Customers: VTB 24 Moscow; Financial services, investments and audit
Contractors: CompuTel
Product: Gemalto Ezio Mobile
Project date: 2016/09 - 2016/12
2017: VTB begins confirming mobile application transactions by fingerprint
On January 18, 2017, VTB Bank announced that clients would be able to confirm transactions from the mobile application with a fingerprint. According to the bank's press service, this method of confirmation is not yet in use at any bank in the world.
The bank considers this method of confirmation more reliable than sending an SMS with a one-time code, which can be intercepted[1].
Fingerprint identification will begin operating as a pilot project in January 2017. Full-scale rollout is planned for February 2017, when the updated application will appear in the App Store and Google Play. The feature is a development of the technology used in VTB Bank's Mobile Bank for individuals. The pilot's test audience will consist of bank employees, several dozen people.
VTB claimed to be the first in the world to offer transaction confirmation by fingerprint. A similar system, which uses a unique key stored only in the smartphone's memory but no fingerprint, was developed by Gemalto and is used by the European bank BNP Paribas. The solution is called Ezio Mobile Protector.
The fingerprint transaction confirmation service will be implemented in the so-called "big" VTB.
Confirmation of transactions by fingerprint should not be confused with the biometric user identification by video and voice that already works at VTB 24. VTB's functionality, built directly into the Mobile Bank application, lets clients confirm transactions, whereas VTB 24 so far allows clients only to prove their identity biometrically when logging in to the mobile application, and its method of confirming transactions remains traditional.
During authentication, the client starts the application on the smartphone, and the application sends a request to the mobile authentication application (MAA) cryptographic library. The user enters a passcode; MAA decrypts the authentication application's key, calculates a set of cryptograms, and then creates a CAP token.
MAA then diversifies the session keys that will be used to set up the protected connection between the application and the authentication system's server. Next, the application on the smartphone sends the CAP token it created to the authentication system. The authentication system performs its own cryptogram calculations and compares the received CAP token value with the one it calculated. After that, authentication is considered complete and the protected connection is established.
To confirm a transaction, the authentication system sends an encrypted command to MAA. MAA displays the transaction details on a protected one-time form and asks the client to confirm them with the passcode known only to the client. Using the passcode entered, MAA decrypts the application's authentication key, calculates the cryptogram and, using the critical transaction data (TDS), creates the CAP token. The application sends the encrypted token value to the authentication system, which performs its own calculations and compares the received value with the calculated one. If the values match, the transaction is recognized as valid.
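The confirmation flow above, as an added sketch that is not Gemalto's or VTB's code: HMAC-SHA256, PBKDF2, the XOR key wrap and the counter are stand-ins chosen for illustration, not the CAP algorithm, and all values are constructed. It shows why a token computed over the transaction data fails server-side comparison when the amount is altered, the passcode is wrong, or the token is reused.

```python
import hashlib
import hmac
import os


def _kek(passcode: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the passcode (assumed KDF parameters).
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000, dklen=32)


def wrap_key(key: bytes, passcode: str, salt: bytes) -> bytes:
    # XOR wrap: stand-in for the real key encryption. It has no integrity
    # check, so a wrong passcode yields a wrong key, not an error on the device.
    return bytes(a ^ b for a, b in zip(key, _kek(passcode, salt)))


unwrap_key = wrap_key  # XOR is its own inverse


def make_token(key: bytes, counter: int, tds: dict) -> str:
    # Token over a counter plus canonicalised transaction data (the "TDS").
    canon = "|".join(f"{k}={tds[k]}" for k in sorted(tds)).encode()
    mac = hmac.new(key, counter.to_bytes(8, "big") + canon, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % 10**8
    return f"{code:08d}"


def server_verify(key: bytes, counter: int, tds: dict, token: str) -> bool:
    # Server recomputes from its own key copy and the data it will execute,
    # then compares in constant time.
    return hmac.compare_digest(make_token(key, counter, tds), token)


def demo() -> dict:
    device_key, salt = os.urandom(32), os.urandom(16)  # constructed enrolment
    stored = wrap_key(device_key, "4821", salt)         # what the phone keeps
    tx = {"to": "ACCT-EXAMPLE-1", "amount": "150.00", "cur": "RUB"}
    token = make_token(unwrap_key(stored, "4821", salt), 7, tx)
    bad_pin = make_token(unwrap_key(stored, "0000", salt), 7, tx)
    return {
        "valid": server_verify(device_key, 7, tx, token),
        "tampered": server_verify(device_key, 7, {**tx, "amount": "9150.00"}, token),
        "wrong_passcode": server_verify(device_key, 7, tx, bad_pin),
        "replayed": server_verify(device_key, 8, tx, token),
    }


if __name__ == "__main__":
    print(demo())
```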
2016
At the beginning of summer 2016, Gemalto began supplying VTB 24 with Ezio Mobile Protector, a protected mobile application that generates one-time codes (One Time Passwords, OTPs) for confirming transactions in remote banking channels through a smartphone application. VTB 24, a leading player in the Russian banking services market, carried out this implementation in cooperation with the Russian system integrator CompuTel.
VTB 24, which has more than one thousand offices in 72 regions of Russia, brought this service into commercial operation in March 2016 under the name Token VTB 24 Online. It is available to individual clients in the VTB 24 Online system, and clients that are legal entities or sole proprietors will shortly be able to use it in the Bank-Client Online system.
VTB 24 clients only need to install the application on a smartphone or tablet running Android, iOS or Windows Phone and register it through the VTB 24 Online Internet bank. After that they can use the application to generate one-time codes anywhere in the world, at any time of day, without any additional devices. From VTB 24's point of view, implementing Ezio Mobile Protector will help eliminate the costs of SMS and PUSH message traffic and let clients perform Internet and mobile banking operations for higher amounts. In addition, the solution works in offline mode and requires neither cellular coverage nor an Internet connection, so the authentication service remains accessible even when the user is abroad.
With the Gemalto solution, VTB 24 will be able to use all the security features implemented in Ezio Mobile Protector, which provide comprehensive protection against the majority of the most sophisticated cyberthreats. Because one-time passwords are generated locally and there are several security levels, the solution is not exposed to such widespread attack types as SIM swap or SMS interception. The VTB 24 authentication center, integrated with Gemalto's Ezio Enrolment and Provisioning Server (EPS), guarantees protected remote registration of new mobile tokens and verifies one-time codes. Because the solution is scalable, the bank will be able to add further functions within Ezio Mobile Protector in the future, including support for QR codes and biometric authentication.