Pain points

Simple authentication methods such as mobile OTP (One-Time Password), mobile authentication apps, mobile phone identity verification, and biometrics are widely used in internet-based financial transactions; they allow easy authentication with a user's smartphone rather than a separate device. However, it is still difficult to fully prevent incidents in which personal information is intercepted in financial services, due to the inherent vulnerabilities of connected devices.

 

 


Risk of smishing incidents in mobile OTP

A phishing scam at one bank in Singapore in 2021 demonstrated how mobile OTP remains vulnerable to smishing. Because the OTP was delivered by mobile text message, it was stolen, and scammers sent a fake text message to bank users. This resulted in at least 469 victims with a loss of around $8.5 million, which led to the bank's plans to transition to a digital OTP authentication process being put on hold. In Korea, there has also been a case in which a hacker, posing as a family member, installed remote-control malware on a mobile phone through a link in a text message, and then used the stolen personal information to obtain a mobile OTP and transfer a large amount of money.

Relative security vulnerabilities compared to physical OTP

Mobile OTP is vulnerable to external cyber-attacks such as hijacking, since it generates OTPs only online, unlike physical OTP devices that generate OTPs even when disconnected from the network. Mobile authentication apps that use a trusted execution environment (TEE) to protect the encryption key for OTP generation are also unlikely to be considered a perfect alternative, because they can still be manipulated by malicious code. Despite being inconvenient to carry and needing periodic replacement, physical OTPs still provide unparalleled security in comparison to the other two-factor authentication (2FA) methods mentioned above.

Smart OTP's separate card requirement, limited OS support and operation delay

Smart OTP is evaluated as an incomplete service because, despite offering enhanced security, it still requires the user to carry a separate card. It also cannot be used on iPhone, despite the advantage of being compatible with other banks, unlike existing mobile OTP. In addition, many problems remain, including operational delays in generating OTPs.

Solutions

swIDch provides a mobile OTP that can be easily applied to payment cards such as debit and credit cards. Whenever a user taps their mobile device with a debit or credit card that has our patented OTAC (One-time-authentication-code) applet embedded, it generates a first OTAC, which is used to generate a second OTAC for their financial transactions. This means that users get the advantages of hardware OTP and mobile OTP at the same time: strong security and a convenient user experience. Since near field communication (NFC) is possible through the IC chip of the card, it can be applied not only to payment, but also to financial transactions, physical access, system login, and even identity verification.

 

 


 

    • Because the second OTAC used for financial transactions is generated from a primary OTAC produced by tapping the card on the back of the mobile device, it fundamentally blocks hackers from stealing the seed value in the memory.
    • It prevents hackers from infecting someone's smartphone with malicious code and then using that person's information through remote control to illegally use financial services such as large-sum remittance.
    • On both Android and iOS, it authenticates payment card registration and financial transactions by simply tapping a card with the OTAC applet embedded, even without entering PIN codes.

 


Card tapping mobile OTP based on OTAC

swIDch’s card tapping mobile OTP reduces the hassle of carrying a separate device by adding an OTP generation function to a payment card, thus providing the strong security through separation of the authentication medium that is normally only provided by physical OTP. A card with the OTAC applet embedded generates the first OTAC through NFC communication with the smartphone. Since the first code generated from the card is changed into a second ‘OTAC’ via the application, there is no risk of sniffing, something that can occur during standard NFC transactions.

As the card tapping mobile OTP based on OTAC is embedded on a debit/credit card, you can use financial services that require 2FA such as high-value remittance services more safely and easily by simply tapping the payment card on the back of your smartphone. In other words, there is no need to issue a separate physical OTP device for 2FA only. Above all, it provides a safer financial service environment by preventing mobile OTP incidents associated with high-value remittances, including theft of user information from a smartphone infected with malicious code.

 


All-in-One Card with Integrated Mobile OTP

OTAC embedded cards can also be used as a means of authentication beyond payment. Even when logging in to mission-critical sites such as internet banking, you can generate a one-time QR code just by tapping the card on the back of your smartphone. You can also use the same card to enter the office or a restricted area by tapping it on the digital door lock. Businesses can use this innovative card by integrating corporate payment cards, access control devices, and employee ID into one card. The high manufacturing costs related to the contactless payment function will be alleviated naturally through additional uses other than payment only.

 

 


Why swIDch

OTAC, developed by swIDch, is the original technology that provides all of the following features, tested and substantiated by the University of Surrey technical report:

    • DYNAMIC CODE that is sufficient to IDENTIFY user
    • DYNAMIC authentication code that does NOT duplicate
    • Uni-directional authentication in off-the-network environment

OTAC is a dynamic code, which means the code keeps changing. As a result, you don’t need to worry about any leak of your personal information, such as your card details, because the codes will already have changed by the time others try to use them.

The network connection is NOT necessary at all for generating OTAC.

Removing an authentication stage that requires a network connection directly means there are fewer gateways for hackers to access our personal information.

Moreover, this feature enables users to authenticate even when they are in networkless environments, such as on a plane, underground, or in rural or foreign areas.

swIDch can guarantee that the code never duplicates with anyone at any given moment.

There is NO chance of someone else having the same code.

The users or their devices can be identified with the code alone.

Once OTAC has been generated, providing OTAC alone is already fully sufficient to identify the user as the code is unique.

This means you can forget about the bundles of static information including IDs and passwords.