If you transfer a large sum at once or request sensitive financial information, most global banks ask you to verify your identity by entering a mobile one-time password (OTP) generated by a mobile banking app, providing your biometric information via your smartphone, or typing a registered PIN code. These kinds of two-factor authentication (2FA) processes are convenient and are popular with both financial service firms and their users. In fact, most users trust in the convenience and ‘security’ of this method, as they don’t need to carry a physical authentication device with them to authenticate themselves. However, are we entirely free of cyber-attack concerns just because we are verified twice?
Here are some examples of why these worries remain:
In South Korea, a SIM swapping incident raised the alarm about authentication that operates on smartphones only. Criminals copied the SIM card of a victim’s smartphone via hacking and bought a new smartphone in the victim's name by having a new SIM card issued with the victim's stolen personal information, resulting in damage to victims' financial assets.
In the quest to reduce the reliance on smartphones for authentication and to protect users from the risk of phishing, card tapping mobile OTP currently stands out the most. When a physical card with mobile OTP is tapped on a smartphone with a near field communication (NFC) function, dynamic codes are generated for user authentication. It provides not only strong security, since user authentication is possible only with the user's own smartphone and payment card, but also great convenience, because there is no need to carry another authentication device.
Card tapping authentication was proposed as a simple authentication method in the early stages of fintech. Some credit card companies, banks, and e-commerce platforms have also provided pilot services. However, it failed to spread widely because the manufacturing cost of cards with NFC was very high, and consumers also wanted to use their smartphones like a universal key.
But now, almost all smartphones support NFC, a majority of newly issued payment cards are equipped with NFC by default, regulations for simple authentication have been improved, and consumers' awareness of cyber security has increased significantly. In other words, there is no reason not to use the convenient and secure 'card tapping mobile OTP'.
There are still a few people who expect that mobile payment apps will replace the physical card and that card tapping authentication will therefore be limited.
However, even now when payment apps have become commonplace, the average number of credit cards held per person in the UK is 1.7 and in the USA is 4. If we include non-payment cards, such as access cards and employee IDs, the average number of physical cards per person is 3.5. In addition, the mobile app card cannot be used if the smartphone battery is dead or the network is poor or unavailable, meaning physical cards still serve a purpose despite the convenience of paying via mobile app.
There is no reason for financial institutions to discourage customers from using physical cards. If they can add features such as identity verification for financial transactions, employee ID, digital door access pass, and web login token to their payment card, not only can they attract more customers, but they can also collect more customer data. In the era of big data, collecting such diverse customer behavior data will be the key to unlocking new business opportunities.
Card companies may be concerned that card manufacturing costs will increase when multiple functions are integrated into one card. However, if they can expect a number of new customers or an increase in payment card usage with a multi-function payment card, they may welcome the card that enhances customer convenience and secures financial transactions.
Toss Bank, a Korean bank with 21 million customers, is a representative example of the versatility of card tapping mobile OTP. For easy and reliable financial services, Toss Bank boldly introduced card tapping mobile OTP into its own financial service authentication process, such as large remittance services.
Toss Bank's choice is a switch OTP based on swIDch's OTAC (One-Time Authentication Code) technology that provides a one-time dynamic code that cannot be reused. By embedding the OTAC algorithm in an IC chip in Toss Bank's debit card in the form of an applet, swIDch has simplified the authentication process so that Toss Bank users can authenticate themselves by simply tapping the debit card to their mobile phone. In addition, by having the OTAC applet use the unique value of the IC chip as a code generation seed, cyber threats caused by card duplication are also completely blocked. This allows Toss Bank to level up user convenience and security at the same time.