RubeanSign employs a forward-looking methodology that enables standard EMV contactless debit or credit cards to be used, in combination with NFC-capable smartphones, as a simple, convenient and highly secure authentication factor for a variety of use cases, such as online/mobile money transfers, person-to-person mobile payments and Out-of-Band (OOB) user authentication.
RubeanSign is also an effective replacement for the ‘CAP’ devices, also known as ‘PIN Sentry’ or ‘challenge-response’ devices, currently distributed by banks to their customers. It offers the same functionality but without the associated peripheral hardware device: it is a software-only solution delivered as a mobile app.
The card provides proof of its presence by digitally signing data with a secret key. The risk of a criminal using a transponder device to provoke a fraudulent signature from an unwitting victim’s card (unnoticed by its rightful owner) is eliminated through the system’s use of the card’s access-control facilities.
Ordinarily a card signature would be invoked by a PIN, entered on the phone and transmitted over NFC; however, this exposes the signature to phishing attacks. RubeanSign therefore invokes the signature directly from the card-issuing bank’s secure server. Before authorizing the card signature, the banking server first authenticates the user through a variety of methods that go beyond traditional ‘phone-centric’ methods such as fingerprint or PIN; these include geo-location and detection of behavioural anomalies. If approved, the server authorizes the card signature by issuing an end-to-end encrypted token, which it transmits to the card via the phone.
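A toy model of the server-authorized signing flow just described, added here as an example and not Rubean’s own code: the card refuses to sign unless it receives a token that only the issuer’s server can produce, bound to the card, a counter and the specific transaction, so the phone (or a transponder held near an unwitting holder’s card) cannot provoke a signature by itself. The keys, the card identifier and the use of HMAC-SHA256 in place of the RSA/3DES signature are assumptions; the token encryption the page describes is omitted.

```python
import hashlib
import hmac

# Constructed toy keys: issuer server and card share K_AUTH (authorizes a
# signature) and K_SIGN (produces it, as in the symmetric 3DES case); the phone
# holds neither. HMAC-SHA256 stands in for the real signature and token MAC.
K_AUTH, K_SIGN, CARD_ID = b"\x11" * 32, b"\x22" * 32, b"card-0001"


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Card-side access control: sign only when the issuer's token checks out."""

    def __init__(self, card_id, k_auth, k_sign):
        self.card_id, self.k_auth, self.k_sign = card_id, k_auth, k_sign
        self.last_ctr = 0  # monotonic counter defeats replay of a captured token

    def sign(self, tx_hash, token):
        ctr_bytes, mac = token[:4], token[4:]
        # The token is bound to this card, this counter value and this transaction
        if not hmac.compare_digest(mac, _mac(self.k_auth, self.card_id + ctr_bytes + tx_hash)):
            return None  # forged, altered or re-targeted token: refuse to sign
        ctr = int.from_bytes(ctr_bytes, "big")
        if ctr <= self.last_ctr:
            return None  # replayed token: refuse to sign
        self.last_ctr = ctr
        return _mac(self.k_sign, tx_hash)


class IssuerServer:
    def __init__(self, k_auth, k_sign):
        self.k_auth, self.k_sign, self.counters = k_auth, k_sign, {}

    def authorize(self, card_id, tx_hash, user_verified):
        """Issue a token only after server-side user authentication succeeds."""
        if not user_verified:
            return None
        self.counters[card_id] = self.counters.get(card_id, 0) + 1
        ctr_bytes = self.counters[card_id].to_bytes(4, "big")
        return ctr_bytes + _mac(self.k_auth, card_id + ctr_bytes + tx_hash)

    def verify_signature(self, tx_hash, sig):
        return sig is not None and hmac.compare_digest(sig, _mac(self.k_sign, tx_hash))


def phone_relay(server, card, tx, user_verified):
    """The phone only hashes the transaction and relays opaque messages."""
    tx_hash = hashlib.sha256(tx).digest()
    token = server.authorize(card.card_id, tx_hash, user_verified)
    return token is not None and server.verify_signature(tx_hash, card.sign(tx_hash, token))
```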
RubeanSign can be delivered as a standalone app, or as a component module within an app, for Android smartphones. It enables users to authorize a wide variety of mobile transactions originating from a PC, a laptop or the phone itself. The typical user journey follows this (configurable) path:
- User presses their (enrolled) finger on the phone’s biometric sensor (usually built into the phone’s “home” button as standard Android functionality), and then …
- Presses the appropriate (NFC-capable) debit or credit card to the back of the phone to digitally sign the transaction. The signature may be based on asymmetric RSA or symmetric 3DES keys.
In line with current cyber-crime prevention best practice, no card details are stored on the phone; all sensitive personal data is kept securely on the card. Not only is the process of holding a finger, then a card, on the phone simple for the user, it is also highly secure, offering would-be fraudsters a negligible attack surface.
Figure: The “user journey”, the steps to authorize a transaction. (1) The RubeanSign app library asks the customer to press a finger on the home button; (2) the customer then holds the card to the back of the phone; (3) the authorized transaction can be a PC, laptop or mobile money transfer, an e-commerce payment or IDaaS.
The target customer for RubeanSign is typically a card-issuing bank whose mobile banking app would be extended with the RubeanSign SDK library.
End users need to have:
- An Android phone* and
- A standard EMV contactless debit or credit card**
* Currently accounts for approx. 75% of the smartphone user base in the UK, Germany, France, Italy and Spain.
** Currently accounts for approx. 60 to 70% of debit cards in the UK and France, and within one year also in Germany.
The new benchmark for on-card authentication
This authentication methodology is new and unique to Rubean. Through the addition of a simple on-card signature application (cardlet), RubeanSign will work with new-generation EMV cards.
- Easy to use: The use of fingerprint biometrics and the concept of contactless cards are both familiar and trusted by users. They are simple to use and highly secure when used in combination.
- For all Android phones: The RubeanSign library is protected by white-box cryptography and is designed as a white-labelled component that can be added to (and invoked by) an established master app, e.g. a mobile banking app.
- Multi-factor: PSD2-compliant strong multi-factor user authentication provides two independent authentication factors:
  - First: biometrics (or alternatively knowledge, e.g. a PIN)
  - Second: possession of the correct card
- Highly secure: The electronic signature on the NFC card provides optimal security. The mobile phone is generally regarded as a vulnerable device; RubeanSign therefore restricts its role to collecting the biometric (or PIN) and relaying previously encrypted messages between server and card. User authentication is undertaken on the server side, offering a further level of security and fraud protection, away from the phone.
- All on the card: In line with GDPR and current cyber-security best practice, no sensitive customer or financial details are stored on the phone; all data remains securely on the card.