Blog Feed

Strong Customer Authentication According To PSD2: Summary & Checklist

Posted by on 16:03 in Engineering, R&D | 0 comments


The changes that are guaranteed to transform the EU financial market have finally arrived. On January 13, 2018, the second Payment Services Directive (commonly known as PSD2) came into force in the European Union. In this article, we have gathered all the information on PSD2 security and strong customer authentication requirements to help existing and future companies get ready for these changes. So let’s get started with our comprehensive PSD2 summary!

Note: if you are afraid of getting lost in all the abbreviations and legal terms, check out our PSD2 glossary in the knowledge base at the bottom and download the PSD2 security requirements checklist here.

How PSD2 Regulation Impacts Fintech

PSD2 is going to influence every bank, consumer and fintech company based within the EU’s borders, and even those outside the EU if they make transactions with banks, companies or consumers located in the EU. Thus, if one party to a transaction is located in the EU, the transaction falls under PSD2 requirements. Before diving into PSD2’s impact on the fintech industry, we need to be on the same page regarding the directive’s objectives. We can distinguish three main PSD2 objectives pursued by establishing a single standardized payments system: enforce equal opportunities to succeed in the market for all payment service providers; make the payments system more transparent and more secure against fraud; stimulate the implementation of innovative fintech solutions.

“Online payment will continue to play an ever-growing and significant role in the development of e-commerce as well as the stimulation of consumer demand.” – Lucy Peng, CEO, Ant Financial Services, Alibaba Group

But how is PSD2 going to influence the fintech industry? First and foremost, from now on, third parties that provide payment services are legally recognized as new players in the market and are regulated accordingly by PSD2. Named Third Party Providers (TPPs), they don’t hold any payment accounts or take possession of any funds being transferred. There are two types of Third Party Providers (TPPs), as stated in the PSD2 directive:

Account Information Service Providers (AISPs): these are companies that aggregate data about a consumer’s accounts held at one or several banks. Their primary task is to present users with visualized information about their accounts in a convenient way. A wide range of other features can be implemented here, mainly ones concerning filtering and analyzing the data.

Payment Initiation Service Providers (PISPs): these are companies that have permission to initiate PSD2 payments between the consumer and the bank on the consumer’s behalf. This allows TPPs to facilitate online banking payments.

Image source: wso2.com

The Bright Side. The pros of PSD2 for TPPs are obvious: traditional financial institutions (banks) are required to open their APIs to TPPs, which allows open competition between TPPs and banks on equal terms. Besides, it opens the floor to PSD2 blockchain solutions that can be revolutionary. All the barriers that used to be an advantage for traditional financial institutions are now gone. TPPs no longer operate in the ‘gray area’ of the market; now they are protected by this piece of legislation and have certain rights. Besides, by accessing the banks’ APIs, TPPs can use the data produced by banks without having to acquire the infrastructure that banks...

read more

10 Most Popular Two-Factor Authentication Apps Compared

Posted by on 21:55 in Engineering, R&D | 6 comments


This article discusses two-factor authentication apps, which offer different functionality and are based on different principles but serve one purpose: reliable protection of access to sensitive information. Today, we will review some of the most popular one-time password generator applications from the Google Play market and two hardware OTP tokens that can replace two-factor authentication apps. The apps’ and OTP tokens’ authors offer many convenient or security-oriented features. Let’s finally figure out some of the pros and cons of each.

“Turn on all security features like two-factor authentication. People who do that generally don’t get hacked. Don’t care? You will when you get hacked. Do the same for your email and other social services, too.” – Robert Scoble

Top 3 Most Popular 2FA Applications

1. Google Authenticator

Google’s two-factor authentication app is probably the most popular and best known among 2FA evangelists. It’s free, handy, and offered on many websites by default. Let’s have a look at its features:

User-friendly. Google Authenticator has a clear, easy-to-use UI (user interface) that even a child would find informative. It should also be noted that the software works on almost all versions of Android and takes no more than 2 MB, which is significant for owners of phones with a small amount of RAM.

TOTP and HOTP algorithms. The Google Authenticator app supports both the Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP) generation algorithms, which allows it to be used with more services. TOTP is more widespread and reliable; in this algorithm the current time is one of the parameters used to generate one-time passwords. There are still websites using the HOTP algorithm, in which a counter is used to compute the passwords. The lifetime of all OTP passwords generated according to the TOTP or HOTP algorithms is 60 seconds, i.e. every minute a new password is created.

