Digital signature with smartphone for Online Banking
Cloud-based platform for digital signing, strong authentication and secure messaging via the user's smartphone
A convenient and secure online banking interface is vital to the success of any contemporary bank. In the context of the cyber security of an Online Banking Service (OBS), the most sensitive operations to protect are transactions on customer accounts and, consequently, the digital signing of those transactions. Cloud-based digital signing is the most convenient option for end users, as it does not require additional cryptographic devices (tokens, smart cards etc.). However, the vast majority of cloud signature implementations rely on user authentication via SMS, with the key material stored server-side in an HSM. In other words, the user does not possess the private keys used in the cryptographic operations. The Indeed AirKey Cloud (Indeed AK Cloud) platform takes a completely new approach to the task, built on asymmetric cryptography and PKI.
Secure replacement of SMS
Unlike an SMS message, which is sent in the clear, Indeed AK Cloud encrypts all data sent to the user's smartphone with asymmetric algorithms. This ensures that the data can be read only on the device it is intended for.
The user sees all the details of the transaction to be signed in a push notification. Confirmation takes a couple of taps on the smartphone screen.
Our solution makes it possible to implement every type of digital signature on a smartphone, so the solution can be adapted to current needs and new scenarios can be added easily as they arise.
A user possesses his/her private key
The private keys used for cryptographic operations are always generated within the user's smartphone and never leave its memory. This guarantees that the user is the owner of the private key in digital signature scenarios. Therefore the company no longer needs to store private keys on its side.
Solution key features
No need to install additional software
The Indeed AK Cloud mobile application is a self-contained digital signature method. The user does not need to obtain and install additional software or hardware on a PC or tablet, purchase a separate device to store the digital signature key, or install drivers, web plugins etc.
Push message explicitly notifies a user of digital signature operation being started
Each digital signature operation starts with explicit notification of the user via a push message sent to his/her smartphone. Unlike SMS, a push message is cryptographically protected against interception and forgery: it is encrypted for the device and signed with the AK Cloud server's digital signature.
Transaction details are displayed on smartphone screen
A user can view transaction details on the smartphone screen before confirming the operation.
Digital signature key remains on smartphone
Digital signature key generation, generation of the certificate request used for signature verification, and the signing operation itself are all performed on the smartphone. The digital signature key is stored in smartphone memory, never leaves it and is not synchronized with the cloud.
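As an added illustration (this is not the vendor's code, and the page does not disclose the actual protocol), the following Go program sketches the exchange described in the sections above: the phone generates its keys and a certificate request locally, the server encrypts the transaction details to the phone and signs the push envelope, the phone rejects anything not signed by the server, shows the details, and signs exactly what it displayed. The algorithm choices (P-256 ECDSA for signatures, ephemeral ECDH plus AES-256-GCM for the push payload, SHA-256 as a stand-in KDF), all type and function names (Device, Server, MakePush, OpenPush, Confirm) and the sample transaction are assumptions made for this demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
)

// must keeps the demo short: setup failures panic; checks an attacker could trigger return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Transaction is the constructed payload the user sees on screen and confirms (demo data).
type Transaction struct{ ID, Payee, Amount string }
// Push is the server-to-phone message: payload encrypted to the device, envelope signed by the
// server. Ephemeral (65 B) and Nonce (12 B) are fixed-length, so hashing the concatenation is unambiguous.
type Push struct{ Ephemeral, Nonce, Ciphertext, Signature []byte }
func (p *Push) digest() []byte {
	h := sha256.Sum256(bytes.Join([][]byte{p.Ephemeral, p.Nonce, p.Ciphertext}, nil))
	return h[:]
}
// aead derives a one-off AES-256-GCM key from the ECDH secret (SHA-256 stands in for a full KDF here).
func aead(shared, eph []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte("demo-push-v1"), eph...), shared...))
	return must(cipher.NewGCM(must(aes.NewCipher(k[:]))))
}

// Device models the smartphone: signKey signs confirmed transactions, encKey decrypts pushes.
// Both are generated here and never leave the struct; only their public halves go to the server.
type Device struct{ signKey *ecdsa.PrivateKey; encKey *ecdh.PrivateKey }
func NewDevice() *Device {
	return &Device{must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdh.P256().GenerateKey(rand.Reader))}
}
// CSR builds the certificate request for the signing key on the phone itself.
func (d *Device) CSR(cn string) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, d.signKey))
}
func (d *Device) EncPublicKey() []byte { return d.encKey.PublicKey().Bytes() }
// OpenPush verifies the server signature before touching the ciphertext, then decrypts.
func (d *Device) OpenPush(p *Push, serverPub *ecdsa.PublicKey) (tx Transaction, err error) {
	if !ecdsa.VerifyASN1(serverPub, p.digest(), p.Signature) {
		return tx, fmt.Errorf("push rejected: not signed by the server")
	}
	shared := must(d.encKey.ECDH(must(ecdh.P256().NewPublicKey(p.Ephemeral))))
	plain, err := aead(shared, p.Ephemeral).Open(nil, p.Nonce, p.Ciphertext, nil)
	if err == nil {
		err = json.Unmarshal(plain, &tx)
	}
	return tx, err
}
// Confirm is the user's tap: the phone signs exactly the details it displayed.
func (d *Device) Confirm(tx Transaction) []byte {
	h := sha256.Sum256(must(json.Marshal(tx)))
	return must(ecdsa.SignASN1(rand.Reader, d.signKey, h[:]))
}

// Server models the AK Cloud side: its own signing key plus the device's public keys only.
type Server struct{ signKey *ecdsa.PrivateKey; devicePub *ecdsa.PublicKey; deviceEnc *ecdh.PublicKey }
// NewServer enrols a device from its CSR (proof of possession checked) and encryption public key.
func NewServer(csrDER, encPub []byte) (*Server, error) {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &Server{srvKey, csr.PublicKey.(*ecdsa.PublicKey), must(ecdh.P256().NewPublicKey(encPub))}, nil
}
func (s *Server) SignPublicKey() *ecdsa.PublicKey { return &s.signKey.PublicKey }
// MakePush encrypts tx to the device under a fresh ephemeral ECDH key and signs the envelope.
func (s *Server) MakePush(tx Transaction) *Push {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	p := &Push{Ephemeral: eph.PublicKey().Bytes(), Nonce: make([]byte, 12)}
	must(rand.Read(p.Nonce))
	p.Ciphertext = aead(must(eph.ECDH(s.deviceEnc)), p.Ephemeral).Seal(nil, p.Nonce, must(json.Marshal(tx)), nil)
	p.Signature = must(ecdsa.SignASN1(rand.Reader, s.signKey, p.digest()))
	return p
}
// VerifyConfirmation checks the device signature against the details the server itself sent.
func (s *Server) VerifyConfirmation(tx Transaction, sig []byte) bool {
	h := sha256.Sum256(must(json.Marshal(tx)))
	return ecdsa.VerifyASN1(s.devicePub, h[:], sig)
}

func main() {
	dev, tx := NewDevice(), Transaction{ID: "T-1001", Payee: "Example Utilities", Amount: "125.40"}
	srv := must(NewServer(dev.CSR("user-42"), dev.EncPublicKey()))
	shown := must(dev.OpenPush(srv.MakePush(tx), srv.SignPublicKey()))
	fmt.Println("phone shows", shown, "- server accepts confirmation:", srv.VerifyConfirmation(tx, dev.Confirm(shown)))
}
```

Two design points carry over to any real deployment of this pattern: the phone verifies the server's signature before it decrypts or parses anything, so a forged or altered push is discarded without being shown to the user, and the phone signs the bytes it actually displayed, so the server's verification fails if the amount or payee were changed anywhere in between. In a production system the server's signing public key would be pinned inside the app and the CSR would be submitted to a CA rather than consumed directly by the enrolment endpoint.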
Protection of access to digital signature key with password and Touch ID
Access to the digital signature key requires the user to enter a password. Devices with a biometric sensor can also use Touch ID or a similar biometric technology to protect the digital signature key.
Integration via SMPP protocol
To migrate seamlessly from SMS confirmation to secure push notifications, the SMPP protocol can be used. This makes it possible to connect AK Cloud to the OBS system without any changes: the OBS continues to send one-time passwords (OTP) via an SMPP gateway, with the AK Cloud server playing the role of that gateway.
Using SMS as backup method of transaction confirmation
When a push notification cannot be delivered to the user (for example, when no 3G connection is available), the system can fall back to SMS messages. This keeps OBS operations possible even under poor connectivity.
Description of Indeed AirKey Cloud solution
Indeed AirKey Cloud is a client-server platform. The client is a mobile application running on iOS or Android. The Indeed AK Cloud application turns a smartphone into a simple-to-use digital signature method: the user does not need to obtain a smart card or install additional software, and using the application is as simple as receiving SMS messages and replying to them.
Digital signature in OBS using a smartphone
Online banking service tools are in common use nowadays. Regulatory requirements oblige financial institutions to protect and confirm transactions with enhanced, certified, cryptography-based digital signature technology. In practice this means that every OBS user has to obtain, install and correctly use a cryptographic service provider (CSP) and a digital signature. Storing the digital signature key on a security device external to the PC (USB drive, smart card or USB token) is singled out as a separate requirement.
This approach demands a certain level of competence from the user, and the lack of it generates a large number of calls to OBS technical support. A further problem is that the security of the PC environment in which the smart card is used cannot be guaranteed, which opens the door to fraud aimed at stealing the OBS user's money.
Indeed AirKey Cloud makes it possible to solve these problems in a new way. A digital signature user does not have to make any complex preparations: by simply installing the application on a smartphone, he or she gets a convenient and fully functional digital signature method.
Comparison with a classic smart card
| Characteristic | Indeed AirKey Cloud | Classic smart card |
| --- | --- | --- |
| Form factor | Smartphone | USB key, card, MicroSD |
| Memory available for key and certificate storage | Limited only by smartphone memory | Up to 90 KB |
| Processor | Smartphone CPU is used | Cryptographic microprocessor |
| Cryptographic algorithm support | | Depends on the manufacturer |
| Authentication in web applications using a tablet PC | Yes, fully supported | Limited support: a special version of tablet PC is required along with additional software installation |
| PIN code entered off the user PC (keylogger protection) | Yes, the PIN code is entered on the smartphone | Limited support: a separate device is required |
| Transaction details displayed off the user PC | Yes, the smartphone screen is used | Limited support: a separate device is required |
| Remote removal of keys and certificates from the user device | Yes | No |
| Biometrics support | Yes, the smartphone's built-in technology is used | Yes, a separate device with match-on-card support is required |
Integration to OBS
Indeed AirKey Cloud is integrated into a target system by adding WebAPI calls from the target system's server to the Indeed AK Cloud Server.
The Indeed AK Cloud mobile application is installed by the user from the App Store on his/her own. No additional software components need to be installed on the user's PC or tablet PC.
Indeed AK Cloud scheme