und Raiffeisenbanken in Berlin. One of the biggest obstacles for customers today is the need to purchase a smart card

T H E F I N A N C I A L - i G U I D E T O I N F O R M AT I O N S E C U R I T Y
reader, which has to be connected to the computer and so restricts those who want to carry out banking operations on the road. With conventional smart card solutions, software has to be installed on the computer to be able to prepare transactions offline. Again, the user is bound to their home computer. To meet users demands for carrying out transactions anywhere, any time, KOBIL Systems developed KOBIL mIDentity. The solution consists of a smart card reader with an integrated SIM-card sized smart card and a flash memory, on which the Mozilla Firefox browser has been preloaded as a CD-ROM image. It is set up so that the internet address of the bank is configured in mIDentity and cannot be changed. Bank customers therefore cant be diverted to false websites. No driver or software has to be installed on the computer, as the browser automatically starts after mIDentity is plugged in. TRAVELLING LIGHT Bank customers are, therefore, completely flexible and mobile and still absolutely secure. Another advantage is the significantly reduced quantity of bank support, as all settings are preconfigured and the user works in a read-only area, where he cannot change anything by accident or deliberately. Customers can start their online banking transactions immediately. The smart card the bank supplies to their customers has all the necessary keys and certificates for authentication already integrated, guaranteeing secure banking. The Mozilla Firefox browser on mIDentity also includes a list of trustable CAs, with which the certificate of the bank is checked. To be able to see account data, SSL authentication from both sides is needed. The bank website is verified with the certificate of the bank on mIDentity. The bank server then checks the identity of the bank customer. If both authentication processes are successful, a secure communication, via SSL
encoding, between bank server and customer will be set up allowing the customer access to their account. At first, however, customers are limited to a readonly authorisation for the account data. To carry out transactions a digital signature is needed. After the bank customer has filled in the transaction data, they confirm this with a digital signature. To do so, a private user key has been saved on the mIDentity smart card. This private key signs the transaction and sends it to the bank. While the bank customer only has to fill in their PIN, the signature of the transaction is automatically carried out by the smart card. In this way, the customer and the bank can be sure that the transaction is only carried out by the authorised customer and that the content has not been manipulated. Customers can prepare transactions offline without connecting to the internet. They only have to plug in their mIDentity to the USB port of any computer and then insert their data into the self-opening Mozilla Firefox browser. They can prepare several transactions and sign them offline. As soon as they are online, they can send the prepared transactions to the bank. With conventional procedures, users have to install special software on their computer to be able to do offline preparation of transactions. With the mobile KOBIL mIDentity solution, bank customers have the software on their smart card reader, which means they can easily make secure online bank transfers from any internet cafe, for example. With the integrated flash memory, users can encrypt their data and access it anywhere, any time. The card reader can be loaded with many applications making it suitable as a secure solution for many company applications as well. *Ismet Koyun is founder and CEO of KOBIL Systems. www.kobil.com 23

concerned. Kobil has developed a mechanism for the occasionally required browser updates by which it claims new software versions may be "securely" installed. The USB device with smart-card will verify the new contents' signature. According to Kobil, it is thus possible to also use the system in very secure environments. If USB ports are disabled, the MIDentity stick may be specifically enabled as the only permitted device if necessary even at serial number level. Because the stick is "read only" and the integrity of updates will be verified, data cannot be smuggled out or viruses brought in. Low support requirements The payment transaction application on the Commerzbank's corporate customer portal has been in use for three-quarters of a year. Of the many benefits that the new system delivers, the distributed particularly signature popular function appears The with customers.
Commerzbank says that experience with the MIDentity platform is generally positive. The number of support queries was pleasantly low and focused primarily on customers' specific proxy constellations. The many different kinds of customer environments meant that sometimes the system wasn't able to recognize all proxy network settings. But these problems have been solved with a new version. Generally, the support required during the one-off initialization of the EBICS solutions was less with the Kobil system than, for example, with conventional electronic-banking client-server products. Which, as the IT department at the Commerzbank explained, is simply due to the fact that the m-IDentity system requires no installation.

