[Openid-specs-fapi] [Bitbucket] Issue #127: CIBA: security issues (openid/fapi)

Dave Tonge dave.tonge at momentumft.co.uk
Tue Nov 28 22:02:48 UTC 2017


Tom, there seems to be some confusion here. The CIBA profile provides a
standard for backchannel auth. It is not tied to mobile phones even, it is
just that the first "use case" was for Mobile Connect.

In FAPI we are proposing that banks use CIBA in the following way:

   1. A bank onboards a customer to the bank's mobile app (this is in the
   competitive space, but this onboarding process should hopefully include the
   generation of a key-pair, with a private key that never leaves that device).
   2. The customer uses this banking app for everyday banking interactions
   - the bank can obviously implement this in any way they see fit
   3. The bank implements CIBA and defines some login_hint that third
   parties can use to start a CIBA request - this could be a username, an
   email address, a card number, etc.
   4. When the bank receives a CIBA request from a valid client with a
   valid login_hint, it sends a push notification to the user's device. (NB,
   not an SMS, but rather an Apple or Android push notification)
   5. The user opens their banking app from the push notification and is
   shown a consent screen where they can authorize the requested access
   6. Once the user authorizes the request, the client is issued an access
   token

(NB the flow will probably include the comparison of binding messages, but
we are still working through the detail of that)

The bank should have as strong an assurance that it is interacting with its
user as any other time that the user is using the banking app.

An attacker couldn't spoof this flow by hijacking the user's phone number
as the flow doesn't use SMS messages or any telco based identity factors.

If an attacker hijacked the Apple / Google push notification system, the
flow still wouldn't break as the banking app would need to retrieve the
consent details to display directly from the bank's servers.

Hopefully, this clarifies the proposed use case of CIBA in a FAPI context.

Dave

On 28 November 2017 at 16:12, Tom Jones via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> To be really clear then. Only the telco can support CIBA, correct?
>
> Note that I voted against the MODRNA specs because, IMO, they do not
> uphold the user consent requirements in OpenID Connect. For FAPI to endorse
> the telco involvement in a financial transaction would exacerbate this
> failing.
>
> ..tom
>
> Peace ..tom
>
> On Tue, Nov 28, 2017 at 7:16 AM, Gonzalo Fernández <
> issues-reply at bitbucket.org> wrote:
>
>> *Gonzalo Fernández* commented on issue #127:
>> CIBA: security issues
>> <https://bitbucket.org/openid/fapi/issues/127/ciba-security-issues>
>>
>> Hi Nat,
>>
>> Telco companies do know the device associated with a user, in fact they
>> use such information to improve customer care when he calls for something
>> related to the device. As far as I know, when the terminal has been
>> registered in the network, it sends the IMEI and thanks to that the
>> operator is able to know the device and associate it with the MSISDN and
>> IMSI because at this time it also has that information.
>>
>
>


-- 
Dave Tonge
CTO
Moneyhub Enterprise
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120
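
The six-step flow in the message above, modelled as an added example (not code from the thread or from the CIBA or FAPI specifications): the push carries only a request id, the app displays what the bank's server returns, and a token exists only for a request approved from the onboarded device. `Bank`, its methods, `sign`, the client id `tpp-1`, the opaque push payload, and the use of an HMAC secret in place of the device key-pair signature (the Python standard library has no asymmetric signing) are assumptions.

```python
import hashlib
import hmac
import secrets

def sign(key, req_id, details):
    # Assumption: HMAC stands in for a signature made with the device private key.
    msg = f"{req_id}|{details['client']}|{details['scope']}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Bank:
    """Toy model of the bank side of the flow (constructed, not a real API)."""

    def __init__(self):
        self.clients = {"tpp-1"}   # registered third parties (constructed)
        self.devices = {}          # login_hint -> device key from onboarding
        self.pending = {}          # auth_req_id -> request state

    def onboard(self, login_hint):
        # Step 1: key material is created at onboarding and kept by the app.
        key = secrets.token_bytes(32)
        self.devices[login_hint] = key
        return key

    def ciba_request(self, client_id, login_hint, scope):
        # Steps 3-4: valid client and valid login_hint, then push an opaque id.
        if client_id not in self.clients or login_hint not in self.devices:
            return None
        req_id = secrets.token_urlsafe(16)
        self.pending[req_id] = {"client": client_id, "user": login_hint,
                                "scope": scope, "approved": False}
        return {"auth_req_id": req_id}   # the whole push payload

    def consent_details(self, req_id, login_hint):
        # Step 5: the consent screen is built from this, never from the push.
        req = self.pending.get(req_id)
        if req is None or req["user"] != login_hint:
            return None
        return {"client": req["client"], "scope": req["scope"]}

    def approve(self, req_id, login_hint, tag):
        details = self.consent_details(req_id, login_hint)
        if details is None:
            return False
        ok = hmac.compare_digest(tag, sign(self.devices[login_hint], req_id, details))
        self.pending[req_id]["approved"] = self.pending[req_id]["approved"] or ok
        return ok

    def token(self, req_id):
        # Step 6: a token is issued only for an approved request.
        req = self.pending.get(req_id)
        return secrets.token_urlsafe(24) if req and req["approved"] else None
```

A push notification naming a request id the bank never issued yields no consent details and nothing to approve, which is the property the message relies on when it says a hijacked push channel would not break the flow.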
