PSD2 – Strong Customer Authentication

In February 2017, the European Banking Authority (EBA) published the final draft of the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under the revised Payment Services Directive (PSD2).

Maybe not the most selling title, but it is nevertheless important that your services use a security solution that meets the requirements. Let us tell you how the Keypasco Solution complies, and exceeds these new requirements for Strong Customer Authentication.

Why is Strong Customer Authentication needed?
PSD2 regulates how financial institutes and third-party services receive customer data information. The revised directive will allow new players access to consumers’ payment accounts, to make payments on their behalf, and to provide them an overview of their various payment accounts. The institutions holding the payment account of the consumer will have to provide these new players access to the account. As a natural consequence, the customer authentication requirements are strengthened.

”The implications will be severe for those companies that will not comply with the new EU- regulations in terms of PSD2. The direct implications will be sanctions and fines against those companies.”
Ria Vadpa / EU-commission in Brussels

Strong Customer Authentication requirements
If you are a Payment Service Provider you are, according to PSD2, required to authenticate a user when he or she; accesses an online payment account, initiates an electronic payment transaction or carries out an action through a remote channel that may imply a risk of payment fraud.


Transaction protection

It is unfortunately not uncommon with attacks where the amount, and payee have been altered, and then unwittingly confirmed by the user. For example, on mobile devices, this type of malicious attacks often use overlay windows. To prevent this kind of attacks, it is stated that the payment transaction data needs to be protected throughout all the phases of authentication.

"...payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity…through all phases of authentication…”
PSD2, article 2

The Keypasco Solution:

Keypasco's mobile SDK can be used either as a specific authentication app, using a two-app interface for communicating with the payment app, or be included directly in the payment application. In any case, out-of-band communication through a secure and double encrypted channel is used for displaying the payment information.


Authentication elements
The basic definition of Strong Customer Authentication in PSD2 states that authentication has to be based on the use of two or more possible authentication elements. These elements are knowledge, possession and inherence often explained as something only the user knows, has and is. These elements must be independent from each other, and their usage must generate a one-time authentication code.

In the case of a payment transaction, the authentication code must be dynamically linked to the amount and the payee. If the payment amount or payee changes, the authentication code should change too.

The Keypasco Solution:

The Keypasco Solution utilizes all of these three elements. The basic factors include the PIN code, device ID, PIN code and / or the user’s fingerprint.

In addition to this, the Keypasco Solution has the opportunity to further enhance security by adding the user’s geolocation, history, and a proximity device as additional authentication factors.


The possession element requirements
Requirements related to the possession element are particularly relevant for mobile devices, such as smartphones and tablets. It is stated that possession elements "shall be subject to measures to prevent replication of the elements".

Mobile applications are easy to clone; in fact, entire mobile devices can be cloned without even having physical access to the device. A countermeasure can be to take device properties into account when generating an OTP or encrypting data used by the app.

The Keypasco Solution:

The foundation of the Keypasco solution, the patented six-level device ID uses besides device properties, five other layers to create a robust device ID. Every clone will be detected by us.

What about encrypting data then? Keypasco takes this security level one step further. The private key of the asymmetric key pair used for authentication code creation and digital signatures isn't stored on the mobile device. Where competitors store the entire private key somewhere on the device, Keypasco splits the private key into two parts; one part is stored on the server, and the other part on the mobile device. This second part is encrypted with the user's PIN code or some biometric property.


Independence of authentication elements
The PSD2 requirements regarding the independence of various authentication elements are especially important in the context of mobile devices.

If any elements of strong customer authentication or the authentication code is used through a multi-purpose device, like a mobile phone or tablet, the payment service providers shall adopt security measures to mitigate the risk resulting from the device being compromised.

For this purposes, the mitigating measures shall include, but not be limited to;

  • the use of separated secure execution environments through the software installed inside the multi-purpose device
    • This states that secure execution environments can be used. Mobile operating systems like Android and iOS meet this requirement via their sandboxing techniques. However, these mechanisms are only functioning correctly as long as the device is not jailbroken or rooted.
  • you must have mechanisms to ensure that the software or device has not been altered by the payer or by a third-party or have mechanisms to mitigate the consequences of such alteration where this has taken place.
    • This means that you as a Payment Service Providers must use security controls to detect, prevent and respond to the alteration of mobile apps and devices.

