PSD2 increases the level of user authentication required for the payment service, with the purpose of ensuring that Payment Service Providers (PSPs) can be confident in the authenticity of users.
Strong Customer Authentication
PSD2 requires PSPs to apply “Strong Customer Authentication” (SCA) in cases where an organization or consumer attempts to access their payment accounts online, initiates an electronic payment transaction or “carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.”

In PSD2, SCA must have two-factor authentication or multi-factor authentication (*1). Therefore, authentication procedures must use two or more of the following elements, categorized as knowledge, ownership, and inherence:

• Something only the user knows, “what you know,” e.g., username and password, personal identification number (PIN)
• Something only the user possesses, “what you have,” e.g., smart card, mobile phone
• Something the user is, “what you are,” e.g., biometric characteristics, such as a fingerprint, face, iris, voice, behavior

Strong Customer Authentication Requirements Under PSD2

• 2FA: Mandatory two-factor user authentication, i.e., knowledge, ownership, inherence. KOBIL Trusted Login and KOBIL Trusted Verify help meet this requirement.
• Dynamic Linking: The authentication code must be linked to the amount and payee of the single transaction or batch of transactions. KOBIL Trusted Verify helps meet this requirement.
• Security Measures: Adoption of security measures to ensure confidentiality, authenticity, and integrity of the information displayed through all phases, including generation, transmission, and use of the authentication code. KOBIL Trusted Login, KOBIL Trusted Verify, and KOBIL Trusted App help meet this requirement.
• Scope: Applicable to payment services provided to natural and legal persons on remote channels in the European Union.

KOBIL has been helping EU financial institutions meet strict regulatory requirements regarding information security and remote channels since 1984. KOBIL Digitanium Suite was designed to respond to a growing demand from financial institutions and their clients for a multi-channel digital identity, transaction signing, and trusted workflow solution. It enables strong authentication and personal signatures with an audit trail using a secure, scalable and cost-effective infrastructure. KOBIL Digitanium Suite uses a trusted and reliable Public Key Infrastructure (PKI), as well as KOBIL virtual smart cards and the KOBIL Digitanium high trust environment, and is based on common and widely used industry standards.

(*1) Two-factor authentication uses two factors, as the name implies, and Multi-Factor Authentication uses two or more factors. If multi-factor authentication has only two factors, it can be called either MFA or 2FA.
Jun 21, 2018
ECB Recommendation vs Simple Usage?
Within the framework of its new statute, the European Central Bank (ECB) Finanz-Tran recommends that financial transactions should be secured with two-factor authentication. This presents a challenge to financial service providers: to find a solution that is acceptable for their customers but cost-efficient as well.

In most cases, the added value, the so-called business case, is disregarded. Many banks decide for the simple variant. The easiest solution meets the ECB guidelines in the short term, but provides neither any simplification nor any added value.

KOBIL is offering a real solution to this challenge, which is user-friendly, with no transaction charge, and highly secure, in addition to providing options for new business processes.

Our three solution packages are:

Basic Solution
Complementary procedure: SMS TAN
Transaction cost-free, secured communication extendable by new message functions, and no external server.

Comfort Solution
A two-device solution, with confirmation amenity.
A physical secondary device, two-device security level, transaction cost-free, no manual entry – no media interruption, and no external server.

Premium Solution
Virtual two-device solution, two-channel security level, with confirmation amenity.
One-device solution, two-channel security level, transaction cost-free, no manual entry of transaction codes, and no external server.

Implementation Examples:

Bank-Verlag GmbH (Basic Solution)
The so-called BV appTAN procedure sends the TAN through a secure, end-to-end encrypted channel to an app on the mobile device of the customer. This way the user, as well as the mobile device, can clearly be identified to the bank.

Migros Bank AG (Comfort Solution)
The Swiss bankers consider the security solution of their future e-banking service to be secure, as it is based on two components: a highly secured app on the smartphone, tablet or PC of the users and a security server in the bank that, following diverse checks, provides the app with a one-time password, granting access to the banking application itself.

ING-DiBa (Premium Solution)
In addition to the actual mobile banking app of ING-DiBa, a secondary app provided by KOBIL (SmartSecure App) establishes an additional, secured channel as well as a secondary, virtual device. Thus, the bank is meeting the security requirements of the Committee of European Banking Supervisors (CEBS), without the need for the customer to authorize his mobile transactions on a secondary physical device.
Jun 21, 2018
Spring!
Spring has finally come to Germany this week. In time for this change from a wintery grey to a spring green, we gave the KOBIL homepage a complete makeover as well. With our new homepage, we are up to date. According to Google, 94 percent of all users in the USA use mobile end devices to surf the internet. Therefore, we have now optimized our website for mobile devices. The percentage of users who use search engines to find “whatever-it-may-be” is even higher. Thus, our homepage is Google optimized. In addition, the homepage has literally become more inviting. At many points, the visitor is invited to make direct contact. Both can be seen at first glance, even better at a second.

What hopefully should be seen at a first glance: KOBIL proudly presents the one and only KOBIL Identity Blog! With this blog, we welcome everyone to upload posts, news, links and much more regarding the topic of “Secure identity” and share it with others. Fancy a blog? Then go for it. Taking part is everything that matters.

Oezguer Koyun
Jun 21, 2018
The discussion on “Digital Transformation” is nothing new. Nevertheless, it is still a Hot Topic!
I still remember the Cebit conference where the topic of Digital Transformation came up. I don’t remember the exact year it happened; however, I know it has been a while. What did digital transformation actually mean? Well, have no fear, Google is here. As usual, a Wikipedia entry came up on top of the Google search: “Digital Business Transformation or Digital Transformation will, in the long term, change the foundation of every company in terms of its strategy, structure, culture, and process through the possibilities and the potential of digital media and the internet.”

The one thing this Google search also brought up was a link to Cebit. However, it wasn’t for the Cebit on which I came across this particular term for the first time, which today feels as if it were 20 years ago, but to the Cebit 2016!

How can the resurrection of Digital Transformation be explained? It is a perfectly normal development every hype has to go through. It is, if you like, a variety of the well-known Gartner “Hype Cycle”. Someone discovers a new megatrend and spreads a new term, for example, Digital Transformation. The whole world is talking about this new megatrend, trade fairs offer expert forums, seminar organizers offer workshops, consultants offer advice … and that had been it; those were the only ones earning money with this megatrend Digital Transformation. Subsequently, the hype around this megatrend has died down. No more expert forums, hardly any workshops, hardly any advice. When that happens, many highly discussed megatrends then fade into oblivion. Only a few of these megatrends experience a revival in the real business world. This, however, is what is presently happening to Digital Transformation. “Digital Transformation done right” is not a seminar, but an article in the German magazine “Computerwoche”. In particular, an article about “practical examples”.

Digital transformation is a term that has moved away from purely expert discussion rounds to become a major agenda of CIOs. The fact that Digital Transformation has arrived in the real business world is a major chance for KOBIL, as everyone who deals with it quickly realizes that a secure identity is an obvious critical success factor for Digital Transformation. Therefore I can legitimately renew a statement I introduced to KOBIL one year ago: “In the Digital Transformation a secure identity is now everything, but without it everything is nothing!”

Thomas Siegner
Jun 21, 2018
Has the good old SMS reached its end?
Has the good old SMS reached its end? What sounds like a legend is reality for the SMS. The goal had been to find an option to send short messages instead of sending a letter or a postcard. This is the reason why the SMS is limited to 160 characters, as it had been realized that the common character length of postcards is approximately 160 characters. Then on December 3rd, 1992 it was done. The world’s first SMS (Short Message Service) was sent. (Wikipedia) What interests me the most is what the content of this SMS was. I can only guess it was the classic “Hello World”. Unfortunately, I wasn’t able to find out what the message really was.

It is the year 2015, and I am looking back to my first SMS. I remember quite well that I thought twice if I should send this message or not, as back then, around 1996, an SMS had really been expensive. I had to be brief but at the same time had to make the best of the 160 characters, as I didn’t want to let my expensive SMS go to waste.

Then there came the time when an MMS with a picture could be sent. I believe that up to this day I have never sent a single MMS. Years later I was sending emails or exchanged thoughts with friends via chat technologies such as ICQ.

Today, in the year 2015, I use WhatsApp privately and emails for business purposes. To make something binding I use the good old fax. What is the SMS still used for? Interestingly, it is being used in the financial sector and by online service providers. A security code is sent so the user can authorize himself with a so-called two-factor authentication.

If you look at the current statistics of SMS (German link) you realize that the number of sent SMS has decreased significantly. Hardly anyone is sending messages to family or friends with the classic SMS. The alternative is WhatsApp, free of charge, mobile and convenient for the private user.

WhatsApp for companies and company services? A no-go!

Still relying on SMS? There are three reasons against it:

First of all is the price. An SMS costs money, which at the end of the day has to be paid for by someone. Second is its usability. SMS in the financial sector serves as a passive one-way technology; answering is impossible. Thirdly, security. SMS stands for Short Message Service, not Secure Message Service. Therefore, it is not surprising that it can be easily attacked.

An alternative must be found. Many try to create this alternative by developing systems similar to WhatsApp or by offering SMS at a more favorable price than the respective telecom provider. However, that will not be the solution in the long run.

Companies are looking for alternatives to email, fax, and the SMS that should be integrable into processes, presenting an additional benefit to your customers as well as a method to create customer loyalty and follow-up business. A new binding communication channel is the goal of every company. Not a chat program such as WhatsApp, but a system allowing someone to work highly secure and convenient, but also mobile as well as on the classic desktops. But to get back to the initial question: Has the good old SMS reached its end? No. But it was never intended to be used for business processes. Therefore, our answer is Identity Processing.

More about this in my next blog post.

Özgür Koyun
Jun 21, 2018
Merry Christmas!
No, no, I am not confusing the seasons. (Then again, I had to defrost the windshield of my car this morning.) “Merry Christmas” is the answer to the question brought up in this blog by Oezguer two days ago:

“What interested me the most was what this (first) SMS was saying. So I am guessing it was the classic “Hello World”. Unfortunately I have never been able to find out what it really said.”

The correct answer is: “Merry Christmas”. This was the text of the very first SMS, which was sent on December 3rd, 1992 by the Briton Neil Papworth, the inventor of the SMS. He sent this message to his customer, Richard Jarvis, a Vodafone manager whom he knew had been at a Christmas party at the time. Therefore “Merry Christmas”.

Hence the SMS stepped into the world with kind triviality. And this kind triviality has also marked the stellar rise of the SMS. It is the profound reason why liability and security are of no importance for the SMS. One point in the history of the SMS fittingly sums it up: Neil Papworth has of course been anxious to find out if his SMS had been received by Richard Jarvis. So what did he do? He called Jarvis and asked him.

If you would like to have more details you can read the interview with Neil Papworth here (German magazine).

Thomas Siegner
Jun 21, 2018
Why am I convinced that Trusted Message Sign will take over the remaining operational uses of the SMS?
To get back to the topic of the SMS: What is it used for in business?

First: Strong authentication through transmission of one-time codes.
Second: Transmission of codes for the finalization of transaction processes.
Third: Transmission of flight data, parcel delivery information and information on activities you defined on assorted applications.

The good thing is that you only need to know the telephone number. Unfortunately, it is a fact that most users are more likely to know the mobile phone number of family members and friends than their own, which is somewhat understandable as someone hardly ever calls their own number. The worst part about this is that phone numbers are being traded on the black market to the highest bidder for the distribution of SPAM or other malicious activities.

This means that I as a user only have to know my phone number. However, this also means that an attacker has known it for a very long time. If an attacker is aware of my phone number he is also able to get my SMS. Sure, you might say, but how does someone intercept an SMS? Very simple: “Ask Google”.

The SMS is and has always been prone to attacks. It has not been developed for the transmission of sensitive text messages. In my point of view, “Kisses” are more than worthy of protection, but more about that in another post.

Trusted Message Sign, a KOBIL technology based on more than 25 years of experience in the protection of digital identities, solves this issue. The best part about this solution: I only have to memorize a PIN and receive messages on my smartphone, tablet or even desktop PC in the form of push notifications, and can confirm, deny or simply ignore them with preset responses.

Benefits at a glance:
• 2 channel, 2 device security level (Identity characteristics or other security elements are being transmitted through an independent security channel, invisible to other applications.)
• Transaction cost-free (It’s not the few cents per transaction but the total amount that makes the difference. Send and receive as many interactions as you like.)
• No media interruption (I don’t have to juggle with two devices.)
• No external server (Everyone trusts the telco providers. I only trust the one I am able to control myself.)

An example from the life of an online service user, e.g. online banking:
- Enter your username and password = OK
- Please wait! You will receive an SMS with an access code. This code is only valid a single time = OK
- The SMS immediately opens up as plain text on my smartphone; I memorize the six-digit code and enter it on the portal. Forgot the code or mistyped? Back to the SMS. It is also not possible to enlarge the message.
- Following the successful entry of the PIN, I am done.

How does Trusted Message Sign work? (take a look at the video)
- Enter your username and password = OK
- An encrypted message is received by the smartphone. Enter the PIN to open the message.
- Check the content of the message. If required, the text of the message can be enlarged.
- Answer the message by either confirming or denying it.

I have seen a lot of things, but this solution is really creating some new and exciting possibilities – not just for strong authentication but for every interaction that requires a reply from me. In short, Trusted Message Sign is not the first system interacting with me. But it is the first system on which I can perform a binding interaction with my identity.

Next time, I will tell you a few stories of my daily life in which I would have wished to have such a technology.

Özgür Koyun
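The confirm/deny flow described in this post and the PSD2 “dynamic linking” requirement above share one core idea: the device’s answer is cryptographically bound to the exact amount, payee and challenge that the user saw, and unlocked only by the user’s PIN, so the bank executes precisely what was displayed and confirmed. The following is an added illustration of that idea, not KOBIL’s own code or protocol; all names (`Bank`, `Device`, `Transaction`, the constructed IBANs and PIN) are hypothetical, a shared HMAC key stands in for the product’s PKI, and transport encryption of the message is left out.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical names throughout: an added illustration of transaction-bound
# confirmation, not KOBIL's own protocol or code.

@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    payee_iban: str
    nonce: str  # bank-chosen, valid for one challenge only

def canonical(tx):
    # Fixed field order, so bank and device MAC exactly the same bytes.
    fields = {"amount": tx.amount_cents, "currency": tx.currency,
              "payee": tx.payee_iban, "nonce": tx.nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def compute_code(key, tx, decision):
    # Dynamic linking: the code covers the displayed transaction AND the answer,
    # so it is worthless for any other amount, payee, nonce or decision.
    msg = canonical(tx) + b"|" + decision.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def wrap_key(key, pin, salt):
    # Mask the device key with a PIN-derived pad ("what you know" unlocks "what
    # you have"). XOR is its own inverse, so the same call unwraps; a wrong PIN
    # silently yields a wrong key, which the bank then rejects.
    pad = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, len(key))
    return bytes(a ^ b for a, b in zip(key, pad))

class Bank:
    def __init__(self):
        self.device_keys = {}  # device id -> key shared at enrolment
        self.pending = {}      # nonce -> open challenge

    def enrol(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def create_challenge(self, amount_cents, currency, payee_iban):
        tx = Transaction(amount_cents, currency, payee_iban, secrets.token_hex(16))
        self.pending[tx.nonce] = tx
        return tx

    def verify(self, device_id, shown, decision, code):
        # True only if the device confirmed exactly the pending order.
        tx = self.pending.pop(shown.nonce, None)  # one answer per challenge
        if tx is None or tx != shown:  # replayed nonce, or shown data != order
            return False
        expected = compute_code(self.device_keys[device_id], tx, decision)
        return hmac.compare_digest(expected, code) and decision == "confirm"

class Device:
    def __init__(self, key, pin):
        self.salt = secrets.token_bytes(16)
        self.wrapped = wrap_key(key, pin, self.salt)  # plaintext key not kept

    def respond(self, tx, decision, pin_entered):
        key = wrap_key(self.wrapped, pin_entered, self.salt)
        return compute_code(key, tx, decision)

def demo():
    # Constructed scenario: one genuine confirmation, then three failure cases.
    bank, payee = Bank(), "DE00-CONSTRUCTED-IBAN"
    dev = Device(bank.enrol("phone-1"), pin="4711")
    t1 = bank.create_challenge(25000, "EUR", payee)
    c1 = dev.respond(t1, "confirm", "4711")
    t2 = bank.create_challenge(25000, "EUR", payee)
    altered = Transaction(99900, "EUR", "DE00-OTHER-IBAN", t2.nonce)
    t3 = bank.create_challenge(25000, "EUR", payee)
    return {
        "genuine": bank.verify("phone-1", t1, "confirm", c1),
        "replay": bank.verify("phone-1", t1, "confirm", c1),
        "altered_order": bank.verify("phone-1", altered, "confirm",
                                     dev.respond(t2, "confirm", "4711")),
        "wrong_pin": bank.verify("phone-1", t3, "confirm",
                                 dev.respond(t3, "confirm", "0000")),
    }
```

`demo()` returns `True` only for the genuine case; the replayed code, the order that differs from what was displayed, and the wrong PIN all verify as `False`, which is the property an SMS code that merely proves "I received a six-digit number" cannot give.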
Jun 21, 2018
This is not going to happen with m-Identity Protection
The information came up again last week that due to a bug in an iOS library, distributed worldwide, more than 25 thousand iOS apps would become extremely vulnerable to attacks. “A bug in a popular iOS library means user data can be intercepted by attackers using any SSL certificate for any web server. As many as 25,000 iOS apps are vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.”

Before Android users start smiling – the figures for the Android universe are a whole different matter. It is mentioned that 930 million Android devices (please note: the link leads to a German website) are known to be vulnerable to attacks.

What both worlds have in common is the dependence on manufacturers: on the manufacturer’s ability to find relevant bugs and on their ability to quickly patch these bugs as soon as they have been recognized. This entire process, however, is beyond the control of users. In the case of Android, it is a fact that older versions are no longer being patched.

What can one do? KOBIL customers using mIDentity Protection do not have to worry about this issue, as it is not going to happen with mIDentity Protection. KOBIL provides an independent SSL stack with its own SSL truststore. It works like a VPN connection, but in this particular case between a specific application and the services on the backend.

Naturally, KOBIL technology is not 100 percent immune to bugs; software is software after all. In case of a bug, the KOBIL customer will receive an SDK patch that he can use in combination with his app so that within a very short time the app will be secure again. Between the app, the device and the central services there is a constant active connection, which is checking whether an update is required or not. Unlike with the classic apps of Android or iOS, mIDentity Protection is able to force an update of the app. Consequently, this ensures, without having to rely on the lead time of Apple, Google or Android hardware manufacturers, that the safety of the user is never jeopardized before contacting the service again.

Markus Tak
Jun 21, 2018
Kobil makes Economic History
That Mainz has a large historical university is a known fact. However, not quite so many are aware of the fact that this university accommodates an “Institute for Historical Regional Studies”. And the fact that this Institute maintains an internet portal regarding the economic history of the federal state of Rhineland-Palatinate is almost insider know-how. Additionally, the portal provides information on industrial enterprises in Rhineland-Palatinate. KOBIL has also been presented on this portal for three days. If you would like to take a look, please click the following link:
http://www.wirtschaftsgeschichte-rlp.de/a-z/k/unternehmensgeschichte-der-kobil-systems-gmbh.html

Thomas Siegner
Digitalization and transformation put many IT departments with their given competencies, structures and development procedures to a tough test. Business Apps provide customers, business partners and employees with corporate data and
At the “bank supervision dialogue” symposium, Dr. Andreas Dombret, managing board member of the German Central Bank, outlined the challenges banks may be confronted with in the face of on-going digitalisation.
*pling* – the phone display lights up, in the middle a bright bar with the words: “New message from …” A quick tap on the corresponding app and the notification opens, which only a few seconds earlier in