Trusted Transactions | Entersekt Blog

Fingerprints and the gap between identity and authentication in digital banking

Posted by Christiaan Brand, chief technology officer, Entersekt

Jul 23, 2015 10:30:00 AM


Apple’s TouchID has taken the world by storm and, with official fingerprint biometric support now also coming to Android M, it looks like username and password prompts on mobile applications will soon go the way of the VCR and the gramophone player.

Still, unlike usernames and passwords, which we can change at will, we only have one set of biometric prints. If our biometrics fall into the hands of hackers, they become useless to us, forever. The consensus amongst industry experts such as the FIDO Alliance and Apple is that we must limit exposure to our private biometric data by not sharing it, keeping it instead locked down on our personal devices. In other words, that record of your fingerprint used to unlock your iPhone should never leave your device. Not even Apple has access to it.


Topics: Biometrics, Public-key cryptography, Apple, Privacy

Into the jungle of smartphone app permissions

Posted by Altus van Tonder, VP sales support Europe, Entersekt

Apr 2, 2015 9:30:00 AM

In the age of smartphones, we mainly use our phones for apps – many, many apps. Making voice calls and performing other traditional phone functions come second to using the wealth of apps available. Most of us are aware by now that apps bring with them additional risk – that they can expose us to unwanted prying and data theft. So, I’d like to look at app permissions a little closer. It’s a topic you probably do not lose much sleep over, but it does impact your security and personal data directly.

The trade-off
Apps can do a plethora of scary-seeming things on our smartphones: access our location, peek at our photo galleries, read our address books, and gather personal information about us and our devices. This would arguably be okay if you fully trusted the apps you use – but can you really? There are millions of app creators out there – some, surely, with less pure intentions than others – and we mostly end up giving them carte blanche to access our information at any time via their software.

So what can we users do to limit any unwanted intrusion into our privacy?


Topics: Mobile app vulnerabilities, Apple, Mobile app permissions

Fraud on Apple Pay spikes up to 100 times the industry average

Posted by Christiaan Brand, chief technology officer, Entersekt

Mar 19, 2015 9:30:00 AM

We have all seen the reports about Apple Pay fraud plastered over the Web. Less informed commentators seem to blame Apple, but is this problem really their fault this time?

As I suggested in my previous blog post on this topic, Apple Pay is nothing more than institutionalized card cloning. The only barrier standing between a fraudster loading your credit card onto their mobile phone, as opposed to your doing so, is a concept called “identity proofing.”

Every time a new credit card is linked to Apple Pay on a mobile device, the card number is sent off to one of the payment networks and exchanged for a “token,” which will be used in lieu of the card number for transactions in the future. Before this exchange can take place, a real-time call is made to the bank that issued the card to request its permission to do so. It’s at this step that many card issuers flounder.

Topics: Apple Pay, Apple

A look at Apple Pay’s SMS OTP and tokenization

Posted by Christiaan Brand, chief technology officer, Entersekt

Dec 11, 2014 4:32:00 PM

On the weekend, I finally had a chance to load my three credit cards into Apple Pay. The process was slick and painless, as you’d expect from Apple: a simple snap of the credit card auto-populated the data on my phone. Only the card security code (three or four digits long) is entered by hand.

Below, I’ll explore the security mechanisms I encountered during the Apple Pay enrollment process, as well as those in place for making actual payments.

Enrollment with one-time passwords

One of the inherent risks in any authentication solution is the initial onboarding or identity proofing process. In many deployments, a simple username and password offer greater security than a hardware token does because the identity proofing intended to pair the token with a specific user is not sufficiently rigorous.


Topics: One-time passwords, Tokenization, Apple Pay, Apple

About Trusted Transactions

Trusted Transactions is Entersekt's blog devoted to keeping our customers, prospects and friends updated with industry news, security threats and technology advances in consumer authentication. We can protect against online banking fraud and account takeovers. Trusted Transactions brings you industry data and insights to help safeguard your online and mobile banking and payments transactions. 
