Friday, November 27, 2009

New Position Paper on Security Risks in Online Banking Through European eID Cards



ENISA Launches New Position Paper on Security Risks in Online Banking Through European eID Cards



BRUSSELS and HERAKLION, Greece, November 26 /PRNewswire/ -- The EU's 'cyber security' Agency, ENISA (the European Network and Information Security Agency), today presents its new Position Paper. The paper focuses on authentication risks with European eID cards: it analyses 7 vulnerabilities, identifies 15 threats and gives security recommendations.



Major European eID interoperability projects, such as STORK and its successor ELSA, aim at Europe-wide take-up of new technologies. In this context, ENISA takes an independent look at the security risks of online banking authentication by comparing smart eID cards with other authentication means in its latest Position Paper ( http://www.enisa.europa.eu/act/it/eid/eid-online-banking/).



Online banking is one of the most widely used electronic services among European consumers. It is a strategic service for financial institutions and users. With 24-hour availability, it is extremely convenient, and it often comes at no extra cost, or even at reduced cost compared with traditional banking processes. However, online banking fraud is on the rise, so security is a major concern both for online banking and for other online services, e.g. tax declarations. The report also includes a case study on privacy issues when authenticating to online social networks with smart cards.



The Agency report explains that, because more and more internet applications require authentication, more standardised approaches to user identification and authentication are needed. In Europe, several states have already rolled out electronic ID cards. The first steps when we use an internet service are usually to identify ourselves (by name) and then to authenticate (prove that it is us). The security level of these steps varies from a simple username and password combination, through a secret PIN, to credentials generated by an external device or by a smart card using cryptography. Smart cards are increasingly used for authentication, and many European identity cards already contain a smart-card chip with online authentication functions.



The ENISA Position Paper defines a comprehensive list of requirements for national ID cards to ensure that they become as flexible and as multi-purpose as possible.



The Executive Director of ENISA Dr Udo Helmbrecht concludes: "Electronic identity cards offer secure, reliable electronic authentication to Internet services, but banks and governments must cooperate better to be able to use national eID cards for banking purposes."




Privacy and Security Risks when Authenticating on the Internet with European eID Cards


Whenever we use internet services, the first steps we take are usually identification (we input our names) and authentication (we prove that it is us). How we actually identify and authenticate ourselves depends on the security level of the application.



The means used can vary from a simple combination of username and password, through a secret PIN, to a one-time PIN generated by an external device, or a smart card using cryptography. Smart cards are increasingly used for authentication purposes, and many European identity cards now contain a smart-card chip equipped with functionalities for online authentication.



They are usually called 'electronic identity cards' (eID cards). This report focuses on authentication using smart cards and compares this approach with other common means of authentication.
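The three levels of authentication named above (shared password, one-time PIN from an external device, and a smart card that signs with a key that never leaves the chip) differ most visibly in what an eavesdropper can do with a captured login. The following Go program is an added example, not code from ENISA or from the Position Paper: it models each level with standard-library primitives and replays one captured login against each verifier. The salts, passwords and token secret are constructed sample values; an HOTP-style counter code (after RFC 4226, with HMAC-SHA256) stands in for the external device, and an ECDSA P-256 key pair stands in for the card's authentication key (real eID cards differ in algorithm and PIN handling, which this example does not model).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Level 1: username + password. The verifier stores a salted hash of a shared secret.
// Salt and password are constructed sample values, not real credentials.
var passwordSalt = []byte("constructed-salt-0001")
var passwordHash = hashPassword("constructed-password", passwordSalt)

func hashPassword(pw string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// VerifyPassword has no notion of freshness: a password seen once replays forever.
func VerifyPassword(pw string) bool {
	return subtle.ConstantTimeCompare(hashPassword(pw, passwordSalt), passwordHash) == 1
}

// Level 2: one-time PIN from an external device (HOTP-style, after RFC 4226).
// Device and bank share a secret; a moving counter makes each code single-use.
type OTPVerifier struct {
	secret []byte
	last   uint64 // highest counter value already accepted
}

func DeviceCode(secret []byte, counter uint64) uint32 {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha256.New, secret)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation as in RFC 4226
	return (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
}

// Verify accepts a code only for a counter beyond the last accepted one
// (look-ahead window of 10), so an already-used code is rejected.
func (v *OTPVerifier) Verify(code uint32) bool {
	for c := v.last + 1; c <= v.last+10; c++ {
		if DeviceCode(v.secret, c) == code {
			v.last = c
			return true
		}
	}
	return false
}

// Level 3: smart card with an asymmetric key. The card signs a fresh server
// challenge; the private key never leaves the chip, the bank holds only the public key.
type Card struct{ key *ecdsa.PrivateKey }

func NewCard() (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{key: k}, nil
}

// Sign is the only operation the (PIN-unlocked) card exposes to the host.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, d[:])
}

func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

func VerifyCardResponse(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// ReplayDemo plays an eavesdropper who captured one successful login at each
// level and tries to reuse it; it reports whether each replay was accepted.
func ReplayDemo() (pwReplay, otpReplay, cardReplay bool, err error) {
	captured := "constructed-password" // level 1: the captured password works again
	VerifyPassword(captured)
	pwReplay = VerifyPassword(captured)

	v := &OTPVerifier{secret: []byte("constructed-token-secret")} // level 2
	code := DeviceCode(v.secret, 1)                                 // what the device displayed
	v.Verify(code)
	otpReplay = v.Verify(code) // consumed by the first login

	card, err := NewCard() // level 3: signature is bound to the old challenge
	if err != nil {
		return
	}
	ch1, _ := NewChallenge()
	sig1, _ := card.Sign(ch1)
	VerifyCardResponse(&card.key.PublicKey, ch1, sig1)
	ch2, _ := NewChallenge() // the next session gets a fresh nonce
	cardReplay = VerifyCardResponse(&card.key.PublicKey, ch2, sig1)
	return
}

func main() {
	pw, otp, cd, err := ReplayDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("replay accepted: password=%v device-code=%v card-signature=%v\n", pw, otp, cd)
}
```

Running it prints `password=true device-code=false card-signature=false`. The point the card level makes is that the secret the bank must protect is a public key, and that a response is useless outside the session whose challenge it answers; the threats the Position Paper catalogues therefore sit elsewhere (PIN entry on an untrusted PC, what the card is persuaded to sign, and the privacy of the identity data it releases), not in credential capture.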




Nov 26, 2009







  • Ingo Naumann, European Network and Information Security Agency (ENISA), EU

  • Herbert Leitold, Zentrum für sichere Informationstechnologie (A-SIT), Austria

  • John Velissarios, Accenture, UK

  • Jens Bender, Federal Office for Information Security (BSI), Germany

  • Gregory Henwood, Home Office, UK

  • Andre Vasconcelos, Agency for Public Services Reform, Portugal

  • Giles Hogben, European Network and Information Security Agency (ENISA), EU

  • Jaan Priisalu, Swedbank, Estonia

  • Marc Stern, FEDICT, Belgium

  • Henning Daum, Giesecke & Devrient, Germany

  • Lorenzo Gaston, Gemalto, France

  • Arie Schilp, Rabobank, the Netherlands

  • Frank Zimmermann, Hewlett-Packard, Switzerland

  • Raul Sanchez-Reillo, Universidad Carlos III de Madrid, Spain









Download: eID_online_banking.pdf (PDF document, 760 KB)