The so called "runtime application protection techniques" can accomplish this level of control, and also aid in detecting whether the device is run simulated and used through an emulator.

The Keypasco Solution:

The execution environment protection of Keypasco's mobile SDK not only detects whether or not a device has been rooted or jailbroken, it also provides continuous runtime monitoring that detects whether a debugger has been attached to the application - i.e. the possibility that sensitive data is retrieved from the memory as the application runs.

Moreover, Keypasco's SDK has for many years been able to detect every single mobile device emulator software in the world. This is a vital part to the security of any authentication software executing on mobile devices. Through internal and external testing facilities, we continuously update our simulator detection and execution environment protection.


Transaction risk analysis
PSD2 mandate the usage of transaction risk analysis based on such as, known fraud scenarios, signs of malware infection, and payment amount. Exemptions from risk analysis and Strong Customer Authentication are mentioned for payments that are rated as low-risk purchases by the payment service provider.

The transaction risk assessment should take payment patterns, location and time into account. Even though the maximum payment amount that can be exempted from Strong Customer Authentication is 500 euros, there is a lot of uncertainty and ambiguity regarding what a low-risk amount is. For instance, one factor that weighs heavily on which amount is considered to be a low-risk amount is the fraud rate of the payment service provider.

The Keypasco Solution:

The cost of the Keypasco Solution is by default based on the number of end-users, not the number of transactions. Therefore, a payment service provider using the Keypasco Solution can provide Strong Customer Authentication to every single transaction, regardless of the payment amount, for the same cost.

A core feature of the Keypasco solution is the device based risk engine. Traditional risk engines use probabilistic algorithms that calculate and estimate decisions based on times, transaction type etc. This leads to a certain percentage of false positives that cause inconvenience for all parties involved. The Keypasco's risk engine makes decisions directly based on device data containing device ID, location, time and behavioural history.

In this way, a device that has been used for fraudulent activities for one payment service provider becomes immediately blacklisted and denied access when it appears elsewhere as well. This can provide a single service provider, using the Keypasco Solution, protection and information that greatly exceed what can be obtained by collecting data exclusively from their own users' devices.


What about SMS OTP and other authentication solutions?

There are several other authentication solutions, which could meet the PSD2 requirements of Strong Customer Authentication. Here are some of them, along with the reason why the Keypasco solution does not utilize these:

  • OTP – very insecure, vulnerable to attacks and brings additional cost for the payment service provider.
  • Hardware tokens (one-button OTP generator, PIN challenge-response token, smart card reader etc.) – brings large additional costs for the payment service provider; purchase, distribution, maintenance. Also, they are inconvenient for the end-user.

Get a step closer to secure authentication for your online services, contact us today!

info@keypasco.com | +46 31-10 23 60

 

Are your services PSD2 compliant?

Maybe you already have full control of PSD2, and what it means for you, and your business? If not, no need to worry. Our security solution is PSD2 compliant!

We put together a short summary of the new regulation to give you an overview of what it’s all about.

What is PSD2?
The EU Payment Services Directive, PSD2, has been submitted by the European Banking Authority (EBA) and regulates how financial institutes and third-party services receive customer data information.

PSD2 will allow new players access to the consumers’ payment account to make payments on their behalf and to provide them an overview of their various payment accounts. The institutions holding the payment account of the consumer will have to provide these new players access to the account, for example via an API.

Why PSD2?
The purpose of PSD2 is to make payments safer, increase consumer protection, and create an environment for innovation and competition on equal terms for all players, both established and new ones.

With PSD2 the aim is to reduce the risk of fraud for electronic transactions using Strong Customer Authentication, and enhancing the protection of the consumers’ data.

Strong Customer Authentication
One of the most important things in PSD2 is the need to perform strong authentication of users of electronic payment services.

