PayControl

PayControl is an electronic signature solution in a smartphone that allows customers to confirm their transactions created in any digital channels (Internet banking, mobile banking, CNP operations, telephone banking (Private-bank) and others). It can work both as a separate application for a smartphone and be built directly into the mobile banking application.

PayControl provides the user with the opportunity to verify the correctness of the transaction data or electronic document and generate a signature regardless of the device used. No additional scratch cards or cryptocalculators. No dependence on the availability of cellular communication and delivery speed. SMS Using PayControl is no more difficult than calling from a mobile phone.

2024: Aurora OS support

SafeTech has added support for the domestic Aurora mobile operating system to its flagship PayControl product. The company announced this on January 18, 2024.

Support for Aurora OS in the PayControl platform allows, along with Android and iOS, to provide fast and safe confirmation of transactions in mobile applications and services operating in devices with a domestic OS.

There are credit organizations that have already released and plan to release mobile banking applications for Aurora OS in the near future. Therefore, we decided to release a version of PayControl for the Aurora OS so that banks could, even at the stage of developing a mobile bank for the OS, lay in it the ability to quickly and safely confirm transactions, and thereby take care of those of their clients who, at the duty of service or the behest of the heart, switched to this domestic OS, - said Daria Verestnikova, Commercial Director of SafeTech.

2022

PayControl GOST based on certified CIPZ CryptoPro CSP and JCP

On December 20, 2022, the company SafeTech announced that it had Cryptomissile defense expanded the capabilities of the flagship PayControl solution with the company. Now the solution works using and, certified CIPF CryptoPro CSP JCP which makes it possible to implement the formation and verification of enhanced unqualified electronic signature in accordance state with the standards GOST R 34.11-2012 and GOST R 34.10-2012.

The use of PayControl GOST will allow organizations to ensure maximum security of their digital channels and full compliance with the requirements of legislative bodies to confirm the will of users. The product allows you to solve the following problems:

• Ensuring Maximum Level [[Contactless Payment Security

.|security]] transactions to protect customers' funds;

• enabling customers to quickly and conveniently generate a signature using a mobile device;
• Minimizing financial costs compared to other transaction confirmation technologies
• compliance with the requirements of the regulator in terms of the use of an unqualified electronic signature for transactions.

The PayControl GOST mobile electronic signature is created by cryptographic transformations of the signed information (details of a specific financial transaction or electronic document) in combination with special characteristics of a specific smartphone.

Signing and confirming operations takes place with one touch of the screen. PayControl GOST allows you to most effectively resist the most common fraudulent schemes: interception of one-time confirmation codes in SMS and PUSH, use of malicious software on computers and mobile devices, social engineering and phishing.

The solution is designed to radically improve the security of digital channels and develop secure remote banking services. PayControl GOST greatly simplifies the user experience by transforming a mobile device into an analogue of a USB token with a screen. The solution allows you to confirm a request for bank transactions, perform a multifactor authentication procedure, create and sign electronic documents, record the facts of receipt and/or familiarization with opredelyonnoy̆ information.

SafeTech is trying to provide the market with current solutions both from the technological side and from the side of compliance with legislative trends. The use of CryptoPro certified CIPSI in PayControl GOST makes it possible to massively use not only a simple, but also an unqualified signature in mobile banking. The release of PayControl GOST will undoubtedly become one of the most significant events of 2023 in the field of protecting bank payments from fraud and fraud and will bring remote channels to a fundamentally different level of security, noted Daria Verestnikova, commercial director of SafeTech.

The transition of PayControl, which has proven itself to be an effective solution for ensuring the security of banking operations, to the trusted cryptographic core of CryptoPro, makes it a truly advanced tool for protecting customers' funds. This joint solution will ensure the maximum security and convenience of remote banking services both for customers and for the banks themselves, said Stanislav Smyshlyaev, Deputy General Director of CryptoPro.

Patent of the Eurasian Patent Office for the technology of confirming user operations in digital channels

The company, SafeTech, Skolkovo resident received a patent for Eurasian Patent Office the technology of confirming user operations in digital channels. It is at the heart of the platform mobile authentications electronic signature and PayControl. This was announced on December 12, 2022 by the press service. Skolkovo Foundation

Illustration: mavink.com

SafeTech transferred the electronic signature to a mobile phone, creating an analogue of a USB token. The PayControl mobile electronic signature is created by cryptographic transformations of the signed information (details of a specific financial transaction or electronic document) in combination with the characteristics of a specific smartphone.

SafeTech is an example of an innovative company that combines the high level of security and convenience of its solutions. For the digital economy, first of all, it is necessary to switch to electronic document management and digital signatures, this is what SafeTech helps with, noted Pavel Novikov, director of the center for innovation in the financial sector of the Skolkovo Foundation's IT cluster.

PayControl allows companies and their customers to confirm a request for bank transactions, conduct customer hosting and multifactor authentication, create and sign electronic documents, record the facts of receiving or familiarizing themselves with certain information.

