Signing transactions in mobile services. The main question today is how to mitigate risks and maintain customer confidence
“Generation Z” has recently become the target audience of banks. The youth, which until recently was profitable only for game developers, has now suddenly got a well-paid job and even its own business with an impressive bank account. In addition, they want to get access to their accounts from the device in which they spend most of their time: from the smartphone.
The problem is that while transaction authorization technologies in classic remote banking systems for the last 20 years have reached perfection, a dramatical increase in the popularity of mobile services has forced banks to simplify the transaction authorization process at the expense of customer security. Banks send passwords through channels that were not originally intended to transmit sensitive information, such as SMS and PUSH. This has led to a significant increase in the number of mobile user frauds and a general decrease in trust in remote banking services.
What are the risks of modern mobile banking and what technologies will help make its customers’ work truly secure?
The risks of stealing money from user accounts also existed in classic online banking, but due to the merge of channels for issuing and authorizing documents in a smartphone, fraudsters have got new opportunities. On the other hand, the traditional process of authorization using SMS raises a lot of criticism: messages can be intercepted both in the channel of the telecom operator and in the smartphone itself. To drastically reduce the risks of stealing money from user accounts, two main conditions must be met:
- Do not transmit transaction authorization codes via insecure communication channels, but generate them on the client side;
- Generate authorization codes in relation to the details of each transaction.
- These tasks can be solved with the help of specialized devices, MAC tokens (a costly option which requires complex logistics), but the most effective way is transaction signing software installed on a smartphone or integrated directly into the bank’s mobile application.
PayControl: A solution for modern mobile services
SafeTech PayControl is a standard solution for safe and convenient replacement of SMS passwords, providing authentication, visualization of payment details, and authorization of transactions in a smartphone. It combines the convenience of a smartphone and the security of a MAC token: payment details (and even a PDF document) are opened automatically, conveniently viewed on the screen, while the transaction is authorized with an enhanced digital signature.
PayControl protects users from all known attacks today, without reducing their mobility and even making the work more convenient compared to the legacy “secret codes”.
Crypto services in the clouds
The synergy between mobile and cloud technologies for authentication and transaction signing gives a fresh impetus to the development of remote banking (and not only banking) services. A good example is a comprehensive solution based on PayControl and the CryptoPro DSS cloud-based digital signature service.
The solution was submitted for certification to the FSB of Russia. Now banks are able to implement authorization of payment documents on mobile devices with a qualified signature cost-efficiently. The solution does not require hardware keys which will dramatically lower the threshold for using a qualified digital signature for customers. This will also support full mobility while maintaining the legal effect of electronic document management.