Blog(eng)

[Case Study] DOKU e-wallet

Written by SSenStone | Nov 4, 2022 1:01:57 AM

The 'Doku e-Wallet' service provided by Doku, an Indonesian payment gateway (PG) is Indonesia's representative electronic wallet payment service with more than 2.5 million active users. By supplying OTAC Dynamic Token to Doku's e-wallet service, SSenStone is supporting consumers to stably and safely use the service without any inconvenience even in off-the-network environments.

● Challenges

Doku is liable for personal information leakage problems caused by 2D barcodes or QR codes that use fixed values including card-not-present (CNP) fraud using fixed card numbers, even when personal card information is not exposed, lost, or stolen. A more secure authentication method was needed to respond to financial crimes such as fraudulent use following the BIN Attack, which randomly generates card numbers according to certain rules and finds valid card numbers. In addition, since most token payment methods based on two-way communication cause payment errors due to unstable communication networks, an authentication method that can provide stable services even in poor communication environments was required.

 

Solutions

SSenStone has provided a safe and convenient electronic payment authentication process to DOKU by using its own OTAC (One-Time Authentication Code) algorithm, a one-way dynamic authentication method, to block the possibility of fraudulent use due to personal information leakage, and allowing users to directly create tokens even when there is no communication network.

The OTAC Dynamic Token provided by SSeStone to Doku generates a non-overlapping dynamic code even in an offline environment where the communication network is unstable or there is no connection at all without the help of additional infrastructure. The authentication code generated in this way replaces ID/PW and card numbers based on fixed values. The OTAC Dynamic Token applied to Doku’s e-Wallet consists of ‘OTAC Dynamic PAN’, a token for payment, and ‘OTAC Device Authentication Token’, a token for device authentication.

OTAC Dynamic PAN is a one-time dynamic card number created based on the OTAC algorithm. It can be issued and registered in the same way as the existing payment process and can be used even if communication with the server is restricted. In the e-wallet payment approval method using existing tokens, when a token is requested from a token service provider for e-wallet mobile payment, a payment token is provided rather than an actual card number. The user then receives the token, presents it to the store, shop, and/or POS, and payment is made. OTAC Dynamic PAN does not require a user to request a payment token from a token provider, it simply creates a payment token directly on the user's device that has already been applied with OTAC to be presented for payment. In this way, there is no need to make a separate request to the server, meaning user convenience is further improved.

 

 

The OTAC Device Authentication Token, periodically transmits a dynamic code valid only at the present time from the user device to the financial institution server, so that access from a normal customer device can be verified only by one-way verification of the received dynamic code. In addition, it provides a unique value for generating a unique dynamic authentication code only in the user's device when the user signs up for or registers the app and safely stores the unique value in the device. As a result, login session extensions can be easily performed with OTAC device authentication, enabling a stable payment process. Also, it can be extended and used as a function of a fraud detection system (FDS) that blocks hackers' attempts to attack through other terminals.

 

 

● Expected Effects

SSenStone ensures a foundation for Doku to provide a stable, convenient and safer electronic wallet service without any impact even in Indonesia's isolated islands and mountainous areas where the communication network is rather poor. Doku's e-wallet users utilize payment tokens generated on their mobile devices to enjoy convenient and safe services not only in online shopping but also in offline stores.

Through the introduction of OTAC Dynamic Token, Doku was able to significantly reduce the initial deployment cost as well as the operating cost. OTAC Dynamic PAN can be easily applied to the existing payment infrastructure through OTAC matching with the user's mobile device and token server. In addition, when using offline, tokens are generated directly on the user's device, minimizing network traffic between existing users and token servers.

Thanks to its convenient usability and stable service, it is also helping to increase customer loyalty. Doku e-Wallet users can make payments in offline mode even in an environment where the network is not stable as long as they have authenticated the local user of their device in advance. This can be utilized by supplementing the shortcomings of communication-based tokens, contributing to preventing customer churn due to network instability during payment.

OTAC Device Authentication Token can be used as a function of (FDS) that blocks hackers from attacks through other terminals, as well as extending the login session between financial service apps and servers through OTAC verification. It resolves inconveniences caused by frequent logout and re-login when using the financial company app.