This patent is another confirmation of the company's focus on developing its own technologies, and not borrowing existing ones. This is not only recognition of the results of many years of work, but also confirmation of the team's competencies. Great efforts are being made to enable partners and customers to use the products to grow their business, said Denis Kalemberg, CEO and co-founder of SafeTech.

SafeTech technology is designed to develop secure remote banking and dramatically improve the security of digital channels, be it mobile and Internet banks or other digital channels where additional authentication is needed. It uses algorithms that protect any user operations by counteracting fraudulent schemes: intercepting one-time confirmation codes in SMS and push notifications, using malicious software on computers and mobile devices, social engineering and phishing.

2020

Integration with Avanpost FAM and Avanpost Web SSO

Avanpost's products for user authentication in corporate resources (Avanpost FAM) and external applications (Avanpost Web SSO) have expanded the range of available authentication factors through integration with the PayControl mobile electronic signature platform. This became known on December 22, 2020.

Now in Avanpost FAM and Avanpost Web SSO, when logging Windows VPN into and Windows RDP, along with push notifications messengers , confirmation of authentication through mobile application PayControl is available. This method is also applicable to other systems (web, desktop and RADIUS) that connect to Avanpost FAM and Avanpost Web SSO and require the delivery of an authentication factor over an alternative channel. communications A complete solution significantly improves user experience multifactor authentication.

The PayControl app is available for installation from the App Store and Google Play on iOS and Android devices. PayControl is ready to be placed in an on-premium infrastructure, so it can be easily integrated into the IT landscape of any organization.

Integration into the mobile application "MINnBank Business Online"

PJSC "Moscow Industrial Bank" (PJSC "MInBank") integrates the PayControl technology into the mobile application of remote banking systems (RBS) for corporate clients of "MInBank Business Online." The bank announced this on November 30, 2020. Read more here.

PayControl v5 compliance OUD4

On October 27, 2020, SafeTech announced that the PayControl Software Package version v5 received positive vulnerability analysis results for the requirements for the fourth assessment level of trust (OUD 4) in accordance with the requirements of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013.

Analysis of vulnerabilities in application software of automated systems and applications of credit and non-bank financial institutions is provided for by Bank of Russia Regulations No. 382-P, No. 683-P and No. 684-P. This analysis is mandatory and is carried out in accordance with the requirements of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013.

The passage of the PayControl software, designed to confirm transactions in remote banking systems and sign electronic documents, the necessary vulnerability analysis procedure, will allow SafeTech partners and customers who have implemented PayControl to significantly simplify the mandatory analysis of their application systems. Now domestic banks and developers of RBS systems during the analysis of vulnerabilities in their developments will receive a full set of documents confirming that the integrated PayControl software complex has already passed the necessary analysis and will reduce the volume of their own tests. Thus, financial institutions will receive additional advantages when choosing PayControl.

The purpose of analyzing the vulnerabilities of the PayControl software complex in accordance with the requirements of DMA 4 was to comprehensively check the security level of the solution as a whole. The study, which includes documentation analysis, architecture and solution components, static and dynamic source code analysis, and penetration testing, assesses software quality, "said Denis Kalemberg, CEO of SafeTech. - In addition, the vulnerability analysis procedure was carried out to help our partners and customers in the process of analyzing their own application system according to the requirements of DMA 4. And we are glad that in addition to a comprehensively tested and safe solution, we can offer banks and developers of RBS to reduce the cost of mandatory research of software of automated systems.

As part of Abanking and SafeTech's Paperless Office joint solution

Companies Abanking and, SafeTech residents, Skolkovo Foundation Information Technology Cluster presented a solution -. This was "Paperless Office" announced on July 17, 2020 by it Skolkovo Foundation In is based on digital service technologies from Abanking and a software package for user confirmation of operations in the system () remote banking service and from RBS electronic document management SafeTech. More. here

PayControl Inform Model

PayControl Inform is a PayControl solution module that provides PUSH messages to customers of application systems and services with subsequent control of their delivery to mobile devices, and, in case of failed delivery, duplication of the same message through an SMS gateway.

With the increasing number of Internet banking users and the number of mobile payments, financial institutions and service providers are faced with the need to promptly inform their customers in a mass manner with control over the delivery of messages to users' mobile devices. Previously, SMS messages were used to solve this problem, but currently a more reliable and effective alternative was required. On the one hand, SMS messages have ceased to meet increased security requirements - the means of interception and substitution of messages available to attackers have been significantly developed, and on the other hand, the protocols themselves used in sending SMS messages were not originally intended to transmit confidential information and are currently compromised. In addition, the cost of using an SMS channel to inform customers with an increase in the number of users and mobile payments has become quite noticeable for small banks and service providers and is not always available.

2019: Integration with Group-IB Secure Bank to protect against financial fraud

On October 9, 2019, Group-IB and SafeTech proposed an approach to protecting financial transactions in remote banking systems based on a real-time risk assessment of a user session. The combination of SafeTech PayControl and Group-IB Secure Bank provides adaptive user authentication, electronic signature confirmation of transactions, and scoring of customer devices to detect signs of financial fraud and immediately respond to a suspicious event.

