Case study

'A-Card' (De-identified Bank) Dynamic App Verification

swIDch significantly improved customer churn prevention and service availability,
by providing a basis for A-Card (name redacted to protect identity) to streamline
the device authentication process while enhancing service stability and the security level.

'A-Card' bank (name redacted to protect identity), one of the largest credit card companies in Korea, ended their A-Card app service on August 31, 2022, and integrated the existing app service into their own ‘B Pay’ app from September 1. A-Card's 'B Pay', which has over 5M monthly active users (MAU) as of the end of January 2023, is a payment service that can be conveniently used without needing a physical card through various payment methods including barcode, QR code, magnetic secure transmission (MST), and near field communication (NFC) both online and offline. swIDch’s OTAC Device Authentication Token, applied to B Pay, dramatically reduces unnecessary payment authentication steps, improves the convenience of using the B Pay app, and enhances security by blocking hacking attempts to control customer devices through other terminals.

 

Challenge

As A-Card's 'B Pay' app had to meet the security level set by the financial supervisory authorities such as the Credit Finance Association and the Financial Supervisory Service, the authentication process was more complicated than that of fintech companies that go through the minimum security process. Frequent card registration authentication was also inconvenient for users. The existing authentication process required at least two steps at the time of payment, and customer churn occurred in this process. In addition, it was necessary to prevent the use of abnormal methods by verifying the transaction interlocking data at the time of payment. Above all, improving the speed of apps that were slow as a result of frequent authentication procedures also needed resolution. The OTAC device authentication token applied with swIDch’s OTAC (One-Time Authentication Code) technology was proposed as a solution that could resolve these challenges.


The Solution

The OTAC Device Authentication Token applied to A-Card's B Pay app periodically transmits a dynamic authentication code, valid only at the present time, from the user's device to the financial institution's server, so that the server can check unidirectionally whether a legitimate customer's device is accessing it. The device is confirmed solely by verifying the received OTAC.


When a user signs up for or registers the app, the OTAC Device Authentication Token securely provides a unique value for generating a dynamic authentication code (OTAC) that can be used only on the user's device, and stores that unique value safely on the device. The OTAC generation module installed in the user's app safely stores the unique value for generating dynamic codes on the device, and generates and transmits a valid dynamic code at every point in time. Meanwhile, the OTAC verification module loaded on the financial service company's server verifies the periodically transmitted OTAC and assigns a unique value to each user.
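
The flow described above (a per-device unique value issued at registration, a code valid only for the current time period, and one-way verification on the server, bound to the transaction data mentioned under Challenge) can be sketched as follows. This is an added example, not swIDch's code: the page does not describe OTAC's algorithm, so an HMAC-SHA256 time-step code stands in for it, and the class names, the 30-second period, the token format carrying a device id, and the one-code-per-period replay rule are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # assumed validity period of one code
SKEW_STEPS = 1     # assumed tolerance for device clock drift, in periods


def _code(secret: bytes, step: int, txn: bytes) -> str:
    # Stand-in for OTAC generation: HMAC over (time step || hash of transaction data).
    msg = struct.pack(">Q", step) + hashlib.sha256(txn).digest()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class Device:
    """App side: holds the unique value issued at registration (hypothetical class)."""
    def __init__(self, device_id: str, secret: bytes):
        self.device_id, self._secret = device_id, secret

    def token(self, now: float, txn: bytes) -> str:
        step = int(now // STEP_SECONDS)  # computed locally, no server round trip
        return f"{self.device_id}.{_code(self._secret, step, txn)}"


class Server:
    """Verification side: one unique value per registered device (hypothetical class)."""
    def __init__(self):
        self._secrets = {}    # device id -> unique value
        self._last_step = {}  # device id -> last accepted time step

    def register(self, device_id: str) -> Device:
        self._secrets[device_id] = secrets.token_bytes(32)
        return Device(device_id, self._secrets[device_id])

    def verify(self, token: str, now: float, txn: bytes) -> bool:
        device_id, _, code = token.partition(".")
        secret = self._secrets.get(device_id)
        if secret is None:
            return False  # unknown device
        current = int(now // STEP_SECONDS)
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self._last_step.get(device_id, -1):
                continue  # replay guard: this period's code was already accepted
            if hmac.compare_digest(code.encode(), _code(secret, step, txn).encode()):
                self._last_step[device_id] = step
                return True
        return False
```

A code captured in transit fails on replay, fails once its period has passed, and fails if the transaction data presented to the server differs from what the device signed.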

Expected effect

swIDch significantly improved customer churn prevention and service availability by providing a basis for A-Card to streamline the device authentication process while enhancing service stability and the security level.

As the mobile financial environment has become common and non-face-to-face financial transactions have taken the lead, card companies are also strengthening their platforms and building open platforms to respond to big tech companies. swIDch’s OTAC Device Authentication Token guarantees user convenience, cost-effectiveness, and security at the same time.

The OTAC Device Authentication Token automatically generates and verifies, in the background, OTAC dynamic authentication codes that include transaction interworking data, session information, and device information. This reduces unnecessary user authentication steps and extends the sessions between financial service apps and servers through OTAC verification, which eliminates the inconvenience of frequent logouts and re-logins. It therefore not only reduces operational cost by shortening the verification time compared with a communication-based token server, but also supports an environment in which users can make convenient payments even when offline.

In addition, it can be used together with the fraud detection system (FDS) used by many financial companies to further enhance security, and it can be used as a substitute for the function of FDS. swIDch is helping B Pay to provide more optimized services by protecting A-Card from hacking attempts that impersonate users through other devices.

Why swIDch

OTAC, developed by swIDch, is the original technology that provides all of the following features, tested and substantiated by the University of Surrey technical report:

DYNAMIC CODE that is sufficient to IDENTIFY user
Single-step IDENTIFICATION and AUTHENTICATION
Uni-directional authentication in off-the-network environment

Single-step identification and authentication with the code alone. Include our biometric option and get single-step MFA. Vastly improved UX by removing steps.

OTAC is a dynamic code, which means the code is constantly changing. Eliminates all use of static information. Forget usernames and passwords forever. Vastly reduced workload for IT helpdesks. 

No network connection required for generating OTAC, enabling uninterrupted use no matter where you are. No more waiting for additional tokens/OTPs and no need for heavy public key infrastructure (PKI). 

 

Highly configurable code parameters and a lightweight SDK/applet mean a wide range of deployment options on many devices across multiple sectors.