For all electronic transactions this means that two, or more of the following independent elements must be used:

  • Knowledge – Something only the user knows like password or PIN
  • Possession – Something only the user possesses, the key material
  • Inherence – Something the user is like fingerprint or voice recognition

Strong Customer Authentication will have to be applied each time the user makes a payment, unless:

  • The payment amount is less than, at the moment € 30
  • The beneficiary is already identified

And the first time, and at least every 90 days a user consult their payment account, or an aggregated view of their payment accounts, using an additional service.

Dynamic linking
For secure remote Internet or mobile transactions, you will also need a unique authentication code that dynamically links the transaction to a specific amount and a specific payee.

Fraud protection
PSD2 also implies that you have to detect signs of malware infection in any sessions of the authentication procedure.

When does PSD2 apply?
PSD2 applies to all transactions made, where at least one party is located within the EU, and to all official currencies.

Are you concerned?
This is just the short version. Contact us today for more information. The Keypasco Solution meets all PSD2 requirements and can ensure that your services are PSD2 compliant.

The new road to Internet security

photo-rikkichanunsplash700x410

Over the years, reports have been pouring in about leaked account information, stolen passwords, credit card fraud and other troublesome and costly incidents, all due to poor security solutions. Now, the Swedish company Keypasco has come up with a solution that could revolutionize how we address the security problem.

Internet security is an on-going problem for any company that uses a login for their services. Often we are stuck with inadequate existing solutions, and it is easy to be discouraged by all the work involved with implementing a new one. But, by challenging the traditions and making things easier and more adapted to human behaviour Keypasco has come up with a new way to make the Internet a safer place.

“I changed all my passwords to “incorrect” so whenever I forget, it will tell me “your password is incorrect”” – With the Keypasco solution you can stop hassle with passwords

Why does it continue to happen when we all know how important good security is?

There are of course many reasons that contribute; for example username and password is still the most common authentication solution. But as we all know, it is hard to keep track of all the different passwords we need in our daily life, so we tend to use the same or similar password for all services. Some providers, such as in the banking sector, has chosen to add to the security with different hardware tokens, but this solution is not for everyone since they are expensive, difficult to roll-out and to update, and very inconvenient for the end-users.

Another problem with these two solutions, and all other traditional authentication solutions is that they use distributed credentials. But, credentials can, and will be stolen.

Why continue on a dead end street?

We are all dependent on the new smart online services so it is just not an option to continue on this dead end road with the old authentication methods – we need to strengthen the security in a new way.

The solution is already here

To solve this problem the Swedish company Keypasco has come up with a simple but clever solution.

By using the unique device ID on the end-user’s own device, like a smartphone, tablet or a desktop/laptop computer, you can make sure that a username and password only works on the right device and in the right location. Simply, Security By Your Own Device!

The core technology of the Keypasco solution, the collecting of device-related data – makes it possible to offer something no one else does – a risk-based authentication solution that is easy to integrate and can be rolled-out in the background to ALL end-users at once, regardless of the number of users.

“With its ground breaking innovative technology, the Keypascos solution offers you a way to secure ALL of your customers without them even knowing it! With our two new service models we can help all types of Internet content providers to secure their customers” – Maw-Tsong Lin, CEO, Keypasco

In addition, the Keypasco solution provides you with a unique risk engine, analysing the device behind every authentication attempt to detect fraudulent behaviour, to further increase the security. Several other features also add to the security.

To provide customers with the best security solution for their needs, Keypasco have now launched two new service models; the Generic Service Model and the Premium Service Model.

The Generic Service Model is an embedded solution, without any end-user interaction that instantly secures 100% of the customers. With the Premium Service Model additional features can be added to maximize the security. This is useful for services that demand an extra high level of security like: Finance, eGovern­ment, Credit card protection, Cardless ATM withdrawal and Mobile payment.

The Keypasco solution in short

  • Automatic enrolment in background – no end-user interaction
  • Risk-engine – a unique risk engine powered by device data mining
  • Easy to integrate with a current solution
  • Instantly protects all customers after implementation
  • The provider still own the information about the customers, Keypasco can’t access it
  • Scalable solution – suitable regardless of the number of end-users
  • No distributed credentials

Meet up at TRUSTECH

To showcase the solution Keypasco will attend TRUSTECH in Cannes on the French Riviera, November 28 to December 1 at the Palais des Festivals.

