WHITEPAPER 2021

SECURITY IN THE BANKING & FINANCIAL SOLUTIONS SECTOR

WHITE PAPER | 2020

Table of Contents

1. Executive Summary 3
2. Latest Security Threats in BFSI 5
2.1 Moving to Cloud and Cloud-Based tools 6
2.2 Cryptographic leaks 7
2.3 Exploiting Application Vulnerabilities 7
2.4 Spoofing 8
2.5 ATM Hacks 8
2.6 Phishing and Social Engineering 9
2.7 Work from Home 10
2.8 The Internet of Things (IoT) 10
3. Mitigating Security Threats and Recommendations 11
3.1 Cryptography and Key Management 13
3.2 Identity and Access Management 18
3.3 ATM, IoT and Mobile Application Security 20
3.4 Vulnerability Management 23
3.5 Securing Remote Working and Cloud Platforms 25
3.6 Phishing Attacks Prevention 25
3.7 Containment and Recovery 27
4. Summary 28
4.1 Comments from the Industry 29
5. Positioning 33
Contact 35

Security in the Banking & Financial Solutions Sector 2

1. Executive Summary

Real and potential Risks

There are increasing risks and technological challenges to data and transaction security in the Banking Financial Services and Insurance industries (BFSI). This paper will examine the types of real and potential attacks being confronted, and the various technologies available for implementation to avoid data breaches, corruption, and theft.

While the analyses include the classical and known risks to data and financial transactions, they also look at the exposures evolving in traditional data security, quantum computing, and the trend toward working from home and bringing your own device (BYOD) to enterprise architectures.

Financial institutions have not failed to respond to these ominous developments in digital crimes. They have remained largely proactive by investing in technology to improve their security profiles. The complexities of risk management, however, have become almost profound, and traditional approaches to IT security can be inadequate as banking continues to emerge in international economies as a “boundary-less” ecosystem.

Financial services and insurance companies make attractive targets for digital criminals of all types. According to the Boston Consulting Group, BFSI firms are three hundred times more likely than other institutions to experience a cyberattack.1 A study by Check Point Software Technologies also indicated that … has become an enthusiastic endeavor of crypto miners, and that 28 percent of global enterprises were struck by botnet activity in 2019, an increase of 50 percent over the previous year.

1 ://www.bcg.com/publications/2019/global-wealth-reigniting-radical-growth

[Figure: BFSI threat landscape. Channels: ATM and QR Code, Branch and IVR, Mobile Banking, POS and Kiosk, Video Bank, Payment Gateway, Call Center. Risk areas: Moving to Cloud and Cloud-Based Tools, Work from Home, Internet of Things, Ransomware, ATM Hacks, Cryptographic Leaks, Exploiting Application Vulnerabilities, Phishing and Social Engineering, Spoofing, Trusting Third-Party Environments, Reputational Risk, Regulatory Risk, Technology Risk.]

Data and security dangers can appear to be advancing as quickly as technology. Cybercrimes are no longer the exclusive province of a handful of clever hackers seeking to make easy money or shut down business enterprises for various motives. A degree of professionalism has begun to inform cyber-criminal groups. Hacking groups like Fin7 function almost as a professional organization, and it is estimated to make approximately $600 million annually.2

The recent pandemic has added new, confounding dynamics to protecting data and transactions. As work forces take up their tasks remotely to prevent viral disease exposure, more businesses and institutions are compelled to increase investments in cloud services and tools. Consequently, a surge in digital transformation is unfolding, accelerated, in part, by the pandemic, and prompting the adoption of cutting-edge technologies like Robotic Process Automation and platforms that facilitate mobility and workplace collaborations.

These transformations also require innovative tactics and strategies for security. A holistic approach that considers the entire infrastructure of an enterprise probably provides the most safety. A comprehensive plan is essential when nothing more than a small, technological loophole can allow a hostile actor to penetrate into a datacenter.

In fact, the increased assault on digital domains began almost as quickly as the pandemic spread across the world. The Indian English-language publication The Economic Times reports that cyber security attacks in that country appear to have jumped as much as five hundred percent since the onset of the global lockdown in March.

According to Ginni Rometty, IBM Chairman, President, and CEO, “Cybercrime is the greatest threat to every company in the world”.3 She might have understated the true nature of the danger. In the next five years, cybercrime has the potential to negatively impact almost every element of life in our world, whether it is business, finance, entertainment, education, travel, or government. Digital crime might even be evolving faster than tech security measures.

2 https://www.wired.com/story/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches
3 https://www.ibm.com/blogs/nordic-msp/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world

2. Latest Security Threats in BFSI

The risks of online business

Money, in digital or physical form, has always attracted illegal activity, and the BFSI sector has a particular allure for thieves and other cybercriminals. There is an array of valuable data that can be stolen or corrupted for financial gain because there are numerous touchpoints in banking and insurance enterprises. These include, of course, financial transactions, which often involve multiple integrated transaction channels. Sensitive customer and business data are also often irresistible to hackers and criminal operations.

The consequences of a successful attack on any BFSI business vector can be devastating: firms face not just the loss of money, but also non-functioning customer services, stolen private information, and, ultimately, diminished brand reputation.

These risks to the BFSI verticals are not shrinking in intensity or scope. The M-Trends 2020 Report produced by FireEye indicated that the past three years have seen the BFSI sector as one of the top three targets of cybercriminals.4 The industries are constantly evolving to improve and increase customer services, but those advances also multiply the vectors that might be endangered and can expand the breadth of attack surfaces.

Assaults are becoming more complex and hostile actors increasingly use more sophisticated approaches to breach the perimeters of digital enterprises. The very nature of conducting online business creates probable risk.

4 https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

2.1 Moving to Cloud and Cloud-Based tools

As technology has continued to iterate and offer storage infrastructure and computing as services, the trend has been for businesses to transition away from using their own on-premises hardware and software to conduct transactions. Cloud Service Providers (CSPs) give executives the option of reducing capital investment in infrastructure by moving their operations off premises and into the cloud. While this is almost always a sound business decision, there can be perils associated with operationalizing a business in the cloud. There remains, for example, too much unencrypted data in the BFSI vertical segment. Even in the cloud, insecure handling of keys can lead to invasions of stored data. Further, a misconfigured Access Control List (ACL), poor Key Management Services (KMS), and flawed Identity and Access Management (IAM) policies can generate unknown weaknesses in protective measures. Simply being locked in to a vendor by a contract can also produce issues, especially if the agreement does not give total key management to the customer.

Analysis of recent cybercrimes has shown that attackers have begun to scan for storage buckets that might not be properly guarded, even though they contain confidential data. This type of vulnerability can occur when enterprises employ an unsecure, third-party Cloud Service Provider (CSP). Data captured from these unprotected “buckets” can be published in parts or samples, which elevates exposure and facilitates the theft of large amounts of information from corporations.

The adoption of cloud services and cloud-based applications continues to intensify. CIOs and CISOs need to answer how to secure their digital transformation as they move their infrastructure to a hybrid multi-cloud environment.

Trusting Third-Party Environments

Networks being operated by BFSI firms are constantly introducing new portfolio components that add to their complexity. Factors like achieving compliance with the revised Payment Services Directive (PSD2) in the European Union and open APIs tend to necessitate the incorporation of third-party environments in the BFSI space. Technological and security diligence requires that these enhancements be consistently scrutinized with regular reviews for safety by the BFSI operator.

2.2 Cryptographic leaks

Website attacks are one of the most common forms of security breakdowns on the Internet. These usually occur when Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates, together with their private keys, are stolen from a site.

A recent and high-profile example of this type of malicious attack occurred in August 2019. The victim was Imperva, a security company that is considered one of the top Web Application Firewall (WAF) providers. The incident resulted when an internal Imperva compute instance was found by attackers to be accessible from the internet, which enabled them to steal AWS and API keys. The AWS keys were then used to take a snapshot of a database, which contained the private keys of an estimated 13,000 customers.5

A similar crime was executed against Trustico, a secure SSL certificate reseller headquartered in the UK. Archived private keys of Trustico customers had not been securely stored in an isolated Hardware Security Module (HSM) environment, and, in fact, had even been shared by a company executive using email. In February of 2018, an attacker managed to acquire private and public key pairs of Trustico customers, and a social media post revealed a weakness in the company’s web security that allowed attackers to run malicious code on Trustico servers.6

Both incidents described above provide more than anecdotal evidence that it is important to secure private SSL keys and cloud encryption keys. The storage and management of keys also needs to include 2-factor authentication as part of the protocols that establish a safe cloud configuration.

2.3 Exploiting Application Vulnerabilities

As web and mobile environments continue to evolve, they are also adding new exposures and threats to their expanding configurations. Applications, obviously, can be imperfectly designed and developed, and a flaw can often be exploited to compromise security. Because these systemic weaknesses in applications are sometimes missed during the design stage, an attacker can go directly at high-value targets like confidentiality of data, its integrity, and availability, which is known as the “CIA Triad”. A failure in just one of those dynamics can make the entire application open to intruders.

Repairing these types of flaws after deployment of an application can be very expensive and require significant changes to code. Causes of vulnerabilities can be anything from a lack of sufficient requirements to design failures, coding errors, or simple misconfigurations. These missteps prior to implementation of the app can lead to violations of security through injection, authentication and access issues, and insufficient logging and monitoring.

5 https://www.securityweek.com/imperva-notifies-cloud-waf-customers-security-incident
6 https://www.securityweek.com/23000-digital-certificates-revoked-digicert-trustico-spat

2.4 Spoofing

Impersonating a BFSI Website

Deception is one of the most frequently employed tools used in attacking websites and data. Fake websites can be spun up fairly quickly and almost perfectly impersonate the brand images and functions of the real company site. A social media component often accompanies these copycats and victims are sought out using email, SMS messaging, and by pretending to be company personnel on a phone call. These tactics have led to an untold number of data pirates breaking through with hostile code and bad intentions.

Phishing Emails to Guide Traffic to Malicious Websites

Phishing is another common tactic to steal private information. An email is sent that has been stylized to appear as if it were from a trustworthy brand or a reputable individual. The recipient is usually asked to follow a link or provide information the mail claims is needed to protect something of value. The goal is always to acquire personal information like credit card details or login credentials.

There are several different types of phishing attacks. “Spear Phishing” is the most familiar, and targets specific individuals and companies. Focusing on senior executives and high-profile users is referred to as “Whaling,” and “Clone” phishing involves delivering emails, attachments, and links that appear to come from a legitimate sender.

Phishing has resulted in a significant theft of confidential and sensitive information and has enabled unauthorized users to execute hostile code.

2.5 ATM Hacks

ATMs have begun to serve as primary access points for cybercriminals to exploit vulnerabilities in the security surfaces of financial institutions. ATMs can be compromised by malicious software or by a hardware device that mimics the appearance of legitimate machine components. These pieces of hardware impersonate the real ATM interface and enable “skimming,” which is the siphoning of customer data.

Insecure network communications between ATMs and the banks can also harbor major security shortfalls. Without encryption, communications between the bank and its network of ATMs can be manipulated and can even allow hostile intrusions into the internal infrastructure.

Financial institutions with the greatest exposure to their networks tend to be those that have not yet transitioned to contemporary platforms and are maintaining the operation of end-of-life systems. The goal of saving money can become very expensive when hackers move into legacy banking and financial networks.

2.6 Phishing and Social Engineering

The development of insider vulnerabilities is one of the primary goals of email campaigns that target users and their organizations. These tactics can succeed because employees use the same passwords on social media platforms, on apps that are not related to their work, and to remotely access their employers’ networks and applications.

Leakage of those credentials could lead to them being sold on the dark web and cause significant financial damage to an institution or enterprise. The Marriott Hotel Corporation suffered a data breach in 2020 that harmed its brand with loyal customers and other travelers. The personal data of 5.2 million Marriott guests was acquired by hackers less than two years after the hotelier’s systems had already left an estimated 500 million people exposed through infrastructure failings.7

Customer account information that has not been properly secured frequently facilitates malicious attacks on data and financial networks. In fact, applications that store and process card information are recurrent magnets for criminals. The two main types of fraud, “card present,” and “card-not-present,” are used to make unauthorized purchases or take cash from private and business accounts. Access to those accounts can also be gained when mobile phones are hacked, and remote management tools are installed to perform financial transactions.

Mobile banking apps are high-value targets for cybercrooks. As those applications are created, developers and vendors might share code on a software site or within a social community. These often contain copyrights and authentication data. The history of software development includes endless cases of source code and hardcoded access credentials being leaked by business insiders.

Ransomware has become one of the most lucrative forms of crimes against digital enterprises. Robbers manage to insert destructive code inside of a network and then make financial demands with threats of destroying databases or entire companies. Ransomware has become so successful at monetization that it is now available online as a service, like a lot of other computational tools. Ransomware attacks against banks were nine times greater in April 2020 than in February 2020.8 The pattern is for the threat actors to target Personally Identifiable Information (PII) or credit card details and use that data for theft or to further their access to a more lucrative attack on a network.

7 https://securityboulevard.com/2020/04/marriott-data-breach-2020-5-2-million-guest-records-were-stolen
8 https://www.sosdailynews.com/news.jspx?&articleid=E777C905537910705A74E35FC78C285F&sx=79

2.7 Work from Home

A cultural trend toward remote employment was accelerated by the COVID-19 pandemic. Businesses ordered employees to work from home, which prompted changes to networks, often uncontrolled or unauthorized because companies were struggling to get workers hooked up to their systems. There are known vulnerabilities in the services that remote workers use to reach these networks. Exposed services on ports 22/SSH, 25/SMTP, 80/HTTP, 445/SMB and 3389/RDP are readily targeted by hostile users intent on doing damage.

2.8 The Internet of Things (IoT)

IoT growth can seem almost overwhelming to businesses. As industrial and smart home devices have shown, IoT is nearly everywhere. Research shows there will be 35 billion smart devices online by 2021, and that number will rise to 75 billion by 2025.9

The innovation offered by IoT will also create security challenges and network weaknesses, a byproduct of custom hardware, frequently outdated operating systems (OS), the need for remote patching, and constraints on memory and processing power. Operationally, the IoT is also complicated by the numerous operating systems that have been spun up in the varying market segments. These include, but are not limited to, Linux OS, Tiny OS, Contiki OS, Google Brillo OS, Mbed OS, and FreeRTOS.

9 https://www.forbes.com/sites/danielnewman/2020/11/25/5-iot-trends-to-watch-in-2021/?sh=1ee49669201b

3. Mitigating Security Threats and Recommendations

Let's discuss solutions now.

All of the risks and vulnerabilities detailed above can be either mitigated or eliminated using the proper types of security. Countermeasures are effective when technology is properly implemented on a network.

There are logical steps to protect data repositories and operating networks:

1. Encrypt all data, everywhere

2. Use Secure Key Management

3. Key management for database encryption, ATMs, and IoT

4. Only allow trusted entities use of Public Key Infrastructure (PKI)

5. Maintain constant control of access

6. Secure sensitive personal information

With Utimaco, AGS and Novus, three strong partners have come together to pinpoint the mission-critical business areas and infrastructure elements in the Banking and Financial Service ecosystem that need protection against cyber-physical attacks.

A profound understanding of the region's financial sector dynamics and technology requirements, paired with a market-leading solution offering around key and credential generation, distribution and management over their entire lifecycle, makes this partnership uniquely positioned to contribute to the cybersecurity discussion.

The three partners have joined forces not only to educate the market about current and future cyberthreat attack vectors but also to elaborate the appropriate strategies to cyber-protect your business.

Threat vectors, Cyberprotection strategies, Solutions and Services

[Figure: Solution areas (Key Management, Identity and Access Management, ATM and IoT Security, Vulnerability Management, Phishing Attacks Prevention, Remote Security) mapped against the threat vectors of the earlier figure (Moving to Cloud and Cloud-Based Tools, Work from Home, Cryptographic Leaks, Exploiting Application Vulnerabilities, Phishing and Social Engineering, Spoofing, Trusting Third-Party Environments, Ransomware, ATM Hacks, Internet of Things).]

Let’s break down some of the most common service types and relevant solutions. Some are more general, while others are geared for specific utilities.

3.1 Cryptography and Key Management

3.1.1 Encryption

Classify on-premises data and verify that anything sensitive is only stored in an encrypted form. All data in the cloud should also be encrypted. Maintain ownership of your keys to facilitate a multi-cloud strategy, which will also enable you to always avoid cloud vendor lock-in. Businesses need flexibility to engage other cloud vendors and avoid surrendering control to a single provider by letting them have your network keys.

Encryption is the process of converting readable text into a non-readable format, also known as cipher text. Complex mathematical computations together with keys perform the conversion. A key is random data that is used to convert plain text to cipher text, and vice versa. Encryption can be performed on Data at Rest or Data in Motion.

There are important steps to maintain a secure posture within a network:

1. Secure Key Storage

Secure Key storage is critical and requires multiple layers of authentication. These rules should control access, maintain the authorization of who has access to keys, keep an accounting record of who has actually accessed the keys, when they had access and for what purpose. Authentication, authorization and all accounting logs ought to be reviewed periodically.

2. Secure Algorithms

Simple encryption is not enough. Organizations and IT departments make sure that data is encrypted, but little or no due diligence is regularly performed to assess what encryption algorithms are enabled. Algorithms that perform encryption vary in quality and strength. They are products, and it is important to make certain you enable only secure algorithms. Selections of algorithms must consider available compute resources on a particular device and the sensitivity of information being encrypted.

3. Secure Factors for IoT Devices

These factors are extremely relevant with IoT devices because they tend to perform tasks very quickly and with minimum processing delays. A list of secure algorithms is published by the National Institute of Standards and Technology (NIST) and by the German Federal Cyber Security Authority (Bundesamt für Sicherheit in der Informationstechnik, BSI). NIST maintains the Commercial National Security Algorithm Suite and the BSI publishes Technical Guidelines.

4. Complex Key Length

Use of strong keys and sufficient key length is also crucial. A single password or passphrase alone makes data and networks susceptible to brute-force attacks. A random key generator is recommended to produce a longer and more complex key, which makes brute-force attacks impractically time-consuming.

All UTIMACO products support strong encryption and sophisticated key management. Keys are generated using secure algorithms based on strong random number generators.

3.1.2 Signatures for Authentication and Integrity

Public Key Infrastructure (PKI) plays a vital role in securing IT. PKI ensures trust in passport issuance, border control, and user and device authentication within an enterprise. The chain of trust PKI generates within an organization and across its boundaries facilitates a secure and trustworthy exchange of data.

All transactions in an infrastructure have to be validated up to the root of a PKI. The trust model for an operation depends on the measures taken to properly safeguard the Root of Trust, the Root CA. The Root CA’s private key is directly, or indirectly, used for signing any public-private key pair that traces to the end user or device certificate. The Root of Trust is a potential single point of failure that must be guarded from attack or corruption, which is a basic tenet of modern information assurance.

Products like Utimaco's SecurityServer can manage this most critical protection sequence. When integrated into a PKI, UTIMACO SecurityServer generates and secures the CA key pairs. Keys never leave the HSM and are only used within its secure boundaries.

3.1.3 Hybrid Models for Key Exchange

Hybrid models for key exchange combine the benefits of symmetric and asymmetric crypto technology. They use the safe, but performance-wise slow, asymmetric crypto algorithms to exchange symmetric keys, which are then used to secure the bulk data shared between two parties.

Asymmetric crypto allows a key holder to pass a public key to a sender. That sender can use the public key to encrypt data that only the private key can decrypt. This is the technique used for digital signing and encryption. The disadvantage of asymmetric crypto algorithms is very slow performance. They do not enable the exchange of huge amounts of data. Symmetric crypto algorithms have very good performance and offer a similar security level as asymmetric algorithms. The disadvantage, however, is that both sides need the same key. The primary challenge is to exchange the data encryption key.

There is a logical process for two parties wanting to exchange data in a secure environment:

1. Both parties generate an asymmetric key pair and exchange the public key.

2. The sender generates a symmetric session key that will only be used for one communication.

3. The sender encrypts the data with the symmetric session key, and the encrypted data is transmitted to the receiver.

4. The sender prepares a message to the receiver. The sender encrypts the session key with the public key of the receiver, which can only be decrypted by the receiver.

5. The sender signs the message with its private key and adds the signature to the message.

6. The receiver verifies the signature of the received message with the sender’s public key.

7. The receiver then decrypts the symmetric session key with its private key.

8. The receiver is finally able to decrypt the data with the symmetric session key.

An example of the above exchange is the Transport Layer Security (TLS) protocol that uses an asymmetric algorithm for key negotiation, and a symmetric algorithm such as AES for data security.
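The eight-step exchange above, as an added example in Go that is not part of the original paper or of any Utimaco product: RSA-2048 with OAEP (key wrapping) and PSS (signing) stands in for the unspecified asymmetric algorithm and AES-256-GCM for the symmetric one (both are assumptions), and the receiver checks the signature before decrypting anything.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the sender transmits (the output of steps 3 to 5).
type Envelope struct {
	Nonce      []byte // AES-GCM nonce, sent in the clear
	Ciphertext []byte // data encrypted under the one-time session key
	WrappedKey []byte // session key encrypted with the receiver's RSA public key
	Signature  []byte // sender's RSA-PSS signature over the three fields above
}

// signingInput hashes nonce, ciphertext and wrapped key together (with length
// prefixes) so that no field can be swapped without invalidating the signature.
func signingInput(nonce, ct, wrapped []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{nonce, ct, wrapped} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// Seal is the sender's side: steps 2 to 5 of the procedure.
func Seal(senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Step 2: a fresh 256-bit AES session key, used for this one message only.
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	// Step 3: encrypt the bulk data with AES-256-GCM (authenticated encryption).
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Step 4: wrap the session key with the receiver's public key (RSA-OAEP).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Step 5: sign the complete message with the sender's private key (RSA-PSS).
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signingInput(nonce, ct, wrapped), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open is the receiver's side: steps 6 to 8. The signature is checked first so
// that nothing is decrypted from a message of unproven origin.
func Open(receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	// Step 6: verify the signature with the sender's public key.
	digest := signingInput(env.Nonce, env.Ciphertext, env.WrappedKey)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest, env.Signature, nil); err != nil {
		return nil, fmt.Errorf("message rejected, signature invalid: %w", err)
	}
	// Step 7: unwrap the session key with the receiver's private key.
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	// Step 8: decrypt the data with the session key; GCM also checks integrity.
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Step 1: both parties generate an RSA key pair and exchange public keys.
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal(sender, &receiver.PublicKey, []byte("constructed sample: transfer 12345"))
	pt, err := Open(receiver, &sender.PublicKey, env)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
}
```

A tampered ciphertext, a message signed by someone other than the expected sender, or a receiver without the matching private key all cause Open to return an error rather than data.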

3.1.4 Cryptographic Leak and Data Leakage Prevention

- Always use state of the art algorithms and software as recommended by the NIST Suite B or the German Federal Cyber Security Authority (Bundesamt für Sicherheit in der Informationstechnik, BSI).

- Implement key rotation.

SSH (Secure Shell) keys, SSL certificates and other types of keys are easy to identify on the endpoints of people managing servers and infrastructure. They can also be readily found on the servers that house their files, which is why it is mandatory to generate private keys and store them in a secure manner by using general-purpose HSMs. Access to keys should be automated, authorized and audited.

Application-to-application communication with the hardware is the safest method for generating a private key, and the same path should be used to decrypt messages.

3.1.5 Key Management

Protection and management of encrypted keys must always be a critical business and infrastructure consideration.

- Cryptography is a well-proven method of data protection.

- Access to keys needs to always be reliable.

- Consider various approaches for deploying encryption with secure key management.

Encryption has become an easy solution to protect confidential data and remains the best defense against breaches. Highly effective and generally considered a necessary cost of doing business digitally, encryption is simple to implement using approved standards like AES (Advanced Encryption Standard), which are often already embedded in delivered solutions.

Stringent key management is critical to the networks and servers of any enterprise or institution and is achieved by maintaining central controls and never losing access to keys or the data. Consistent audits must also be conducted to prove compliance with regulatory mandates, which often require evidence of protection.

a. PKI Keys Stored in an HSM

A PKI uses an HSM as security anchor to store private asymmetric keys. Access to the keys is always controlled. Authentication is achieved with user names and passwords or signatures based on encrypted key files or signatures based on smartcards using 2-Factor authentication.

Solution: SecurityServer (Se Gen2) from UTIMACO ensures the security of cryptographic key material for servers and applications, and includes integration software that supports the industry standard PKCS#11 and other interfaces. The SecurityServer manages applications like public key infrastructures (PKIs) and database encryption and is available in Gen2 as a PCIe plug-in card or as a network-attached appliance.

b. Cloud Keys Stored in an HSM

No business, enterprise or institution should trust a single cloud provider, which would make them subject to potential vendor lock-in. A multi-cloud-enabled HSM on premises, or in the cloud, facilitates easy switching between cloud providers.

The UTIMACO AT1000 and the PaymentServer are PCI Standards Security Council accredited PCI PIN Transaction Security Hardware Security Modules Version 2 (PCI PTS HSM V2) and Version 3 (PCI PTS V3) solutions that are delivered with the HSM. They come with integration support, certification assistance, and tiered maintenance. UTIMACO partners are enabled to focus on business innovation with the confidence that their work has sustaining PCI compliance.

c. Rotate your keys

In ATMs and transaction security, change the keys on a regular basis. This is mandated by regulations like PCI DSS and PCI PIN.

The UTIMACO Atalla AT1000 is a payment HSM that enables inter-banking business and provides superior hardware security to deliver maximum privacy, integrity, and performance for host applications. The AT1000 supports cryptographic operations to execute PIN translation and verification, card verification, card production and personalization, electronic funds interchange (EFTPOS, ATM), cash-card reloading, EMV transaction processing, and key generation, rotation and injection.

Rotate your keys: moving targets are harder to hit!

3.2 Identity and Access Management

3.2.1 Identity and Access Management Systems

Identity and Access Management (IAM) systems enable the creation, modification, and deletion of digital identities and their authentication. IAMs can control access authorization and maintain an account of all actions performed by a specific identity. This is of significant importance when a person or object has a singular identity but can also access multiple resources with varying levels of rights.

IAM systems functionalities:

• Record, capture, and authenticate user login information (usernames, passwords, certificates).

• Manage the employee database of users and job roles.

• Allow for addition, deletion, and change of individual users and broader job roles.

• Provide a history of logins and systems access for audit purposes.

• Allow for properly segmented definitions and controlled access for every part of business systems and data.

• Track user activities across all systems and data.

• Report on user activities.

• Enforce systems access policies.

IAM components:

Single Sign On (SSO): An access and login system that allows users to authenticate themselves one time and then grants them access to all the software, systems, and data they need without having to log in separately to each of those areas.

Multi-Factor Authentication (MFA): A system process that uses a combination of something the user knows, like a password, something the user has, which can be a security token, and something the user is, and that might be a fingerprint. Each of these distinguishing user characteristics can be assessed to authenticate individuals and grant them access, even in instances where a password has been breached.

Privileged Access Management (PAM): In association with an external system, an IAM can define which identity has what access, and at what level.

The management of account roles can be simplified using enterprise “Privileged Account Management” software. Various companies provide methods to define user roles, give them access to resources based upon policies, manage who in the organization will fulfill specific jobs, and provide full audit capabilities for all of those authorizations and users.

These packages generally work based on the premise of a single system key (SSK), which is used to protect every operation within the infrastructure that is subordinate to the key. The PAM cannot be controlled in an attack without compromise of that system key. Failures in PAM manager roles tend to be the recurrent causes of system key compromises, but keys can also be stolen when stored on hard drives. Preventing exposure or compromise of the PAM system key is a primary requirement for the protection of corporate resources and data. A much safer and more secure methodology involves storing the system key in a NIST FIPS 140-2 certified Hardware Security Module (HSM) like the UTIMACO CryptoServer.

Certified Hardware Security Modules ensure significantly higher safety.

Hardware Security Modules are designed to securely store cryptographic keys and other proprietary business information.

HSM Secure Storage Guidelines

• Require four-eyes approval (two distinct operators) or more as a standard to authorize use of the protected secrets.

• Provide policies that do not allow the export of secrets. When export is not permitted, keys must be used in situ: input is sent to the HSM, which uses the key and returns only the results. The key never leaves the protection boundary.

• Physical protection of the secrets and keys, which well-designed HSMs erase in the event of a physical attack, so that a compromise is prevented. An HSM-protected primary system key should also be safeguarded by policies and procedures that are implemented using the HSM's own user management schemes.
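The two policy guidelines that matter most operationally are "use in situ, never export" and "quorum before use". The following is an added example, not code from this paper or from any UTIMACO product: a small in-process Python model of those two rules, with a constructed PAM-style request and an audit trail. The class name PolicyHsm, the key id "pam-system-key" and the approver names are assumptions for illustration; a real HSM enforces the same rules in hardware and exposes them through PKCS#11 or a vendor interface.

```python
import hashlib
import hmac
import secrets


class KeyExportForbidden(Exception):
    """The caller asked for key material that policy marks non-exportable."""


class QuorumNotMet(Exception):
    """Fewer distinct approvers than the key's policy requires signed off."""


class ProtectedKey:
    """A symmetric key plus the usage policy attached to it inside the module."""

    def __init__(self, key_id, material, quorum=2, exportable=False):
        self.key_id = key_id
        self._material = material      # stays inside the module boundary
        self.quorum = quorum           # 2 = "four eyes", 3 = "six eyes", ...
        self.exportable = exportable


class PolicyHsm:
    """Hypothetical in-process model of HSM usage policy (not a vendor API).

    Enforces two guidelines: secrets are used in situ and never exported,
    and each use needs a quorum of distinct approvers. Every decision,
    allowed or denied, is written to an audit trail.
    """

    def __init__(self):
        self._keys = {}
        self._audit = []   # entries: (key_id, operation, approvers, allowed)

    def generate_key(self, key_id, quorum=2):
        # Material is generated inside the module; callers only ever see the id.
        self._keys[key_id] = ProtectedKey(key_id, secrets.token_bytes(32), quorum)
        self._audit.append((key_id, "generate", (), True))
        return key_id

    def export_key(self, key_id):
        key = self._keys[key_id]
        if not key.exportable:
            self._audit.append((key_id, "export", (), False))
            raise KeyExportForbidden(key_id)
        return key._material

    def _require_quorum(self, key, approvers):
        # Count distinct identities: one operator approving twice is still one operator.
        distinct = tuple(sorted(set(approvers)))
        if len(distinct) < key.quorum:
            self._audit.append((key.key_id, "mac", distinct, False))
            raise QuorumNotMet(
                f"{key.key_id}: need {key.quorum} distinct approvers, got {len(distinct)}")
        return distinct

    def mac(self, key_id, data, approvers):
        """Compute an HMAC-SHA256 tag with the key used in situ; only the tag leaves."""
        key = self._keys[key_id]
        distinct = self._require_quorum(key, approvers)
        self._audit.append((key_id, "mac", distinct, True))
        return hmac.new(key._material, data, hashlib.sha256).digest()

    def verify(self, key_id, data, tag, approvers):
        """Verify a tag in constant time; the key still never leaves the module."""
        expected = self.mac(key_id, data, approvers)
        return hmac.compare_digest(expected, tag)

    def audit_log(self):
        return list(self._audit)


def demo():
    """Exercise the policy model and report which rules fired."""
    hsm = PolicyHsm()
    hsm.generate_key("pam-system-key", quorum=2)
    record = b"grant:db-admin:alice:2021-03-01"   # constructed sample PAM request
    tag = hsm.mac("pam-system-key", record, approvers=["alice", "bob"])
    verified = hsm.verify("pam-system-key", record, tag, approvers=["carol", "dave"])
    try:
        hsm.mac("pam-system-key", record, approvers=["alice", "alice"])
        single_operator_blocked = False
    except QuorumNotMet:
        single_operator_blocked = True
    try:
        hsm.export_key("pam-system-key")
        export_blocked = False
    except KeyExportForbidden:
        export_blocked = True
    return {
        "verified": verified,
        "single_operator_blocked": single_operator_blocked,
        "export_blocked": export_blocked,
        "audit_entries": len(hsm.audit_log()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the API: callers hand in data and approver identities and get back a result, never a key. Denied operations are logged alongside allowed ones, which is what an auditor reviewing PAM system-key usage needs to see.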

3.2.2 Work from Home

1. Implement change management processes and ensure they are all authorized before launching on a production system.

2. Periodically scan for risky ports. There are known flaws associated with 22/SSH, 25/SMTP, 80/HTTP, 445/SMB and 3389/RDP, which makes them high-profile targets for malicious users.

3. Regularly update security patches on systems.

4. Educate users to change their home network password on internet routers and restrict access to known systems.

5. Implement procedures to ensure secure remote working policies:

• A process for approval of remote workers.

• Defined responsibilities for employees.

• Outline protocols for users to secure their remote workspaces.

• Delineate workstation or device hardening steps, which can be a separate policy.

• Ensure encryption is used for all data that is stored and in transit.

• Mandate the use of a VPN for remote workers.

• Outline the procedure for incident reporting.

• Demand users avoid public Wi-Fi.

• Lock the system when not in use to ensure safety and security.

3.3 ATM, IoT and Mobile Application Security

3.3.1 ATM hacks

ATMs (Automated Teller Machines), which dispense cash to account holders, are autonomous telecommunication computer devices that allow customers to independently perform various financial operations.

The most frequently used of these operations withdraws cash from a personal, private bank account. Withdrawals are accomplished using a credit or debit card that is, invariably, protected by a Personal Identification Number (PIN).

To prevent ATM hacks:

• Promote cardless payment options like QR codes for cash withdrawals.

• Software whitelisting solutions can be implemented to prevent unauthorized modification.

• Harden the ATM OS and install ATM surveillance systems to centrally manage and identify issues in real time.

• Launch an Intrusion Detection System that is configured to monitor all traffic and dispatches alerts on any abnormal behavior.

• Regularly apply patches released by OEMs, including applications, OSs, and hardware.

• Deploy an incident management system and develop an effective incident plan for rapid response in case of a compromise.

• Use EMV (Europay, Mastercard, VISA) chip card readers, and remote password management for cash deposit lockers and for ATM OSs.

• Perform periodic verification to identify skimming devices and security threats.

• Follow all the guidelines in the PCI (Payment Card Industry) and PIN Transaction Security (PTS) standards.

• Require regular rotation of ATM master keys using Remote Key Loading.

Remote Key Loading

The payment card industry requires systems to encrypt the PIN when captured. The HSM keys used to encrypt and validate PINs must be rotated regularly to meet PCI requirements and maintain a high level of security. Manual methods of key loading require unnecessary effort and labor costs, which turn proving compliance into an onerous task. Multiple key custodians, physically present and entering secret keys on an ATM’s PIN pad, also cause an increased risk of error and collusion.

Remote key loading provides a secure, efficient, and cost-effective way to use and manage encryption keys across ATM networks. Before remote key loading became an accepted industry standard, key holders had no choice but to personally visit each ATM to alternate network keys. As ATM networks continued to proliferate, attending to machines in person became a very cumbersome process that drove up operating costs.

ATM growth continues unabated. Four million devices are forecast to be in operation worldwide by the end of 2020. There is no affordable way to sustain an operation that requires two key custodians to visit an ATM to make physical key changes on that remote device. The UTIMACO Atalla AT1000 is a Hardware Security Module (HSM) that manages these procedures for banks.

3.3.2 Mobile application security

Just as mobile phones have become constant companions in the business and private lives of employees, so have mobile applications. According to Gartner, 75% of all mobile applications are not sufficiently protected against attacks.10

Here are the top recommendations to achieve adequate mobile application security:

• Educate developers and vendors not to store source code or apps on coding sites or in social communities. Code may contain copyrights or authentication data.

• Periodically scan internet websites and also check for unauthorized app stores.

• Restrict access to source code and the app store to designated employees.

• Implement two-factor authentication on the authorized application store.

3.3.3 The Internet of Things (IoT)

Secure communications between the IoT, the IoT support systems, and central servers in the Cloud or on premises by using PKI. Restrict any management consoles by using a secure channel. Leaving IoT device management consoles open as if they were SSH connections will encourage malicious attacks. Continuously monitor malicious traffic, build custom alerts, and control source code changes in IoT devices. Consider using lightweight cryptography in IoT systems, which can include RFID tags, sensors, contactless smart cards, and health care devices. Perform regular network vulnerability scans to identify IoT devices in corporate enterprise networks, set strong passwords, and regularly update patches from manufacturers.

• Deploy the security-by-design principle: it is almost impossible to retrofit security into IoT systems.

• Secure update of device firmware with rollback capabilities to ensure device connectivity.

• Secure roll-out and update of applications (AppBundles).

• Managing device groups based on, for example, organizational units or countries.

• Batch deployments using device groups.

• Management of users and employees.

• Secure management of different firmware versions, applications and versions.

10 https://medium.com/flutter-community/how-to-make-a-flutter-app-with-high-security-880ef0aa54da

3.4 Vulnerability Management

3.4.1 Regular Patching

Keep software up to date and apply the latest security patches.

3.4.2 Vulnerability Assessment, Penetration Testing and App Scans

Keep track of the actual risks that exist in your current IT environment. Define what, and how, threats are covered with disaster management guidelines and rules.

Maintain these essential services:

• Network Mapping

• Vulnerability Scanning

• Phishing, Wireless, Database, and Web Application Assessments

• Operating System Security Assessment (OSSA)

• Penetration Testing

Best practices for Vulnerability Assessment and Penetration Testing:

• Processes shall be implemented to identify and scan every device that touches your ecosystem.

• Perform periodic vulnerability scans and penetration testing.

• Regularly patch all assets and periodically update devices to new firmware releases from the OEM.

• Perform white box application security testing and secure code review using automated tools as part of the software development lifecycle. Conduct these processes during development and user acceptance testing, before and after the project moves to the production environment.

• Use vulnerability management metrics that improve and fine-tune detection, prioritization, and remediation processes.

3.4.3 Training Culture and Software Solutions – Phishing, Social Engineering, and Ransomware

A properly trained staff is likely to be more aware and resistant to phishing attacks and social engineering. Incoming emails must be scrutinized for phishing attempts.

Maintain sophisticated update and configuration management of your network.

Phishing and social engineering

• Educate employees not to use the same password on social networking and unofficial applications, and require periodic changes of passwords.

• Do not allow workers to store or share sensitive information.

• Inform customers about techniques for fraud prevention.

• Regularly update antivirus applications.

Ransomware

The most effective way to handle ransomware attacks is to restore data using a backup. An enterprise should maintain at least two separate versions of its data and at least one ought to be stored offsite.

• Provide training to employees on best practices for identifying phishing emails and reporting security incidents.

• Implement tools to block malicious executables, spam, and phishing emails.

• Deploy application whitelisting, memory exploitation prevention, and machine-learning based protection.

• Perform system hardening and grant users the least amount of privilege.

• Logically separate networks and restrict port access.

• Subscribe to an advisory feed and block malicious IP addresses and file hashes.

3.5 Securing Remote Working and Cloud Platforms

3.5.1 Cloud Security

• Ensure adequate data protection policies that depend upon data classification. Silo data according to type, including transactional and customer-sensitive data. Assign policies that govern what data can be stored. Set limitations on the sharing of data and periodically review access control policies across all services.

• Use your own keys to encrypt sensitive stored data. Although encryption available within a cloud service will protect data from outside parties, the cloud service provider still has access to your encryption keys. This can lead to vendor lock-in, which should be avoided by using independent cloud key management and usage solutions.

• Block downloads and access to the cloud environment from unmanaged devices. Require device security verification before clearing a download.

• Ensure advanced malware protection when using infrastructure-as-a-service (IaaS). Anti-malware technology can be applied to the OS and virtual networks to defend an infrastructure from attacks.

• Deploy application whitelisting and memory exploitation prevention tools.

• Enable two-factor authentication for administrators and users accessing sensitive data in a cloud service.

• Perform periodic vulnerability and penetration testing.

• Constantly train employees on cloud security best practices.

Constant training ensures greater security in the cloud.

3.5.2 Third-party environments

• Perform periodic reviews of third-party infrastructure.

• Ensure agreements and NDAs with third parties.

• Before onboarding any third party, review security best practices.

3.6 Phishing Attacks Prevention

Phishing attacks are among the most common security challenges for corporations trying to keep information secure. Hackers can use email, phone calls, social media and almost any form of digital communication to steal valuable data like credit card numbers and passwords.

Phishing protection applications can provide sender authentication and email compromise detection capabilities. These tools use machine learning techniques, behavior analytics, and relationship modeling to protect against identity deception threats.

• Implementation of a bot mitigation solution will help to prevent attacks. As the sheer volume, sophistication, and business damage caused by automated threats grows, bots put a costly strain on corporate enterprises. They mimic human behavior and can slip by traditional security tools. Evaluate bot mitigation vendors that possess industry expertise and technological vigilance to avoid abusive traffic.

• Launch malware protection and antivirus tools that are capable of machine learning protection. Use behavioral analysis and threat detection on end user systems to protect organizations from threats.

3.6.1 Botnets

A botnet is a group of compromised computers manipulated by one, or as many as three, controllers. These botnet controllers, also referred to as bot masters, provide commands to bots through Command-and-Control servers. Bots are able to perform actions remotely based upon directions from their bot masters.

Web-based botnets, which are increasingly working across the web, use the HTTP protocol to communicate. Because HTTP is almost universally used on the internet, attackers can hide botnet communication behind the relatively massive volume of legitimate HTTP traffic. Administrators of network equipment like routers and switches cannot block suspicious bot traffic directly because it is difficult to identify. Botnets can, however, frequently be detected by the data inside HTTP streams, and administrators can determine whether those streams belong to normal applications or carry commands from hostile Command and Control servers.
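One practical way to surface bot traffic hidden in HTTP, as the paragraph above describes, is to look for the regularity a polling bot leaves in proxy logs: near-constant gaps between requests to one host and near-constant response sizes, which human browsing does not produce. The following is an added example, not part of the paper: a Python beacon detector run over a constructed proxy log. The log format (timestamp, client, host, method, path, status, bytes), the hostnames and the thresholds are assumptions for illustration, and a production version would tune the thresholds and add jitter tolerance.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# One line per proxied HTTP request: time, client, host, method, path, status, bytes.
# Constructed sample data, not a capture from any real network.
SAMPLE_PROXY_LOG = """\
2021-03-01T09:00:00 10.0.0.12 cdn.example.com GET /lib/app.js 200 48211
2021-03-01T09:00:05 10.0.0.12 cdn.example.com GET /img/logo.png 200 9120
2021-03-01T09:00:00 10.0.0.45 update-check.example.net POST /gate.php 200 312
2021-03-01T09:01:00 10.0.0.45 update-check.example.net POST /gate.php 200 312
2021-03-01T09:02:01 10.0.0.45 update-check.example.net POST /gate.php 200 312
2021-03-01T09:03:00 10.0.0.45 update-check.example.net POST /gate.php 200 312
2021-03-01T09:04:00 10.0.0.45 update-check.example.net POST /gate.php 200 312
2021-03-01T09:05:01 10.0.0.45 update-check.example.net POST /gate.php 200 312
2021-03-01T09:00:10 10.0.0.12 mail.example.com GET /inbox 200 20331
2021-03-01T09:03:40 10.0.0.12 mail.example.com GET /inbox 200 19980
2021-03-01T09:09:02 10.0.0.12 mail.example.com GET /msg/42 200 5561
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "host": m["host"],
            "path": m["path"],
            "bytes": int(m["bytes"]),
        })
    return events


def _cv(values):
    """Coefficient of variation (population stdev / mean); 0 for a constant series."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def find_beacons(events, min_requests=5, max_interval_cv=0.15, max_size_cv=0.10):
    """Flag (client, host) pairs whose traffic looks machine-driven.

    Human browsing produces irregular gaps and varying response sizes;
    a bot polling its controller tends to produce near-constant ones.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)

    findings = []
    for (src, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda e: e["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        interval_cv = _cv(intervals)
        size_cv = _cv([e["bytes"] for e in reqs])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src,
                "host": host,
                "requests": len(reqs),
                "mean_interval_s": round(statistics.mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "distinct_paths": len({e["path"] for e in reqs}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(finding)
```

On the sample data only the 10.0.0.45 client is flagged: six POSTs to the same path, about one minute apart, all returning 312 bytes. The CDN and webmail traffic from 10.0.0.12 is irregular in both timing and size and passes. A finding is a lead for an analyst to inspect the HTTP bodies, not a block decision on its own.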

3.6.2 Spoofing

A digital risk management tool should perform regular scans to detect spoofs of a system or website using internet fake domains. Website impersonations, false social media profiles, phony applications, and illegal use of organization logos must be ferreted out by protective technology.

• Verify all URL redirects. Determine whether the user was sent to a copied or fraudulent website with an identical design. Cross-check the spelling of URLs.

• “Sandbox” inbound emails and verify the safety of links any user clicks.

• Inspect and analyze web traffic.
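Cross-checking the spelling of URLs, as the first bullet above advises, can be automated for the domains a bank owns. The following is an added example, not code from the paper or from any digital risk management product: a Python classifier that takes a URL, isolates its registered domain, and reports whether it is an allowlisted domain, a lookalike (homoglyph or digit substitution, near-miss spelling, brand name embedded in or prefixed to an unrelated domain), or unrelated. The allowlist examplebank.com / examplebank.co.in, the short public-suffix table and the confusables map are assumptions for illustration; a production tool would use the full Public Suffix List and Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the organisation legitimately operates (assumed sample allowlist).
PROTECTED_DOMAINS = {"examplebank.com", "examplebank.co.in"}

# Assumed short list of two-label public suffixes so that "examplebank.co.in"
# counts as one registered domain. Use the full Public Suffix List in practice.
TWO_PART_SUFFIXES = {"co.in", "co.uk", "com.au", "com.sg", "co.id"}

# Characters commonly swapped for Latin letters in lookalike names:
# Cyrillic homoglyphs (by code point) and digit/symbol substitutions.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s",
})


def registered_domain(host):
    """Return the registrable part of a hostname (naive suffix handling, see above)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(text):
    """Fold a name to the Latin string a human would read it as."""
    return unicodedata.normalize("NFKC", text).lower().translate(CONFUSABLES)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("unrelated", "no-hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode: decode to the Unicode form so homoglyphs cannot hide behind ASCII.
        host = host.encode("ascii").decode("idna")

    reg = registered_domain(host)
    if reg in PROTECTED_DOMAINS:
        return ("trusted", "allowlist")
    if skeleton(reg) in PROTECTED_DOMAINS:
        return ("suspicious", "confusable-characters")

    reg_label = reg.split(".")[0]
    sub_labels = host.split(".")[: -len(reg.split("."))]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if brand_label in sub_labels:
            # e.g. examplebank.com.verify-account.net: brand used as a subdomain
            return ("suspicious", "brand-as-subdomain")
        if levenshtein(brand_label, reg_label) <= 2:
            return ("suspicious", "near-miss-spelling")
        if brand_label in reg_label:
            # e.g. examplebank-secure.net: brand embedded in another registrable name
            return ("suspicious", "brand-embedded")
    return ("unrelated", "none")


if __name__ == "__main__":
    # Constructed sample URLs for a quick look at each verdict.
    for sample in [
        "https://www.examplebank.com/login",
        "https://examp1ebank.com/",
        "https://examplebank.com.verify-account.net/",
        "https://exampelbank.com/",
        "https://www.unrelated.org/",
    ]:
        print(sample, "->", classify_url(sample))
```

The checks run from strongest to weakest signal: an exact allowlist match wins, then a match after confusable folding, then structural tricks such as the brand as a subdomain, then spelling distance and substring containment. A "suspicious" verdict is a trigger for the takedown and customer-warning process the paragraph above calls for, not proof of fraud by itself.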

3.7 Containment and Recovery

Businesses in the current digital environment must plan for worst case scenarios. They have to assume that an intruder will, eventually, take control of company systems. When that happens, procedures should already be in place to contain any attack and perform recovery of systems to get the enterprise back to functional and the business up and running. Business Continuity Planning should already be in place and ready to execute in the wake of an assault by hostile actors.

Containment

Containment refers to controls within an environment that prevent a breach from going outside of a specific system, or its sub-systems. Generally, network segmentation and granular network access rules ensure that intruders cannot move between zones, and it is equally important to contain the breach at its source and stop the leak of sensitive data.

To be safe, data must be encrypted. Keys need to be secured in an organized fashion with access provided to limited and required users and approved systems and processes. Keys should never be kept on the same server as the encrypted data.

3.7.1 Recovery

Businesses need to recover as quickly as possible from any attack. The goal is always to return to normal with no loss of information, or minimal impact on data. Backup copies of all data always play an important role in recovery. The Confidentiality, Integrity and Availability (CIA) of backup copies of data and its systems must not be destroyed or sabotaged.

Encryption of data ensures an expedited return to a previous functional and normal state of operations and will make certain that information inside backups is not leaked, altered, or erased by any intruder.

Network segmentation and granular network access rules set boundaries.

4. Summary

We provide the Root of Trust.

As banking, financial services, and insurance companies expand their digital networks across the globe, they offer increasing targets for hostile attacks. Cybercriminals are also evolving their technologies and have begun to work collaboratively to steal valuable data and digital financial resources.

Protecting an enterprise and its digital infrastructure has become a critical part of doing business. Technology like cryptography and algorithmic keys is creating sophisticated tools to keep businesses and institutions safe from hackers. UTIMACO is advancing hardware and software services in the cloud and on premises with market leading solutions.

With the increase in the number, types and losses of cybersecurity incidents, encryption of information is important. With sophisticated targeted attacks, it is very important to protect the keys across the organization. AGS Transact Technologies has been working in the payments space to provide payment, security and monitoring solutions. It now focuses on a secure Key Management Solution and Nextgen SOC services backed with XDR technology.

4.1 Comments from the Industry

Cybersecurity has been a key pillar of corporate IT strategies since the beginning of distributed computing especially during the last two decades. However, the massive increase in fraud post-Covid-19 has become an industry-wide major concern. To tackle this issue, Paynnovate, in partnership with Utimaco, AGS Transact Technologies, and Novus Technologies, assembled a distinguished line-up of global experts who facilitated a series of webinars with the final aim of producing this comprehensive whitepaper. The panellists and participants engaged in an interactive dialogue, sharing valuable experiences, shedding light on fraud proliferation root causes, exposing types of attacks, and suggesting mitigating strategies. We hope you find this whitepaper useful while devising your cybersecurity strategy and we remain at your disposal for further clarifications and, most importantly, a continued dialogue.

RICARDOS KHOURY, FOUNDER AND CEO, NOVUS TECHNOLOGIES PTE LTD, SINGAPORE

At our bank (Bank Central Asia), we use the Triple D formula to fight frauds i.e. Detect, Deter and Detain. In growing economies new customers have increased exponentially as now anyone can open a bank account using their smartphones. These new-comers are more vulnerable to security risks. Hence, it’s important that we keep educating our customers, employees, programmers and security custodians with the most recent developments & mitigation mechanisms.

A single hole in security holds a low frequency but high impact consequence. Therefore, it is important to secure our codes and architecture. Banks should take enough steps to detect, deter and detain. It discourages the growth of the hacking community.

ARMAND HARTONO, DEPUTY PRESIDENT DIRECTOR, BANK CENTRAL ASIA, INDONESIA

The pandemic has enforced a work-from-home model for most organisations. For banking and payment organisations, this meant a quick but well-thought-out step towards infrastructure readiness. As internal stakeholders had to use their devices and networks for working from home, additional security layers had to be incorporated. Since the cloud is designed to be universal and easy to use, many organisations face the issue of misconfiguration. Therefore, it is important to follow strict configuration procedures with the use of sophisticated technology to safeguard data.

ASHISH MEHTA, PRESIDENT IT, AGS TRANSACT TECHNOLOGIES LIMITED, INDIA

While most banks and financial organisations have the budgets and technology to tackle fraud, there is need for optimal utilisation of these security tools. Additionally, there should be adequate resources to implement these solutions. Organisations must realise that security is a continuous process. Our systems must be monitored continuously as it helps to reduce fraud.

The pandemic has pushed digital acceptance across industries. Hence, it is important to encrypt data and administer the availability of technology optimally. Data protection has the power to reduce loss of information massively. There are enough solutions in the market that companies should utilise.

DR. N. RAJENDRAN, CEO, IFTAS (a subsidiary of RBI), INDIA

To fight vulnerabilities, there are 3 Cs that we must focus on – Content, Compute and Communicate. Content is the Data we have; Compute is the Computer Power; Communicate is our way of moving the data. All these have changed tremendously over the last few decades. The data magnitude, computer power, technologies have seen a remarkable rise. Data is moving faster and quicker with an increased accuracy. Hence, it is important to strategize for today as well as the future. We cannot view the data size as of today to make our organisations future ready.

JOHN YONG, GLOBAL CYBERSECURITY ADVISOR, SINGAPORE

The ever-evolving digital payment market is vulnerable to threats. Digital is at the core of everything we do and at its centre is trust. Therefore, all regulatory bodies expect banks and payment players to be compliant with policies. Phishing attacks are one of the major frauds we have experienced thus far in the Philippines. To tackle this, awareness is important across all stakeholders. Security goes beyond the efforts of banks and players.

LITO VILLANUEVA, EVP AND CHIEF INNOVATION & INCLUSION OFFICER, RCBC, PHILIPPINES CHAIRMAN, FINTECH ALLIANCE.PH, PHILIPPINES

Quantum Computing has the potential to change the world we are living in. It has the ability to transform the way we live, how our medicines are made, how we communicate, etc. It is imperative to allocate specific budgets to the research and development of Quantum Computing. We need to take steps to make our systems future-proof and ready to take on tomorrow’s world.

MARIO GALATOVIC, VICE PRESIDENT, PRODUCT MANAGEMENT & TECHNICAL ALLIANCES, UTIMACO, GERMANY

Today, in Banking and Digital Payments the ecosystem constitutes a new league of players, at times collaborating with Banks, and at times, competing. With both Banks and the new Digital First Players pursuing a comprehensive digitalisation strategy, Cyber-security has come centre-stage in the Boardroom and with the Government and Regulators.

While the Financial Services industry in India has been scaling up its Cyber-security Readiness and Technology adoption, a sharper focus on continuous Risk Assessment & Mitigation, Leadership Capability Building and Technology choices & partnerships to manage Cyber risk is now a key business priority.

RAMA VEDASHREE, CEO, DATA SECURITY COUNCIL OF INDIA (DSCI), INDIA

With digital times, the points of attacks are now occurring at various levels of the supply chain. Sometimes the technologies used by fraudsters are better than the bank itself. Moreover, social engineering is the primary form of attacks anywhere. Hence, to mitigate these attacks, awareness and design are of utmost importance.

Hardware security should be made mandatory for authentication at every step of the value chain. Further, organisations should rethink how they design security. In the past, security design was sequential. Now everything is happening simultaneously, and we must be ready for that.

STEVE MONAGHAN, GENERAL PARTNER, FINMIRAI, JAPAN

The future has arrived faster than anticipated and brought many users and businesses under the digital payment ambit. Gullible users are prone to sharing their sensitive information online, so it is imperative to constantly monitor, share intelligence with partners, deploy authentication solutions and use AI and ML optimally. We should empower consumers and clients to make informed risk decisions and organisations should explore new security technologies to stay ahead of fraudsters.

The road to the future and stronger cybersecurity involves collaboration with all stakeholders. The transition to a safe digital economy will require us to strike the right balance between responsible innovation and security. Digital security is not a one launch activity; it’s a continuous commitment to facilitate secure transactions for all times to come.

VIPIN SURELIA, CHIEF RISK OFFICER INDIA AND SOUTH ASIA, VISA, INDIA

5 Positioning

5.1 AGS Transact Technologies positioning

AGS Transact Technologies is one of the leading providers of end-to-end cash & digital payment solutions in India. It provides customised solutions to leading Banks, Financial Institutions, Oil Marketing Companies, Retail chains as well as the fast-growing MSME base. The company manages Automatic fare collection (AFC) and Electronic Toll Collection (ETC) services for well known projects in India. AGS Transact Technologies offers a wide spectrum of digital payment solutions through its brand ONGO, including POS, Payment gateway, Prepaid solutions, and other Value Added Services. The company has also developed and implemented Fastlane, India’s first-ever mobile fuelling app and UPIQR based Cash withdrawal on ATMs.

Over the years, AGS Transact Technologies has gained vast experience in handling novel security threats and protecting sensitive financial data, card data and PII like PAN and Aadhar data. The company has maintained strict adherence to compliance requirements of PCI, NIST, Reserve Bank of India and NPCI.

AGS Transact Technologies has been trusted by its partner banks and customers for the confidentiality, integrity and availability of their payment and business data. With such vast experience in the payment industry and data protection, AGS Transact Technologies enters the cybersecurity space with a commitment to provide best-in-class security solutions to organisations across sectors.

5.2 Novus positioning

Headquartered in Singapore with direct presence in Philippines, Cambodia, Sri Lanka & Indonesia, Novus Technologies Pte Ltd (Novus) is a digital transformation specialist commanding deep understanding of the region's business and technology requirements.

Its market-tested omni-channel digital platform is enabling innovations across Banking, Retail and Petroleum industries as well as powering various Banks and FinTechs to affordably and timely go to market with banking, payments and financial inclusion services.

With specialists on the ground, and through the alliance with Utimaco and AGS, Novus is well positioned to offer its clients a comprehensive set of onsite and cloud-hosted security solutions that would further reduce the time to market and related costs.

5.3 Utimaco positioning

At UTIMACO our mission is to create trust in the digital society. We develop hardware-based encryption and key management solutions that provide the highest level of security and assurance. Over the last 35 years we have put together a broad portfolio, which can address the requirements of the BFSI market, as recommended by PCI, NIST and the German BSI. Our solutions are centered around cryptography, secure key management and data encryption with a variety of auditing options – certified and ready-to-use.

We strongly believe that it is in everyone’s interest to have a trust anchor that allows them all, individually, to protect and control their own data. The core of UTIMACO’s business is providing the hardware and software necessary to implement these trust anchors. Correctly implemented, hardware-based trust anchors can mitigate risk, and lessen liability, when viewed through the lenses of the laws, acts and regulations designed to protect personal data.

As a global platform solution leader of trusted Cybersecurity and Compliance solutions, we are driven to take a leading market position by providing uncompromised Cyber Security solutions fulfilling the highest standards. With responsibility for global customers and citizens we create innovative solutions to protect data, identities and communication networks.

Get in Touch.

APAC
Novus Technologies Pte Ltd
152 Beach Road, #13-05 Gateway East, Singapore 189721
+65 6297 7085
[email protected]
www.novustech.com.sg

APAC
AGS Transact Technologies Ltd.
14th Floor, Tower - 3, One International Center, S. B. Marg, Prabhadevi (W), Mumbai - 400013
+91-22-7181 8181
[email protected]
www.agsindia.com

EMEA
UTIMACO IS GmbH
Germanusstrasse 4, 52080 Aachen, Germany
+49 241 1696 200
[email protected]

Americas
UTIMACO Inc.
900 E Hamilton Ave., Suite 400, Campbell, CA 95008, USA
+1 844 UTIMACO
[email protected]

APAC
UTIMACO IS Pte Limited
50 Raffles Place, Level 19, Singapore Land Tower, Singapore 048623
+65 6631 2758
[email protected]
