Okay Blog

Security vulnerabilities through the payment process

For the last few years, Okay has been laser-focused on one particular part of the payment process: Strong Customer Authentication (SCA); the process to authenticate and authorize payments. However, the authentication and authorization are not the only vulnerable phases in the payment process; there are several other phases, where each phase has its own unique set of vulnerabilities.

SCA On-premise or SaaS

With everything going into “the Cloud” these days, do we still need to assess SaaS Vs On-premise when it comes to SCA projects? Well, it seems so.

Okay, GDPR and SCA

Over the last few years, GDPR has gotten a lot of attention in Europe. But, what is the GDPR, and how does it relate to Strong Customer Authentication (SCA)?

News in hardware-based vulnerabilities

Recently Check Point Research made public that they had performed a security review of one of the leading mobile chipset manufacturers, Qualcomm Technologies. While the review is not yet public, they’ve apparently found more than 400 vulnerabilities in the Hexagon DSP that has been included in more than one billion chips provided by Qualcomm over the last few years.

The history of PC malware and the future of mobile malware

Over the past few decades, different types of malware have regularly been in the news: Worms, trojans, spyware, backdoors, ransomware, RATs, adware, cryptojackers and viruses have all gotten their 5 minutes of fame. These types of attacks have become common enough that everyone working with computers is aware of their existence. While the history of personal computer-based malware goes back at least to the 1980s, the history of mobile malware began in the mid-2000s. Can we learn something from the malware of the past, and if we can, is it possible to predict something about the future?

Accessibility and malware

Since 2009, when both Android and iOS gained accessibility support, it has been possible to use alternative input methods on the current main mobile operating systems. Today, the goal of accessibility is not just to make it possible for people with disabilities to use a smartphone; the use extends beyond that.

Digital ID and SCA outside payment

If the current crisis does not spur growth in the adoption of digital identity and strong authentication everywhere, what will?

Money mules and laundering: When criminals get access to your account

In several previous articles, we’ve discussed how criminals can get access to your banking app, but what happens after they gain access is not a topic we have covered, until now.

Jailbreak and rooting: What are the real dangers?

Rooting or jailbreaking a mobile device is not that uncommon among mobile owners, either by choice or as a result of an attack. Having a rooted device most often come with a series of dangers for any smartphone owner.

SCA to fight fraud - A real life example

Okay’s raison d’être is to fight fraud and financial crime, with a particular focus on protecting card-not-present fraud. Quite ironically, I was victim to such a fraud during lockdown - I couldn’t resist sharing. But more importantly, this sheds light on the very importance of SCA to protect all of us as eCommerce is accelerating

SCA for eID – a marriage made in heaven?

As SCA gains footing within the banking industry it is only natural to address the topic of eIDs. A successful implementation of nation-wide - or even international - eIDs would benefit more than just the banking industry.

Taking contactless to a new level

During the past few months, with lockdowns and physical venues closed, the need for more digital solutions was exacerbated. Tasks that previously were fairly simple - like proving who we are - suddenly became a process spanning not just days but weeks.

Okay and United Biometrics join forces

To provide authentication security to the entire chain of corporate payment, from PC authentication to transaction validation and authentication on mobile, we are proud to announce our partnership with United Biometrics.

Echoes of Stagefright: Samsung releases bugfix for all phones sold since 2014

That mobile manufacturers release security updates and bugfixes are nothing new, so what makes this bugfix noteworthy? To understand that we have to go back in time to 2015.

How to Setup Two Factor Authentication with Okay

Though a cloud-based multi-tenant solution, Okay provides a simple way to integrate a secure two-factor authentication (2FA) in your app without the need to rewrite or build a security system yourself. This tutorial acts as your step by step guide on how to add 2FA to your service using the Okay solution.

Containers, virtualization and sandboxes: What does it all mean?

Three of the most common terms used when talking about computer security in general and mobile security, in particular, are containers, virtualization and sandboxes. All three are technologies which in some way are being used to protect mobile applications. In this post, we’ll try to give a quick introduction to the various terms, and the meaning behind each of them. We’ll also shed some light their importance for secure customer authentication.

How to evaluate the security of your mobile banking app - Part 2

This is the second part of a two-part series where we look at how you can evaluate the security of your mobile banking app. In the first part, we looked at how you can check for issues with communication and encryption, such as checking for man-in-the-middle style attacks. In this post, we’ll go deeper into the smartphone and the app itself.

How to evaluate the security of your mobile banking app - Part 1

Providing a secure app is paramount when offering a mobile banking experience to your clients. That means choosing the right set of service providers and being compliant with the current regulations, but it should also include security evaluations. You should evaluate the security of your mobile banking app thoroughly before launch and then continue evaluating the security as the app and the environment changes.