No need for a network connection. The use of such OTP generation algorithms allows Google Authenticator to work without a network connection. The same one-time passwords are generated on your smartphone, without access to the Internet or cellular network, and on the authentication server (in the client-server paradigm); if the one-time passwords match, you get access to your account.

Many accounts in one place. You can use one app for all your accounts on different websites as well as for multiple accounts on one website. This is very convenient compared with SMS authentication, but mind that you may have a lot of trouble when losing or wiping a phone if you don’t take care of a Google Authenticator backup.

Are there any drawbacks in Google Authenticator? Here we have some black clouds above the app:

There is no built-in possibility to back up your data. It means that users must re-enter the information each time they change the phone or account.

They say it’s not quite convenient to use this app if you turn on 2-factor authentication for more than 4 websites. Four one-time passwords are enough to occupy the whole screen, and if you have, for example, 12 accounts, you won’t see all passwords at a glance.

Google’s two-factor authentication app may be the best known one, but let’s be honest: there are many other...

read more

The Pros and Cons of Different Two-Factor Authentication Types and Methods

Posted by on 19:21 in Engineering, R&D | 5 comments


Along with the first digital devices rose a need to ensure the security of stored data and to differentiate access to various functions. The various methods of unambiguously authenticating users, on which security is based, are called authentication factors. These include codes, logins, passwords, certificates, hardware keys, and so on. The whole set of authentication factors can be divided into three groups: knowledge factors (something the user knows); ownership factors (something the user owns: documents or items characterized by some unique information; usually these factors boil down to “devices”, although this narrowing is not always justified); biometric factors (physical characteristics of the user).

There is a huge variety of authentication factors, not all of which are equally convenient and safe. To raise the security level of the authentication process, multi-factor authentication is used, in which several authentication factors of different types are used to verify access. The disadvantages of some factors can and should be covered by the merits of others. Despite the greater security, the more authentication stages are used, the more effort and time it takes to authorize. Weighing the combined characteristics of security, convenience and required effort, two-factor authentication is considered the optimal choice today.

Two-Factor Authentication

What is two-factor authentication? Two-factor authentication (2FA) is one of the most reliable types of user authentication nowadays, used to obtain the rights to access any resource or data (from mailboxes to bank card payments). Two-step authentication is a much more reliable alternative to traditional one-factor authentication (1FA) using a login-password pair, the security of which is currently quite low. There are a huge number of methods for hacking and circumventing password authentication, from social engineering to distributed brute-forcing based on pre-organized botnets. In addition, some users use the same password to log into all their accounts, which in turn further simplifies scammers’ access to protected information and transactions. The main advantage of two-factor authentication is increased login security. As for the shortcomings, the main two are the increase in the time it takes to log in to the system and the risk of losing the physical medium used to pass one of the authentication steps (mobile phone, U2F key, OTP token). In this article, we review several of the most convenient and secure second authentication factors for use in 2FA.

Read also: Social Engineering Against 2FA: New Tricks

1. SMS Codes

SMS codes generated by special services are the most common kind of factor used in mobile two-factor authentication. It is quite convenient (most modern users always keep their smartphones on them) and does not take much time. In addition, this check is in most cases effective, for example, to protect against automated attacks, phishing, password brute-forcing, viruses, and the like. But if someone is intent on hacking you, bypassing SMS authentication is possible. After all, the phone number tied to the account is usually not a secret (as a rule, it is the same contact number that can be found from your friends, social networks or business card). Having obtained the personal information of the number’s owner, scammers make a fake identity card and use it at the nearest office of the mobile operator. Despite the fact...

read more

10 Steps to Eliminate Digital Security Risks in Fintech Project

Posted by on 16:11 in Engineering, R&D | 0 comments


Any kind of project can be of potential interest to attackers, since information stolen in an attack can be turned into cash. In the case of financial projects, though, an attack usually results in attackers transferring user or system funds to an unknown location. This eliminates the extra steps it would otherwise take them to reach their ultimate goal. Regardless of what stage your fintech project is at, it’s never a bad idea to make sure that everything that can be done has been done to eliminate all possible digital security risks, so that clients and the business itself are adequately protected.

