Every digital financial market is unique. Within one and the same macro-region you will find many specifics that belong to particular countries. This is what I see clearly in the APAC region. Over the past few years I have spent at least 1/3 of each year in Indonesia, so I have found some very unique features here.
Being here I really feel very safe in my daily life: super friendly and hospitable people – not because of ethical norms, rules or anything else, but just by nature. Yet as secure as I feel in my day-to-day activities, I feel totally insecure when I talk to local digital and security teams.
Obviously, the mobile banking channel is the most popular here, although it is still well integrated with web-banking tools. One of the most popular methods of protecting the mobile bank, as I found out, is MPIN, the mobile PIN code. And frankly, it is neither convenient nor safe.
From a legal perspective, OJK – the local regulator of the banking sector in Indonesia – requires two-factor authentication to log in to banking apps or to perform mobile banking operations. Following the general approach to strong client authentication, OJK allows any combination of factors: something you know, something you have and something you are. In the internet banking experience it is easy to introduce soft tokens as a confirmation tool, but this is hardly applicable to a mobile-centric approach. Therefore, banks mostly use a combination of mPIN (“something you know”) and Touch ID/Face ID (“something you are”). Legally, this authentication tool complies with the local regulatory requirement. But let’s look at the technical side of this approach.
What is MPIN?
In fact, it’s just a static password. At first glance, this method seems to be the simplest and cheapest from many points of view. But in fact, as soon as the bank starts offering MPIN, the security team of the bank has to think about how to protect these passwords: from internal fraud, from direct attacks on the bank’s servers, from any type of spyware that can be installed on the client side, and from phishing links distributed through SMS or messengers. The security team will accordingly request budget for an HSM (hardware security module) to authenticate such MPINs in a tamper-resistant manner. In other words, mPIN is the cheapest option only if you don’t want to know anything about the hidden costs.
At the same time, if a critical operation such as changing the password – which should be part of routine security hygiene – is confirmed with an SMS OTP, the bank has to be honest with itself: its customers are at risk, because in this case it is quite easy to hijack such an OTP and take over the account using the stolen credentials.
“Protection Amulet”
Many banks prefer a no-change position combined with “security talismans” – large billboards with banners saying “don’t share your credentials or OTP code with anyone”. But in 2023, when according to a Gartner report there are more than 200 authentication solution developers globally, such a situation looks more like a shift of responsibility – as if the bank’s customers have to take care of security on their own. The “amulet” no longer works for them.
“Amulets” also do not work against intrusion into the communication channel between the bank and the banking app, nor against transaction details being changed in the background – and the bank cannot guarantee the integrity and non-repudiation of the mPIN exchange either.
mPIN UX
Apart from the security risks, there is one thing about MPIN that I personally don’t like: the annoying requirement to input this password every time the client performs an operation through the app. Basically, it takes about 10-15 seconds to log in to the app when you use static passwords and Touch ID.
In Indonesia with a large number of alternative payment solutions, banks must be strong to win the competition for everyday payments.
Ok, then what is the solution?
You may ask this question, and I will try to answer it without adding anything. The solution lies in rethinking security, or at least in giving serious consideration to a new passwordless authentication approach: based on cryptographic algorithms, with strong binding to the device and to the transaction details. Security should be strong but invisible to the client.
Imagine if it were possible to authenticate customers with a security key that they don’t even need to remember, but can activate with just a fingerprint on a specific device. What if security teams could help the digital teams reduce verification time from 10-15 seconds to 2 seconds? All this is real and already works.
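The device-bound, transaction-bound confirmation described above, as an added illustration (not code from the original post or from any bank’s product): the phone holds an ECDSA P-256 key that the fingerprint unlocks, the server issues a single-use nonce, the app signs the nonce together with the transaction details the user approved, and the server verifies that signature against the details it is about to execute. The type names, the transaction-string format and the 16-byte nonce are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Device: key pair created on the phone at enrollment; the private key never leaves it.
type Device struct{ priv *ecdsa.PrivateKey }
// Server: stores only the registered public key plus the not-yet-used nonces.
type Server struct {
	pub    *ecdsa.PublicKey
	nonces map[string]bool
}
// Enroll generates the device key and registers its public half with the server.
func Enroll() (*Device, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv}, &Server{&priv.PublicKey, map[string]bool{}}, nil
}
// Challenge issues a fresh single-use nonce for one transaction.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[string(nonce)] = true
	return nonce, nil
}
// digest binds the fixed-length nonce to the canonical transaction details.
func digest(nonce []byte, tx string) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), tx...))
	return h[:]
}
// Confirm (on the device, after fingerprint unlock) signs the nonce plus the details the user approved.
func (d *Device) Confirm(nonce []byte, tx string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(nonce, tx))
}
// Verify accepts a signature only over the details the server will execute; the nonce is burned so the same approval cannot be replayed.
func (s *Server) Verify(nonce []byte, tx string, sig []byte) bool {
	if !s.nonces[string(nonce)] {
		return false
	}
	delete(s.nonces, string(nonce))
	return ecdsa.VerifyASN1(s.pub, digest(nonce, tx), sig)
}
```

Because the signature covers exactly what the user saw, a change to the amount or beneficiary made in the background after approval fails verification, and the burned nonce stops the same confirmation from being replayed.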