Social engineering attacks in Corporate Banking: PKI and WYSIWYS solutions

Recent social engineering attacks

Social engineering fraud in corporate banking is the term used for a broad range of malicious manipulations designed to perform fraudulent digital operations and transactions in domains such as cash and credit management, asset management and underwriting to small and medium-sized enterprises and large corporations.

What makes computer-based social engineering attacks especially pernicious is that they exploit the human element, which is prone to errors such as misinterpretation, routine and excess trust, rather than system vulnerabilities.

Recent social engineering attacks on financial institutions in the digital world include attempts to:

  • Impersonate mandated account holders and signatories to perform fraudulent operations on their behalf,
  • Modify the content or the purpose of operations when they get signed by these mandated users.

The Gemalto PKI Software Suite includes complementary solutions that add defensive capabilities to legacy PKI infrastructures.

Authenticate. Encrypt. Sign. In any form factor.

Thales Gemalto PKI solutions keep your corporate assets safe.

These solutions address corporate banking and complement the digital banking security solutions developed for retail bank customers.

Understand What You Sign (UWYS)

Gemalto Swat is our high-end solution for corporate banks that wish to provide best-in-class security to their customers and subsidiaries for their electronic Bank Account Management (eBAM), their Automated Clearing House (ACH) activities, their wire transfers, and interbank payments.

Gemalto Swat reader is a signature device that can fit into existing PKI systems to provide contextual control and device authentication during all the PKI signature operations.

The solution allows financial institutions to bind any sensitive operation to a context description that guarantees the integrity of both the content of the operation (WYSIWYS) and its purpose (UWYS).

In the example below, the device displays: "You are signing a batch of 52 transactions amounting to 350 USD".

It gives the signer a UWYS (Understand-What-You-Sign) experience, mitigating state-of-the-art MitB (Man-in-the-Browser) and social engineering attacks while preserving ease of use and mobility.

Gemalto Swat Reader


This signature device can fit into existing PKI systems to provide contextual control and device authentication during all PKI signature operations.

  • Embedded secure element performing device authentication and signing the displayed text
  • Secure PIN entry
  • Large display showing the purpose of the signature
  • USB or BLE connection
  • PC, mobile and tablet support

Gemalto eToken 5300


An ideal solution for an enterprise looking to deploy high-security PKI while keeping a convenient solution for employees.

  • Compact, tamper-evident USB token with presence detection, which provides a third authentication factor (3FA)
  • Advanced certificate-based applications such as digital signature, email encryption and pre-boot authentication
  • Secure remote access to VPNs, web portals and secure network logon
  • Two possible sizes: Mini or Micro

Gemalto eToken 5300 is a three-factor authentication smart token that enhances legacy PKI systems.

What You See Is What You Sign (WYSIWYS)

WYSIWYS refers to a functional method that visibly ensures the integrity of electronic documents and their digital signatures.

The truth is that a signer never really sees what he or she digitally signs.

The signer sees only a representation of the electronic document and of the e-signature. This is a consequence of the technology underlying digital signature implementations: a document and its signature are just a set of bits.

So how can a signer be sure that the message read in a browser is genuine, comes from the right source, and that what is displayed is what he or she agrees to?

Full "see and understand" signature experience.

With Gemalto Websigner, built on the web extension technology promoted by the leading browser vendors, the Swat solution can provide a full web-based WYSIWYS and UWYS signature experience on recent Chrome, Firefox and Edge browsers.


The Swat device features a standard PIN pad enabling Secure PIN Entry (SPE), which allows the usual cryptographic operations to be performed with a PKI smart card.

In addition, the Swat device lets the signer understand precisely what he or she is asked to sign, mitigating specific social engineering attacks.

This is the UWYS concept, which relies on three features:

1. Secure PIN code (against PIN-logging malware and replay)
2. WYSIWYS control of the operation details by the signer, in sync with the bank's PKI signature control (against MitB and MitM)
3. UWYS control of the context by the signer (against social engineering and HTML injection designed to fool the user).
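The binding of context and content described above and in the three-feature list, as an added toy model that is not Gemalto or Thales code: the device signs the displayed purpose text together with the payload, and the bank rejects a batch whose payload was altered after display (MitB) or whose displayed context does not match the payload it would execute. An HMAC with a constructed key stands in for the asymmetric signature a real reader would produce in its secure element; the PIN, key and batch are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: a real device would hold a private key in its secure element
# and the bank would verify with the device certificate.
DEVICE_KEY = b"constructed-device-key-for-illustration"
DEVICE_PIN = "1234"

def canonical(batch):
    """Deterministic encoding so device and bank hash identical bytes."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()

def context_for(batch):
    """Purpose text the bank derives from the payload and the device shows on its display."""
    total = sum(tx["amount"] for tx in batch)
    return f"You are signing a batch of {len(batch)} transactions amounting to {total} USD"

def _digest(context, batch):
    # WYSIWYS/UWYS binding: displayed text and payload go under one hash.
    return hashlib.sha256(context.encode() + b"\x00" + canonical(batch)).digest()

def device_sign(batch, context, pin):
    """Device side: secure PIN entry, then sign exactly what was displayed plus the payload."""
    if not hmac.compare_digest(pin, DEVICE_PIN):
        raise PermissionError("wrong PIN")
    return hmac.new(DEVICE_KEY, _digest(context, batch), hashlib.sha256).hexdigest()

def bank_verify(batch, context, signature):
    """Bank side: the context must describe this payload and the signature must cover both."""
    if context != context_for(batch):
        return False
    expected = hmac.new(DEVICE_KEY, _digest(context, batch), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

def demo():
    # Constructed batch: 50 x 6 USD + 2 x 25 USD = 52 transactions, 350 USD.
    batch = [{"payee": f"ACC-{i:03d}", "amount": 6} for i in range(50)]
    batch += [{"payee": f"ACC-{i:03d}", "amount": 25} for i in (50, 51)]
    context = context_for(batch)
    sig = device_sign(batch, context, "1234")
    # MitB: malware redirects one payment after approval; count and total are unchanged,
    # so the context still matches, but the signature no longer covers the payload.
    tampered = json.loads(json.dumps(batch))
    tampered[0]["payee"] = "ATTACKER-ACC"
    # Misleading context: a larger batch is submitted under the approved description.
    bigger = batch + [{"payee": "ACC-052", "amount": 1000}]
    return {"legit": bank_verify(batch, context, sig),
            "mitb_payload": bank_verify(tampered, context, sig),
            "mitb_context": bank_verify(bigger, context, sig)}
```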

Compliance with corporate banking standards

The presented solutions are also fully compatible with the main standards required by financial institutions, such as:

  • ISO 20022 for electronic data exchange, widely used in eBAM and ACH,
  • XMLDsig and PKCS#7 for digital signatures,
  • PSD2 compliance for strong authentication and dynamic linking of transactions.