“There are only two types of companies: Those that have been hacked and those that will be hacked.” – Robert S. Mueller, III, Director FBI

In this article, we’ll go over the key financial cyber security concerns, as well as a list of ten components for putting together an effective system to protect the financial information of both users and the company itself.

Note: In early 2018, PSD2, the amended Payment Services Directive for the European Union, enters into force. Later in this article, we’ll describe the main IT security requirements of this directive. If your company operates in or plans to operate in Europe, we recommend that you familiarize yourself with it and download our checklist.

The main financial cyber security concerns

We’ll begin by looking over the main traditional digital security risks facing personal data protection in IT systems for fintech companies.

SQL injection
SQL injection is the kind of digital security threat that involves the introduction of altered SQL queries. Using vulnerabilities in the system’s software implementation, an attacker can execute arbitrary database queries.

Brute force attacks
Brute force attacks attempt to recover a password by automatically guessing from a pool of possible passwords. Using a database of likely passwords (like a dictionary), this process becomes much more efficient.

Zero-day vulnerabilities
Zero-days are unknown vulnerabilities used by hackers before software developers have fixed them. In addition, system administrators don’t always update software in a timely manner, causing additional digital security risks.

Man-in-the-middle (MITM) attacks
In a MITM attack, messages exchanged between the ends of a communication channel are intercepted and spoofed using an unauthorized connection.

Phishing
Phishing, one of the greatest financial cyber security concerns nowadays, involves the theft of a user’s information with the help of fake websites and web applications that mimic legitimate resources. Through nefarious means (often a link in an email or another message), users end up at these fake resources and voluntarily enter their login details into forms that look identical to the real ones.

Banking Trojans
This type of malware is aimed specifically at compromising banking cyber security. It gathers account details, collecting stored information about users’ accounts and sending this data to an admin panel. The admin panel, either by automatic rules or manual intervention, chooses a target and displays a fake page to the user.

Ransomware
Ransomware is typically spread through phishing messages. When run, the malware locks the user out of the system and demands a ransom payment.

For 2017, the Open Web Application Security Project (OWASP) identified the following as the most critical web application security risks: SQL injection; cross-site scripting; broken authentication; broken access control; sensitive data...

read more

Top 7 Tips How to Protect Yourself from Phishing Scams

Posted by on 11:14 in R&D | 2 comments


What phishing is has been well known for some time now. The first phishing attacks were noted shortly after the World Wide Web appeared. But despite the efforts of IT security specialists to create more effective anti-phishing protection, new phishing sites continue to appear every day. According to data from several studies, about 5000 new phishing sites were created every day in 2016. In 2017, this figure will be even greater. The secret to the resilience of this type of fraud lies in how it is based not on “holes” in software but on a vulnerability in human beings themselves, particularly those with access to important data. That’s why we’re going to remind you once more what phishing is, what the most common phishing attack examples are, and what you can do to counter them.

“Phishing is a real threat, which is relatively easy to implement and difficult to identify and counteract.” – Max Oliinyk, Chief Executive Officer, Protectimus Solutions LLP

Basic phishing examples 2017

Phishing is a kind of internet fraud based on social engineering principles. The main purpose of phishing scams is to gain access to critically important data (passport data, for example), accounts, banking details, secret company information, and so on, so that it can be used to steal funds at a later date. Phishing works by redirecting users to fake network resources that function as complete imitations of a real site.

Read also: Social Engineering Against 2FA: New Tricks

Deceptive phishing examples

The majority of phishing attacks fall under this category. Attackers send out emails pretending to be from a real company in order to obtain users’ account data and thus gain control over their personal or official accounts. You could receive a phishing email claiming to be from a payment processor, a bank, a courier service, an online store, a social network, a revenue service, and so on. Phishing emails are crafted with great care. They can be practically indistinguishable from the emails a user would normally receive from the company. The only difference may be a request to follow a link in order to perform some kind of action. That link, however, leads to the scammers’ site, which acts as a doppelgänger of the entity’s real website. To get you to click on these links, the emails may dangle a proverbial carrot in front of you: “Take 70% off our services if you sign up within 24 hours!” They may also try to scare you: “Your account has been locked due to suspicious activity. To confirm that you are the account owner, click on the link.”

