SECURITY AND TRUST IN THE NEXTGEN ATM NETWORK
Peter Kulik, Director, Digital ATM
February 2017
Target: 2020
• Citi’s Progress towards a NextGen ATM Network
• What We’ve Learned so far:
• Technology Enablers
• Next Generation of ATM Security
• Maintaining Consumer Trust in a new era of Secure Transactions
• ATMIA Next‐Gen ATM Network Committee: Industry RFI
VISION OF A NEXT‐GEN ATM NETWORK
Vision of an Evolutionary Redesign
Citi’s future technology stack will have a service based architecture that is built on decoupled, scalable, and responsive applications that run on Cloud.
Client Layer: Customer Facing & Highly Scalable:
• Responsive web design and cross‐channel client apps, built using HTML5, to reduce duplicate development
• Client is responsive and supports User Interface (UI) logic
Services
• Service API Gateway manages Citi’s production traffic globally
• Multi‐layered security ensures a consistently secure, high‐performing user experience on any device
• Refactor large monolithic CBOL app into small, reusable microservices
• Apps across all channels built to cloud standards
• Multi‐tenant and shared PaaS across multiple projects/applications
Mainframe Host Systems
• Core business logic migrated into a central business service catalog.
• Application Programming Interfaces (APIs) to common business services facilitate UI integration
• Enterprise System Bus (ESB) Provider services allow API‐based access to the host systems.
(Diagram: Citi Future NextGen Architecture. WOA Client Layer: Native Mobile, Tablet and Wearable App; Hybrid Mobile and Tablet App; Browser / Thin Client; Branches; Citi Client Apps (ATM) Thin Client ATM Application. PaaS Cloud Container: Service Management; Web Server Advanced Security; Provider Services; C3 framework; Distributed Cache; Banking Microservices; Service Catalog; Developer Portal; components marked NEW. ATM Application Server and ATM Content Server. Message Routing and Protocol Translation Gateway in front of Host 1, Host 2, Host 3 ... Host N.)
Key Enabling Technologies
Platform as a Service (PaaS) Cloud Container: An execution and storage solution delivering on‐demand operating systems and associated services which drastically reduce setup and installation times, allowing for greater elasticity and resiliency.
Application Programming Interfaces (APIs): APIs provide a service contract definition that can be leveraged by internal applications across banking channels.
Thin Client ATM: Optimal customer experience on ATMs leveraging the Web Oriented Architecture used by Branch and Digital Channels.
Enabling Architecture & Infrastructure
Gateway Services: The ATM Message Routing and Protocol Translation Layer funnels ATM transaction and API‐based common service requests to common service providers. It enforces advanced security measures and facilitates integration and discovery.
Micro‐services: A reusable componentized service that is bound to a specific business capability. Allows for releases by module, thereby reducing dependencies, shortening test cycles and enabling faster deployment.
Business Benefits of Next‐Gen ATM Vision
• Truly Global Customer Experience for Citi Cardholders
  • Every Citi Cardholder will see:
    • Same transactions, screens, accounts, and balances
    • ...at any Citi ATM Worldwide
• Faster, cheaper global deployment of marketing campaigns, software updates, patches, etc.
  • Marketing screens pushed to a server become instantly available to all ATMs
  • A single server software update replaces multi‐week phased rollouts
• Improved efficiency by leveraging APIs in Citi’s Next‐Gen Digital Infrastructure
  • Simplifies infrastructure with a unified global codebase by design
  • ATM Apps can reuse services from Digital Infrastructure
• Enhanced security with Thin Client architecture
  • A single server update can drive global response to a fraud attack
  • One copy of business logic and sensitive data
  • Secure in a controlled cloud environment with mature security technologies
PROGRESS
2016 Proof of Concept Work
“Headless” ATM Proof of Concept (2015)
– Mobile App prestages cash withdrawal
– Customer identification via: NFC, QR Code, Dual Iris Scanner
Cloud ATM + App Server and Content Server
– Proof of Concept demonstrated instantaneous deployment of: Rebranding, Text Changes, Insert new screen
Balance Inquiry transaction using Citi Digital API Proof of Concept
– Same account list through all channels
– Same balances through all channels
WHAT WE’VE LEARNED
Technology Enablers
What we’ve learned:
– Cardholder Authentication: ATMs use Card Number and PIN; Web Services use User ID and Password
– Session Management: ATM Interactions are Session‐based; Web Services are Stateless
– Caching strategies: More needs to be cached on ATMs with slower communications; a Microservices architecture may enable scalable caching
– “Thin” is a state of mind
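The authentication and session‐management mismatch listed above (card number plus PIN and session‐based interactions on the ATM side, user ID plus password and stateless calls on the web‐services side) is bridged at the gateway in the following added example. It is illustrative code written for this page, not Citi’s software: it assumes a gateway‐held HMAC key, a simulated host PIN check, one constructed card with two constructed balances, and a small in‐process set standing in for the distributed cache that lets stateless service instances agree a session has ended before its token expires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: the signing key would live in an HSM/KMS and PIN
# verification would happen on the host, not in the gateway.
GATEWAY_KEY = secrets.token_bytes(32)
SESSION_TTL_SECONDS = 120
_PIN_SALT = b"constructed-salt"


def card_ref(pan: str) -> str:
    """Opaque card reference so tokens and logs never carry the PAN."""
    return hmac.new(GATEWAY_KEY, pan.encode(), hashlib.sha256).hexdigest()[:24]


# Constructed host data: PAN -> salted PIN hash, card_ref -> account balances.
_HOST_PINS = {"4111111111111111": hashlib.sha256(_PIN_SALT + b"1234").hexdigest()}
_HOST_ACCOUNTS = {card_ref("4111111111111111"): {"CHK-001": 1250.00, "SAV-002": 9800.50}}

# Stand-in for the distributed cache: the one piece of shared state that lets
# stateless service instances refuse a session the customer already ended.
_REVOKED_SESSIONS = set()


def host_verify_pin(pan: str, pin: str) -> bool:
    """Simulated host PIN check (constant-time compare of salted hashes)."""
    expected = _HOST_PINS.get(pan)
    if expected is None:
        return False
    actual = hashlib.sha256(_PIN_SALT + pin.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())


def issue_session_token(pan: str, pin: str, now=None):
    """Card + PIN at the ATM yields a signed, expiring session token (None on bad PIN)."""
    if not host_verify_pin(pan, pin):
        return None
    now = int(time.time() if now is None else now)
    claims = {"sid": secrets.token_hex(8), "card": card_ref(pan),
              "iat": now, "exp": now + SESSION_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_session_token(token: str, now=None):
    """Stateless check: signature first, then expiry, then the shared revocation list."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None  # tampered or forged token
    claims = json.loads(_unb64(body))
    now = int(time.time() if now is None else now)
    if now >= claims["exp"] or claims["sid"] in _REVOKED_SESSIONS:
        return None
    return claims


def balance_inquiry(token: str, account_id: str, now=None):
    """A stateless microservice call: every request re-validates the token."""
    claims = verify_session_token(token, now)
    if claims is None:
        return None
    return _HOST_ACCOUNTS.get(claims["card"], {}).get(account_id)


def end_session(token: str, now=None) -> bool:
    """Customer ends the ATM session: revoke the sid so every instance refuses it."""
    claims = verify_session_token(token, now)
    if claims is None:
        return False
    _REVOKED_SESSIONS.add(claims["sid"])
    return True


if __name__ == "__main__":
    tok = issue_session_token("4111111111111111", "1234")
    print("balance:", balance_inquiry(tok, "CHK-001"))
    end_session(tok)
    print("after end_session:", balance_inquiry(tok, "CHK-001"))
```

The token carries only an opaque session id and card reference, so the PAN and PIN never leave the authentication step; the expiry keeps the service instances stateless for the common case, and only early session termination needs the shared cache.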
Next Generation of ATM Security
Current Points of Cyber Vulnerability:
– ATM
– Monitoring & Management Server(s)
– Host System
– Telecoms
(Diagram: Today’s ATM Network, including Monitoring & Management)
Next‐Gen Architecture Expands Possible Attack Vectors
Big‐Data based Fraud Detection systems emerging for end‐to‐end protection
– Each component feeds analytics engine
– Analytics identify anomalies
“Alibaba has built a fraud risk monitoring and management system based on real‐time big data processing and intelligent risk models. It captures fraud signals directly from huge amount data of user behaviors and network, analyzes them in real‐time using machine learning, and accurately predicts the bad users and transactions.” ‐ http://www.sciencedirect.com/science/article/pii/S2405918815000021
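An added example, not from the slides or from Citi, of the “each component feeds the analytics engine” idea: a constructed event stream from the three feeds named above (the ATM, the host and the monitoring & management server) is correlated by three simple rules, a dispense with no matching host authorization, the same card authorized in two cities too close together, and a software push outside the change window. ATM ids, locations, card references, timestamps and the thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed ATM locations and a constructed event stream from the three
# feeds: the ATM, the host and the monitoring & management server (mgmt).
# Timestamps are ISO-8601 strings of one format, so the stream sorts as text.
ATM_CITY = {"ATM-17": "New York", "ATM-23": "New York", "ATM-42": "Miami"}

EVENTS = [
    {"ts": "2017-02-01T14:30:00", "src": "mgmt", "type": "software_push", "atm": "ATM-23"},
    {"ts": "2017-02-01T09:00:00", "src": "host", "type": "authorize", "atm": "ATM-17", "card": "c1", "amount": 200},
    {"ts": "2017-02-01T09:00:03", "src": "atm", "type": "dispense", "atm": "ATM-17", "card": "c1", "amount": 200},
    {"ts": "2017-02-01T09:05:00", "src": "atm", "type": "dispense", "atm": "ATM-23", "card": "c9", "amount": 500},
    {"ts": "2017-02-01T09:10:00", "src": "host", "type": "authorize", "atm": "ATM-42", "card": "c1", "amount": 300},
    {"ts": "2017-02-01T09:10:02", "src": "atm", "type": "dispense", "atm": "ATM-42", "card": "c1", "amount": 300},
    {"ts": "2017-02-01T03:00:00", "src": "mgmt", "type": "software_push", "atm": "ATM-17"},
]


def detect_anomalies(events, atm_city, auth_window=timedelta(seconds=60),
                     travel_window=timedelta(minutes=10), change_hours=(2, 4)):
    """Correlate the three feeds and return (rule, timestamp, detail) findings."""
    findings = []
    recent_auths = []          # host authorizations seen so far: (time, atm, card, amount)
    last_auth_by_card = {}     # card -> (time, city) of its latest authorization
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["src"] == "host" and e["type"] == "authorize":
            city = atm_city.get(e["atm"], "unknown")
            prev = last_auth_by_card.get(e["card"])
            # Same card in two different cities inside the travel window.
            if prev and prev[1] != city and ts - prev[0] <= travel_window:
                findings.append(("impossible_travel", e["ts"],
                                 f"card {e['card']} authorized in {prev[1]} then {city}"))
            last_auth_by_card[e["card"]] = (ts, city)
            recent_auths.append((ts, e["atm"], e["card"], e["amount"]))
        elif e["src"] == "atm" and e["type"] == "dispense":
            # A dispense the host never authorized means ATM and host disagree.
            matched = any(atm == e["atm"] and card == e["card"] and amt == e["amount"]
                          and timedelta(0) <= ts - t <= auth_window
                          for t, atm, card, amt in recent_auths)
            if not matched:
                findings.append(("unauthorized_dispense", e["ts"],
                                 f"{e['atm']} dispensed {e['amount']} with no host authorization"))
        elif e["src"] == "mgmt" and e["type"] == "software_push":
            # Management-server pushes are expected only inside the change window.
            if not (change_hours[0] <= ts.hour < change_hours[1]):
                findings.append(("unscheduled_software_push", e["ts"],
                                 f"software push to {e['atm']} at {ts.time()}"))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in detect_anomalies(EVENTS, ATM_CITY):
        print(f"{ts} {rule}: {detail}")
```

None of the three rules can fire from a single feed: the dispense rule needs ATM and host events side by side, the travel rule needs the host feed plus ATM location data, and the push rule needs the management server’s feed. That cross‐component view is what the slide’s “each component feeds analytics engine” point buys.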
Maintaining Consumer Trust
ATMs are part of the Social Fabric of our Lives
– Euro 1999
– Cyprus 2013
– Greece 2015
– India 2016
– US ATM Withdrawals increased by $100 Billion between 2012 and 2015 according to a recent Fed report.

Biggest Cash‐Based Economies 2016
Country        Population (Millions)
India          1,334
Indonesia      262
Pakistan       195
Nigeria        189
Bangladesh     164
Mexico         129
Philippines    103
Ethiopia       103
Vietnam        95
Egypt          94
Total          2,668
% of World     36%
Sources: http://www.worldometers.info/world-population ; https://www.linkedin.com/pulse/what-top-10-cash-based-economies-world-mattias-liivak?trk=pulse-det-nav_art

What we’ve learned from Consumers:
– Consumers are generally aware of payments risk and fraud
– Positive response to payments security measures
– Consumers trust their smart phones
– Positive response to Biometrics: Dual Iris Scan holds promise as part of multi‐factor authentication
– All About Customer Experience!
ATMIA NEXT‐GEN ATM NETWORK COMMITTEE
ATMIA Next‐Gen ATM Network Committee
Co‐Sponsored by:
– Rich Barron, Bank of America
– Peter Kulik, Citibank
Contributing thought leaders include:
– Chase Adkins, PNC Bank
– Billy Arnold, Iberia Bank
– Ryan Campbell, Prosperity Bank
– Eric de Putter, Payments Redesign
– Paul Gooch, Elan
– David Gwynne, Capital One
– Kathy La Fleur, US Bank
– Brenda Pino, Bank of Montreal
– Rensche Van Der Merwe, FNG South Africa

Industry Request for Information
Deployer Committee decided to take a “problem‐based” approach to the RFI
Target problems to be solved in a Next‐Generation ATM Network:
– Inter‐Operability
– Creating an App Model for ATMs
– Operating System
– Monitoring and Management
– Standards
– Security
Schedule:
– Final draft reviewed: 17th January 2017
– Distribution to vendors by ATMIA: 31st January TBC
– Vendor responses due: TBD
THANK YOU!
Peter Kulik, Director, Digital ATM Development, Citibank