Case Studies

Migros Bank M-IDentity e-Banking security solution by KOBIL
Page 1 of 7 Case Study Migros Bank 14.10.2008
M-IDentity: secure e-Banking
In response to the ever increasing phishing attempts and fraud on the Internet1, the Migros Bank has become the first Swiss bank to offer its M-BancNet customers the new e-Banking technology of MIDentity. The high security and great user-friendliness that the M-IDentity device offers is impressive. The technology is mobile and easy to use. Due to the fact that customers don't have to install any computer software, they are able to just connect the USB stick to any PC when they wish to access the MBancNet system. The solution was developed by KOBIL Systems, a German IT security provider based in Worms. The Migros Bank is the first bank in Switzerland to provide the M-IDentity device to all its e-Banking customers. The M-BancNet system is available free of charge.
What's so innovative about M-IDentity?
The M-IDentity device delivers protection through a hardened browser Communication between Java applets on the M-IDentity device and the chip card from the Migros Bank is encrypted All activities with the chip card, e.g. e-banking transactions, are signed The M-IDentity device works with conventional operating systems, e.g. Windows, Linux and MacOS

According to BITKOM, fraudsters in Germany withdrew around 13 million euros from victims' accounts in 2006. The figures for the first half of 2007 do not give any cause to be any less vigilant.
Page 2 of 7 Case Study Migros Bank 14.10.2008

What does that mean?

Hardened Mozilla Firefox browser The M-IDentity system uses a version of Mozilla Firefox that has been specially developed for the Migros Bank and which has two features that make e-Banking secure. The browser starts automatically
with the Migros Bank's e-Banking Web site (it's not necessary to enter any Web addresses). It's not possible to enter a different Web address this protects the browser against attacks and viruses from the Internet.
The browser is closed, the cache is emptied and cookies deleted when the M-IDentity device is removed from the computer's USB port. This ensures that no-one is able to access the eBanking user's data.
Encrypted communications Communications between the Java applications installed on the M-IDentity device (e.g. login and transaction) and the Migros Bank's chip card are encrypted. So if a fraudulent attack is made, the intruder will not end up with anything useful. Signing of activities All activities with the chip card, e.g. transactions, are signed. This authorizes the users.
Page 3 of 7 Case Study Migros Bank 14.10.2008

Using M-IDentity

Page 4 of 7 Case Study Migros Bank 14.10.2008
Page 5 of 7 Case Study Migros Bank 14.10.2008

About KOBIL:

KOBIL stands for secure data and secure communications on computers anywhere in the world. KOBIL provides protection to everyone both private and commercial users. The company is the technological market leader and is setting new standards with its developments. Its products, e.g. the mIDentity solution, the with 16.9 cm smallest bank branch in the world, have resulted in KOBIL being regarded as a trendsetter. KOBIL Systems GmbH has been an internationally leading supplier of IT security technologies for digital identities for over 20 years. IT security solutions by KOBIL are mobile, flexible and user-friendly. KOBIL is the world's only manufacturer to offer an entirely developed range of products. As a pioneer in the areas of cryptography, smart-card technology and PKI ( = digital certificates ), KOBIL now provides products that are today the recognized standard for digital identities and highly-secure data technologies. KOBIL applications comply with such internationally recognized standards as EMV-CAP, ISO 7816, ISO 9001 and the German signature act. KOBIL products also support all commercially available technological standards. These standard-friendly security developments make it very easy and fast to integrate the company' solutions into any IT infrastructure. Many businesses work with KOBIL's technologies: e.g. Deutsche Telekom, Swisscom, Arcor, T-Systems, DATEV, Commerzbank, Migros Bank, YapiKredi and Isbank as well as the German parliament, the ZDF television channel and the Bundesamt fr Sicherheit in der Informationstechnik (BSI Federal Office for Information Security). Contact details: KOBIL Systems GmbH Headquarters * Salim Gler * Vice President Business Development Pfortenring 11 * 67547 Worms * Germany Phone: +* Fax: +3004 - 80

Benefits

Reduces integration and management costs Supports signing of text based content in an IdenTrust compliant format Enables easy management of applications on the token Allows updates to the token to be distributed instantly to an entire population without cost Provides the greatest level of protection without compromising individual privacy Accelerates IdenTrust compliant certification of any application Delivers Zero-Foot Print Technology: - no trace on guest PC - admin rights not required

