How Can You Secure Digital Channels Without Compromising User Experience
by Denis Kalemberg, Chief Executive Officer, AIROME Technologies, April 6, 2022
All banks and digital banking systems developers strive to make their services and mobile applications as convenient and safe as possible.
Ideally, the user should be able to confirm documents with a single gesture, a single glance at a smartphone camera, or a single tap of a biometric sensor. This will most likely satisfy ordinary users.
They will get a feeling of convenience and safety, and won’t give a second thought about the processes behind this security. However, banks need to think beyond this.
So how do we make a customer service system simple and convenient with no loss to the high level of security?
Push notifications and SMS — is it about convenience or security?
Developing customer experience in mobile banking is often limited by the need to find a compromise between convenience and security requirements.
Banks strive to make their applications as user-friendly as popular digital services, but not all UX solutions that are already the standard in other industries can be used in their mobile applications due to stricter security requirements.
After all, a bank’s mobile app has direct access to its clients’ money and personal data. One of these typical issues is whether to use SMS OTP technology or push notifications to confirm transactions.
Unfortunately, in the pursuit of improving digital service channel usability, which directly affects the number of active users, banks have often erred on the side of convenience, rather than implementing sophisticated verification technologies.
As we know, this increases the risk of someone stealing their customers’ money. Thus, many banks bet on SMS OTP.
This type of verification was definitely a step forward for convenience and security at the time it was introduced.
However, once it became obvious how insecure SMS messages are, and as their costs grew, banks began to transmit confirmation codes in push notifications, sometimes even auto-suggesting the code in the app.
This also didn’t ensure the security of transactions for reasons we’ll discuss later.
Worst of all, some financial institutions have stopped using transaction confirmations at all or made them nominal or formal—without using cryptographic technologies and digital signatures.
And they’ve even started saying that this improved their customer experience since transactions have become so convenient and easy for customers!
The problem is, this approach doesn’t protect the customers from fraudsters in any meaningful way, nor does it protect the bank from a lawsuit from affected (or allegedly affected) customers.
The weakest link and how to protect it
It’s safe to say that the weakest links in digital service channels that use OTP via SMS and push notifications are the clients and their inability to fight against fraudsters by themselves.
Sometimes an alleged “security officer” or “customer service department representative” calls a customer and, in a well-trained and polite voice, recites partial information about them, such as their name.
These social engineering techniques are often enough to deceive the customers and make them tell the fraudsters the information necessary to carry out unauthorised transactions.
Nowadays the codes transmitted via SMS and push notifications are no longer able to protect digital service customers from the most common attacks, which include not only payment details spoofing, SMS interception, and malware, but also social engineering.
Moreover, the use of OTP via SMS and push notifications is no longer perceived as convenient. Users want to confirm documents in digital channels with a single tap.
It turns out that in order to protect clients, we need transaction confirmation methods that leave the customer with no confirmation information that could be passed on to anyone else.
Digital signature – when is it genuine?
One of the ways to ensure the security of operations in digital banking systems is to use electronic transaction authorisation, and given the widespread use of smartphones, a digital signature.
But are all digital signature implementations reasonable?
Some banks, unfortunately, use solutions in their digital channels that cannot be called a “signature” at all. After touching the smartphone screen, looking at the camera or placing a finger on the reader, no cryptographic transformations occur.
After these actions either nothing happens at all, or a session ID, which is the same for every transfer, is attached to the operation. This doesn’t even remotely resemble a secure confirmation.
This approach only creates the illusion of safety or the illusion of a signature, which leads to attacks on clients and makes it impossible to deal with the problem correctly.
But it’s not enough for banks and customers to merely feel secure. The goal is to provide real security, reliability, accessibility, and, of course, to make sure the signature has legal effects.
But what is a genuine or full-fledged digital signature?
A genuine digital signature provides control over the integrity and authorship of a transaction or document. It can only be created on the user’s smartphone and cannot be reproduced on a fraudster’s device.
It is the result of cryptographic transformations of payment details or an electronic document.
Finally, a genuine signature implies an explicit procedure for dealing with conflicts.
The PayConfirm solution is a successful implementation of a mobile signature
A few years ago, Airome Tech introduced its PayConfirm signature platform, designed to mitigate the risks associated with using SMS OTPs and push codes.
This solution turns a mobile device into a convenient and portable analogue of a regular digital signature-generating USB token.
Now a high level of transaction security, which was previously only available for enterprise digital banking systems on their work computers, has become available to all users.
PayConfirm completely blocks common attacks on digital banking clients, such as SIM card reissuing, phishing, document spoofing and, most importantly, social engineering methods.
When expressing their consent, users can verify on their smartphone screen that the transaction data or electronic document is correct, and then generate a signature, regardless of the device on which the transaction was created.
There’s no need for additional scratch cards or physical password generators, no dependence on cellular signal strength and the SMS delivery speed. Using PayConfirm is as easy as calling on a mobile phone.
The main advantage of PayConfirm compared to traditional payment authorisation methods (i.e., OTP via SMS or push notification) is that the transaction confirmation code is generated directly on the customer’s mobile device.
The code is tied to the transaction details and the unique characteristics of the user’s smartphone, so even a hypothetical interception of this code by fraudsters would not let them apply it to another transaction or from another device.
At the same time, PayConfirm removes any possibility of the customer giving a code to the attackers.
Users confirm transactions independently with a digital signature, but only after viewing the full payment details and only from their smartphones.
This excludes the possibility of confirming a document without the customer’s wish and control.
It also ensures the legal effect, as well as integrity and authorship control.
The tip of the iceberg, and beneath
PayConfirm has another compelling advantage—simplicity.
The simplicity of embedding into the bank’s digital infrastructure, connecting clients to the digital banking system, and generating a digital signature for transactions and documents on the customer’s smartphone is just the tip of the iceberg.
And this simplicity sometimes leads some experts to the idea of cutting corners and developing an analogue on their own.
But they forget that they are only seeing the tip of the iceberg called PayConfirm and overlook the complex structure of the platform and the effort needed to develop such a platform and keep it up to date themselves.
But what is hidden under the hood? Firstly, PayConfirm is a software platform for generating a cryptographic electronic signature, which cannot be replaced by a simple session ID value, customer’s data obtained through Touch ID and Face ID, or OTP autocomplete from an SMS or push notification.
And it certainly cannot be replaced by a simple “sign” button that does nothing at all.
The PayConfirm digital signature is a result of cryptographic transformations of the signed information (details of a specific financial transaction or electronic document).
It is generated with the use of asymmetric cryptographic algorithms and the unique characteristics of a particular smartphone.
Digital signature keys and digital signature verification keys are generated, protected and encrypted in a certain way. Their owner’s access to them is also arranged in a certain way.
This way, PayConfirm implements a digital signature that could previously only exist on a stationary computer with a crypto provider installed and a USB token plugged in.
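As an added illustration of the distinction drawn above (a session ID that is identical for every transfer versus a genuine signature that is a cryptographic transformation of the payment details, verifiable only against the key enrolled for that device), here is example code that is not PayConfirm's implementation and not the author's: it uses Ed25519 over a JSON encoding of constructed sample details, and the field names and values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is what the customer sees on screen; fixed field order makes json.Marshal canonical.
type Transaction struct {
	ID       string `json:"id"`
	Payee    string `json:"payee"`
	Account  string `json:"account"`
	Amount   int64  `json:"amount_minor"` // minor units, e.g. pence
	Currency string `json:"currency"`
}

// sessionConfirm is the anti-pattern described above: one session value for every transfer.
func sessionConfirm(sessionID string, _ Transaction) string { return sessionID }

// SignTransaction runs on the device; the private key never leaves it, only the signature does.
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) ([]byte, error) {
	msg, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyTransaction runs at the bank with the public key enrolled for that device.
func VerifyTransaction(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	msg, err := json.Marshal(tx)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // enrolment: key pair generated on the device
	tx := Transaction{ID: "tx-0001", Payee: "ACME Ltd", Account: "GB00TEST00000001", Amount: 12500, Currency: "GBP"}
	sig, _ := SignTransaction(priv, tx)
	spoofed := tx
	spoofed.Account = "GB00TEST00000099" // payee account swapped after the customer signed
	fmt.Println("session id reused:", sessionConfirm("sess-42", tx) == sessionConfirm("sess-42", spoofed)) // true
	fmt.Println("genuine details verify:", VerifyTransaction(pub, tx, sig))                                // true
	fmt.Println("spoofed details verify:", VerifyTransaction(pub, spoofed, sig))                           // false
}
```

The same signature also fails for a second transaction ID or against a key pair enrolled for a different device, which is what ties the confirmation to both the details and the smartphone.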
Secondly, PayConfirm is not merely a signature solution. It includes a set of functional modules: mobile digital signature, conflict analysis, transaction push notification, additional biometric client authentication, and early fraud prevention.
A bank can build its own service from these modules. Usually, the scope of the project implementation depends on the needs of the specific enterprise and its customers.
Thirdly, even if a bank decides to develop something between merely a signature solution and a proper platform, it will still not be able to save money.
Development will require a team of professionals, including experts in cryptography, information security, mobile and internet banking.
The problem is, even after the development is completed, the bank will have to keep the team and continuously improve the product.
Consider this: sooner or later, a new attack using a new method will appear, and the bank will have to block it as well.
The bank will have to study the fraudsters’ methods, support, update, and maintain this compromise solution. As a result, they will become an information security developer.
And it’s a well-known fact that a company can’t be cost-effective if it has to focus on something that is not in its area of expertise.
Airome Tech is ready to provide customers with a ready-made PayConfirm platform with all of its protection mechanisms so that the clients can focus on their core business and create convenient and modern digital services.