In our previous posts, we reviewed the CWYS (Confirm What You See) mechanism, which allows generating an OTP tied to the data being protected. Users often face the question: what data should be included in OTP generation to ensure the best protection for the system?
Let’s consider the most common situation where the CWYS function is used – verification of transactions in payment and banking systems. To ensure protection for such transactions, we recommend using the following data:
- identifier or transaction number;
- user’s current balance or balance after transaction;
- any additional data that needs to be protected against modification or falsification from the point of view of your business processes, for example, transaction date, user’s IP address, or payer.
It is important to note that at each step of working with Protectimus, only the current data that the user is working with at that moment should be used, never cached data. This applies in particular to the balance: it is sometimes recalculated in response to a system event, and the user sees it as of a certain moment in time, so the value bound into the OTP must be the one the user is actually confirming.
Using such details in the OTP generation process protects them from being modified or falsified between creating and performing a transaction, thus protecting the user against losing money and protecting your system against reputational and other risks.
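The following is an added illustration of the data-bound OTP idea described above; it is not Protectimus code and does not reproduce the CWYS algorithm itself. It assumes a shared secret, a moving counter, and an HMAC-SHA256 with HOTP-style dynamic truncation as the generation function, and it binds exactly the fields recommended in the list (transaction id, balance after the transaction, payee and date). The `load_current_balance` callback stands in for the system of record so that the server recomputes the code from the live balance rather than a value supplied by the client; the secret, counter and transaction values are constructed for the demo.

```python
import hmac
import hashlib
import struct

DIGITS = 6  # length of the confirmation code shown to the user


def canonicalize(transaction: dict) -> bytes:
    """Serialize the protected fields in a fixed order so both sides hash identical bytes."""
    return "|".join(f"{k}={transaction[k]}" for k in sorted(transaction)).encode("utf-8")


def cwys_otp(secret: bytes, counter: int, transaction: dict) -> str:
    """Derive a 6-digit code from the secret, the counter and the transaction details.

    Assumed construction: HMAC-SHA256 over counter || canonical transaction,
    then HOTP-style dynamic truncation (not the vendor's actual algorithm).
    """
    msg = struct.pack(">Q", counter) + canonicalize(transaction)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_otp(secret: bytes, counter: int, transaction: dict, otp: str) -> bool:
    """Constant-time comparison of the recomputed code against the submitted one."""
    return hmac.compare_digest(cwys_otp(secret, counter, transaction), otp)


def server_verify(secret: bytes, counter: int, client_tx: dict, otp: str, load_current_balance) -> bool:
    """Rebuild the transaction with the live balance before checking the code.

    A client-supplied 'balance_after' is ignored: the server derives it from the
    current balance in its own records, matching the 'no cached data' rule.
    """
    live_tx = dict(client_tx)
    live_tx["balance_after"] = f"{load_current_balance(client_tx['account']) - float(client_tx['amount']):.2f}"
    return verify_otp(secret, counter, live_tx, otp)


def demo() -> tuple:
    """Returns (genuine_ok, tampered_ok, live_balance_ok) for the constructed scenario."""
    secret = b"constructed-demo-secret"   # constructed; a real deployment provisions per-user secrets
    counter = 42
    # Constructed transaction: the fields the user sees and confirms.
    tx = {
        "account": "ACC-007",
        "tx_id": "INV-1001",
        "amount": "150.00",
        "balance_after": "850.00",
        "payee": "ACME Ltd",
        "date": "2024-01-15",
    }
    otp = cwys_otp(secret, counter, tx)

    # Fields changed after the user confirmed: the code must no longer verify.
    tampered = dict(tx, payee="Other Payee Ltd", amount="900.00", balance_after="100.00")

    # Constructed system-of-record lookup: the live balance is 1000.00.
    balances = {"ACC-007": 1000.00}
    live_ok = server_verify(secret, counter, tx, otp, lambda acct: balances[acct])

    return (
        verify_otp(secret, counter, tx, otp),
        verify_otp(secret, counter, tampered, otp),
        live_ok,
    )


if __name__ == "__main__":
    print(demo())
```

Because the code depends on every bound field, altering the payee or amount in transit invalidates the confirmation the user already entered; the server-side variant shows why the balance must come from live records rather than from whatever the client sends.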