The IdenTrust Trust Gate

The IdenTrust Trust Gate token combines the power of the IdenTrust globally, interoperable identity Rule Set with a secure browser, two-factor authentication, and a hardened smart card interface onto a user friendly USB Token. By integrating these elements into a single device, IdenTrust (along with its technology partners) has created a solution that provides defense against MITB and other forms of attacks. As illustrated below, the solution also lays the foundation for defending against future threats that may evolve in the wild.
THREATS VS COUNTER-MEASURES
Operating System Exploits:
Threats - Level of Sophistication/Risk
Root Kits System Files/Registry Network Stack Direct UI Manipulation PKI Token Sniffers

Trust Gate

Advanced exploits appearing in-the-wild

Non IdenTrust

Man-in-the-Browser Exploits:
BHO, Plug-ins, Browser Modification
Portable Device Version 1
Secure Browser with PKI Credential and IdenTrust Signing Interfaces (WYSIWYG)
Portable Device Future Version
Secure Virtual Machine + Secure Browser with PKI Credential and IdenTrust Signing Interfaces (WYSIWYG)

Rogue Software:

Trojans Viruses Spyware Key-Loggers
Attacks in-the-wild on the rise

One Time Password

PKI Credentials

Site Exploits:

Phishing, Pharming, Man-in-the-Middle
Minimal protection against all Threats

Username Password

or on Hardware or Software Devices Running on mobile device (USB Token) Running on mobile device (USB Token)
Challenge Response Devices
Counter Measures - Level of Mitigation
The IdenTrust Trust Gate token contains all the necessary components for creating a digital signature and performing two-factor authentication. Trust Gate delivers both the application(s) and necessary drivers, eliminating the need for either software installation and/or administrative privileges. Digital signature and two-factor authentication is provided by the on-board smart card which holds the users bank-issued IdenTrust Identity and other administrative key material. The smart card is designed to only accept authentication and digital signature instructions from the application residing on the IdenTrust Trust Gate token. This prevents any Rogue software, plug-ins or PKI Token sniffers from compromising any digital signature or authentication events. Applications delivered from the IdenTrust Trust Gate token are read-only, with software integrity validation built into the token. With this capability, any attempt by malware or hacker is detected when launching the application. If an application has been modified, the user will be alerted and the application will not launch. The combination of software integrity validation, a hardened browser, a smart card, and zero reliance on a workstation footprint delivers an impenetrable MITB solution.

Benefits of IdenTrust Trust Gate
In combination with an IdenTrust Identity, Trust Gate provides increased security, portability, enhanced user experience, global interoperability, and legally enforceable transactions. Security Benefits Read-only Application Executables and Plug-Ins Pre-configured read-only security settings (Java, Trusted Certificates, etc.) Application access controlled via PKI credentials residing on the Trust Gate token On-board browser configurable with authorized web sites Portability Eliminates the need for any installation or configuration on the client workstation Increases mobility by only requiring Guest privileges on the workstation User Experience Simple two-factor authentication and digital signature functionality Consistent digital signature interface across applications Management and Integration Overall reduction of integration and management cost Customized bank home page and URL address on the token Automates remote and secure update (for Firmware & Software on board) Easy management of applications on the token, allowing: Software updates to the token can be distributed to the entire user population without cost Development of web applications with uniform user experience for digital signatures

About IdenTrust

IdenTrust is the global leader in trusted identity solutions, recognized by global financial institutions, government agencies and departments, and commercial organizations around the world. IdenTrust enables organizations to effectively manage the risks associated with identity authentication; work interoperably with countries around the world; minimize investment in creating their own policies and legal frameworks; and deploy a spectrum of products insuring trust, smarter, faster, and more cost effectively. The only bank-developed identity authentication system, IdenTrust provides a unique legally and technologically interoperable environment for authenticating and using identities worldwide. The IdenTrust Trust Infrastructure is predicated on a proprietary framework that combines policies, legal framework, trusted operations and technology (P.L.O.T.) to create a comprehensive environment for issuing trusted identities. IdenTrust is the only company to provide a solution incorporating all four of these elements. Customer agreements are valid, binding and enforceable in 172 countries. IdenTrust identities are globally interoperable under uniform private contracts recognized in countries around the world. Competing offerings, in contrast, rely on a dizzying maze of public laws that vary from jurisdiction to jurisdiction. Additionally, the IdenTrust Trust Infrastructure maintains the privacy of each and every transaction processed by reading only digital certificate information, not the message itself.
Features of IdenTrust Trust Gate MITB Solution
Zero Foot Print Device Driverless operation Only Guest privileges required On-Board application and software component storage Man-In-The-Browser Protection Hardened Browser (on-board) Secure PKCS#11 driver restricted to only accept instructions from on-board browser Integrity checks to ensure modified application is not executed IdenTrust Rule Set Compliance CC EAL4+ or higher evaluated smart card chip Minimum PIN protection policy IdenTrust Signing Interface Libraries (ISIL) Specification IdenTrust Signing Plug-In (ISPI) Specification (available Dec-08) Miscellaneous Platforms: Windows 2000, Windows XP, and Windows 2003 Server USB 2.0 and 1.1 compatible Secure Remote Software Update Capability