Lessons from 6 years and 11 patents

In early 2014 Okay applied for its very first patent. The patent was for a mechanism allowing computer users to use a phone, even a landline, as a second factor during a strong customer authentication. Since then we have applied for 10 more patents, both nationally and internationally. In the 6 years since that first patent application, we have learned quite a bit about how to apply for patents. In this post, I’ll try to summarise the most important lessons we have learned around the process of applying for a patent.

SCA for corporate transactions

One of the biggest challenges when introducing Strong Customer Authentication (SCA) is to render the purchasing experience fast and frictionless to cardholders or bank app users. Looking at the requirements for speed and convenience, corporations would be at the opposite end of retail users: The amounts can be much larger, so security is paramount. Friction does indeed translate into more security when making a corporate transfer to make payment. So how does this all translates to SCA?

SCA enrolment and re-enrolment

Enrolment and re-enrolment are both critical stages in the SCA process. If the enrolment of a client is compromised in any way, all SCA challenges for that client can be compromised. That makes enrolment and re-enrolment the most security-sensitive part of the customer relationship.

Unlocking Strong Customer Authentication (SCA)

While the first Payment Services Directive (PSD1) brought payments into the scope of regulation for the first time  throughout most of Europe, the second Payment Services Directive (PSD2) will be known as the real game-changer; the one that created the market for new players to infiltrate the systems of the traditional providers to give customers a different way to access services and get more from their own data. I’ll explain the nature of the new players below, but my interest lies in the second significant change introduced by PSD2, which was brought in to counterbalance this new openness: Strong Customer Authentication (SCA).

The cost of SCA Integration

Minimizing integration costs and total cost of ownership is a concern voiced by most issuers when implementing an SCA project. Of course, any IT project involves integration and integration costs. SCA is no different in that regard, but it does have its own cost drivers. In this article, we look at ways for issuers to reduce SCA integration costs as much as possible.

Innovative malware attacks

Security vulnerabilities are a major headache when providing secure digital services. With hundreds of vulnerabilities surfacing each year just on Android, it can be challenging to stay on top of the trends. Then, what channels can be used to stay up to date, and what are the current trends?

The mobile OS headache

When providing strong customer authentication (SCA), smartphones with outdated OSs are one of the major hurdles that have to be addressed. Should these users be opted out, forced to update or is it possible to find an alternative?

SCA for low-tech phones and fallback options

Today it is easy to assume that everybody has a smartphone and is able, and willing, to use it for all tasks, including banking. That is not always the case though. A significant number of users either won’t or can’t use a smartphone for banking purposes. How do we deal with that? How can we offer a PSD2 SCA compliant authentication without a smartphone?

The taxonomy of SCA challenges

Authentication in the banking industry continues to be a headache for many. While everybody would like to have a “one-size-fits-all” solution to SCA, experience shows that the authentication use cases are too complex for that to be feasible. Let’s take a look at the different scenarios.

SCA Security and 2FA

There is no denying that two-factor authentication (2FA) has significantly improved authentication security. But, is 2FA enough to cover the requirements of strong customer authentication (SCA) under PSD2?

SCA industry challenges

When implementing Strong Customer Authentication (SCA), most organisations come across a number of challenges. Through discussions with different actors in the PSD2 SCA industry, some issues have emerged that are shared across the industry, regardless of company size or whether you are an incumbent or challenger bank.

2FA - Why sending OTP via SMS is vulnerable

Most organisations today provide two-factor authentication (2FA) to their users and customers, to provide them with a more secure mode of accessing their accounts. 2FA has indeed helped most users keep their accounts more secure than they were before its inception. However, with the introduction of 2FA as a more secure way of authenticating users came other issues that made it vulnerable to certain hacks.

Expectations for Strong Customer Authentication in 2020

2019 was an exciting and challenging year in the payment and strong customer authentication industry. With New Year’s Eve just behind us, this is a good time to look forward to 2020, both for what we know will happen and for some speculation on what might happen.

PDS2 SCA compliance checklist

One of the aims of the Revised Payment Service Directive, more commonly known as PSD2, is to better protect consumers when they pay online. The requirement for a strong customer authentication (SCA) in a majority of electronic payments is a key element of the regulation.

Enabling 2FA on your mobile App in compliance with SCA PSD2

Current challenges for banks and fintechs

Back when we started the design of the Okay solution we made the following assumptions:

Protecting Users Against Unauthorized Transactions on Mobile Devices: Tamper Resistance Using Honeypots

The internet has made building great solutions that solve plenty of problems fairly easy. However, it does not come without its problems and security issues.

