Case study

'A-Card' (De-identified Bank) Dynamic App Verification

swIDch significantly improved customer churn prevention and service availability by providing a basis for A-Card (name redacted to protect identity) to streamline the device authentication process while enhancing service stability and the security level.

'A-Card' bank (name redacted to protect identity), one of the largest credit card companies in Korea, ended its A-Card app service on August 31, 2022, and integrated the existing app service into its own 'B Pay' app from September 1. A-Card's 'B Pay', which has over 5M monthly active users (MAU) as of the end of January 2023, is a payment service that can be used conveniently without a physical card through various payment methods, including barcode, QR code, magnetic secure transmission (MST), and near field communication (NFC), both online and offline. swIDch's OTAC Device Authentication Token, applied to B Pay, dramatically reduces unnecessary payment authentication steps, improving the convenience of using the B Pay app, and enhances security by blocking hacking attempts that try to control customer devices through other terminals.


Challenge

Because A-Card's 'B Pay' app had to meet the security level set by financial supervisory authorities such as the Credit Finance Association and the Financial Supervisory Service, its authentication process was more complicated than that of fintech companies that go through only the minimum security process. Frequent card registration authentication was also inconvenient for users. The existing authentication process required at least two steps at the time of payment, and customer churn occurred in this process. In addition, it was necessary to prevent the use of abnormal methods by verifying the transaction interlocking data at the time of payment. Above all, the app had become slow as a result of the frequent authentication procedures, and this also needed to be resolved. The OTAC device authentication token, built on swIDch's OTAC (One-Time Authentication Code) technology, was proposed as a solution that could resolve these challenges.


The Solution

The OTC Device Authentication Token applied to A-Card's B Pay app periodically transmits a dynamic authentication code, valid only at the present moment, from the user's device to the financial institution's server. This lets the server check unidirectionally whether a legitimate customer's device is the one accessing it: access is confirmed solely by verifying the received OTAC.


When a user signs up for or registers the app, the OTC Device Authentication Token securely provides a unique value from which a dynamic authentication code (OTAC) usable only on that user's device can be generated, and stores that unique value safely on the device. The OTAC generation module installed in the user's app keeps the unique value for generating dynamic codes safely on the device, and generates and transmits a valid dynamic code at every point in time. Meanwhile, the OTAC verification module loaded on the financial service company's server verifies the periodically transmitted OTAC and assigns a unique value to each user.

Expected effect

swIDch significantly improved customer churn prevention and service availability by providing a basis for A-Card to streamline the device authentication process while enhancing service stability and the security level.

As the mobile financial environment has become commonplace and non-face-to-face financial transactions have taken the lead, card companies are strengthening their platforms and building open platforms to respond to big tech companies. swIDch's OTC Device Authentication Token guarantees user convenience, cost-effectiveness, and security at the same time.

The OTC Device Authentication Token automatically generates and verifies OTAC dynamic authentication codes that include transaction interworking data, session information, and device information, all in the background. This reduces unnecessary user authentication steps and, through OTAC verification, extends the sessions between financial service apps and servers, eliminating the inconvenience of frequent logouts and re-logins. It therefore not only reduces operational cost by shortening verification time compared to a token server that depends on network communication, but also supports an environment in which users can make convenient payments even offline.
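The two paragraphs above (the provisioning of a device-held unique value and the generation of a dynamic code that binds transaction, session and device data) describe a general pattern without giving swIDch's algorithm. The following Python sketch is an added illustration of that pattern only; it is not swIDch's OTAC implementation or the B Pay code, and every name, parameter and sample value in it is constructed for the example. It uses a time-windowed HMAC over the context data, keyed with a per-device secret provisioned at enrolment, and a server that verifies the code, tolerates small clock drift, and refuses to accept the same code twice (a replay check, which is one way to give practical effect to the "valid only at the present moment" property the page describes).

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration (not swIDch's values).
STEP_SECONDS = 30   # length of one time window
CODE_HEX_LEN = 12   # truncated HMAC output presented as the "code"


def _encode_context(context: dict) -> bytes:
    """Canonical encoding of the data bound into the code (transaction
    details, session id, device id). Sorted keys plus length prefixes make
    sure two different contexts can never encode to the same bytes."""
    out = b""
    for key in sorted(context):
        k = str(key).encode()
        v = str(context[key]).encode()
        out += len(k).to_bytes(2, "big") + k + len(v).to_bytes(2, "big") + v
    return out


def generate_code(secret: bytes, window: int, context: dict) -> str:
    """Dynamic code for one time window: HMAC-SHA256 over the window number
    and the bound context, keyed with the device-held secret."""
    msg = window.to_bytes(8, "big") + _encode_context(context)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:CODE_HEX_LEN]


class DeviceApp:
    """Client side: holds the per-device secret provisioned at enrolment
    and produces a code for the current window without any network round trip."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def code_for(self, context: dict, now: int) -> str:
        return generate_code(self._secret, now // STEP_SECONDS, context)


class VerificationServer:
    """Server side: stores each user's secret, recomputes the expected code
    for the current window (plus/minus a drift allowance) and rejects replays."""

    def __init__(self, drift_windows: int = 1):
        self._secrets: dict[str, bytes] = {}
        self._seen: set[tuple] = set()   # (user_id, window, code) already accepted
        self.drift = drift_windows

    def enroll(self, user_id: str) -> bytes:
        """Provision a fresh random secret for this user's device."""
        secret = secrets.token_bytes(32)
        self._secrets[user_id] = secret
        return secret

    def verify(self, user_id: str, code: str, context: dict, now: int) -> bool:
        secret = self._secrets.get(user_id)
        if secret is None:
            return False
        current = now // STEP_SECONDS
        for w in range(current - self.drift, current + self.drift + 1):
            expected = generate_code(secret, w, context)
            if hmac.compare_digest(expected, code):
                if (user_id, w, code) in self._seen:
                    return False            # replay of an already-accepted code
                self._seen.add((user_id, w, code))
                return True
        return False                        # wrong secret, context, or window


def demo() -> dict:
    """Run the enrol -> generate -> verify flow on constructed sample data."""
    server = VerificationServer()
    secret = server.enroll("user-123")
    app = DeviceApp(secret)
    ctx = {"device_id": "dev-abc", "session": "s-1", "amount": "15000", "merchant": "m-77"}
    now = 1_700_000_000
    code = app.code_for(ctx, now)
    return {
        "accepted": server.verify("user-123", code, ctx, now + 5),
        "replay": server.verify("user-123", code, ctx, now + 6),
        "tampered_amount": server.verify("user-123", code, dict(ctx, amount="150000"), now + 5),
        "other_device": server.verify("user-123", code, dict(ctx, device_id="dev-xyz"), now + 5),
        "expired": server.verify("user-123", code, ctx, now + 10 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the transaction amount and device id are inputs to the code, not metadata sent beside it: a code captured on one device cannot be replayed from another device or attached to a different transaction, which is the property the page attributes to "transaction interlocking data" verification. In a real deployment the `_seen` set would be pruned by time window and the secret would live in hardware-backed storage on the device.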

In addition, it can be used alongside the fraud detection system (FDS) that many financial companies operate to further enhance security, or as a substitute for the FDS function. swIDch is helping B Pay provide more optimized services by protecting A-Card against hacking attempts that impersonate users through other devices.

Why swIDch

OTAC, developed by swIDch, is the original technology that provides all of the following features, tested and substantiated by the University of Surrey technical report:

DYNAMIC CODE that is sufficient to IDENTIFY the user
DYNAMIC authentication code that does NOT duplicate
Uni-directional authentication in an off-the-network environment

OTAC is a dynamic code, which means the code keeps changing. As a result, you don't need to worry about any leak of your personal information, such as your card details, because the codes will already have changed by the time others try to use them.

The network connection is NOT necessary at all for generating OTAC.

Reducing an authentication stage that requires a network connection directly means there are fewer gateways for hackers to access our personal information.

Moreover, this feature enables users to authenticate even when they are in networkless environments, such as on a plane, underground, or in rural or foreign areas.

swIDch can guarantee that the code never duplicates with anyone at any given moment.

There is NO chance of someone else having the same code.

The users or their devices can be identified with the code alone.

Once OTAC has been generated, providing OTAC alone is already fully sufficient to identify the user as the code is unique.

This means you can forget about the bundles of static information, including IDs and passwords.