Title:

Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market

Amended Date: 2024.12.27 
Categories: Information Operations
Article 35 (Management of identity verification methods for electronic trading)
  1. Except for the methods otherwise provided under the Guidelines for Security Control and Management of Use of Fast Identity Verification Methods by Financial Institutions, when an organization allows log-in to electronic trading, its security design shall implement any two or more of the following three technologies:
    1. Information agreed with the organization and not known to any third party (e.g. PIN, pattern lock or gesture lock).
    2. The organization shall verify that the physical device (e.g. password generator, PIN card, chip card, computer, mobile device, certificate carrier) held by the client is the device agreed upon by the client and the organization.
    3. The organization shall directly or indirectly verify the biometrics (e.g. fingerprints, face, iris, voice, palm prints, veins, signature) owned and provided to the organization by the client. Indirect verification means authentication performed by the device on the client side (e.g. a mobile device) or by an appointed third party, in which case the organization receives only the result of the verification and may add a further authentication step where necessary. In the case of indirect verification, the organization shall first review the validity of the client's identity verification method.
  2. Where an organization uses a PIN as the verification method, the organization shall apply an irreversible computation (such as a hash function) before storing the PIN. Further, to prevent a PIN from being guessed by means of pre-generated hash values, the information shall be encrypted or combined with additional data unknown to third parties in the computation. Where encryption is used, the key shall be stored in a hardware security module certified by a third party (e.g. to FIPS 140-2 Level 3 or higher) and export of the key in plaintext shall be restricted.
  3. When an organization directly verifies biometrics and stores the biometric data in its internal systems, it shall de-identify the original biometric data so that it is difficult to reverse, encrypt the original biometric data and the alias ID before storing them, and store different parts of the biometric data separately on different storage media (e.g. databases). The encryption key shall be stored on equipment meeting FIPS 140-2 Level 3 or higher, or an equivalent certified security level, so that the private key cannot be exported or duplicated.
  4. When directly verifying biometric data, an organization shall establish its error tolerance rate and the standard for that rate based on its risk capacity, and shall perform testing prior to release as well as regular testing on an annual basis. Compensating measures shall be in place where the results do not meet the organization's requirements. For technologies that verify biometric data indirectly, the organization shall perform regular testing on an annual basis, collect information security threat intelligence and establish compensating measures. In the case of indirect verification, it shall first review the validity of the client's identity verification method.
  5. When using a certificate as the verification method, an organization shall accept only certificates issued by a certification authority approved or permitted by the Ministry of Economic Affairs, and shall strengthen verification at certificate issuance (e.g. by use of an OTP) to ensure that only the client himself or herself can log in to the system.
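The PIN-storage rule in paragraph 2, shown as an added Python example that is not part of the Directions or of any organization's code: the PIN is stretched with a per-client salt (the "unknown data"), then passed through a keyed step standing in for the HSM-held key, and a bare unsalted hash is shown beside it to illustrate why the rule exists. The in-process key, the function names and the 10,000-entry table of four-digit PINs are assumptions made for this demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical stand-in for the HSM-resident key: in production the key lives
# inside a certified HSM that performs the keyed step and never exports the
# key in plaintext. Here it is an in-process secret so the example runs offline.
_HSM_KEY = os.urandom(32)
ITERATIONS = 600_000  # PBKDF2 work factor; raises the cost of each guess


def hsm_keyed_step(data: bytes) -> bytes:
    """Keyed transform that a real deployment would delegate to the HSM."""
    return hmac.new(_HSM_KEY, data, hashlib.sha256).digest()


def store_pin(pin: str) -> dict:
    """Build the record to persist: per-client salt plus keyed, stretched hash.
    The PIN itself is never stored."""
    salt = secrets.token_bytes(16)  # the 'unknown data' added to the computation
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS,
            "digest": hsm_keyed_step(stretched)}


def verify_pin(pin: str, record: dict) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(hsm_keyed_step(stretched), record["digest"])


def bare_hash(pin: str) -> str:
    """What paragraph 2 rules out: an unsalted, unkeyed hash. Every client
    with the same PIN gets the same value, so a pre-generated table of all
    short numeric PINs matches it directly."""
    return hashlib.sha256(pin.encode()).hexdigest()


def table_recovers(stored_hex: str, digits: int = 4) -> bool:
    """True if a precomputed table of all `digits`-long numeric PINs contains
    `stored_hex`; shows the bare hash failing and the salted record holding."""
    table = {bare_hash(str(n).zfill(digits)) for n in range(10 ** digits)}
    return stored_hex in table
```

Two records for the same PIN differ because each carries its own salt, and a compromised record is of no use to a precomputed table without the HSM-held key.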