Internet Banking

Comarch MobileID was designed to be used in internet banking systems. This is shown by two modes of work with the token as well as stress placed on all the security aspects of the solution. The token delivers a strong method of authentication which guarantees a high level of security. It also allows for a significant decrease in costs of the transaction authentication and authorization in internet retail banking services.

Comarch MobileID is designed to easily replace the currently popular methods of authorization and authentication in the banking sector by: text messages and physical tokens for oneoff passwords.

In comparison to common static and masked passwords, ComarchID allows a significant increase in the level of security, owing to two user identification factors. The application on the mobile phone answers for the factor “that which the user has” and the PIN to the application answers for the factor “that which the user knows.” As a result of the shift from masked passwords to Comarch MobileID, the end user gets a more user friendly method of authorization and authentication.

In typical implementations of internet banking, Comarch MobileID may be used in the login process as well as for the authorization of transactions. In the authentication process, the user submits the login as well as a oneoff password generated by the token. When logging in the code generation mode is based on time. Comarch MobileID generates a oneoff password every minute, depending on the unique cryptographic value hidden in the application, the PIN given by the user and the current time. Such a mechanism guarantees a high level of security even if the application was stolen together with the mobile phone. The thief would have to know the PIN in order to generate the right oneoff code. The value of the PIN is not stored in the application in any way and is verified solely on the side of the internet system (the user when entering the PIN, does not know that it is real), which makes the process of trying to gain the password using brute force significantly more difficult.

Authorization of the transactions carried out by the system is realized by the same application installed on the phone. In order to increase the level of safety, Comarch recommends using the second mode under which the token may operate, i.e. generating oneoff codes based on the challenge-response mechanism. In this model the user enters the details of the transaction and, based on this data, creates a character string, which should be entered into the Comarch MobileID application. The internet service indicates the data which should be entered to the token. This could be the last four digits of the bank account number, the value of the transfer, or another combination defined by the system. Based on this information Comarch MobileID generates a oneoff password (which also depends on the entered PIN and the unique cryptographic value hidden in the application), which the user enters in the internet service. Such a connection between the transaction details with the oneoff code guarantees that the transaction cannot be disputed and eliminates the possibility that the system is attacked by "a man inside", e.g. where the intruder uses the overheard password to authorize a false transaction. The service which verifies the oneoff password also carries out an operation which collects a character string based on transaction data and then checks whether they are correct compared to the value introduced by the user. If the values cannot be correctly verified this means that the transaction data was changed by an intruder or the authorization code was not generated using the Comarch MobileID application. Such an authorization mechanism increases the level of security for the transactional system.

Additionally, to increase user satisfaction and comfort, Comarch MobileID offers a transaction authorization using 2D QR codes. The option can be used for applications used on the iPhone platforms, Android as well as Windows Mobile. Based on the transaction details, entered by the user, a graphic QR code is generated. The application automatically, using a phone camera downloads transaction details and then presents them to the user. Then the user carries out a verification of the presented data with the original data and then enters a character string generated by the application, which is launched in the phone or a web page of the transactional service. This is how the transaction authorization is carried out. The character string created by the Comarch MobileID application, as in the case of the classic implementation of the challenge-response mechanism, is directly linked to data. One should underline that the operation used to find and download the QR code is easy and user friendly. The application launches the camera itself, identifies the code in the photo and takes the picture. The user only has to point the phone in the right direction.

The whole process was designed to be as intuitive as possible and relatively simple. Even users who are not very familiar with other methods of authorization than the password, will be able to handle it. Beyond this, the token can be graphically adapted to the needs of the bank and the internet service lauout.

Try MobileID live

Find out more about MobileID