According to the developers, the integrated solution provides comprehensive and continuous protection for individuals and legal entities using remote banking systems, reduces the burden on the call center and anti-fraud systems of the bank, and also makes payment transactions convenient for users.

Group-IB Secure Bank conducts scoring, smartphone tablet or any other device from which the user logs mobile banking application into or into his personal account on the bank's website. In real time, the device "" it is scanned to identify signs of socio-technical, attacks cross-channel payment fraud, suspicious user behavior, attempts to steal, illegal use of accounts, data bank infection or trojans the presence of web injections.

In the process of signing a specific financial transaction, PayControl receives transaction data from the RBS system, and from Group-IB Secure Bank - the result of scoring, that is, an assessment of the risk level of transaction creation and signing sessions. Based on this data, PayControl "decides" how many factors to access the signature key to request from the user, and only after their entry signs the operation with a cryptographically strong electronic signature, which allows you to guarantee the authorship and invariability of the payment document.

"In the process of creating PayControl, we set ourselves the goal of ensuring the maximum possible level of security when performing any transactions in digital channels, without reducing the mobility and convenience of users. Integration with Group-IB Secure Bank made it possible to achieve an uncompromising combination of these indicators. Bank customers will either need to enter a password, or present TOUCH/FACE-ID, or an electronic signature under a trusted operation will be formed without any actions on the part of the user. Such adaptive authentication can minimize the wide range of security risks associated with all types of payments, while making the lives of bank customers easier, " noted' Daria Verestnikova, Commercial Director of SafeTech '

If a financial transaction raises suspicions at the level of session analysis (Secure Bank) or transaction analysis (anti-fraud system), PayControl will definitely ask for an additional factor for an electronic signature, for example, biometric confirmation or entering a PIN code. Execution of the transaction will be impossible if the device has not passed scoring and obvious signs of fraud have been identified. These capabilities are based on an automatic assessment of the risk level of user sessions, monitoring the state of the client device and a mobile electronic signature that controls the integrity and authorship of the confirmed document.

The developers of the integrated solution rely on ease of implementation: the bank receives a ready-made tool for assessing risks and electronic signing of specific financial sessions of users. Equally important is the reduction of the load on anti-fraud systems due to the absence of the need to compare disparate user transaction data from the system RBS and user device data and events related to payment. The advantages of adaptive payment confirmation also include a direct reduction in service costs (telecom operators costs SMS), savings due to the already implemented integration of systems with each other, on their technical support and operation.

"A joint solution with SafeTech allows banks to offer a ready-made solution not only to identify fraud, but also to respond in the process of signing the document. This functionality expands the possibilities of using Group-IB Secure Bank, since scoring is carried out in real time in all channels of communication between the client and the bank. For example, if a payment was initiated through remote control on a mobile device, then the signing of the transaction will be rejected on the basis of a socio-technical attack. This is an easy and convenient way for banks to protect their customers: no matter how many attempts to fraud with social engineering regarding a particular user, even if he believed a dummy "bank employee," technologically such an operation will be stopped by the bank, " noted Pavel Krylov, Head of Product Development at Group-IB's Secure Bank/Secure Portal

According to FinCERTBANK of Russia, the number of attempts at bank fraud is constantly growing. So, in 2018, the regulator recorded 6151 unauthorized transactions from the accounts of legal entities for a total of 1.469 billion rubles. At the same time, compared to the previous year, there was an increase in the number of attempts at theft by 631% (7.3 times). Almost half of the thefts (46% in 2018) occurred as a result of cybercriminals gaining access to RBS systems using malware and social engineering techniques.

2015: PayControl Description

The PayControl system was developed taking into account the requests and wishes of the information security services and business divisions of Russian banks. PayControl provides the user with the opportunity to verify the correctness of the transaction data and generate a confirmation code regardless of the computer used.

As of September 2015, the security of the solution is based on the best practices for building electronic document confirmation systems, combined with maximum usability for the Bank's client.

No additional scratch cards or cryptocalculators. No dependence on the availability of cellular communication and delivery speed. SMS Using PayControl is no more difficult than calling from a mobile phone.

The PayControl mobile app is

• visual inspection of the signed document of any format on a separate device - mobile phone
• generation of confirmation code "linked" to payment details
• independence from the presence of a cellular communication channel
• guaranteed notification of the client about the transaction being made

PayControl Security

• The document is created and confirmed on different devices
• the user sees the payment details on the phone screen and has the ability to check their correctness
• To carry out a successful attack, an attacker must gain access to both the client's computer and his mobile phone
• Securely communicate key information to the user
• the user has the opportunity to receive key information remotely, without visiting the Bank's office
• two independent communication channels are used to transmit key information to the user
• Non-predictability of transaction
• the transaction before confirmation shall be certified by a qualified electronic signature of the Bank
• the user not only confirms the payment details, but also "signs" in receipt of notification about the transaction

Convenience of PayControl

• no additional devices (tokens, password generators, scratch cards, etc.)
• automated transaction data entry (QR code)
• automated key information entry
• independence from cellular communication channels (work in roaming, outside the coverage area of ​ ​ operators, etc.)
• intuitive interface
• distribution through familiar app stores (Apple AppStore, Google Play)