Tag Archives: Katrin Talihärmi

PIN2 code not needed to make payments in Danske Bank

Most internet bank users who use an ID-card or Mobile-ID are used to entering PIN1 first and then confirming with PIN2 when making a payment. Danske Bank, however, has solved the matter differently and asks only for PIN1, both for login and for payment confirmation.

Annika Maiste, head of Danske Bank’s e-banking, said that indeed the same PIN code should be used for both login and payment confirmation, and according to the bank, this does not have any effect on security. “In our risk assessment, we have analyzed various attacks and concluded that the use of the digital signing function in Internet Banking may not provide significant additional protection to the user in the case of modern malware,” Maiste said.

She added that the above principle is used for both Mobile-ID and ID-card, and that the company can confirm that, although unlike other banks Danske Internet Bank does not ask users for PIN2, it is safe for the users.

Katrin Talihärm, Managing Director of the Banking Association, said that which security code to ask for is the responsibility of each service provider, and that the association has not made recommendations to its members about it. She added that both ID-card and Mobile-ID are by definition categorized as strong authentication tools when used in an electronic environment together with a PIN.

If only modern malware is considered in the threat model, then indeed PIN2 does not provide any additional protection. However, there are other attacks where the compromise of one key is feasible but the compromise of both keys is not.

Links:
https://geenius.ee/uudis/danske-bankis-pin2-koodi-vaja-ei-lahegi/

Estonian Banking Association publishes new technical specification for Banklink


Press release, 09.10.2014: Banks will raise the security of the banklink service

Estonian Banking Association managing director Katrin Talihärm said the most important changes concern convenience and security. “Merchants now have a much easier way to set up e-services. In the past, banks used a variety of solutions. Now you can use the banklink service to accept payments from customers with similar technical solutions,” explained Talihärm. According to her, the banklink service has been made even more secure, since widely implemented digital signatures make it possible to determine whether the customer authenticates with an ID card, Mobile-ID, PIN calculator or code card. The new service also allows merchants to use account numbers in IBAN format.

During the transition period, which lasts until the end of 2015, banks will support both the old and the new banklink protocol format.

The renewed specification is supposed to fix the protocol-level security flaws discovered previously.

Links:
http://pangaliit.ee/et/uudised-list/356-pressiteade-pangad-tostavad-pangalingi-teenuse-turvalisust
http://math.ut.ee/~arnis/bankauth/