Trust as Vulnerability: The Zero Trust Security Model and Mobile Applications
The widespread adoption of mobile devices, cloud computing, remote work and the like has pushed the need for smarter security to the top of the agenda. With attack surfaces having widened considerably, defences now need to be focused on users and assets rather than on a network perimeter. This was Okay’s perspective from the very beginning, and it is also the premise of the Zero Trust security model. Let’s see how they align, and where they apply to mobile apps.
Banking-as-a-Service in 2021: the SCA Dilemma
Banking as a Service (BaaS) refers to the services and tools that allow financial institutions to adapt to the current digital shift by offering their customers an omnichannel experience. BaaS providers are the ones that build the web and mobile applications for these institutions so that customers may access their accounts digitally. But has this environment changed since the release of PSD2? Let’s take a look.
Payment Trend Updates for June 2021
Okay is mainly concerned with security and Strong Customer Authentication. However, that doesn't prevent us from taking part in industry conferences or being a member of industry groups like the Emerging Payments Association, Open Banking Excellence, l'Association du Paiement, or the Mobey Forum. Today, we take a look at a few of the hot topics that have been on the payment market table over the past year, with some insight as to where they may be headed.
Can Strong Customer Authentication (SCA) be Web-based?
A question we often face during customer discussions is whether or not we support web browser-based authentication. Our answer so far has remained the same: we focus on mobile-based authentication, particularly by helping payment service providers (PSPs) secure customer authentication through their smartphone apps. In this post, we explain why this is the case and discuss some signs hinting at browser-based authentication becoming more popular in the future.
Investing With Okay - Some Thoughts From Christen Bakke
Okay is here today because of the people who believed in our idea to make an affordable, PSD2-compliant Strong Customer Authentication solution. One of those people was Christen Bakke - investor, supporter, and financial industry expert. We reached out and asked him to reflect on what it was like getting involved in Okay, his thoughts on the industry, and where he sees it all headed in the future.
Buy vs. Build: the Million-Euro SCA Question
Perhaps the most common question we get asked when it comes to SCA software is how to choose between going for in-house development or outsourced expertise. Since the Build vs. Buy debate is heavy and multifaceted, in this blog, we discuss a few of the pros and cons to help you and your team make the best decision.
Reviewing Access Control Server Integration for SCA
What is an access control server, and why is it important when it comes to strong customer authentication? In this week’s post, we take a closer look at how these servers run, their limitations when it comes to outdated mobile operating systems, and the way Okay utilises them for our applications.
Ozone API and Okay Tackle Compliance Demands
Compliance is a complex topic that draws on both the budgets and the resources of banks and financial institutions. When talking specifically about compliance with the Revised Payment Services Directive (PSD2), the mandated Open Banking interfaces and Strong Customer Authentication (SCA) deliverables have proven to be the most significant undertakings.
Why Should Issuers Care About SCA User Experience?
Today’s issuers live in a world marked by the increasingly challenging demands of regulators. With the “fear” of penalisation that comes with being non-compliant, it’s easy for these issuers to “choose” compliance over user experience. This we understand, especially when the consequences of non-compliance are so substantial. However, there are still consequences that come from forgetting about the user experience. What are they, and how much of an impact do they have?
PSD2 RTS SCA Compliance and Okay - Part 3 of 3
We have so far talked about compliance, requirements PSPs should be aware of, and the April 30th deadline regarding consumer protection rights. In the final instalment of our 3-part series on compliance, we wrap up with how the Okay solution can help you meet SCA PSD2 RTS compliance standards.
PSD2 SCA Compliance and the April 30th Deadline - Part 2 of 3
When it comes to the PSD2, it has been difficult to keep up with the ever-changing compliance deadlines. We wrote about the latest 2021 deadlines in a previous post, and can only hope that they are here to stay. But amidst these countless dates, there is one deadline that you should be aware of: the April 30th deadline. Let’s get into it in part two of three of our mini-series on PSD2 SCA Compliance.
PSD2 RTS SCA Compliance - Part 1 of 3
Compliance. A scary term for any payment service provider in a world of increasingly stricter regulations and requirements. So to make it just a little less scary, we are opening up the PSD2 RTS Compliance door and extracting some key points of interest. In part one of three, we start by covering the fundamental requirements Payment Service Providers (PSP) should be aware of if issuing cards or e-money payments and why said requirements are necessary.
It’s 2021: Do You Need Two Channels for Strong Customer Authentication?
Okay has been running compliance audits since 2016. What did it look like back then compared to today? Are two channels for SCA really needed? This week we briefly explore the changing security environment of mobile phones related to identity verification.
Announcing a Successful Re-evaluation of our PSD2 RTS SCA Solution
If you are working with Strong Customer Authentication solutions, you will need to be evaluated by auditors in order to stay up to date and in compliance with the regulations. In this post, we talk about our own recent re-evaluation, including how we prepared and the final results.
What is Pay360 and Why Should You Tune In?
Pay360 is an annual event that gives major payment industry players the time and space to come together and brainstorm solutions to the industry's advances, opportunities and challenges. We highly recommend signing up for free at the link provided in this blog post to ensure you don’t miss out.
SCA Deadlines Across Europe
We have spoken a lot about strong customer authentication (SCA) over the past year. However, the regulation has technically been in effect since mid-September of 2019. Like many major economic or financial overhauls, change takes time and most European countries have chosen to take a pretty gradual implementation approach. Now well into 2021, it is time for all European countries to fully enforce the updated SCA regulations. Let’s take a look at some of the deadlines.
The Future is Frictionless: Customers Care About Shopping, Not Payments
Okay wants to make the payment process as smooth as possible, specifically when it comes to customer authentication. While this is just one part of the payment process that can introduce friction, it is often where checkout abandonment occurs. In this post, we’ll try to describe some of the options that we’ve seen in the market regarding frictionless payments, including their strengths and weaknesses.
Evaluations, Penetration Testing & Security Certifications: Lessons Learned
Over the last few years, Okay has gone through both security certifications and penetration testing. While they represent two uniquely different processes, each has greatly improved our product’s security, code quality and architecture. In this post, we discuss the importance of each, as well as what we've learned along the way.
Which is More Secure: Apple’s iOS or Google’s Android?
Will our smart devices be able to implement the necessary security measures to keep up with an ever-increasing digital marketplace? If so, which ones will reign supreme? In this post, we reflect on an age-old question of iPhone vs Android device, well worth considering by all financial industry players, big or small.
How to customise the Okay solution to your brand
Keeping your clients’ authentication secure is paramount when implementing an SCA Solution, however, keeping your brand consistent is also important, both for your brand and your clients’ user experience. This article explains how you can customise the Okay solution and add your brand’s logo and colours.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication - most often referred to as SCA - is a requirement of the second Payment Services Directive (PSD2), adopted in 2015. The detailed rules are set out in the Regulatory Technical Standards (RTS) on SCA, drafted by the European Banking Authority (EBA) and adopted by the European Commission in 2018. SCA's role in PSD2 is to protect end-users when they make payments.
Security Vulnerabilities Through the Payment Process
For the last few years, Okay has been laser-focused on one particular part of the payment process: Strong Customer Authentication (SCA), the process of authenticating the user and authorising the payment. However, authentication and authorisation are not the only vulnerable phases in the payment process; there are several others, and each phase has its own set of vulnerabilities.
News in hardware-based vulnerabilities
Recently Check Point Research made public that they had performed a security review of one of the leading mobile chipset manufacturers, Qualcomm Technologies. While the review is not yet public, they’ve apparently found more than 400 vulnerabilities in the Hexagon DSP that has been included in more than one billion chips provided by Qualcomm over the last few years.
The history of PC malware and the future of mobile malware
Over the past few decades, different types of malware have regularly been in the news: Worms, trojans, spyware, backdoors, ransomware, RATs, adware, cryptojackers and viruses have all gotten their 5 minutes of fame. These types of attacks have become common enough that everyone working with computers is aware of their existence. While the history of personal computer-based malware goes back at least to the 1980s, the history of mobile malware began in the mid-2000s. Can we learn something from the malware of the past, and if we can, is it possible to predict something about the future?
Accessibility and malware
Since 2009, when both Android and iOS gained accessibility support, it has been possible to use alternative input methods on the current main mobile operating systems. Today, the goal of accessibility is not just to make it possible for people with disabilities to use a smartphone; the use extends beyond that.
SCA to fight fraud - A real life example
Okay’s raison d’être is to fight fraud and financial crime, with a particular focus on protecting against card-not-present fraud. Quite ironically, I was the victim of such a fraud during lockdown, and I couldn’t resist sharing. More importantly, it sheds light on just how important SCA is in protecting all of us as eCommerce accelerates.
Taking contactless to a new level
During the past few months, with lockdowns and physical venues closed, the need for more digital solutions was exacerbated. Tasks that previously were fairly simple - like proving who we are - suddenly became a process spanning not just days but weeks.
Unlocking Strong Customer Authentication (SCA)
The original Payment Services Directive (PSD1) brought payments into the scope of regulation for the first time throughout most of Europe. But it is the second Payment Services Directive (PSD2) that will be known as the real game-changer; the one that created the market for new players to infiltrate traditional provider systems to give customers a different way to access services and get more from their data. I’ll explain the nature of the new players below, but my interest mostly lies in the second significant change introduced by PSD2, which was brought in to counterbalance this new openness: Strong Customer Authentication (SCA).
How to Setup Two Factor Authentication with Okay
As a cloud-based, multi-tenant solution, Okay provides a simple way to integrate secure two-factor authentication (2FA) into your app without having to build or rewrite a security system yourself. This tutorial is your step-by-step guide to adding 2FA to your service using the Okay solution.
Containers, virtualization and sandboxes: What does it all mean?
Three of the most common terms used when talking about computer security in general, and mobile security in particular, are containers, virtualization and sandboxes. All three are technologies that are in some way used to protect mobile applications. In this post, we’ll give a quick introduction to each term and the meaning behind it. We’ll also shed some light on their importance for strong customer authentication.
How to evaluate the security of your mobile banking app - Part 1
Providing a secure app is paramount when offering a mobile banking experience to your clients. That means choosing the right set of service providers and being compliant with the current regulations, but it should also include security evaluations. You should evaluate the security of your mobile banking app thoroughly before launch and then continue evaluating the security as the app and the environment changes.
How to evaluate the security of your mobile banking app - Part 2
This is the second part of a two-part series where we look at how you can evaluate the security of your mobile banking app. In the first part, we looked at how you can check for issues with communication and encryption, such as checking for man-in-the-middle style attacks. In this post, we’ll go deeper into the smartphone and the app itself.
Lessons from 6 years and 11 patents
In early 2014 Okay applied for its very first patent. The patent was for a mechanism allowing computer users to use a phone, even a landline, as a second factor during a strong customer authentication. Since then we have applied for 10 more patents, both nationally and internationally. In the 6 years since that first patent application, we have learned quite a bit about how to apply for patents. In this post, I’ll try to summarise the most important lessons we have learned around the process of applying for a patent.
SCA for Corporate Transactions
One of the biggest challenges with Strong Customer Authentication (SCA) is making the purchasing experience fast and frictionless for cardholders and bank-app users. When we look at speed and convenience, however, corporations sit at the opposite end of the requirement spectrum from retail users. Why? Because the amounts can be far larger, which makes security paramount, and for a corporate payment some friction is accepted in exchange for stronger controls. So how does this translate to SCA? Let's take a look.
SCA Enrolment and Re-enrolment
Enrolment and re-enrolment are both critical stages in the SCA process. If the enrolment of a client is compromised in any way, all SCA challenges for that client can be compromised. That makes enrolment and re-enrolment the most security-sensitive part of the customer relationship.
SCA Industry Challenges
When implementing Strong Customer Authentication (SCA), most organisations face a number of challenges. After discussions with different players across the PSD2 SCA industry, we have found that some of these challenges are shared by almost everyone, regardless of company size or type of bank. As a result, we have put together a list of the top 8 SCA challenges, and over the next 8 weeks we will dive deeper into them one at a time.
The Cost of SCA Integration
Minimising integration costs and the total cost of ownership is a concern voiced by most issuers when implementing an SCA project. Of course, any IT project involves integration and integration costs. SCA is no different in that regard, but it does have its own cost drivers. In this article, we look at ways for issuers to reduce SCA integration costs as much as possible.
Innovative Malware Attacks
Security vulnerabilities are a major headache when providing secure digital services. With hundreds of vulnerabilities surfacing each year on Android alone, it can be challenging to stay on top of the trends. If that is the case, what channels can be used to stay up to date, and what are the current trends?
SCA for Low-tech Phones and Fallback Options
Today it is easy to assume that everybody has a smartphone. It is also easy to assume that they are able, and willing, to use it for all tasks, including their online banking. Yet that is not always the case. A significant number of users either won’t or can’t use a smartphone for banking purposes. How do we deal with that, and how can we offer a PSD2 SCA compliant authentication method without a smartphone?
The Taxonomy of SCA Challenges
Authentication in the banking industry continues to be a headache for many. While everybody would like to have a “one-size-fits-all” solution to SCA, experience shows that the authentication use-cases are too complex for that to be feasible. Let’s take a look at the different scenarios.
2FA - The Risks of Sending OTP via SMS
Most organisations today provide two-factor authentication (2FA) to their users and customers, giving them a more secure way of accessing their accounts. 2FA has indeed helped most users keep their accounts more secure than they were before its introduction. However, 2FA brought its own issues, and some ways of delivering the second factor, notably one-time passwords sent over SMS, are vulnerable to specific attacks.
Expectations for Strong Customer Authentication in 2020
2019 was an exciting and challenging year in the payment and strong customer authentication industry. With New Year’s Eve just behind us, it is a good time to look forward to 2020, both for what we know will happen, and for some speculation on what might happen.
PSD2 SCA Compliance Checklist
One of the aims of the Revised Payment Services Directive, more commonly known as PSD2, is to better protect consumers when they pay online. The requirement for strong customer authentication (SCA) in the majority of these electronic payments is a key element of the regulation.
Current Challenges for Banks and Fintechs
We made some assumptions when designing Okay, before the Payment Services Directive 2 (PSD2) was even released. How correct were we? Are any of them still valid concerns? Read this week’s post to learn more about mobile choices, security and fintech investments.
Part 1/2: What Can Mobile Malware Do?
In 2019 there was a surge of malware, particularly in the mobile banking sector. According to the latest report from Check Point, the growth in banking malware has been over 50% compared to 2018. As an example, Kaspersky reported that 438,709 of their mobile users encountered a total of 3,730,378 financial attacks - and this does not include other types of mobile malware. In this post, we’ll look at what malware is, why it works, and what it does once installed.
Auditing and Documenting
While documentation has already been a long-time requirement, the RTS has created new challenges for anyone involved in payments. Here we find a number of new articles that are more demanding than ever before when it comes to authorisation documentation.
The Revised Directive on Payment Services (PSD2) and its Impact on Security
The Revised Directive on Payment Services (PSD2) has a wide range of objectives, which impacts nearly all financial institutions and a vast array of merchants. As long as you are located in Europe, or do transactions with customers located in Europe, the PSD2 will have some kind of impact.
Using Authentication Codes to Link Payments to the User
Articles 4 and 5 of the RTS each use the term “authentication code” quite a bit. While the regulation does not spell out what an authentication code is, most people will likely associate it with a TAN, or “Transaction Authentication Number”, which is a variant of a One-Time PIN (OTP).
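As an added illustration (not code from the Okay post), the Python below shows the property RTS Article 5 asks of an authentication code, usually called dynamic linking: the code is specific to the amount and the payee, so changing either after the payer approved the transaction invalidates it. A static TAN that is bound only to the session is included for contrast. The device key, the field canonicalisation rules, the challenge value and the payee identifier format are assumptions made for this example, and the transaction data is constructed.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed for this example: a per-device secret that would normally be
# provisioned at enrolment. Placeholder only; never hard-code a real key.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

FIELD_SEP = "\x1f"  # ASCII unit separator; rejected if it appears inside a field


def canonical_transaction(amount: str, currency: str, payee: str, challenge: str) -> bytes:
    """Serialise the fields the code is bound to, in a fixed order and form.

    Canonicalisation is an assumption of this example: "1250", "1250.0" and
    "1250.00" are the same amount, so they must map to the same bytes or the
    payer's app and the server will compute different codes.
    """
    try:
        amt = Decimal(amount).quantize(Decimal("0.01"))
    except InvalidOperation as exc:
        raise ValueError(f"bad amount: {amount!r}") from exc
    if amt <= 0:
        raise ValueError("amount must be positive")
    fields = [str(amt), currency.strip().upper(), "".join(payee.split()).upper(), challenge]
    if any(FIELD_SEP in f for f in fields):
        raise ValueError("separator character in field")
    return FIELD_SEP.join(fields).encode("utf-8")


def _truncate(mac: bytes, digits: int) -> str:
    # Dynamic truncation as in HOTP (RFC 4226, section 5.3): pick 4 bytes at an
    # offset taken from the last nibble, mask the sign bit, reduce to N digits.
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def authentication_code(key: bytes, amount: str, currency: str, payee: str,
                        challenge: str, digits: int = 8) -> str:
    """Dynamically linked code: HMAC over amount, currency, payee and a fresh
    server challenge, reduced to a short numeric code the user can read."""
    mac = hmac.new(key, canonical_transaction(amount, currency, payee, challenge),
                   hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_linked_code(key: bytes, amount: str, currency: str, payee: str,
                       challenge: str, presented: str) -> bool:
    """Server side: recompute from the transaction the server is about to
    execute, not from whatever the client claims it approved."""
    expected = authentication_code(key, amount, currency, payee, challenge)
    return hmac.compare_digest(expected, presented)


def static_otp(key: bytes, challenge: str, digits: int = 8) -> str:
    """The weaker pattern: a TAN bound only to the challenge, not the
    transaction. Shown for contrast; it does not give dynamic linking."""
    mac = hmac.new(key, challenge.encode("utf-8"), hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_static_otp(key: bytes, challenge: str, presented: str) -> bool:
    return hmac.compare_digest(static_otp(key, challenge), presented)


def demo():
    """What the payer approved versus what a tampered request submits.
    Returns (linked code accepted for approved tx, linked code accepted after
    payee swap, static TAN accepted after payee swap)."""
    challenge = "3f9a0c2d-constructed-nonce"  # constructed; use a fresh random value per transaction
    approved = ("1250.00", "EUR", "GB00TEST00000000000000", challenge)
    tampered = ("1250.00", "EUR", "GB00ATTACKER0000000000", challenge)

    code = authentication_code(DEVICE_KEY, *approved)
    linked_ok = verify_linked_code(DEVICE_KEY, *approved, code)
    linked_tampered = verify_linked_code(DEVICE_KEY, *tampered, code)

    tan = static_otp(DEVICE_KEY, challenge)
    static_tampered = verify_static_otp(DEVICE_KEY, challenge, tan)
    return linked_ok, linked_tampered, static_tampered


if __name__ == "__main__":
    ok, swapped, static_leak = demo()
    print(f"linked code accepted for approved transaction: {ok}")
    print(f"linked code accepted after payee swap:         {swapped}")
    print(f"static TAN accepted after payee swap:          {static_leak}")
```

The point of the contrast is in `demo()`: the linked code is rejected once the payee changes, while the static TAN still verifies because nothing in it depends on the transaction. In a real deployment the challenge must be a fresh, unpredictable server value per transaction, and the user-facing display of amount and payee must come from the same canonical data that is signed.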
Multi-factor Authentication: Knowledge, Inherence & Possession
The most traditional way of authenticating to a service is to use a username and a password. This is what is known as single-factor authentication. Although this is the most common authentication process, it’s not ideal for today’s standards and does not meet PSD2 SCA compliance regulations.
Why Should You Care? PSD2 Explained
Ever since the European Commission proposed the revised PSD2 in 2013, there has been widespread disruption in the European payment market. New payment processors are popping up almost daily, and the big banks are moving fast to secure their positions. Will PSD2 be good? Why should you care? Here are some thoughts before the directive hits in September 2019.
PSD2 SCA Compliance: Preparing for the Deadline
Whether you are a bank or a payment service provider (PSP), it is time to prepare for PSD2 and its strong customer authentication (SCA) requirements. With the Commission Delegated Regulation having set a deadline of March 14th, 2019, here is some information regarding the regulations, the deadlines, and our Okay services.
The Latest News in Overlay Attacks
Security vendors are fighting an endless battle against malware creators, whose most common goal is finding new ways of stealing user credentials and passwords so that criminals can hijack accounts and make fraudulent transactions. How can the Okay SCA solution protect your app from this? Read on.