The 'Doku e-Wallet' service, provided by Doku, an Indonesian payment gateway (PG), is Indonesia's representative electronic wallet payment service with more than 2.5 million active users. By supplying its OTAC Dynamic Token to Doku's e-wallet service, swIDch enables consumers to use the service stably and safely, without inconvenience, even in off-the-network environments.
Doku bears liability for personal information leakage arising from 2D barcodes or QR codes that encode fixed values, including card-not-present (CNP) fraud using fixed card numbers, even when the card data itself has not been exposed, lost, or stolen. A more secure authentication method was needed to counter financial crimes such as fraudulent use following a BIN attack, in which card numbers are generated at random according to certain rules until valid ones are found. In addition, since most token payment methods based on two-way communication produce payment errors over unstable networks, an authentication method that can provide stable service even in poor communication environments was required.
swIDch has provided Doku with a safe and convenient electronic payment authentication process using its own OTAC (One-Time Authentication Code) algorithm, a one-way dynamic authentication method, which blocks fraudulent use following a personal information leak and lets users create tokens directly on their devices even when no communication network is available.
The OTAC Dynamic Token that swIDch provides to Doku generates a non-overlapping dynamic code without any additional infrastructure, even in an offline environment where the network is unstable or there is no connection at all. The authentication code generated in this way replaces fixed-value credentials such as ID/password and card numbers. The OTAC Dynamic Token applied to Doku's e-Wallet consists of 'OTAC Dynamic PAN', a token for payment, and 'OTAC Device Authentication Token', a token for device authentication.
OTAC Dynamic PAN is a one-time dynamic card number created with the OTAC algorithm. It can be issued and registered in the same way as in the existing payment process, and can be used even when communication with the server is restricted. In the existing token-based e-wallet payment approval method, a token is requested from a token service provider for each mobile payment, and a payment token is returned instead of the actual card number. The user receives the token, presents it to the store, shop and/or POS, and the payment is made. With OTAC Dynamic PAN the user does not need to request a payment token from a token provider: the payment token is created directly on the user's device, on which OTAC has already been provisioned, and presented for payment. Because no separate request to the server is needed, user convenience is further improved.
Previous E-Wallet payment approval method using existing tokens (TOKENIZATION)
NEW E-Wallet payment approval method with OTAC applied
The OTAC Device Authentication Token periodically transmits a dynamic code, valid only at the present time, from the user device to the financial institution server, so that the server can confirm the access comes from a legitimate customer device by one-way verification of the received code alone. When the user signs up for or registers the app, a unique value for generating dynamic authentication codes is provisioned to that device only, and the value is stored securely on the device. As a result, login session extension can be performed easily with OTAC device authentication, enabling a stable payment process. It can also be extended to serve as a fraud detection system (FDS) function that blocks attackers' attempts to use other terminals.
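To make the two mechanisms above concrete (the device-generated one-time payment number of the Dynamic PAN, and the time-bound device authentication code verified one-way by the server), here is an added illustrative example; it is not swIDch's OTAC algorithm nor any Doku code. It assumes a conventional keyed-hash construction (HMAC-SHA256 over a device id and a 30-second time step, in the spirit of RFC 4226/6238 one-time passwords) as a stand-in for the proprietary algorithm, and the names `AuthServer`, `generate_code`, `dynamic_pan`, `STEP_SECONDS` and `DRIFT_STEPS` are invented here. The device side needs no network; the server side verifies with the secret it issued at registration, tolerates small clock drift, and refuses to accept a code twice.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

STEP_SECONDS = 30   # assumed validity window of one code
DRIFT_STEPS = 1     # assumed clock skew (in steps) the server tolerates


def time_step(now: float) -> int:
    """Map a Unix timestamp to the current code interval."""
    return int(now // STEP_SECONDS)


def _mac(secret: bytes, device_id: str, step: int) -> bytes:
    """Keyed hash binding the device's stored secret, its id and the time step."""
    msg = device_id.encode() + struct.pack(">Q", step)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def code_for_step(secret: bytes, device_id: str, step: int, digits: int = 8) -> str:
    """Numeric authentication code for one time step (RFC 4226-style truncation)."""
    mac = _mac(secret, device_id, step)
    offset = mac[-1] & 0x0F
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)


def generate_code(secret: bytes, device_id: str, now: float) -> str:
    """Device side: derive the current code offline from local secret and clock."""
    return code_for_step(secret, device_id, time_step(now))


def dynamic_pan(secret: bytes, device_id: str, now: float) -> str:
    """Device side: render the same derivation as a 16-digit one-time card
    number stand-in (no BIN or check digit; illustrative only)."""
    mac = _mac(secret, device_id, time_step(now))
    return str(int.from_bytes(mac, "big") % 10 ** 16).zfill(16)


@dataclass
class DeviceRecord:
    secret: bytes
    last_step: int = -1   # highest step already accepted; blocks replay


class AuthServer:
    """Server side: holds per-device secrets and verifies codes one-way."""

    def __init__(self) -> None:
        self.devices: dict[str, DeviceRecord] = {}

    def register(self, device_id: str) -> bytes:
        """At sign-up, issue the device's unique value; it is delivered once
        and thereafter never leaves the device."""
        secret = os.urandom(32)
        self.devices[device_id] = DeviceRecord(secret)
        return secret

    def verify(self, device_id: str, code: str, now: float) -> bool:
        rec = self.devices.get(device_id)
        if rec is None:
            return False
        current = time_step(now)
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= rec.last_step:
                continue  # already consumed or older than the last accepted code
            expected = code_for_step(rec.secret, device_id, step)
            if hmac.compare_digest(expected, code):
                rec.last_step = step  # single use: the same code will not verify again
                return True
        return False


if __name__ == "__main__":
    server = AuthServer()
    secret = server.register("wallet-device-01")   # constructed device id
    now = 1_700_000_000.0                           # constructed timestamp
    code = generate_code(secret, "wallet-device-01", now)
    print("code:", code, "accepted:", server.verify("wallet-device-01", code, now))
    print("replay accepted:", server.verify("wallet-device-01", code, now))
    print("dynamic PAN:", dynamic_pan(secret, "wallet-device-01", now))
```

The replay check (`last_step`) is what makes a captured code worthless to a third party, and the drift window is the trade-off between tolerating device clock error and widening the acceptance window; a real deployment would also rate-limit failed verifications per device.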
swIDch gives Doku a foundation for providing a stable, convenient and safer electronic wallet service that is unaffected even in Indonesia's isolated islands and mountainous areas, where the communication network is rather poor. Doku's e-wallet users use payment tokens generated on their mobile devices to enjoy convenient and safe service not only in online shopping but also in offline stores.
Through the introduction of OTAC Dynamic Token, Doku was able to significantly reduce both the initial deployment cost and the operating cost. OTAC Dynamic PAN can be applied easily to the existing payment infrastructure by matching OTAC between the user's mobile device and the token server. In addition, when used offline, tokens are generated directly on the user's device, minimizing network traffic between users' devices and the token servers.
Thanks to its convenient usability and stable service, it is also helping to increase customer loyalty. Doku e-Wallet users can make payments in offline mode even where the network is unstable, as long as the local user of the device has been authenticated in advance. This compensates for the shortcomings of communication-based tokens and helps prevent customer churn caused by network instability during payment.
OTAC Device Authentication Token can be used as part of a fraud detection system (FDS) that blocks attackers from using other terminals, as well as to extend the login session between financial service apps and servers through OTAC verification. It resolves the inconvenience of frequent logout and re-login when using a financial company's app.
OTAC provides all of the following features, tested and substantiated by the University of Surrey technical report:
- Generated in off-the-network environment
- Code that does NOT duplicate
- Sufficient to IDENTIFY user
OTAC is a dynamic code, which means the code keeps changing. As a result, you don't need to worry about any leak of your personal information, such as your card details, because the codes will already have changed by the time others try to use them.
The network connection is NOT necessary at all for generating OTAC. Removing an authentication stage that requires a network connection directly means there are fewer gateways through which attackers can reach our personal information. Moreover, this feature enables users to authenticate even when they are in networkless environments, such as on a plane, underground, or in rural or foreign areas.
swIDch can guarantee that the code never duplicates with anyone at any given moment. There is NO chance of someone else having the same code.
The users or their devices can be identified with the code alone. Once OTAC has been generated, providing OTAC alone is already fully sufficient to identify the user, because the code is unique. This means you can forget about the bundles of static information, including IDs and passwords.