
Social engineering attacks in Corporate Banking: PKI solutions



Authenticate. Encrypt. Sign. In any form factor. Gemalto PKI solutions keep your corporate assets safe.

These solutions address corporate banking and complement the eBanking security solutions developed for retail bank customers.

Recent social engineering attacks

Social engineering fraud in corporate banking is the term used for a broad range of malicious manipulations designed to perform fraudulent digital operations and transactions in domains such as cash and credit management, asset management and underwriting for small and medium-sized enterprises and large corporations.

What makes computer-based social engineering attacks especially pernicious is that they exploit the human element, which is prone to errors such as misinterpretation, routine and excessive trust, rather than system vulnerabilities.

Recent social engineering attacks on financial institutions in the digital world include trying to:

  • Impersonate mandated account holders and signatories to perform fraudulent operations on their behalf,
  • Modify the content or the purpose of operations when they get signed by these mandated users.

The problem? Think about it.

In a public key infrastructure (PKI), a qualified signature is legally binding.

The question is:

Can we mitigate this kind of threat?

The Gemalto PKI Software Suite includes complementary solutions that add defensive capabilities to legacy PKI infrastructures.

Understand What You Sign (UWYS) – Gemalto Swat Reader

Gemalto Swat is our high-end solution for corporate banks that wish to provide best-in-class security to their customers and subsidiaries for their electronic Bank Account Management (eBAM), their Automated Clearing House (ACH) activities, their wire transfers and interbank payments.

Gemalto Swat Reader is a signature device that fits into existing PKI systems to provide contextual control and device authentication during all PKI signature operations.

The solution allows financial institutions to bind any sensitive operation to a context description that guarantees the integrity of both the content (WYSIWYS) and the purpose (UWYS) of the operation.

For example, the device displays: "You are signing a batch of 52 transactions amounting to 350 USD".

It provides a UWYS (Understand-What-You-Sign) experience to the signer, mitigating state-of-the-art MitB (Man in the Browser) and social engineering attacks, while preserving ease of use and mobility.

Gemalto Swat Reader

A signature device that fits into existing PKI systems to provide contextual control and device authentication during all PKI signature operations.

  • Embedded secure element that performs device authentication and signs the displayed text
  • Secure PIN entry
  • Large display showing the purpose of the signature
  • USB or BLE connection
  • PC, mobile and tablet support
  • WYSIWYS experience

Gemalto eToken 5300

The ideal solution for enterprises that want to deploy high-security PKI while keeping things convenient for employees.

  • Compact, tamper-evident USB token with presence detection, which adds a third authentication factor (3FA)
  • Advanced certificate-based applications such as digital signature, email encryption and pre-boot authentication
  • Secure remote access to VPNs and web portals, and secure network logon
  • Two sizes: Mini or Micro


The Gemalto eToken 5300 is a three-factor authentication smart token that enhances legacy PKI systems.

What You See Is What You Sign (WYSIWYS) – with Gemalto Websigner

WYSIWYS refers to a functional method that visibly ensures the integrity of electronic documents and their digital signatures.

The truth is that a signer never really sees what he/she digitally signs. 

He/she sees only a representation of the electronic document and the e-signature. This is due to the technology underlying the implementations of the digital signatures. A document and its signature are just a set of bits.

So how can a signer be sure that the message shown in a browser is genuine and comes from the right source, and consent to exactly the content it displays?

Full "see and understand" signature experience

With Gemalto Websigner, built on the web extension technology promoted by the leading browser vendors, the Swat solution can provide a full web-based WYSIWYS and UWYS signature experience on recent Chrome, Firefox and Edge browsers.

The Swat device features a standard PIN pad that enables Secure PIN Entry (SPE) and allows the usual cryptographic operations to be performed with a PKI smart card.

In addition, the Swat device lets the signer understand precisely what he/she is being asked to sign, in order to mitigate specific social engineering attacks.

This is the UWYS concept that relies on three features:

  1. Secure PIN code (against PIN login malware and replay)
  2. WYSIWYS control of the operation details by the signer, in sync with the bank's PKI signature control (against MitB and MitM)
  3. UWYS control of the context by the signer (against social engineering and HTML injection to fool the user).
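As an added illustration of the UWYS binding described in the list above and in the Swat Reader section (example code written here, not Gemalto's software): the text shown on the device is derived from the transaction batch itself and signed together with a hash of that batch, so the bank can detect both a purpose that does not describe the submitted batch and a batch altered after signing. The HMAC key, field names and sample batch are assumptions; a real deployment would sign with the smart card's private key and verify with its certificate.

```python
import hashlib
import hmac
import json

# Constructed sample batch (not from the page): two wire transfers totalling 350 USD.
# Amounts are integer cents so the total never suffers float rounding.
BATCH = [
    {"beneficiary": "ACME Supplies", "account": "ACCT-PLACEHOLDER-1", "amount_cents": 20000, "currency": "USD"},
    {"beneficiary": "Globex Ltd", "account": "ACCT-PLACEHOLDER-2", "amount_cents": 15000, "currency": "USD"},
]
# Hypothetical shared key standing in for the signer's PKI key pair; a real deployment uses
# the smart card's private key and the bank verifies with the matching certificate.
DEVICE_KEY = b"demo-key-not-a-real-credential"


def context_description(batch):
    """UWYS text the device displays, derived from the batch itself rather than from the web page."""
    currencies = {tx["currency"] for tx in batch}
    if len(currencies) != 1:
        raise ValueError("mixed-currency batch: a single total would be misleading")
    total_cents = sum(tx["amount_cents"] for tx in batch)
    return f"You are signing a batch of {len(batch)} transactions amounting to {total_cents / 100:.2f} {currencies.pop()}"


def canonical_payload(batch, context):
    """Bytes actually signed: the displayed context plus a hash of the canonical batch (WYSIWYS binding)."""
    batch_json = json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()
    batch_hash = hashlib.sha256(batch_json).hexdigest()
    return json.dumps({"context": context, "batch_sha256": batch_hash}, sort_keys=True).encode()


def device_sign(batch, context):
    """Signer side: the device shows `context`, the user reads it and enters the PIN, the secure element signs."""
    return hmac.new(DEVICE_KEY, canonical_payload(batch, context), hashlib.sha256).hexdigest()


def bank_verify(received_batch, signed_context, signature):
    """Bank side: rebuild the context from the batch actually received, then check the signature.

    Returns False when the purpose the signer saw does not describe the submitted batch
    (social engineering / HTML injection) or when the batch was altered after signing (MitB).
    """
    try:
        if context_description(received_batch) != signed_context:
            return False
    except ValueError:
        return False
    expected = hmac.new(DEVICE_KEY, canonical_payload(received_batch, signed_context), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
```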

Compliance with corporate banking standards

The solutions presented here are also fully compatible with the main standards required by financial institutions, such as:

  • ISO 20022 for electronic data exchange, widely used in eBAM and ACH,
  • XMLDsig and PKCS#7 for digital signatures,
  • PSD2 compliance for strong authentication and dynamic linking of transactions.

Corporate banking and Gemalto

With over 15 years of experience in corporate banking, Gemalto has earned the trust of millions of corporate banking users who rely daily on Gemalto authentication solutions, especially PKI-based ones.

Now you can mobilize Gemalto security solutions and experienced banking service teams to support your project.

Our customers trust us to deliver. So you can.


Gemalto PKI Software Suite


Gemalto Websigner

Gemalto Websigner is a PKI software that enables your web applications with Sign-What-You-See (SWYS) capabilities in compliance with the most recent browser security standards.


Gemalto Web Connector

The Gemalto solution that directly links your web application to your connected OTP or PKI devices without requiring any middleware installation or administrator rights on your PC.