Pain points

Simple authentication methods such as mobile OTP (One-Time Password), mobile authentication apps, mobile phone identity verification, and biometrics are widely used in internet-based financial transactions, which allow for easy authentication with a user's smartphone rather than a separate device. However, it is still difficult to fully block interceptions of personal information incidents in financial services due to the inherent vulnerabilities of connected devices. 

 

 

IT_twi001t3276058 4MP

Risk of smishing incidents in mobile OTP

A phishing scam at one bank in Singapore in 2021 demonstrated how mobile OTP remains vulnerable to smishing. As the OTP was delivered by text message via mobile, it was stolen and a fake text message was sent to bank users by scammers. This resulted in at least 469 victims with a loss of around S$8.5 million, which lead to the banks plans to transition to a digital OTP authentication process being put on hold. In Korea, a case in which a hacker installed a remote-control malicious code on a mobile phone through a link in a text message under the guise of a family member, and then used the stolen personal information to obtain a mobile OTP and transfer a large amount of money, has also been noted.

Relative security vulnerabilities compared to physical OTP

Unlike physical OTP devices (hardware tokens) that generate OTPs while separated from the network, current mobile OTPs (software tokens) are generated online, with user authentication and OTP generation performed within a single mobile environment. This means mOTPs are vulnerable to external cyber-attacks such as hijacking. After all, despite the inconvenience of portability and the need for periodic replacement, physical OTPs still provide unparalleled security in comparison to other two-factor authentication (2FA) methods.

 

Solutions

swIDch provides TAP-OTAC (card tapping mobile OTP) to protect against external threats that exploit the security vulnerability of mobile OTP by utilizing medium separation which is free from cyber-attacks. It can be easily applied to payment cards such as a debit card and/or credit card, generating non-duplicate and non-reusable OTPs by simply tapping the card on the user's mobile device. It means that users acquire the advantages of hardware OTP (hardware tokens) and mobile OTP (software tokens) at the same time; robust security and convenient user experience.

 

HubSpot Video

 

Blocking the sniffing risk fundamentally

Cards equipped with the TAP-OTAC applet generate a first OTAC through smartphone near field communication (NFC). Since the first primary code generated from the card generates a second OTAC through linking with the app, there is no risk of sniffing during NFC, or hacking through stealing the seed value in memory.

 

swIDch card tapping mobile OTP

Prevention of user theft

swIDch’s TAP-OTAC allows for self-authentication by tapping a card equipped with the OTAC applet to the mobile device, so hackers cannot remotely control your smartphone infected with malicious code in order to receive new or reissue mobile OTPs. Above all, it combines user identification and authentication steps without the possibility of code duplication with other users.

Card tapping mOTP_4

User friendly UX

The OTAC-based card tapping mobile OTP is linked to the payment card for cash withdrawal and payment. Therefore, you can safely and easily use financial services that require secondary authentication, such as high-value remittance services, simply by tapping the payment card on the back of your smartphone. There is no need for any separate physical OTP device for 'secondary authentication'.

OTP v1-1
Toss Bank

 

> Read our Toss Bank case study 

Benefits

swIDch’s TAP-OTAC is equipped with a strong user authentication function on the payment card using a unique identification key. Therefore, it not only increases the frequency of card use by cardholders, but also reduces costs associated with the issuance of physical OTPs for banks. In particular, it can be expanded to cover integrated functions which require authentication including payment, access control, and ID cards by utilizing the NFC function (all-in-on card).

Card tapping mOTP_5

Customer loyalty increase

As of 2021, there are 2.8 billion credit cards in use worldwide. Americans have an average of four credit cards, and EU residents have 0.8 to 3.9 mobile cards per capita. In Korea, the number of credit cards held per person stood at 1.79. swIDch’s TAP-OTAC increases the frequency of physical card use by adding the OTP function to the payment card. Considering that most consumers normally use one or two cards, it will naturally lead to the effect of increasing customer loyalty.

Reducing deployment costs

swIDch’s TAP-OTAC is already installed in the form of applet in contactless payment cards, currently used worldwide. Therefore, there is no need to issue the physical OTP device. In addition, there is no need to add more security layers to resolve security vulnerabilities associated with general mobile OTP.

Expansion beyond payment 

OTAC embedded cards can also be used as a means of diverse authentication beyond payment. Even when logging in to mission-critical sites such as internet banking, you can generate a one-time QR code just by tapping the back of your smart phone. You can also use the same card to enter the office or a restricted area by tapping it on the digital door lock. Businesses can use this innovative card by integrating corporate payment cards, access control devices, and employee ID into one card. High manufacturing costs related to contactless payment function will alleviated naturally through additional uses other than payment only.

Card tapping mOTP_3

Contact us today

Why swIDch

OTAC, developed by swIDch, is the original technology
that provides all of the following features, tested and substantiated
by the University of Surrey technical report
Why swIDch
DYNAMIC CODE that is
sufficient to IDENTIFY user
Single-step IDENTIFICATION
and AUTHENTICATION
Uni-directional authentication in
off-the-network environment

Single-step identification and authentication with the code alone. Include our biometric option and get single-step MFA. Vastly improved UX by removing steps.

OTAC is a dynamic code, which means the code is constantly changing. Eliminates all use of static information. Forget usernames and passwords forever. Vastly reduced workload for IT helpdesks. 

No network connection required for generating OTAC, enabling uninterrupted use no matter where you are. No more waiting for additional tokens/OTPs and no need for heavy public key infrastructure (PKI). 

 

Highly configurable code parameters and lightweight SDK/applet means wide range of deployment options on many devices across multiple sectors.  

Learn More

'One-time-authentication-code' technical report by University of Surrey Get In touch

Related Topics

How to make complex authentication processes in payment simpler, more efficient and secure.
Payment card fraud costs the global economy approximately $27.85 billion in a single year, and this is projected to rise to $40.63 billion by 2027, according to The Nilson Report. In addition, information theft incidents continue to occur in the secure digital authentication process, such as a short message service (SMS) for one-time passwords, (OTP) for bank account transfers, and PINs for identity authentication.
Read More
Global expansion of card tapping mobile OTP for security and convenience is imminent
If you transfer large sum remittance at once or request sensitive financial information, most global banks ask you either to input mobile one-time passwords (OTPs) generated by mobile banking app, to provide your biometric information via your smartphone, or to type registered PIN codes in order to verify your identity.
Read More
Can convenience and security coexist in digital payment?
The quick and easy way we pay online is the most fundamental agenda of digital transformation accelerated by the pandemic. We live in a world where you can pay for items in your shopping cart with a single click of a purchase button, or transfer money by scanning a QR code without an additional payment process. But, are you sure that your payments are managed safely enough?
Read More