Okay LogoOkay Logo

Okay Blog

Security matters.

artifact
12/12/2019

Current challenges for banks and fintechs

Back when we started the design of the Okay solution we made the following assumptions:

Erik Vasaasen
28/11/2019

Protecting Users Against Unauthorized Transactions on Mobile Devices: Tamper Resistance Using Honeypots

The internet has made building great solutions that solve plenty of problems fairly easy. However, it does not come without its problems and security issues.

Ben Ogie
22/11/2019

What can malware do? Mobile malware part 2

In the previous post we discussed what malware can do once it is active on your phone. But, how do end-users get malware in the first place? You might think that you’re protected if you don’t really do anything else than messaging and Facebook on your phone, but that is not the case.

Erik Vasaasen
14/11/2019

Adding PSD2 Compliance To Your Flutter App

With the recent success and trend in the Flutter SDK, it is no surprise that a good number of mobile developers will consider using Flutter as their preferred choice for cross-platform mobile app development.

Ben Ogie
07/11/2019

What can malware do? Mobile malware part 1

So far in 2019, there has been a rapid growth of malware, particularly in the mobile banking sector. According to the latest report from Checkpoint the growth in banking malware has been more than 50% compared to 2018. At the same time, Kaspersky reported that 438,709 of their mobile users encountered a total of 3,730,378 financial attacks, which does not include other types of mobile malware. So, clearly, there is a lot of malware out there trying to target the financial sector. In this post, we’ll look at what malware can do once it is installed. Don’t worry, we’ll look at how malware spreads in the next post.

Erik Vasaasen
21/10/2019

EBA releases Opinion on SCA elements

Back on the 21st of June, the European Banking Authority published an opinion on the elements of Strong Customer Authentication (SCA) under PSD2.

Erik Vasaasen
30/04/2019

Auditing and documenting

This topic might appear to be quite boring, but this does not make it any less important. While documentation has been a requirement for a long time, the RTS creates new challenges for anyone involved in payments. There are a number of new articles that are more demanding than previously referring to the documentation.

Erik Vasaasen
23/04/2019

Traceability and Payment Transaction Security

Along with the articles 29, 72 and 73 from the RTS, we explore how seriously we take traceability and payment transaction security with our Single Device SCA service.

Erik Vasaasen
10/04/2019

Secure Execution Environments

One of the most interesting new developments with the PSD2 in the last couple of years is that the regulatory authorities are now apparently more open to single-device solutions. This is made clear in article 9 of the RTS.

Erik Vasaasen
09/04/2019

Linking payments to the user: using authentication codes

Both article 4 and article 5 of the RTS uses the term “authentication codes” quite a lot. While it is not explicit in the regulation what an authentication code is, it is likely that most people will associate it with a TAN, a “Transaction Authentication Number”, which is a variant of a One Time PIN (OTP).

Erik Vasaasen
01/04/2019

Multi-factor authentication: Knowledge, inherence and possession

The most traditional way of authenticating to a service is to simply use a username and a password. This is what is known as single-factor authentication. Although this is the most common authentication process, it’s not ideal for today’s standards since it can very easily break.

Erik Vasaasen
22/03/2019

The impact of the Revised Directive on Payment Services (PSD2) on security

The Revised Directive on Payment Services (PSD2) has a wide range of objectives, which impacts nearly all financial institutions and many merchants. Fundamentally, as long as you are located in Europe, or do transactions with customers located in Europe, the PSD2 will have some kind of impact.

Erik Vasaasen
14/03/2019

PSD2 SCA Compliance & How You Can Prepare for the Deadline

As a bank or PSP, you have to be ready to test your PSD2 compliance with strong customer authentication under the Commission Delegated Regulation before the deadline on the 14th of March 2019. A good place to start for a Single Device SCA is with our own - Okay This.

Trond Lemberg
11/01/2019

PSD2 explained and why you should care

Since the revised ) was proposed by the European Commission back in 2013 it has already created widespread of disruption in the European payment market. New payment processors are popping up almost daily, and the big banks are clearly moving to secure their positions before the directive comes fully into force in September 2019.

14/11/2018

Strong Customer Authentication Service

We are pleased to announce the general availability of our Strong Customer Authentication solution, OKAY

29/08/2018

Android root attacks can persist and live forever

The Hacker News describes how it is possible for malware to become persistent through exploiting vulnerabilities in the bootloader. But why is the bootloader such a tempting target for root attacks? Let’s have a look.

Didrik Steen Hegna
28/08/2018

The latest news in overlay attacks

Some times it feels like security vendors are fighting an endless battle against malware creators who come up with new exploits. A common goal for malware authors is to find new ways of stealing user credentials and passwords, so that criminals can hijack accounts and even do fraudulent transactions. The mechanisms used to do this has gone under several different names: Tapjacking,

28/08/2018

Mobile phones are under attack through from Bluetooth and Wi-Fi

Lately there have been two much published reports of vulnerabilities which threatens billions of mobile phones. First, in July it was vulnerability in the firmware of a little known chip powering almost all modern smartphones, a Wi-Fi chip made by Broadcom. The vulnerability, known as BroadPwn, allows a smartphone to be infected simply by looking for known networks, something that all mobile phones do regularly. In theory the vulnerability could also be used convert the Wi-Fi chip into an access point, so that it could automatically spread itself to other phones, potentially spreading worldwide in just a few hours. You can read more about this vulnerability in this . As the firmware can be updated through the operating system any phone not updated since July is likely to be vulnerable.