What can malware do? Mobile malware part 2

In the previous post we discussed what malware can do once it is active on your phone. But, how do end-users get malware in the first place? You might think that you’re protected if you don’t really do anything else than messaging and Facebook on your phone, but that is not the case.

Adding PSD2 Compliance To Your Flutter App

With the recent success and trend in the Flutter SDK, it is no surprise that a good number of mobile developers will consider using Flutter as their preferred choice for cross-platform mobile app development.

What can malware do? Mobile malware part 1

So far in 2019, there has been a rapid growth of malware, particularly in the mobile banking sector. According to the latest report from Checkpoint the growth in banking malware has been more than 50% compared to 2018. At the same time, Kaspersky reported that 438,709 of their mobile users encountered a total of 3,730,378 financial attacks, which does not include other types of mobile malware. So, clearly, there is a lot of malware out there trying to target the financial sector. In this post, we’ll look at what malware can do once it is installed. Don’t worry, we’ll look at how malware spreads in the next post.

EBA releases Opinion on SCA elements

Back on the 21st of June, the European Banking Authority published an opinion on the elements of Strong Customer Authentication (SCA) under PSD2.

Auditing and documenting

This topic might appear to be quite boring, but this does not make it any less important. While documentation has been a requirement for a long time, the RTS creates new challenges for anyone involved in payments. There are a number of new articles that are more demanding than previously referring to the documentation.

Traceability and Payment Transaction Security

Along with the articles 29, 72 and 73 from the RTS, we explore how seriously we take traceability and payment transaction security with our Single Device SCA service.

Secure Execution Environments

One of the most interesting new developments with the PSD2 in the last couple of years is that the regulatory authorities are now apparently more open to single-device solutions. This is made clear in article 9 of the RTS.

Linking payments to the user: using authentication codes

Both article 4 and article 5 of the RTS uses the term “authentication codes” quite a lot. While it is not explicit in the regulation what an authentication code is, it is likely that most people will associate it with a TAN, a “Transaction Authentication Number”, which is a variant of a One Time PIN (OTP).

Multi-factor authentication: Knowledge, inherence and possession

The most traditional way of authenticating to a service is to simply use a username and a password. This is what is known as single-factor authentication. Although this is the most common authentication process, it’s not ideal for today’s standards since it can very easily break.

The impact of the Revised Directive on Payment Services (PSD2) on security

The Revised Directive on Payment Services (PSD2) has a wide range of objectives, which impacts nearly all financial institutions and many merchants. Fundamentally, as long as you are located in Europe, or do transactions with customers located in Europe, the PSD2 will have some kind of impact.

PSD2 SCA Compliance & How You Can Prepare for the Deadline

As a bank or PSP, you have to be ready to test your PSD2 compliance with strong customer authentication under the Commission Delegated Regulation before the deadline on the 14th of March 2019. A good place to start for a Single Device SCA is with our own - Okay This.

PSD2 explained and why you should care

Since the revised ) was proposed by the European Commission back in 2013 it has already created widespread of disruption in the European payment market. New payment processors are popping up almost daily, and the big banks are clearly moving to secure their positions before the directive comes fully into force in September 2019.

Strong Customer Authentication Service

We are pleased to announce the general availability of our Strong Customer Authentication solution, OKAY

Android root attacks can persist and live forever

The Hacker News describes how it is possible for malware to become persistent through exploiting vulnerabilities in the bootloader. But why is the bootloader such a tempting target for root attacks? Let’s have a look.

The latest news in overlay attacks

Some times it feels like security vendors are fighting an endless battle against malware creators who come up with new exploits. A common goal for malware authors is to find new ways of stealing user credentials and passwords, so that criminals can hijack accounts and even do fraudulent transactions. The mechanisms used to do this has gone under several different names: Tapjacking,

Mobile phones are under attack through from Bluetooth and Wi-Fi

Lately there have been two much published reports of vulnerabilities which threatens billions of mobile phones. First, in July it was vulnerability in the firmware of a little known chip powering almost all modern smartphones, a Wi-Fi chip made by Broadcom. The vulnerability, known as BroadPwn, allows a smartphone to be infected simply by looking for known networks, something that all mobile phones do regularly. In theory the vulnerability could also be used convert the Wi-Fi chip into an access point, so that it could automatically spread itself to other phones, potentially spreading worldwide in just a few hours. You can read more about this vulnerability in this . As the firmware can be updated through the operating system any phone not updated since July is likely to be vulnerable.