'A-Card' bank (name redacted to protect identity), one of the largest credit card companies in Korea, ended its A-Card app service on August 31, 2022, and integrated the existing app service into its own 'B Pay' app from September 1. A-Card's 'B Pay', which has over 5M monthly active users (MAU) as of the end of January 2023, is a payment service that can be used conveniently without a physical card, both online and offline, through various payment methods including barcode, QR code, magnetic secure transmission (MST), and near field communication (NFC). SSenStone's OTAC Device Authentication Token, applied to B Pay, dramatically reduces unnecessary payment authentication steps, which improves the convenience of using the B Pay app, and enhances security by blocking hacking attempts to control customer devices through other terminals.
● Challenges
Because A-Card's 'B Pay' app had to meet the security level set by financial supervisory authorities such as the Credit Finance Association and the Financial Supervisory Service, its authentication process was more complicated than that of fintech companies that go through only the minimum security process. Frequent card registration authentication was also inconvenient for users. The existing authentication process required at least two steps at the time of payment, and customer churn occurred during this process. In addition, it was necessary to prevent the use of abnormal methods by verifying the transaction interlocking data at the time of payment. Above all, the slow app speed caused by frequent authentication procedures also needed to be resolved. The OTAC Device Authentication Token, built on SSenStone's OTAC (One-Time Authentication Code) technology, was proposed as a solution to these challenges.
● Solutions
The OTAC Device Authentication Token applied to A-Card's B Pay app periodically transmits a dynamic authentication code, valid only at the present time, from the user's device to the financial institution's server, so that the server checks unidirectionally whether a normal customer's device is accessing it. The device is confirmed solely by verifying the received OTAC.
When a user signs up for or registers an app, the OTAC Device Authentication Token securely provides a unique value for generating a dynamic authentication code (OTAC) that can be used only on that user's device, and safely stores the unique value on the device. The OTAC generation module installed in the user's app safely stores the unique value for generating dynamic codes on the user's device, and generates and transmits a valid dynamic code at every point in time. Meanwhile, the OTAC verification module loaded on the financial service company's server verifies the periodically transmitted OTAC and assigns a unique value to each user.
● Expected Effects
SSenStone significantly improved customer churn prevention and service availability by providing a basis for A-Card to streamline the device authentication process while enhancing service stability and the security level.
As the mobile financial environment has become common and non-face-to-face financial transactions have taken the lead, card companies are also strengthening their platforms and building open platforms to respond to big tech companies. SSenStone's OTAC Device Authentication Token guarantees user convenience, cost-effectiveness, and security at the same time.
OTAC Device Authentication Token automatically generates and verifies, in the background, OTAC dynamic authentication codes that include transaction interworking data, session information, and device information. This reduces unnecessary user authentication steps and extends the sessions between financial service apps and servers through OTAC verification, eliminating the inconvenience of frequent logouts and re-logins. As a result, it not only reduces operational cost by shortening verification time compared to a communication-based token server, but also supports an environment in which users can make convenient payments even offline.
In addition, it can be used together with the fraud detection system (FDS) used by many financial companies to further enhance security, and it can be used as a substitute for the function of FDS. SSenStone is helping B Pay provide more optimized services by protecting A-Card from hacking attempts that impersonate users through other devices.