KOBIL Systems helps the financial sector to develop new business models with PSD2-compliant IT security solutions

LONDON, UK, 18th January 2018 – KOBIL Systems GmbH, a leading IT security company headquartered in Germany, today presents a security solution that complies with the new Payment Services Directive 2 (PSD2), in time for the launch of the new directive. This will help banks and financial institutions to meet and successfully implement the strict requirements of the updated EU directive. The Dual 7 Layers of Security approach developed by KOBIL – which is the only one of its kind in the world to date – plays a central role, allowing for stricter customer authentication without restricting the end user experience. The foundation of the approach is KOBIL’s mIDentity Application Security Technology (mAST).

“PSD2 will completely change the way a bank’s customers pay. The industry cannot ignore these facts. Just as Industry 4.0 has had a major impact on the industrial sector, these EU regulations will revolutionise the entire financial sector,” explains Ismet Koyun, founder and CEO of KOBIL Systems GmbH. “As a technology partner with over 30 years of experience and expertise in the IT security sector, the Dual 7 Layers of Security approach is our response to the hurdles and opportunities presented by the updated EU guidelines. We would like to communicate this answer together with our partners throughout Europe. At its core, PSD2 enables banks to create exciting new business models. KOBIL is committed to implementing innovations within this framework safely and in compliance with PSD2.”

PSD2 will in particular fundamentally change security requirements: since 13th January, two-factor authentication has been a prerequisite for electronic payment transactions in the European payments area. This is intended to ensure greater customer security. Before PSD2, banking systems depended on direct interaction with the customer, in which the banks themselves had all the information they needed to determine whether a transaction was fraudulent. Providing a secure environment and developing financial services, while ensuring consumer protection against fraud and accountability, will therefore be a major challenge for banks.

Strong customer authentication, together with secure communication, makes it possible to master this challenge. KOBIL’s Dual 7 Layers of Security solution takes a holistic approach and offers a robust, agile and compliant solution. It secures the identity of end users at seven different levels and makes any kind of fraud attempt almost impossible. KOBIL’s mIDentity Application Security Technology is used here. With mAST, KOBIL offers an end-to-end security platform for strong customer authentication and authorisation using trusted identities for continuous, binding and reliable communication between banks, third parties and their customers. KOBIL’s time-tested and market-proven Public Key Infrastructure (PKI) solution uses advanced shielding, protection, prevention, detection and reporting mechanisms.

KOBIL starts securing the device and the application even before the login process. For example, KOBIL checks the device on which the dedicated application runs before the application is started, and binds the application to this device, personalising it for the user. In addition, the solutions look beyond the technical aspects of security and assess the situation taking the real-time context into account: time, place and situation. With the Digitanium Channel and Dual 7 Layers of Security, KOBIL offers Titanium security: a dual communication technology that provides a secure transport route for sensitive data between user and bank.

There is no doubt that PSD2 presents banks with a number of challenges. Banks and other financial service providers must therefore carefully weigh up their strategic options. This can lead to different orientations: banks can choose to become PSD2 compliant with minimal effort, or they can use PSD2 as a tool to invest in agility and customer loyalty. “Open banking in particular has many advantages,” says Ismet Koyun, explaining the opportunities offered by PSD2: “But it is those particularly forward-looking banks that are building their own ecosystems and setting up their own businesses.”

KOBIL solutions are today a standard for digital identity and highly secure data technology. Founded in 1986, the 120-strong KOBIL Group, headquartered in Worms, is a pioneer in smart card, one-time password, authentication and cryptography. The core of the KOBIL philosophy is to enable continuous identity and mobile security management on all platforms and all communication channels. Almost half of KOBIL’s employees are involved in development, including leading specialists in cryptography. KOBIL plays a key role in the development of new encryption standards. Commerzbank, DATEV, German Bundestag, Migros Bank, Société Générale, UBS, ZDF and many others rely on and trust in KOBIL.

Press contact

LEWIS Communications
Millbank Tower
Millbank, London
Tel: +44 20 7802 2626



KOBIL Systems listed as a Representative Vendor in Gartner’s Market Guide for User Authentication

Worms, 22.11.2017 – KOBIL, a leading provider of digital identity and application security solutions, today announced that it has been identified as a Representative Vendor in the Gartner “Market Guide for User Authentication” report. KOBIL Systems was named in the user authentication vendor category alongside 39 other providers.

According to Gartner, “to enhance network, application and data security, reduce fraud and other risks, and to address specific threats and regulatory requirements, security and risk management leaders seek products and services that provide user authentication for an enterprise’s workforce, partners, customers and so on, to enable their access to electronic or digital assets owned or managed by, or provided on behalf of, the enterprise.”

KOBIL’s mIDentity Application Security Technology (mAST) provides an end-to-end security platform to deliver strong customer authentication and authorization using trusted identities for continuous, binding and reliable communications. KOBIL’s time and market proven Public Key Infrastructure (PKI) based solution utilizes advanced hardening, shielding, protection, prevention, detection and reporting mechanisms.
What makes this unique is that KOBIL enables organizations to expand the scope of their digitalization use cases by introducing a high-trust environment that improves the user experience and user interaction at the same time. KOBIL’s Smart Security Management Server and its own Digitanium™ Channel continuously protect users, apps, devices and business workflows in any scenario. It also helps organizations to comply with regulations such as the Payment Services Directive 2 (PSD2), the Regulatory Technical Standards (RTS) and the General Data Protection Regulation (GDPR).

“Our sole focus for 31 years has been to secure identities in a trusted, reliable and binding way”, says Ismet Koyun, CEO of KOBIL Systems. “Our target has always been to help customers and partners to achieve 360° security and a better user and customer experience at the same time. We believe being named by Gartner as a Representative Vendor reinforces our solution’s value to our customers and business partners.”

The Gartner Market Guide for User Authentication can be downloaded by Gartner subscribers at: https://www.gartner.com/document/3823258?ref=solrAll&refval=194286440&qid=4d376eb7e61d2d5d5202b1af73e741e2

This press release refers to the “Gartner Market Guide for User Authentication” by Ant Allan, David Anthony Mahdi and Anmol Singh, 16 November 2017.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.




KOBIL and Dropbox develop 2FA-Login with QR-Scan

WORMS / HAMBURG – 10 October 2017 – The US provider Dropbox and the German security specialist KOBIL have jointly developed a login solution for Dropbox Business customers that makes two-step authentication on the collaboration platform easier. From the end of October, Dropbox Business users can log in to Dropbox with two-factor authentication by scanning a QR code with the KOBIL “Trusted QR-Login” app.

Instead of entering an e-mail address and a static password, Dropbox Business users scan the QR code presented by the secured application with KOBIL’s mobile “Trusted QR-Login” app to prove their identity and authorisation to Dropbox. Business customers who already have a specific Dropbox URL can log in via the QR code without even entering their e-mail address.

“Obviously, some complicated security processes have to take place in the background for a secure 2-factor authentication. But unlike classic 2-factor solutions such as one-time passwords, tokens, SMS or smartcards, the user does not notice it,” explains Tan Sarihan, Product Strategy & Innovation Leader at KOBIL.

This is also emphasised by Marc Paczian, Solutions Architect, from Dropbox Germany. “We are constantly developing new solutions to make our users’ 2-factor authentication as easy as possible. Passwords and their duplicate use are still the biggest weakness in online accounts. 2-factor authentication is therefore essential.”

The solution will be available from the end of October 2017. It works with browser access to Dropbox as well as with the Dropbox desktop client and the Dropbox app on mobile devices. The QR code additionally secures access to Dropbox when it is requested from external or public devices. Key loggers and similar attack methods are powerless because no sensitive password or other logon data needs to be entered via the keyboard of the device.

The 2-factor authentication with Dropbox then runs as follows: a unique, user-specific QR code is generated and displayed to the user. The business customer’s existing LDAP or Active Directory user administration can serve as the basis for the system. The KOBIL components SAML Connector and Smart Security Management Server (SSMS) access it and use the identity stored there for the secured app.

The Dropbox customer scans the generated QR code with the “Trusted QR-Login” app installed on their smartphone. This separately secured app automatically sends the scan to the SSMS, which can then confirm identity and authorisation to Dropbox. This requires two factors: the PIN (or Touch ID fingerprint on iOS devices) used to unlock the app, and the unique assignment of the KOBIL “Trusted QR-Login” app to the user’s smartphone. (A detailed technical explanation of the registration procedure follows below.)

“With the KOBIL ‘Trusted QR Login’ integration, our joint customers can simplify and speed up the Dropbox login process, together with the integrated security logic from KOBIL. Our partners work together with us to deliver a security architecture that covers not just Dropbox but also other cloud and on-premise systems. KOBIL is an excellent example,” says Marc Paczian of Dropbox.

For Tan Sarihan, Product Strategy & Innovation Leader at KOBIL, the collaboration with Dropbox demonstrates KOBIL’s commitment to partnering with best-in-class solutions. “We offer optimally protected apps that, in cooperation with the Smart Security Management Server, can secure virtually any online registration and login, while providing a high level of user comfort and great simplicity.”


Technical explanation

The end user accesses the service provider’s service, in this case Dropbox, via a URL. The service provider forwards this request to the Identity Provider (the KOBIL SAML Connector). SAML stands for Security Assertion Markup Language, an XML framework for exchanging authentication and authorisation information; it provides functions to describe and transmit security-related information. At the same time, the KOBIL Smart Security Management Server generates a unique QR code. This is transferred to the SAML Connector via a SOAP interface and displayed to the calling user.

The user scans the QR code displayed in the Dropbox login process with the KOBIL “Trusted QR-Login” app. The app sends the code to the SSMS mentioned above over an encrypted connection based on the user identity in the KOBIL virtual smartcard, where it is compared with the code displayed to the user on the Dropbox website. If the two codes match, the service is released to the user or, depending on the use case, the user receives an access token with which to log on to the service.

The app is hardened. Already during the initial registration, the registered smartphone is bound to the user; the app cannot be copied to other devices, so abuse of a copy is not possible. KOBIL’s SSMS, which is responsible for monitoring security, checks this device binding, checks whether the device is classified as safe, and detects possible attacks on the app and on its use (debugging, reverse engineering, key loggers, etc.). Only when all security checks have succeeded does the server establish a protected connection. The entire process runs in quasi-real time.
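The following Python model of the QR-login exchange just described is an added example, not code from the press release or from KOBIL: a server in the SSMS role issues a one-time code for a browser session, the app on an enrolled phone returns the scanned code over its own authenticated channel, and the server releases the session only when the code is unused, unexpired and comes from the bound device. The per-device key provisioned at registration and the use of HMAC-SHA256 as the device authentication are assumptions standing in for the virtual smartcard identity the text mentions.

```python
"""Cross-device QR login: one-time code, bound device, single use, short lifetime.
Constructed example; the device key and HMAC scheme are assumptions, not KOBIL's design."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumption: how long a displayed QR code stays valid


class LoginServer:
    """Plays the SSMS role: generates codes, verifies scans, releases sessions."""

    def __init__(self, now=time.time):
        self.now = now
        self.devices = {}   # device_id -> (user, device_key), set at app registration
        self.pending = {}   # code -> {"session": id, "issued": ts, "used": bool}
        self.sessions = {}  # browser session id -> user, set only after a valid scan

    def enroll(self, user, device_id, device_key):
        """Registration step: bind one phone (and its key) to one user."""
        self.devices[device_id] = (user, device_key)

    def issue_code(self, session_id):
        """Browser arrives: create the unique code that is rendered as the QR image."""
        code = secrets.token_urlsafe(24)
        self.pending[code] = {"session": session_id, "issued": self.now(), "used": False}
        return code

    def confirm_scan(self, device_id, code, tag):
        """App sends back the scanned code plus its device authentication tag."""
        entry = self.pending.get(code)
        if entry is None:
            return "unknown code"
        if entry["used"]:
            return "replay"                      # a code releases at most one session
        if self.now() - entry["issued"] > CODE_TTL_SECONDS:
            return "expired"
        bound = self.devices.get(device_id)
        if bound is None:
            return "device not enrolled"         # copy of the app on a strange phone
        user, key = bound
        expected = hmac.new(key, code.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad device authentication"
        entry["used"] = True
        self.sessions[entry["session"]] = user   # browser session is now logged in
        return "ok"

    def session_user(self, session_id):
        return self.sessions.get(session_id)


def app_scan(device_key, code):
    """App side: authenticate the scanned code with the key held on this phone."""
    return hmac.new(device_key, code.encode(), hashlib.sha256).hexdigest()


def demo():
    """Walk through the flow on constructed data and return each step's outcome."""
    clock = {"t": 1_000.0}                       # fake clock so expiry is reproducible
    srv = LoginServer(now=lambda: clock["t"])
    phone_key = secrets.token_bytes(32)          # provisioned into the app at registration
    srv.enroll("alice", "phone-1", phone_key)

    code_a = srv.issue_code("browser-A")
    first = srv.confirm_scan("phone-1", code_a, app_scan(phone_key, code_a))
    replay = srv.confirm_scan("phone-1", code_a, app_scan(phone_key, code_a))

    code_b = srv.issue_code("browser-B")
    forged = srv.confirm_scan("phone-1", code_b, "00" * 32)          # tag from wrong key
    stranger = srv.confirm_scan("phone-9", code_b, app_scan(phone_key, code_b))
    clock["t"] += CODE_TTL_SECONDS + 1
    late = srv.confirm_scan("phone-1", code_b, app_scan(phone_key, code_b))
    unknown = srv.confirm_scan("phone-1", "never-issued", app_scan(phone_key, "never-issued"))

    return {
        "first": first, "replay": replay, "forged": forged, "stranger": stranger,
        "late": late, "unknown": unknown,
        "browser-A": srv.session_user("browser-A"),
        "browser-B": srv.session_user("browser-B"),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```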





KOBIL Systems GmbH
Corporate Communication
Pfortenring 11
D-67547 Worms

Tel. : +49-6241-3004-959
Fax : +49-6241-3004-80
E-mail: marketing@kobil.com


About Dropbox

Dropbox keeps more than 500 million registered users on the same page with easy-to-use collaboration tools and the fastest, most-reliable file sync platform. From the smallest business to the largest enterprise, we make teamwork better. For more information, please visit dropbox.com/news.



Larissa Haida, PR Manager Dropbox
Tel. +49 (0) 40 8000 84 618
E-Mail: larissahaida@dropbox.com


For the first time KOBIL and Yapi Kredi implement secure login without PIN

Worms, July 20th, 2016. Yapı Kredi Bank, a company of the Yapi Kredi Group, has fortified its mobile and internet banking services for corporate, commercial and SME customers by integrating mIDentity Security Technology developed by KOBIL, a leading company in digital data security solutions.

Customers who use Yapı Kredi’s corporate internet or mobile banking channels can log in to the corporate internet branch and carry out banking transactions more securely and much more easily than with the previous method, thanks to the innovative login technology, implemented for the first time in Turkey.

Thanks to the QR-code scanning login method, users can log in to internet banking instantly, without a user code or password, by scanning the QR code on the Yapı Kredi Corporate Internet Branch login panel with the Yapı Kredi Corporate Mobil Branch application.

As part of the cooperation with KOBIL, Yapi Kredi also offers “secure login with USB” technology to its customers. The USB login technology provides maximum security in banking transactions with a “plug & play” method and can be used on both Mac and Windows operating systems. When users plug their mini USB into a computer, a screen opens automatically to let them carry out their banking transactions in a secure environment. When establishing a connection or signing in to the web service, users only have to enter the PIN of their smartcard to be logged on instantly. Thus users can use Yapı Kredi banking services in a secure environment with its special security infrastructure.

Apart from internet and mobile banking services, Yapı Kredi also secures other customer transactions, such as EFT or money transfers, using KOBIL’s mIDentity Security Technology.


Secure banking transactions across PCs and mobile phones

With its two-factor authentication feature, KOBIL’s mIDentity Protection closed-circuit encrypted messaging platform fortifies the security of the bank’s web sites and mobile apps in order to protect customers from possible cyber-attacks during mobile and internet banking transactions, even on public computers and tablets without firewalls. The platform, compatible with iPhone, iPad, Android and Windows PC operating systems, not only provides security automatically, but also removes customers’ security concerns, fulfils high-security expectations and contributes to banks’ efforts to increase customer satisfaction.

mIDentity increases convenience while providing maximum security

“Today, digital banking has become mainstream for banks. Banks were previously focusing only on user experience and functions, but now they pay much more attention to application security. Stronger security means more convenience for users. But convenience needs a solid security infrastructure. If the security infrastructure is strong, a simple PIN or finger touch will be enough for secure banking transactions, even on mobile devices. Our mIDentity technology, which is used in the Yapı Kredi Corporate Mobil Branch application, is a security platform that increases convenience while providing maximum security. Users can log in to the Yapı Kredi Corporate Internet Branch even without passwords thanks to the solid security infrastructure of mIDentity technology,” said Ümit Yaşar, KOBIL Turkey Country Director.


netbank opts for KOBIL’s Trusted Message Sign

WORMS, 24 May 2016 – Since February 2016, netbank – Europe’s first internet-only bank, headquartered in Hamburg – has been securing its online banking not only with mobile TAN and chip TAN but also with Secure-App, which is based on the mIDentity Trusted Message Sign solution designed by KOBIL.

Secure-App enables netbank clients to authorize transactions set up on their PC or tablet through a registered smartphone without having to enter any TAN. “Hereby, we offer our more than 160,000 clients a most convenient and extremely safe authorization procedure for their transactions. Moreover, we were able to implement this solution quickly,” says Nico Koller, netbank AG’s IT department manager.

In order to sign transactions via the app, the customer downloads it from the Android or Apple store, registers it once with their bank, and can then use it by entering a PIN. Secure-App has been hardened by KOBIL’s technology: it is, for example, protected against being copied off the registered device, against manipulation and against fake-app creation.

If, for instance, a money transfer is to be signed, the bank’s online banking application sends an authentication request to KOBIL’s Smart Security Management Server (SSMS), which runs at the bank’s back end. While communicating with the client’s app over an encrypted channel, the SSMS simultaneously verifies various security parameters; for instance, it checks whether the device user corresponds to the identity of the authorized bank client.

If any of these security parameters cannot be verified, the SSMS terminates its communication with the app and the respective transaction cannot be authorized. If all parameters are correct, however, the signing procedure is completed and the money transfer can be processed.

All transaction-related details are encrypted and sent to the back-end server, which opens another secured communication channel and sends the information to the app. The user can now verify that the information is correct and sign the transaction by pressing a dedicated button, or reject the process. The Security Server then reports the confirmation of the transfer to the online banking application in the PC’s or tablet’s browser. That means clients neither have to wait for an SMS and enter the TAN it contains manually, nor have to generate a TAN with a chip TAN generator.
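As an added example that is not part of the press release or KOBIL’s product, the Python model below follows the signing round trip just described: the banking front end asks a server in the SSMS role for the customer’s signature, the server refuses unless the request targets the device bound to that customer, the app shows the details and signs exactly what the user saw, and the server accepts only a signature over the details it holds itself. The per-device key set at registration, the HMAC-SHA256 signature and the canonical JSON encoding are assumptions chosen for the example.

```python
"""Transaction signing on a bound device (Trusted Message Sign role), with the
checks a server must make before reporting a transfer as confirmed.
Constructed example; key handling and signature scheme are assumptions, not KOBIL's design."""
import hashlib
import hmac
import json
import secrets


def canonical(tx):
    """Deterministic byte encoding so app and server sign/verify identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_details(device_key, rid, tx):
    """Signature binds the request id and the details as displayed to the user."""
    msg = rid.encode() + b"|" + canonical(tx)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class SigningServer:
    """Plays the SSMS role between the online banking application and the app."""

    def __init__(self):
        self.bindings = {}   # customer -> (device_id, device_key), set at app registration
        self.requests = {}   # request_id -> {"customer", "tx", "status"}

    def enroll(self, customer, device_id, device_key):
        self.bindings[customer] = (device_id, device_key)

    def request_signature(self, customer, device_id, tx):
        """Called by the banking application. Returns (request_id, status)."""
        bound = self.bindings.get(customer)
        if bound is None or bound[0] != device_id:
            return None, "device binding failed"    # no channel is opened at all
        rid = secrets.token_hex(8)
        self.requests[rid] = {"customer": customer, "tx": tx, "status": "pending"}
        return rid, "pending"                        # details now go to the app

    def complete(self, rid, device_id, decision, signature):
        """Called back by the app. Returns the status reported to the banking application."""
        req = self.requests.get(rid)
        if req is None or req["status"] != "pending":
            return "unknown or already closed request"  # a request is answered once
        bound_id, key = self.bindings[req["customer"]]
        if device_id != bound_id:
            req["status"] = "rejected"
            return "device binding failed"
        if decision != "approve":
            req["status"] = "rejected"
            return "rejected by user"
        expected = sign_details(key, rid, req["tx"])    # over the details on file
        if not hmac.compare_digest(expected, signature):
            req["status"] = "rejected"
            return "signature does not match details on file"
        req["status"] = "signed"
        return "signed"


def app_review(device_key, rid, tx_shown, decision):
    """App side: user sees tx_shown and approves or rejects; nothing else is signed."""
    if decision != "approve":
        return None
    return sign_details(device_key, rid, tx_shown)


def demo():
    """Run the normal case and three failure modes on constructed data."""
    srv = SigningServer()
    key = secrets.token_bytes(32)
    srv.enroll("cust-42", "phone-1", key)
    tx = {"iban": "IBAN-PLACEHOLDER", "amount": "120.00", "currency": "EUR",
          "reference": "Invoice 17"}                  # constructed transfer

    rid, _ = srv.request_signature("cust-42", "phone-1", tx)
    approved = srv.complete(rid, "phone-1", "approve", app_review(key, rid, tx, "approve"))
    again = srv.complete(rid, "phone-1", "approve", app_review(key, rid, tx, "approve"))

    rid, _ = srv.request_signature("cust-42", "phone-1", tx)
    rejected = srv.complete(rid, "phone-1", "reject", app_review(key, rid, tx, "reject"))

    # details altered between bank and app: user approves 120.00, server holds 1200.00
    rid, _ = srv.request_signature("cust-42", "phone-1", dict(tx, amount="1200.00"))
    tampered = srv.complete(rid, "phone-1", "approve", app_review(key, rid, tx, "approve"))

    _, unbound = srv.request_signature("cust-42", "phone-7", tx)
    return {"approved": approved, "again": again, "rejected": rejected,
            "tampered": tampered, "unbound": unbound}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```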

“We are glad to see that KOBIL’s technology has convinced netbank. It will help them complete their mobile banking service with an advanced, easy-to-use and, most of all, convincingly safe and reliable authorization alternative to mobile and chip TAN,” says Adnan Garip, KOBIL Systems’ head of sales in Germany, Austria and Switzerland.

The PSD II-compliant KOBIL technology is based on a platform concept that is easy to extend. “Based on mIDentity, banks can offer their clients other reliable online services, like secured communication,” Garip explains. Of course, netbank knows that, too. “I can well imagine offering our customers more services on this basis,” says Nico Koller.


Berner Kantonalbank secures mobile banking with KOBIL security technologies

WORMS – 18 February 2016. From now on, the Berner Kantonalbank (BEKB) is offering its e-banking customers KOBIL’s mIDentity Protection Platform, a software-based and mobile multifactor authentication for logging in to mobile banking. The platform is made available as a service through the HP Enterprise Service Banking Centre in Bern.

BEKB is continuing its partnership with KOBIL with the implementation of mIDentity Protection. With the mIDentity Stick, its customers are already using USB-based security technology from the platform supplier in Worms. In future, customers can log on to BEKB mobile banking by means of a smartphone app. Soon it will also be possible to sign off transactions via the app. The app has the same level of security as the USB stick and corresponds to the European Banking Authority (EBA) regulations for multifactor authentication, without the need for additional hardware.

The mIDentity Protection product line includes a range of services. It consists of the multifactor authentication Trusted Login and the transaction signature Trusted Message Sign. While Trusted Login serves to identify authorised subscribers and log them in to a service or network by means of multifactor authentication, Trusted Message Sign allows transactions and other confidential communications to be signed off from mobile devices. Apart from multifactor authentication, an important role is played by specially developed apps, device linking and encrypted communication channels, as well as security servers in the background. The back-end Smart Security Management Server (SSMS) ensures the definitive identification of the user by checking whether it is the right app, the corresponding mobile end device activated for it, and the correct user identity.

Another reason why Özgür Koyun, General Manager Switzerland at KOBIL, has a very positive view of the implementation of the mIDentity Protection Platform for digital banking at BEKB is that further digital banking services can be realised on the basis of mIDentity. These could include binding call centre processes, customer communications or real-time customer interaction. Customers could sign contracts online. Together with other partners of the bank, entire digital ecosystems could also be built up, for which the customer only has to log in securely once. Such services would not only extend the bank’s digital service portfolio, but also significantly reinforce the connection between the bank and the customer. “We look forward to a potential widening of the partnership with BEKB and see great potential for the future,” Özgür Koyun summarises.


KOBIL Enters into Partnership with HPE Banking Service Center

Innovative full services for secure client communication expedite the digitalization strategies of financial service providers and companies

WORMS – 21 January 2016. From now on, Swiss financial and other companies can benefit from the services provided by KOBIL’s mobile mIDentity Protection platform for identity authentication and transaction security. The service is provided by the Hewlett Packard Enterprise (HPE) Banking Service Center from its Bern-based data center, which specializes in the financial industry. The partners also intend to offer more services based on KOBIL’s platform.

Banking institutions will be able to use the service as an integrated security feature of the IBIS3G core banking system for their e-banking and other banking services. Other companies can deploy the solution, for instance, to secure their e-commerce transactions and the security-relevant aspects of their communication, protecting user identities across all platforms used. Since the solution is available as a service, investments in proprietary infrastructure can be spared and the implementation time required is reduced significantly. In its role as service provider, HPE will of course take over the respective administration and maintenance.

mIDentity Protection is composed of various individual services. The platform comprises the multi-factor authentication Trusted Login, the transaction signature Trusted Message Sign and the one-time password technology SecOVID. While Trusted Login ensures that the authorized users of specific services or networks are identified and logged on reliably through multi-factor authentication, Trusted Message Sign facilitates the mobile signing of transactions and other security-relevant communications. Apart from multi-factor authentication, specifically hardened apps, device binding and encrypted communication channels, as well as secure servers in the background, also play an important role in this context. The so-called Smart Security Management Server (SSMS) ensures unambiguous user identification.

Özgür Koyun, KOBIL’s Country Manager for Switzerland, explains the partnership’s advantages: “Swiss clients can thoroughly secure their e-commerce and e-banking activities by using mIDentity Protection or the platform’s individual features as a service. Investments in proprietary infrastructure and administration can thus be spared. Thanks to the interfaces used, the services can furthermore be quickly integrated with existing business applications.” Banking institutions that use IBIS3G as their core banking system will incur only minimal integration effort, as the Service Banking Center virtually provides the integration services “ex works”, Koyun explains.

Dr. Marc L. Brogle, Chief Technologist / CTO at the HPE Banking Service Center, points out the partnership’s potential: “On the one hand, we can offer KOBIL’s mIDentity Protection as a service. At the same time, however, we are able to provide other services that require clear identification of users and their communication, which are based on such secured communication. This facilitates the realization of new, binding services between clients and the banking institute – starting with bank accounts and a secured virtual communication space all the way to binding client-bank interactions and concluding contracts online.”

The cooperation commenced in December 2015 and initially involves the services app security, multi-factor authentication, and reliable mobile transaction signing in mobile and online banking.


Swiss Asset Manager Provides Extensive Security with KOBIL’s new Platform

WORMS – 14 January 2016. Swiss asset manager Vontobel relies on KOBIL Systems’ security platform mIDentity Protection for its e-banking. The platform optimizes aspects such as strong authentication and secured access from desktops and mobile devices – not only for private banking clients but also for independent asset managers and the bank’s own employees.

The basic components of the new e-banking portal used by Vontobel are Trusted Login, Trusted Web View and the Trusted App made by KOBIL Systems. The so-called “mini” USB token serves as the login device with which the client’s digital identity is verified. It contains the Trusted Web View (secured browser) app for Windows and Mac OS required for secured e-banking from desktops.

The supplied browser is hardened by Trusted Web View (TWV): it is pre-configured so that clients can open only the bank’s website. The chip card integrated into mini encrypts the communication and authenticates the user.

When the mIDentity platform is in use, a dedicated server in the background continuously monitors and secures the applications. The server uses a separate security channel to verify device uniqueness, application authenticity and user authentication. “Through mIDentity Protection we offer clients, partners and employees secured access to the applications they permanently need,” Dr. Erik Dahmen, KOBIL’s Product Manager, proudly explains.

Secured banking also on mobile platforms

The adoption also enables Vontobel to offer its clients new and reliable mobile banking options, as secured log-on and safe access to mobile banking are now realized through iOS and Android apps based on KOBIL’s Trusted App. Vontobel uses this basic security feature to protect its apps.

However, it is not only Vontobel’s end clients who benefit from KOBIL’s new security platform. Employees can now also access internal applications via Trusted Login provided through smartphone apps. As a further upgrade, the new online portal for independent asset managers is also going to be optimized and secured with safe log-on based on Trusted Web View and the USB token mini.

This means that the entire authentication of third-party access to Vontobel’s applications has been consolidated on KOBIL’s platform. There is now one central access point to define which programs and information are made available to specific users.


KOBIL provides security for Migros mobile payments

WORMS – 10 November 2015. Since the end of August, the Migros Cooperative Association has enabled its customers to pay by smartphone – even if the mobile phone is offline. In order to process the payment transactions securely, the Swiss company uses the mIDentity security platform by KOBIL Systems to protect the App and the identity of the user against hacker attacks. KOBIL also provides the back-end security infrastructure and secures communication between the Migros payment servers and the payment providers.

No bothersome cash, no expensive credit cards and no bank cards. Buyers only need to whip out their constant companion, their smartphone, and can settle the due payment via an App. This is quicker and easier for the customer. The mobile payment function integrated into the Migros App generates a 2D code containing information about the identity of the payer and the payment method. This code is scanned at the checkout and transmitted to the Migros payment servers, which handle secure communication with the payment providers that ultimately authorise the transaction. The whole payment process, including the back-end processing, takes place at least just as quickly as a traditional payment with cash or bank/credit card, with more convenience and security for the customer. The advantage for Migros is that mobile payments promote customer loyalty and the company can provide incentives to make using the Migros Bank even more popular among its customers.

Before customers use the App for the first time to make a payment, they must activate the function, be allocated a PIN code and provide details of method(s) of payment (Migros bank account or current credit cards). To make a payment, a customer enters the PIN code and selects the method of payment. The App then generates the aforementioned 2D code that authorises the payment transaction. After that the customer receives a payment confirmation on their mobile phone.

The App is not dependent on Near Field Communication (NFC). It works on Apple and Android smartphones and does not require any special hardware. The payment function is also active if the mobile phone has no network connection.

Migros secures the mobile payment transaction using the mIDentity security platform by KOBIL Systems in Worms. The platform offered by the German provider ensures the security of the App, which was developed with the help of KOBIL’s App Security Toolkit; the toolkit contains various security mechanisms and generates the 2D code. It offers a range of integrated security functions: protection from debugging and reverse engineering, security sensors (jailbreak and malware detection), software hardening methods that resist known run-time attacks, encryption, secure keystores for application-specific certificates, and trustworthy certification mechanisms that are independent of the operating system. The SDK also ensures that the Migros App cannot be accessed by other applications, which could otherwise lead to manipulation of the App.

KOBIL is also involved in the payment server, which not only processes the customer transaction data contained in the 2D code but also ensures secure communication with the systems at Migros Bank and other payment providers. The payment server is fitted with KOBIL’s Smart Security Management Server (SSMS). Its functions include checking the code generated by the App, including the PIN and the device signature, as well as authorisation. This ensures that the encrypted data indeed comes from the relevant App and that the App is using the selected method of payment correctly. Only after the server has successfully completed its checks does it forward the data contained in the 2D code and the transaction data to the Migros Bank core system or to that of a third-party payment provider. After these have confirmed the solvency of the customer, the checkout activates the transaction in the payment server and the customer account is debited. The whole process takes place in real time, so the customer does not have to wait at the checkout.

Dr. Adrian Büren, responsible for the mobile payment project at Migros, is convinced that the mobile payment function in the Migros App ensures greater customer convenience and therefore loyalty. “In future more and more customers will expect that they can pay us by mobile phone and we would like to offer them this convenience with the greatest possible security. The security and identity mechanisms necessary for this have been provided to us by KOBIL. As we have already cooperated with them for mobile banking for the Migros Bank, we were already familiar with their expertise and did not have to start anew for mobile payment. The cooperation with KOBIL therefore enabled a swift implementation of the platform.” Thomas Balgheim, the chief representative at KOBIL, states: “Our mIDentity platform is extremely secure and is used, for example, by major banks and logistics providers for authorisation and identity management. We have now extended the platform for mobile payment transactions. We are especially delighted that Migros uses our technology across a range of business areas, thereby creating an ecosystem between them.”

Paying with the Migros App – this is how it works

Evaluation of EBA requirements towards “Strong customer authentication”

“Final guidelines on the security of internet payments (EBA/GL/2014/12)”, from our product portfolio’s point of view

This article compares the requirements stipulated by the European Banking Authority (EBA) for Strong Customer Authentication with their technical implementation in the products “mIDentity Protection – Trusted Message Sign” and “mIDentity Protection – Trusted Login plus OTP calculation”.

Requirement: Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: i) something only the user knows, e.g. static password, code, personal identification number; ii) something only the user possesses, e.g. token, smart card, mobile phone; iii) something the user is, e.g. biometric characteristic, such as a fingerprint.

  • mIDentity Protection – Trusted Message Sign
    The factors deployed are knowledge (PIN) and ownership (device-linkage to the mobile terminal device).
  • mIDentity Protection – Trusted Login plus OTP calculation
    The factors deployed are knowledge (PIN) and ownership (a proprietary key for OTP calculation, and thus linkage to the mobile terminal device).

Requirement: In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).

  • mIDentity Protection – Trusted Message Sign
    Two-factor authentication is realized (1) by PIN verification and (2) by verifying the device-linkage. Both features are verified independently in the SSMS. Once both have been verified successfully, the signature key that is used in a subsequent step to authorize payments by digital signature is enabled.
  • mIDentity Protection – Trusted Login plus OTP calculation
    Two-factor authentication is realized (1) by PIN verification and (2) by verifying the proprietary key for OTP calculation, and thus the linkage to a specific device. Both features are verified independently in the SSMS in the course of OTP verification. For this purpose, the Client integrates the PIN into the OTP calculation. Successful verification of the OTP as payment authorization requires the correct PIN as well as the correct key; conversely, a wrong PIN or a wrong key results in an incorrect OTP. Note, however, that determining that an OTP is incorrect generally requires verification in the SSMS.

Requirement: At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.

  • mIDentity Protection – Trusted Message Sign
    The features required for device-linkage are acquired automatically when the application is first used (activated) and transmitted to the SSMS. Users have no influence on this process and can thus neither re-use nor reproduce these features. The SDK deploys security precautions to prevent the features from being stolen unnoticed. The digital signature generated for payment authorization can be clearly allocated to the respective payment transaction; any re-use for the purpose of authorizing additional transactions is excluded.
  • mIDentity Protection – Trusted Login plus OTP calculation
    The SSMS generates the proprietary key for OTP calculation when the application is first used (activated); the key is then transmitted to the Client. The key’s uniqueness is guaranteed. The SDK deploys security precautions to prevent the key from being stolen unnoticed. An OTP generated to authorize a payment can be used only once; the SSMS rejects OTPs that have already been used. Additionally, payment data can be included in the OTP calculation, so that each OTP can be clearly allocated to an individual payment transaction; any re-use for the purpose of authorizing additional transactions is excluded.
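
The two properties claimed above for “Trusted Login plus OTP calculation” (a wrong PIN or wrong key yields a wrong OTP, and a used OTP is rejected) are easiest to see in code. The following is an added example written for this article, not KOBIL’s own SDK or SSMS code; it also mirrors the kind of check the Migros payment server is described as performing on the PIN and device-bound data before forwarding a transaction. The concrete construction is an assumption: HMAC-SHA256 over a length-prefixed encoding of PIN, payment data and a per-device counter, HOTP-style truncation to eight digits, and a monotonic counter per device for replay detection. The server stores the reference PIN in the clear only for brevity; all keys, PINs and payment data are constructed sample values.

```python
# Added example (not KOBIL's code). Models a PIN-bound, device-key-bound,
# transaction-bound OTP and its server-side verification with replay rejection.
# The HMAC/HOTP-style construction and the counter scheme are assumptions.
import hashlib
import hmac
import secrets
import struct

OTP_DIGITS = 8


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so that ("12", "3") and ("1", "23") cannot collide."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def compute_otp(device_key: bytes, pin: str, payment: dict, counter: int) -> str:
    """Client-side OTP. A wrong PIN, a wrong key, altered payment data or a
    different counter all change the HMAC input and therefore the OTP."""
    message = encode_fields(
        pin.encode(),
        payment["payee"].encode(),
        str(payment["amount_cents"]).encode(),
        payment["currency"].encode(),
    ) + struct.pack(">Q", counter)
    mac = hmac.new(device_key, message, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226), applied to the SHA-256 output.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class OtpServer:
    """Stand-in for the verifying server. Per device it holds the key issued at
    activation (ownership factor), the reference PIN (knowledge factor) and the
    last counter value that was accepted."""

    def __init__(self) -> None:
        self._devices = {}

    def activate(self, device_id: str, pin: str, key=None) -> bytes:
        """Issue a unique per-device key at activation; a fixed key may be
        passed in only to make the walkthrough deterministic."""
        key = key if key is not None else secrets.token_bytes(32)
        self._devices[device_id] = {"key": key, "pin": pin, "last_counter": -1}
        return key

    def verify(self, device_id: str, otp: str, payment: dict, counter: int) -> str:
        dev = self._devices.get(device_id)
        if dev is None:
            return "unknown device"
        # Replay protection: a counter value is accepted at most once and must
        # move past the last accepted one, so a captured OTP cannot be re-used.
        if counter <= dev["last_counter"]:
            return "replay"
        # The server recomputes the OTP with its own copy of both factors. It
        # learns only that the OTP is wrong, not which factor was wrong.
        expected = compute_otp(dev["key"], dev["pin"], payment, counter)
        if not hmac.compare_digest(expected, otp):
            return "invalid"
        dev["last_counter"] = counter
        return "ok"


def walkthrough() -> list:
    """Runs the scenarios from the evaluation and returns the server verdicts."""
    server = OtpServer()
    key = server.activate("phone-1", "4711", key=b"\x11" * 32)  # constructed key
    payment = {"payee": "Migros", "amount_cents": 1995, "currency": "CHF"}  # constructed
    tampered = dict(payment, amount_cents=199500)
    otp = compute_otp(key, "4711", payment, 1)
    return [
        server.verify("phone-1", otp, payment, 1),                                   # ok
        server.verify("phone-1", otp, payment, 1),                                   # replay
        server.verify("phone-1", compute_otp(key, "0000", payment, 2), payment, 2),  # wrong PIN
        server.verify("phone-1", compute_otp(b"\x00" * 32, "4711", payment, 2), payment, 2),  # wrong key
        server.verify("phone-1", compute_otp(key, "4711", payment, 2), tampered, 2), # amount altered
        server.verify("phone-1", compute_otp(key, "4711", payment, 2), payment, 2),  # ok, fresh counter
    ]


if __name__ == "__main__":
    print(walkthrough())
```

Two design points are worth noting. Binding the payment data into the OTP is what turns a login OTP into a transaction-authorization OTP: an attacker who alters the amount between the phone and the server invalidates the code. And because the PIN and the key are combined before the MAC, the verdict "invalid" does not reveal whether the PIN or the device key was wrong, which is why the evaluation says an incorrect OTP can only be established by the SSMS.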

Requirement: The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.

  • The PIN, the features related to device-linkage and the key required for OTP calculation are communicated via a dedicated encrypted and authenticated channel. Certificate pinning, URL whitelists and a separate SSL stack protect this channel against Man-in-the-Middle and Man-in-the-Mobile attacks.

Dr. Erik Dahmen