The PayControl platform. Mobile signatures for everyone
The iEcp.ru portal, as well as other media, announced the release of an updated digital signature, which banks began to switch to in late May 2020. The purpose of the tool remains the same: to confirm operations. However, the technology has changed. Among other things, the proposed solution eliminates the step in which the client must enter a verification code or respond to a push notification received on their phone. These one-time passwords open up a “window of opportunity” for fraudsters, who can compromise the codes, for example, by using social engineering techniques to cleverly mislead the victim.
The iEcp.ru portal interviewed the developer of the PayControl solution, which more and more banks are switching to. Daria Verestnikova, Commercial Director of SafeTech, spoke about what a digital signature is when using PayControl, about its application areas, and about the mobility, reliability, and prospects of introducing new financial services.
— Tell us about the PayControl solution developed by SafeTech, what is its purpose and scope?
— PayControl is a digital signature solution for smartphones that lets customers confirm their transactions on any digital channel (online banking, mobile banking, CNP operations, private banking, etc.) with a high level of security and convenience. It can work as a standalone application for smartphones, or can be integrated directly into a mobile banking application.
PayControl completely blocks common attacks on RBS clients, such as SIM card reissuing, phishing, document spoofing and, most importantly, social engineering methods. When confirming their will, users have the opportunity to verify the correctness of the transaction data or electronic document on their smartphone screen, and generate a signature no matter what device it was created on. No additional scratch cards or physical password generators, no dependence on cellular signal strength and the rate of SMS delivery. Using PayControl is as easy as calling from a mobile phone. Users, not only individuals, but also corporate clients, note the ease of use and a shorter customer journey, while banks get a decrease in their security costs and level of fraud.
Implementing the PayControl solution lets financial and insurance institutions introduce new digital services: register a new business online, open an account remotely without visiting a bank office, and eventually authorize payments and documents anywhere and at any time.
— What is the architecture of PayControl? What are the solution elements?
— The PayControl solution features a client-server architecture. The backend is deployed on the bank’s or customer company’s infrastructure, and the client part is installed on users’ mobile devices. Since the PayControl structure is modular and the solution consists of many “bricks” that can be used depending on the customers’ specific needs (see Fig. 1), we position PayControl specifically as a platform—a mobile authentication and digital signature platform.
The PayControl platform includes several functional modules:
- PayControl Mobile Signature, a base module for generating mobile digital signatures;
- PayControl Inform, a module for informing customers about remote service issues and the results of their transactions;
- PayControl investigation tool, a dispute analysis module (dispute analysis workstation);
- PayControl KYC, a customer identification and authentication module;
- PayControl Secure Bank, an early fraud prevention module.
Each bank and its customers need to determine the scope of implementation, which makes each project absolutely unique.
— What are the advantages of PayControl in comparison with other solutions? For example, compared to banks’ traditional digital signatures generated on the basis of a confirmation code sent in an SMS message or in a Push notification?
— The main advantage of PayControl compared to traditional payment authorization methods (i.e., a one-time password via SMS or Push notification) is that the transaction confirmation code is generated directly on the customer’s mobile device. The code is tied to transaction details and the unique characteristics of the user’s smartphone, and even a hypothetical interception of this code by fraudsters will not lead to theft of funds from the account.
The second advantage of PayControl is its ability to effectively resist fraudulent activities using social engineering techniques, a wave of which has literally swept the financial sector. You are probably familiar with the numbers: according to the FinCERT of the Bank of Russia, in 2018 alone, more than 97% of thefts from individual accounts were made using social engineering. In 2019, the situation worsened: attackers began to replace their outgoing phone numbers with a “real bank” one. And with the beginning of the pandemic crisis of 2020, the situation worsened further: customers were busy literally solving questions of life and death. They thought primarily about preserving their health and saving their business, so it became even easier for fraudsters to mislead them.
At the same time, PayControl lets you exclude any possibility of giving any code to the attackers. Users independently confirm transactions with a mobile digital signature, but only after viewing the full payment details and only from their smartphones. This excludes the possibility of confirming a document without the customer’s wish and control. It also ensures the legal significance, as well as integrity and authorship control. Moreover, a mobile electronic signature is much more stable and convenient than SMS and push.
— Which banks and companies have already implemented PayControl in their business processes, and who plans to do so in the near future?
— Over 70 banks are SafeTech customers. Projects using the PayControl platform have been implemented in 5 of the TOP-5 and 8 of the TOP-10 Russian banks. More than 300,000 organizations and 2,000,000 private clients use SafeTech solutions.
Projects using PayControl include: implementations in remote customer service systems for individual and corporate customers; embedding premium services (private banking) in digital customer service channels; providing the possibility of mobile document signing with customers in electronic document management systems; projects in the logistics and transport areas; as well as collaborations with our partners on complex solutions to provide the most innovative services for interaction with the State: online business registration and registration of real estate in Rosreestr.
Published on July 8, 2020 on the iEcp.ru portal