TRUSTECH is one of worlds the largest annual events dedicated to trust-based technologies and attracts visitors from all over the world.

Keypasco can be found at stand LERINS E001. Don’t forget to stop by to talk about secure authentication, secure mobility and to see a live demonstration of the Keypasco solution.

Asia’s first all-in-one smart home app launched — in collaboration with world class security by Keypasco

Central_Business_District_skyline_viewed_from_the_Lower_Boardwalk_of_Marina_Bay,_Singapore_-_20121022-01Habitap - dashboard

Habitap, Asia’s first fully integrated smart home management system, is now officially launched. The system seamlessly combines smart home features, smart condominium management as well as lifestyle offerings to provide solutions for holistic smart home living. The high security that is crucial for smart home is obtained through the Keypasco solution.

Leading the way in providing smart living solutions, Habitap and Keppel Land have collaborated to introduce Asia’s first fully integrated smart home management system at Keppel Land’s luxury waterfront development, Corals at Keppel Bay in Singapore.

Habitap is the first to integrate the management of smart home devices, management of condominium facility bookings and lifestyle offerings – three key features for smart home living – into a single platform. With a mere tap of the finger on the Habitap mobile application, homeowners can easily manage these systems.

To create a safe and secure home, Habitap is using the security solution from Keypasco who provides a state-of-the art bank-grade security system.

– Keypasco represents a key feature and an important ingredient in the success of Habitap. It addresses key concerns of mobile application security and gives our users peace of mind, knowing their smart home is safe, says Franklin Tang, CEO Habitap.

Keypasco offers a unique and innovative new generation of software-based solution for secure online transactions. The trend is to use the many new innovative personal wearable device as part of your own security, and Keypasco is at the forefront of this trend and development. The Internet of Things will continue to surround and connect people at home, at work and on the road. This creates new security and privacy challenges that needs innovative thinking to maintain the mobile security we are becoming increasingly dependent on.

– Smart home solutions is a rapidly expanding market. For mobile security systems, this is a whole new market that has taken off globally. Keypasco technology is now proven to be useful for a wide range of applications: Authentication (Internet/mobile banking, eCommerce, mobile payment, online gaming, online betting), fraud protection (Credit card, ATM withdrawal etc), precision marketing (DeviceID application) and now even for access control like Smart Home. Our solution offers a convenient and secure service via the end-user’s own device, the mobile phone, says Maw-Tsong Lin, CEO and founder of Keypasco.

Keypasco are happy to announce a new product feature at the CARTES Exhibition in November 2015. This new feature is a natural extension of the secure authentication and secure mobility solution offering secure signatures in a PKI solution.

Keypasco are happy to announce a new product feature at the CARTES Exhibition in November 2015. This new feature is a natural extension of the secure authentication and secure mobility solution offering secure signatures in a PKI solution.Keypasco are happy to announce a new product feature at the CARTES Exhibition in November 2015. This new feature is a natural extension of the secure authentication and secure mobility solution offering secure signatures in a PKI solution.

Let me introduce the Keypasco PKI Sign feature.

The PKI Sign solution is a dynamic feature that offers ICPs (Internet Content Providers) full support of PKI in a portable mobile device. The solution can easily be integrated into an existing PKI infrastructure. We consider us the best vendor of a PKI in a portable mobile device due to our unique security design. Traditionally PKI systems have been various forms of hardware and dependent on the end user as the carrier of the sensitive private keys. Our PKI Sign solution is a versatile and customizable soft PKI option to the market of authentication.

Don’t forget to stop by our booth at the conference (4 N 080) in Paris November 17th to 19th. Join us to talk about secure authentication, secure mobility, our unique features, and see a live demo of our solution.

 

About Keypasco
With more than 20 years of individual experience in IT security, Keypasco’s founders are the minds behind some of the revolutionary authentication technology solutions used today. Keypasco offer a patent-approved secure authentication and secure mobility solution to 13.9M end users in the online gaming and financial/banking industry.
For more information, visit www.keypasco.com, email info@www.keypasco.com or contact us at +46-31-102360.

Link to the official PDF version of the press release.