Here’s a list of some of the scammers’ favorite phishing examples:

“Your account has been/is going to be locked/disabled.” Scare tactics can be quite effective. The threat of having your account locked if you don’t immediately log in can cause users to let their guard down, follow the link in the email, and enter their username and password.

“Suspicious/fraudulent activity has been detected on your account. You must update your security settings.” These kinds of emails urgently ask you to log into your account and update your security settings. They work on the same principle as the previous attack: the user panics and lets their guard down.

“You have received an...

read more

How to Program Protectimus Slim NFC Token

Posted by on 18:51 in Setup Guides | 2 comments


If you have an NFC-enabled smartphone running Android, download and run the Protectimus TOTP Burner app. Initiate the software token setup on the system where you require enhanced security. To program the Protectimus Slim NFC OTP token:

1. Run the Protectimus TOTP Burner application.
2. Tap the “Burn the seed” button.
3. Tap “Scan the QR code” and scan the QR code with the secret key shown in your account. You can also enter the secret key manually, but we recommend the automatic method.
4. If you enter the seed manually, set the required OTP password lifetime.
5. Activate the Protectimus Slim NFC OTP token and place it near your phone’s NFC antenna.
6. While holding Protectimus Slim NFC near the NFC antenna, tap “Continue” and wait for a message confirming that the 2FA token was programmed successfully....

read more

How to Set Up Two-Factor Authentication on Dropbox with Protectimus Slim NFC

Posted by on 19:53 in Setup Guides | 0 comments


Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Dropbox account!

How to enable Dropbox two-factor authentication with the Protectimus Slim NFC hardware OTP token:

1. Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.
2. Log in to your Dropbox account and initiate the enrollment of the software token: Go to the “Settings” section through the navigation menu -> Choose the “Security” section -> Enable two-step verification by turning on the toggle -> Read the important information regarding two-factor authentication before getting started and click the “Get started” button -> Choose the “Use a mobile app” option and click “Next” -> You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.
3. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.
4. To finish the token enrollment, click the “Next” button. Enter the one-time password from the Protectimus Slim NFC token in the...

read more

How to Set Up Two-Factor Authentication on Kickstarter with Protectimus Slim NFC

Posted by on 19:14 in Setup Guides | 0 comments


Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Kickstarter account!

How to enable Kickstarter two-factor authentication with the programmable hardware OTP token Protectimus Slim NFC:

1. Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.
2. Log in to your Kickstarter account and initiate the enrollment of the software token: Go to the “Account” section in the navigation menu -> Turn on two-factor authentication -> Read the important information regarding two-factor authentication before getting started -> Choose “Generate codes with a mobile app” and click “Continue” -> You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.
3. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.
4. To finish the token enrollment, enter the one-time password from the Protectimus Slim NFC token in the field “Enter the verification code generated by the...

read more

How to Set Up Two-Factor Authentication on MailChimp with Protectimus Slim NFC

Posted by on 17:50 in Setup Guides | 0 comments


Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC, the best 2FA token to protect your MailChimp account!

How to enable MailChimp 2-factor authentication with the programmable hardware token Protectimus Slim NFC:

1. Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.
2. Log in to your MailChimp account and initiate the enrollment of the software token: Go to the “Account” section in the navigation menu -> Click “Settings” and choose the “Security” section from the settings list -> Enable two-factor authentication using an authenticator app -> You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.
3. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.
4. Save the backup code in a secret place.
5. To finish the token enrollment, enter the one-time password from the Protectimus Slim NFC token in the field “Authentication...

read more

How to Add Protectimus Slim mini NFC token to Facebook

Posted by on 17:18 in Setup Guides | 0 comments


Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Facebook account!

How to enable Facebook two-factor authentication with the Protectimus Slim NFC hardware OTP token:

1. Make sure that your Android smartphone supports NFC and download the Protectimus TOTP Burner application.
2. Log in to your Facebook account and initiate the enrollment of the software token: Go to the Facebook Settings -> Choose the “Security and Login” section -> Choose “Use two-factor authentication” -> In the “Code generator” section, click the “third party app” button -> You’ll see the QR code with the secret key (seed).
3. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.
4. Enter the one-time password generated with the Protectimus Slim NFC token in the “Security code” field.

Enjoy reliable and convenient protection for your Facebook account and make hackers’ lives...

read more