mIDentity starts all banking software automatically
The mIDentity is a non install device. That means that the mIDentity can be used immediately without installation. Therefore the customer does not need to use any extra software except that is specically demanded by the bank. On the ash memory of the mIDentity a Firefox browser is integrated. In this case it is a hardened Firefox browser (see below) which is secured against attacks from outside. When the end customer is putting the mIDentity in a free USB slot in his computer Firefox is started automatically. If the customer does not have Autostart he has to go into the Explorer and has to start the Autostart.exe himself. The mIDentity is recognised by the system as a CD-drive. The Firefox starts the banking portal automatically. Through Whitelists the bank can control which other websites can be opened. Firefox can be customized so specic that not even the address eld is shown but only the portal of the bank without any possibility to
through the PIN the smart card authenticates the customer to perform secure transaction in that area. Now the customer can do all his banking transactions without entering his PIN every single time. At this the mIDentity is again very exible which means that for example a time management can be integrated like for example if the customer is not performing any action within a timeframe of 15 minutes the mIDentity logs out itself. If the customer wishes a the PIN can be asked for at every transaction. This can individually be regulated in accordance with the banks demands. rmware of the mIDentity are two keys preventing others from writing on to the rmware or the CDROM. Therefore that part is safely signed. The bank receives one key enabling it to perform updates to the CD-ROM area. The Flash memory can be devided on customer demand. Technically it is thinkable that for example there could be an un-writable CD-ROM part and a Flash memory on which customers can store content. mIDentity can be used as a PKI device but also simply as a key to sign with private and public key. The mIDentity can be used as a card reader as well or for HBCI-Banking. Technically seen the mIDentity hardly has any limits, it just needs to make sense.
Technical aspects of the mIDentity
The mIDentity USB device is recognised by the computer as a CD-Rom drive. This is done to prevent the customer from writing on the mIDentity and eventually damage it. However in order to install updates to the mIDentity the rmware which is stored on the EPROM of the midentity changes the device from a CD-ROM drive to a USB drive. That way the update server can write the newest updates to the mIDentity and then turn it back into a CD-ROM state. Not only the CD-ROM part of the mIDentity can be updated but the rmware part as well. This option can be used if for example the bank is switching to new smart cards. That way the bank doesnt have to provide new hardware but it is sufcient if the rmware is updated highsecure. To burn the new image a specially developed software is used. As the CD-ROM le is an image it would theoretically be necessary to burn a complete new image with every update. With the mIDentity however this is not necessary because the intelligent Update Server with the appending tools makes it possible to burn even diffs. Diffs are small packages which only include the differences between the new image and the image existing on the mIDentity. Only this difference is burned to the mIDentity on a bit to bit level. This way updates can be performed very fast. On the

High secure thanks to PKI technology Noticeable reduction of helpdesk costs as end customers do not have do any installations Cross selling opportunities because of PKI technology for example online address changes, online increase of borrowing limits, online credit request Secure communication with the customer thanks to PKI technology. Possibility of secure email trafc between customer and bank (if for example an online contact is build into the online banking) Advertisement When the mIDentity is plugged in advertisement appears which the bank can use to price their products. This can be customized to a customer. Future-proof as PKI technology will be the standard of tomorrow.

mIDentity Token

Next to the standard mIDentity there will be a mIDentity token. It will be without memory, will be explicitly smaller than the mIDentity and will be equipped with an exchangeable smart card too. The mIDentity token will be placed in competition to OTP technology.
It doesnt though have the advantages of a mIDentity with an installed Firefox as there is no memory. However it is offering PKI technology at an unbeatable price.

Update Server

The update server is a KOBIL innovation enabling to keep KOBIL product solutions up to date.

