Digital Customer Identity – Curse or blessing?

The customer identity has become the most prized possession in the mobile world. Customers trust companies to keep their personal data safe. By disclosing their names, addresses and even their bank details, customers already show a great deal of confidence in those companies.

For many companies this is equally a blessing and a curse.

On the one hand, this data is used to the benefit of customers and companies alike, and is therefore a prerequisite for new distribution and service channels and for a better customer experience. On the other hand, a loss of trust and security can destroy a company’s reputation and its very basis of existence.

There is already an extensive trade in security flaws in mobile applications and in ways to exploit them. Behind the scenes of the internet, the trade in stolen identities generates revenues in the millions.

With the Public Key Infrastructure (PKI) owned by KOBIL, its virtual smart card technology and numerous integrated security features, the most valuable good, the customer’s identity, is protected throughout the entire digital process and on all platforms.

With its Mobile Application Security Technology (mAST), KOBIL provides an intelligent software solution that securely and bindingly connects the identities of people, machines and things, as well as mobile applications, devices, transactions and processes, into the digital world.

In the digital world a secure identity isn’t everything, but without it everything is nothing. KOBIL has stood for this for 30 years.

Author: M. Kubitzke

Evaluation of EBA requirements towards “Strong customer authentication“

“Final guidelines on the security of internet payments (EBA/GL/2014/12)” from our product portfolio’s point of view

This article compares the requirements laid down by the European Banking Authority (EBA) for strong customer authentication with their technical implementation in the products “mIDentity Protection – Trusted Message Sign“ and “mIDentity Protection – Trusted Login plus OTP calculation“.

Requirement: Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: i) something only the user knows, e.g. static password, code, personal identification number; ii) something only the user possesses, e.g. token, smart card, mobile phone; iii) something the user is, e.g. biometric characteristic, such as a fingerprint.

  • mIDentity Protection – Trusted Message Sign
    Deployed are the factors of knowledge (PIN) and ownership (device-linkage to the mobile device)
  • mIDentity Protection – Trusted Login plus OTP calculation
    Deployed are the factors of knowledge (PIN) and ownership (proprietary key for OTP calculation, and thus linkage to the mobile device)

Requirement: In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).

  • mIDentity Protection – Trusted Message Sign
    Two-factor authentication is realized (1) by PIN verification and (2) by verifying the device-linkage. Both features are verified independently of each other in the SSMS (Smart Security Management Server, the solution’s backend). Only once both have been verified successfully is the signature key enabled that is used in a subsequent step to authorize payments by digital signature.
  • mIDentity Protection – Trusted Login plus OTP calculation
    Two-factor authentication is realized (1) by PIN verification and (2) by verifying the proprietary key for OTP calculation, and thus the linkage to a specific device. Both features are verified independently in the SSMS in the course of OTP verification. For this purpose the client folds the PIN into the OTP calculation: a valid OTP, and with it a valid payment authorization, requires both the correct PIN and the correct key, and a wrong PIN or a wrong key produces a wrong OTP. Note that an incorrect OTP can in general only be detected by verification in the SSMS; the client itself cannot tell a wrong PIN from a wrong key.

Requirement: At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.

  • mIDentity Protection – Trusted Message Sign
    The features required for device-linkage are acquired automatically when the application is first used (activated) and transmitted to the SSMS. Users have no influence on this process and can therefore neither re-use nor reproduce them. The SDK deploys security measures to prevent these features from being stolen undetected. The digital signature generated for payment authorization is unambiguously tied to the respective payment transaction; its re-use for authorizing further transactions is excluded.
  • mIDentity Protection – Trusted Login plus OTP calculation
    The SSMS generates the proprietary key for OTP calculation when the application is first used (activated) and transmits it to the client. The key’s uniqueness is guaranteed. The SDK deploys security measures to prevent this key from being stolen undetected. An OTP generated to authorize a payment can be used only once; the SSMS rejects OTPs that have already been used. In addition, the payment data can be included in the OTP calculation, so that each OTP is unambiguously tied to an individual payment transaction and cannot be re-used to authorize further transactions.
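As an added illustration (this is not KOBIL’s proprietary algorithm, which the article does not disclose), the following Python models the OTP procedure described above: a device key issued at activation, the PIN folded into the OTP calculation on the client, the payment data bound into the OTP, and server-side rejection of re-used OTPs. The key derivation and truncation details, the class names `Client` and `SSMS`, and the sample IBAN are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

OTP_DIGITS = 8


def derive_effective_key(device_key: bytes, pin: str) -> bytes:
    """Fold the knowledge factor (PIN) into the ownership factor (device key).

    A wrong PIN yields a different effective key and therefore a wrong OTP; the
    client cannot tell this apart from a wrong key, only the server can.
    """
    return hmac.new(device_key, pin.encode("utf-8"), hashlib.sha256).digest()


def canonical_transaction(iban: str, amount_cents: int, currency: str) -> bytes:
    """Normalise the payment data so client and server MAC identical bytes."""
    iban = iban.replace(" ", "").upper()
    return f"{iban}|{amount_cents}|{currency.upper()}".encode("ascii")


def compute_otp(effective_key: bytes, counter: int, transaction: bytes) -> str:
    """OTP bound to a counter (non-reusable) and to the transaction (non-transferable)."""
    message = struct.pack(">Q", counter) + transaction
    mac = hmac.new(effective_key, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation as in RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class Client:
    """App side: holds the device key received at activation and a counter."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self.device_key = device_key
        self.counter = 0

    def authorize(self, pin: str, iban: str, amount_cents: int, currency: str):
        self.counter += 1
        key = derive_effective_key(self.device_key, pin)
        txn = canonical_transaction(iban, amount_cents, currency)
        return self.counter, compute_otp(key, self.counter, txn)


class SSMS:
    """Server side: issues device keys at activation and verifies OTPs."""

    def __init__(self):
        self._devices = {}   # device_id -> [effective_key, highest counter accepted]

    def activate(self, device_id: str, pin: str) -> bytes:
        device_key = os.urandom(32)
        # Only the PIN-bound key is kept; the PIN itself is not stored.
        self._devices[device_id] = [derive_effective_key(device_key, pin), 0]
        return device_key   # delivered to the client over the encrypted activation channel

    def verify(self, device_id, counter, otp, iban, amount_cents, currency) -> str:
        record = self._devices.get(device_id)
        if record is None:
            return "unknown device"
        effective_key, last_counter = record
        if counter <= last_counter:
            return "rejected: OTP counter already used"
        expected = compute_otp(effective_key, counter,
                               canonical_transaction(iban, amount_cents, currency))
        if not hmac.compare_digest(expected, otp):
            return "rejected: wrong PIN, wrong key or altered transaction"
        record[1] = counter
        return "ok"


def demo() -> list:
    """Genuine authorization, a replay, an altered amount and a wrong PIN."""
    server = SSMS()
    client = Client("device-A", server.activate("device-A", pin="4711"))
    iban = "DE89 3704 0044 0532 0130 00"   # constructed sample IBAN
    results = []
    counter, otp = client.authorize("4711", iban, 12500, "EUR")
    results.append(server.verify("device-A", counter, otp, iban, 12500, "EUR"))
    results.append(server.verify("device-A", counter, otp, iban, 12500, "EUR"))   # replayed
    counter, otp = client.authorize("4711", iban, 12500, "EUR")
    results.append(server.verify("device-A", counter, otp, iban, 9999900, "EUR"))  # amount altered
    counter, otp = client.authorize("0000", iban, 12500, "EUR")                  # wrong PIN
    results.append(server.verify("device-A", counter, otp, iban, 12500, "EUR"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The server keeps only the highest accepted counter, so a captured OTP is worthless once it has been consumed, and an OTP computed for one amount fails for any other. Note that the server cannot say which factor was wrong, exactly the point made above about verification in the SSMS.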

Requirement: The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.

  • The PIN, the features used for device-linkage and the key required for OTP calculation are all communicated over a dedicated encrypted and authenticated channel. Certificate pinning, URL whitelists and a dedicated SSL stack protect this channel against man-in-the-middle and man-in-the-mobile attacks.
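An added example (not KOBIL’s code) of the two channel checks named above, in Python. The allowed origins, the host names and the pin values are constructed for illustration. It contrasts a string-prefix whitelist, which both attacker URLs slip past, with a check on the parsed scheme, host and port, and shows the SPKI-hash comparison that certificate pinning comes down to once the certificate chain has been parsed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Origins the app's web view may load; everything else is refused.  Constructed values.
ALLOWED_ORIGINS = {
    ("https", "banking.example.com", 443),
    ("https", "static.example.com", 443),
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Return (scheme, host, port) for a URL, or None if it cannot be determined safely."""
    try:
        parts = urlsplit(url)
        host = parts.hostname     # lower-cased; userinfo and port already stripped
        port = parts.port         # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if not host:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), host.rstrip("."), port)


def is_allowed(url: str) -> bool:
    """Whitelist check on the normalised origin, not on the URL string."""
    origin = origin_of(url)
    return origin is not None and origin in ALLOWED_ORIGINS


def naive_is_allowed(url: str) -> bool:
    """The prefix check this example warns against: it matches on the wrong host."""
    return any(url.startswith(f"{scheme}://{host}") for scheme, host, _ in ALLOWED_ORIGINS)


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the usual form: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der: bytes, pinned: set) -> bool:
    """Accept the server only if the public key presented is one of the pinned keys."""
    candidate = spki_pin(spki_der)
    return any(hmac.compare_digest(candidate, p) for p in pinned)


SAMPLE_URLS = [                                       # constructed test inputs
    "https://banking.example.com/login",
    "HTTPS://Banking.Example.COM:443/login",
    "http://banking.example.com/login",               # wrong scheme
    "https://banking.example.com:8443/login",         # wrong port
    "https://banking.example.com.attacker.example/",  # allowed host as a prefix
    "https://banking.example.com@attacker.example/",  # allowed host as userinfo
]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:50} naive={naive_is_allowed(url)!s:5} strict={is_allowed(url)}")
    pinned = {spki_pin(b"constructed SPKI bytes, not a real key")}
    print(pin_matches(b"constructed SPKI bytes, not a real key", pinned))
```

The last two sample URLs are the reason the origin must be parsed: `banking.example.com.attacker.example` and `banking.example.com@attacker.example` both begin with the allowed string but resolve to the attacker’s host. The pin comparison uses `hmac.compare_digest` so that the string comparison itself does not leak timing information.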

Dr. Erik Dahmen

KOBIL m-IDentity protection defends against recent attacks on Android Multimedia System

©SprengART

Currently there are reports of successful attacks on Android devices that exploit weaknesses in multimedia handlers, e.g. for MMS messages or MP4 videos. These exploits allow attackers to take control of the smartphone: MMS Not the Only Attack Vector for “Stagefright” (Trend Micro) or Stagefright: It Only Takes One Text To Hack 950 Million Android Phones (Forbes).

KOBIL m-IDentity protection helps on several layers to protect your apps against such threats. Even if the smartphone’s system-wide multimedia components are successfully attacked with one of the exploits mentioned above, the attack cannot be extended to an app secured with m-IDentity protection. This is achieved by protecting the app against manipulation by local processes, including privileged system processes. If your app also uses HTML5 or web content, the URL whitelist filter and certificate pinning prevent compromised content from being loaded from manipulated web sites: only authentic web pages of the content provider are displayed.

KOBIL expects more exploits of this class to appear shortly. The hardening functions of the KOBIL m-IDentity protection solution are continuously improved and adapted to the latest findings.

Markus Tak

Why DIRECTebanking (“Sofortüberweisung”) is, indeed, “acceptable!“

©www.istock.com/Shivendu Jauhari

The popular payment method “instant bank transfer”, or DIRECTebanking, was classified as unacceptable by the district court of Frankfurt because it poses considerable risks to data security and supposedly opens the door to fraud and misuse: Online-Bezahlverfahren Sofortüberweisung (link to the German news ticker of www.heise.de).
Instant bank transfer accesses customer online banking login details – a procedure banks have often criticised and compared to a man-in-the-middle attack.

But, thanks to its simplicity, instant bank transfer is among the most popular online payment methods. The question arises: why do banks and Sofortüberweisung not choose to cooperate? Banks and Sofortüberweisung would both benefit from working together. Sofortüberweisung could effectively counter any criticisms it faces, and banks would find a very popular payment method inside their portfolio.

Banks wishing to offer this payment method would have to make money transfers as simple as Sofortüberweisung already does, and the transfers would have to be processed by the banks themselves.

A Swiss bank has already implemented such a method. Here, customers choose their favourite direct payment method, without having to bypass their banks’ security mechanisms. Users are involved in payment transactions and can authorise payments, without having to worry about a man-in-the-middle attack.

This makes for a typical win-win situation. For customers, this path is highly desirable.

Dr. Salim Güler

App to date

©www.istock.com/Alex Belomlinsky

*ding* – the phone display lights up, in the middle a bright bar spelling out the words: “New message from…” A short click on the corresponding app and, within a moment, the message that was sent off only seconds before, perhaps even from hundreds of kilometres away, opens up. That’s how communication works today: in real-time, on your smartphone, using apps.

The lyrics to a famous old German folk song are as follows: “A birdie comes a-flying, it settles on my foot. It has a note in its beak: a greeting from mother.” (German: „Kommt ein Vogel geflogen, setzt sich nieder auf mein‘ Fuß. Hat ein‘ Zettel im Schnabel: von der Mutter einen Gruß…“).

The song dates back to 1824. Almost 200 years have passed since then, and everything has changed. The birdie has become an app, but the purpose is the same: communication. Where the bird would take several hours to deliver a message to its recipient, message transfer today takes a few seconds at most.

Our new web 2.0 world is all about direct contact, fast data exchange and communication. This is where communication apps come in handy: they are fast, personal, reliable and will definitely be received and read.

But not only the private sector benefits from these new developments. Apps may also act as helpful assistants to corporations: for most business people and employees, smartphones have become as much part of the basic gear as neckties. So why not use mobile devices for fast internal communication as well? Numerous corporations have already implemented this option for different purposes: for internal document access on the road or at external customer meetings, or simply for informing colleagues about one’s whereabouts or arrival time when on the way to a meeting.

Corporate apps are useful companions that can simplify workflows. Some apps provide access to digital staff newspapers with news and information about the company, including video or audio files. This allows employees to keep in touch with their company outside office premises and hours, which in turn leads to stronger identification with the company and its values.

With some apps, employees can send direct feedback and establish contact by means of a dialogue box. “Establishing contact” can also be applied to contact between companies and customers: once the app is installed on the smartphone, any news or offers can be accessed with one simple click. Customers can CHOOSE to receive offers whenever they want, instead of being bombarded by unwanted pop-up ads when checking their e-mails.

To conclude: communication apps are no longer limited to the private sector, but can also provide great benefits to companies, thus making them a welcome addition in comparison to classic communication platforms – and the little birdie with the note in its beak.

Désirée Leisner

Should banks have to decide between innovation and security when it comes to digital strategies?

© www.istock.com/AndreyPopov

At the “bank supervision dialogue” symposium, Dr. Andreas Dombret, managing board member of the German Central Bank, outlined the challenges banks may be confronted with in the face of on-going digitalisation.

To maintain their standing with customers, banks must respond to the threat posed by new players entering the market with innovations in digital banking. Both start-ups and established businesses are beginning to extend their feelers towards banking, and banks may actually find they have a good starting position, provided they act fast. Digitalisation also offers great potential for cost reduction in branch offices.

However, Dombret also points out the risks of digitalisation. The German Central Bank, and especially its management, must pay closer attention to the security of innovative digital solutions, as cyber risks have increased significantly over the past years.

What appear to be incompatible factors at first glance are no longer a problem with KOBIL.

KOBIL technology makes it possible to realise new concepts that emphasise usability and innovation, without having to worry about compromising security. KOBIL technology offers the highest possible security that is verified by experts. For instance, procedures may be implemented that make TAN procedures redundant and allow customers to make money transfers with a mere click of a button.

Telephone and e-mail banking can also be implemented easily, making fraud almost impossible.

With KOBIL the question of whether to choose innovation over security or vice versa is eliminated – because KOBIL stands for innovation and highest security for banks.

Jochen Laun

The CIO, the Special Department and the Mobile World

©www.istock.com/Nopestudio

Digitalization and transformation put many IT departments with their given competencies, structures and development procedures to a tough test. Business Apps provide customers, business partners and employees with corporate data and abolish the business divisions’ traditional responsibility areas.

The specialized departments ask for faster development of new solutions and want existing applications adapted. They request more agility in order to benefit from digitalization and thus gain a competitive edge for their business.

Unfortunately, many specialized departments pay little attention to security loopholes, identity or data theft, or the support issues that come with using external applications (mobile, cloud, etc.). Departments like marketing and communication, HR or sales are increasingly able to make purchases themselves, because the internal IT department either cannot or does not want to provide them with adequate services.

Specialized departments spend large sums on external cloud solutions such as platform or infrastructure services and software-as-a-service (SaaS) (maverick buying), which IT departments frown upon. They fear adverse consequences for the standardization and automation of the company’s IT. Another risk is that shadow IT and new data silos are established.

The IT department, which considers itself a business partner, plays a central role when it comes to presenting digitalization and governance for mobile transformation, mobile business and business apps.

KOBIL supports the CIO with its security platform mIDentity that provides top-level security for the challenges described above. For more than 25 years, KOBIL has been researching and developing in the cryptography sector. Based on this know-how, we created a foundation that enables the CIO to provide security on all levels (mobile, web and desktop) and to mobilize corporate processes safely.

Murat Ayranci

Why and what do companies on the web invest in?


A study by the consultancy PAC on behalf of Deutsche Telekom, in progress for some time but published only recently, deals with the question of why and what companies on the web invest in. Its management summary: “Web applications are advancing. More than 10 percent of all companies are planning their first use beyond external or internal communication. Today more than 60 percent of companies already provide web applications for mobile platforms – a fast-growing trend. The number of mobile apps for sales or purchasing will increase by 40%. (…) Security, mobility and collaboration are the top drivers of investment in web applications. (…) Security, individuality and agility are core requirements for web application management in the digital age”.

No, KOBIL was not involved in this study. But it summarizes exactly what we have not tired of pointing out for quite some time: web applications are imperative for developing new business areas. Web applications support mobile solutions first and foremost, but not only those. And investments in mobile solutions have one even more critical success factor: the security of the solution.

Or to quote the study: „The relevance of web applications is increasing significantly in the course of the digital transformation – especially in the areas beyond external and internal communication. Web application management in the digital age is more than the operation of websites, intranets or extranets. It is a company-wide discipline with major relevance for the entire business success of companies. (…) Mobility support, requested in many areas today, is a clear growth trend and a major challenge at the same time – especially for web application management. After all, more and more applications for different platforms have to be developed and tested and their trouble-free and secure operation ensured – and all that with ever shorter development cycles and generally limited budgets. (…) Application management in the digital age not only has to meet the increasing demand for mobility and networking but has to take the increased requirements of data protection and data security into account as well. The increase in mobility and networking will, after all, result in more security risks.“

We have nothing to add. The study is available to anyone who would like to read it in detail; free access requires registration at the following link:

https://it-transformation.t-systems-mms.com/home/pac-studien.html

Murat Ayranci

What actually is a digital ecosystem?


© iStock / Alex Belomlinsky

The quickest and shortest answer to the question “What actually is a digital ecosystem?” is: “Something like Apple”. This answer is not entirely wrong, but it is not right either. It is true that the world Apple created fits the definition of an ecosystem quite well: “Ecosystems usually describe the relationship of living organisms with their environment and each other” (Schaefer 2012, according to Wikipedia). Let’s be generous and take the intention for the deed: Apple created a world in which more or less everything exists and in which more or less everything fits together. The fact that there isn’t an app for everything that happens in the digital life of an Apple user, and that in the Apple world not everything fits together, does not change this basic idea.

However, a very important part of the definition of ecosystems is missing: openness. We don’t have to study the subject to know that biological ecosystems are generally open. That is why the Asian ladybird is able to migrate from its ecosystem and oust the European ladybird. That is why the Indian jewelweed is able to line Palatinate waysides in abundance. And there are not only negative examples: foods we take for granted as native products, such as cherries or potatoes, were originally imported from other ecosystems.

Back to the digital world. Not only Apple but Google and Microsoft as well have created digital ecosystems in which more or less everything exists and more or less everything fits together. In doing so they have made their users’ lives easier while filling their own pockets. But all of these systems lack openness. That is why we at KOBIL are certain that if we are going to focus on digital ecosystems in the future, our intention should not be the invention of yet another closed digital world, but a system that combines the familiar user comfort with a high level of security while offering openness at the same time. All in keeping with the motto we never tire of repeating: “Secure your identity”.

Murat Ayranci

Why Kobil’s Solution is Superior to any Mobile Device Management


©istock.com/jackethead

In 2014, security provider Kaspersky recorded about 12,100 mobile banking Trojans, which all were after the users’ banking access and transaction data. All in all, security specialists identified more than 295,000 mobile malware programs attacking Smartphones in 2014. Please note: we’re not talking about three hundred thousand attacks but three hundred thousand aggressive programs!

A key gateway for cyber criminals is the mobile communication between staff and company servers. If, for instance, sales staff retrieve CRM data on their tablet or smartphone, or use these devices to confirm orders and transmit customer data, inadequately secured mobile devices are a major risk: they can be used to introduce viruses or Trojans into the corporate network or to steal data. In B2C e-commerce the situation is similar. Customers use their smartphone to order goods or services and for online banking, these days usually through mobile apps. Such apps frequently reside on unsecured or inadequately secured smartphones and are thus exposed to cyber-attacks themselves.

Many companies try to address such risks with Mobile Device Management (MDM) solutions, which, put simply, centrally control and protect all programs and the entire data exchange on the mobile device. This is not a perfect solution for devices that employees use for both private and business purposes, and customer devices are completely outside a company’s control. It therefore seems natural to secure the app instead of the device, and to do so in a manner that cannot be corrupted even in unsecured environments that cannot be fully controlled.

KOBIL’s solution comprises a frontend and a backend component. The Software Development Kit (SDK) can be integrated into practically any mobile app. It protects apps from being copied to other devices, from manipulation and from the creation of fake apps. Apps built with the SDK contain the security solution’s frontend component.

When first activated, an app built with the SDK binds itself to the mobile device and registers with the Smart Security Management Server (SSMS), the security solution’s backend component. From then on, the SSMS can determine:

  • does the mobile app actually run on the device it was initially registered with or has it been copied to another device;
  • does the running app still feature its original code or has it been modified;
  • is the app’s version correct or does it have to be updated;
  • if applicable, the authentication (user’s PIN) for the mobile platform.
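To make the four checks concrete, here is an added Python model of the registration and check-in logic. It is not KOBIL’s SSMS protocol, whose details the article does not give. The registry remembers the device fingerprint, the code hashes of the genuine builds, a minimum version and a salted PIN hash; each check-in is a server-issued challenge answered with an HMAC under the binding key issued at activation, so a captured report cannot be replayed. The message layout, the class names `ProtectedApp` and `AppRegistry`, and all fingerprints and hashes are constructed assumptions; in particular the model assumes that the fingerprint and code hash reported by the SDK are trustworthy, which is what the SDK’s own anti-tamper hardening would have to ensure.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def checkin_mac(binding_key: bytes, version: str, nonce: bytes,
                device_fp: bytes, code_hash: bytes) -> bytes:
    """Proof that the reporting app holds the binding key issued at activation."""
    message = b"|".join([version.encode("ascii"), nonce, device_fp, code_hash])
    return hmac.new(binding_key, message, hashlib.sha256).digest()


class ProtectedApp:
    """App side: what the SDK reports at each start-up (all values constructed)."""

    def __init__(self, device_fp: bytes, code_hash: bytes, version: str):
        self.device_fp = device_fp    # fingerprint of the phone the app runs on
        self.code_hash = code_hash    # hash of the app's own code, measured at run time
        self.version = version
        self.binding_key = None       # received from the server at activation

    def checkin(self, nonce: bytes) -> dict:
        return {"version": self.version, "nonce": nonce, "device_fp": self.device_fp,
                "code_hash": self.code_hash,
                "mac": checkin_mac(self.binding_key, self.version, nonce,
                                   self.device_fp, self.code_hash)}


class AppRegistry:
    """Server side: what was registered at activation plus the current policy."""

    def __init__(self, genuine_builds: dict, min_version: str):
        self.genuine_builds = genuine_builds   # version -> code hash of the real build
        self.min_version = min_version
        self._devices = {}
        self._open_challenges = set()

    def activate(self, device_id: str, app: ProtectedApp, pin: str) -> bytes:
        salt = os.urandom(16)
        self._devices[device_id] = {
            "binding_key": os.urandom(32),
            "device_fp": app.device_fp,
            "pin_salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS),
        }
        return self._devices[device_id]["binding_key"]   # sent over the activation channel

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._open_challenges.add(nonce)
        return nonce

    def verify(self, device_id: str, report: dict, pin: str) -> str:
        record = self._devices.get(device_id)
        if record is None:
            return "unknown device"
        if report["nonce"] not in self._open_challenges:
            return "stale or replayed challenge"
        self._open_challenges.discard(report["nonce"])
        expected = checkin_mac(record["binding_key"], report["version"], report["nonce"],
                               report["device_fp"], report["code_hash"])
        if not hmac.compare_digest(expected, report["mac"]):
            return "binding key invalid"
        if report["device_fp"] != record["device_fp"]:
            return "app copied to another device"
        if report["code_hash"] != self.genuine_builds.get(report["version"]):
            return "app code modified or unknown build"
        if version_tuple(report["version"]) < version_tuple(self.min_version):
            return "update required"
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["pin_salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(pin_hash, record["pin_hash"]):
            return "wrong PIN"
        return "ok"


def demo() -> list:
    """Genuine app, replayed report, cloned app, patched app, old build, wrong PIN."""
    builds = {v: hashlib.sha256(f"genuine app code {v}".encode()).digest() for v in ("2.0.0", "2.1.0")}
    registry = AppRegistry(builds, min_version="2.1.0")
    phone_a = hashlib.sha256(b"phone A hardware identifiers").digest()
    app = ProtectedApp(phone_a, builds["2.1.0"], "2.1.0")
    app.binding_key = registry.activate("device-A", app, pin="4711")

    def run(candidate: ProtectedApp, pin: str = "4711") -> str:
        candidate.binding_key = app.binding_key   # every variant carries the real key
        return registry.verify("device-A", candidate.checkin(registry.challenge()), pin)

    results = [run(app)]
    report = app.checkin(registry.challenge())
    registry.verify("device-A", report, "4711")
    results.append(registry.verify("device-A", report, "4711"))
    results.append(run(ProtectedApp(hashlib.sha256(b"phone B").digest(), builds["2.1.0"], "2.1.0")))
    results.append(run(ProtectedApp(phone_a, hashlib.sha256(b"patched code").digest(), "2.1.0")))
    results.append(run(ProtectedApp(phone_a, builds["2.0.0"], "2.0.0")))
    results.append(run(app, pin="0000"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: the replay and MAC checks come first so that an attacker without the binding key learns nothing about the registered fingerprint or build, and the PIN is verified last so that PIN guessing is only possible from a bound, unmodified, current app.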

The company can thus rely on having a secured connection to the terminal device and on the encrypted data received from the app being authentic – even if the app’s environment should be unsecured. Moreover, the solution can be used to clearly identify users. And apps being secured like this can serve to reliably authorize transactions and realize secured (encrypted) communication.

Murat Ayranci