Internet

Client (Windows, Linux, MacOS)

secure update server

Image: Technical functionality of the KOBIL Update Services
Image Creation and Signature Station
The update server technology offers the KOBIL product line the option to keep its products up date at all times which is centrally controlled. Therefore three options for updates exist: 1. Update of the rmware (hardware) 2. Update of the smart card (Certicate information) 3. Update of the Flash memory (Applications stored on the Flash memory)
So if the bank wants to update the mIDentity they will rst create an image with the most actual data which is usually done by the banks system administrator. This image is created with software especially developed by KOBIL. Usual software such as Nero or similar will not function as specic security requirements have to be fullled by the image which can only be achieved by using KOBIL technology. That image is made available to the customer on an existing web server by the admin. Once the customer is plugging in his mIDentity to any PC (Windows, Linux, MacOS) to get into his online banking the mIDentity automatically checks for available updates.
How does the update Service of KOBIL work?
There are cases when the bank for example has to update the software like the browser on the stick because certain security leaks have been detected or because a new browser version is available.
If an update package for this mIDentity exists the package is downloaded (with or without afrmation) on to the mIDentity and installed. The update only works in interaction with the mIDentity for that specic bank and for the applications on the mIDentity. Therefore it is not possible to receive that update with a different mIDentity. However the bank can decide if a customer has to download the update or not, the bank decides if the update is performed without the approval of the customer or if the update must be performed within a certain time limit. A mandatory update is useful if a security leak as been detected and has to be done on all mIDentity immediately. If updates are available the entire image is not all send and burned but only the difference. That means that only the difference between the version on the mIDentity and the one on the server is actually transmitted which decreases the workload of the network considerably. As the memory (Flash memory) of the mIDentity is presented to the operating system as a CD-ROM drive it is not possible to falsify, destroy or even change this part without the proper KOBIL application. Only the KOBIL Update Technology Intelligence is able to edit this un-writeable area and to do the update. The Trick behind is very simple, the CD-ROM drive (Flash memory) is switched to a USB drive and enables the update to the mIDentity. This update is performed on the highest security level to eliminate attacks by third persons. An identical update is also used for smart cards and within the mIDentity rmware. That way the bank has full exibility and control over the mIDentity devices and can thanks to the Intelligent Update Server Technology by KOBIL react to expected / unexpected changes / incidents in a short amount of time without great efforts (recall of sticks in case of changes is no longer necessary) and high costs (for example with the use of new smart cards no new mIDentity devices have to be issued). It has to be considered that like with every update technology the customer must not remove the mIDentity device from the computer during the update process. Otherwise it may be possible that the mIDentity is in an undened and unusable state and can therefore no longer be utilized. An appropriate emergency recovery mechanism has already been implemented but will create an unwanted effort for the customer. A relevant notication during the update informs the user of this situation and advises not to remove the mIDentity during the update.

Kaan Tribank Overview:

Full Secoder-Functionality Prepared for future Secoder-2 standard throuth secure rmware updates Useable even without connection to the pc (Sm@rtTan plus, cash card reader) Continuous use of current HBCI software Load cash cards and pay over Secoder Useable for qualied Signatures Large, easy to use keyboard for safe pin-entry Secure data indication on integrated display Easy Plug-and-Play installation Robust fabrication

EMV-TriCAP

The EMV-TriCAP chip card reader has the same housing as the KAAN Trib@nk however the rmware of the reader is exclusively programmed for international functionality (CAP or PKI).

Product Advantages are:

Online / Ofine Use Secure Firmware updates Zero Footprint for smart card applications Easy Plug-and-Play installation Exchangeable Battery
Smart Card Readers At a glance
According to ZKA-Specication (Zentraler Kreditausschuss) chip card readers are divided into three security classes: Security Class 1: The card reader is simply a contact unit for the chip card. Security Class 2: This chip card reader has a build-in keyboard over which for example the PIN for home banking can directly be entered. That way the exposure of the PIN (for example through keyloggers or troyans) are practically impossible. Security Class 3: Additionally to the keyboard these devices have an own display. With a security class 3 reader can be used to pay with a cash card over the internet. The data (for example payee) to be signed is shown on the display before the PIN is entered.
Zero Footprint for Smart Card Applications
This is a technology developed by KOBIL allowing security at highest mobility and exibility. Without any installation of software or drivers the user can utilize his smart card reader (EMV-TriCap & Kaan TriB@ank) on every computer worldwide.

Secure Update Service

The Secure Update Service ensures your investment in KOBIL chip card readers in the long term. Through a cryptographically secured Process the hardware of the reader is equipped with current standards and new processes.

The SecOVID software and the administration tool are installed on the network of the particular company. The SecOVID server takes over the verication of the one-time passwords, the administration of user rights and logging of access attempts. The system is
The One-time password system for more security and less effort
The user now enters the generated password on the login screen. VPN, rewall or RAS transfer it to the SecOvid server encoded. The server checks the inquiry. If the user data on the server corresponds with the entered information the user gains access.

Advantages

Limitless Token use Due to exchangeable batteries the costs for the exchange or the reintroduction of new tokens do not apply. KOBIL SecOVID for a fast ROI Event synchronized technology minimal support prevents problems with server sided time synchronisation and the waiting for time based passwords. Easy administration, simple maintenance and support of user data High cost efciency An excellent priceperformance ratio provide additional added value potential at security of network resources. Limitless scalability The solution keeps up with the growth and the change of your company without any problem. International standards OATH, TACAS+, RADIUS

Safe and comfortable

Especially with online banking user the use of one time valid TAN is very common. The easy and comfortable use of the TAN has a high acceptance. However such TAN is an enormous security risk as it only offers minimal protection. It is easy for phishing, farming, Trojans or other methods of online fraud to manipulate an account at the use of a simple TAN. SecOVID shuts down this fraud method the smart way no chance for phishing. For the end user there is hardly any change with use of SecOVID compared to the use of TAN. Furthermore he requires a TAN respectively a one-time password to conrm the transaction. However this time he doesnt need a list but a token or a chip card. The press of a button guarantees the highest security based on two factors: Knowledge of the PIN and possession of the token or the chip card.
selling potential. Because the higher the security the higher the trust in online offers and accordingly high is the use of such offered services. Our technologically leading IT solutions and smart card terminals are used by companies of every size and every segment wherever identity, access control and data security have the highest priority. Amongst our customers in the banking sector are Migros Bank, Commerzbank, YapiKredi, Volks- und Raiffeisenbanken, Sparkassen.
Security is a good feeling
The easy use and the comfort combined with high security suggest the feeling of condence and loyalty between the online banking user and his bank. This user no longer needs to be concerned with current threats can have a carefree access to his account online. With the switch from TAN to the one-time password system the bank does not just get cost advantages and an ideal measure of customer retention (with branding of the tokens) but the possibility to tap the full cross-

A cache is a buffer on the hard drive of a computer or on an external computer.

Cookie

A cookie is a small text le which the web browser saves on the computer of the user on demand of a web server and which for example includes information about his web inquiries. Cookies are basically used as electronic reminders for the server to keep user specic browser inquiries like for example how often and how long a user visited a certain website or if the inquired website has to be transmitted in a user specic version.
Small program which has additionally been developed to a program version in order to x security problems in due time.

Pharming

Pharming or DNS Spoong is a form of attack at which the attacker exchanges the IP address of a known Domain Name with his own. At such an attack the URL is correctly shown even though the user is on a wrong website.

Firewall

A rewall is a computer regulating the data trafc a local network and a single computer and other networks like the internet. The rewall is meant to protect the computer and/or the network from unauthorized access. A personal rewall describes a program realising a rewall on your PC which means that your PC is protected against unauthorized access without the use of an additional computer.
Form of attack on which the attacker fakes the email address or the website of a bank or a service provider or an internet shop. The customers are asked to enter their account data as well as PINs, TANs and passwords on a fake internet site.

Java Applet

Java is a program language developed in the beginning of the 90s. A Java applet is a small program which after is has been downloaded from the internet is interpreted within a browser and the executed. For that the java commands are executed on a HTML site.
Personal identication number, serves to authenticate a person

Rootkit

A rootkit is an operating systems proximate software tool compromising a computer with the aim of cover-
ing the activities of an attacker such as the spying of condential access data or the copying of les. With the help of root kits the attacker can act with administrator rights. memory of the mIDentity. Updates are required if for example the bank is using new smart cards.

Flash memory

The data on the ash memory of the mIDentity are neither writeable nor deleteable.

Spyware