At present, mobile payment is a popular public service in the financial field, but its security issues keep emerging and the threats are becoming increasingly serious. This is mainly reflected in two aspects: first, mobile payment authentication relies on SMS verification codes; second, financial bills and password-reset hyperlinks are sent by plaintext email.
For the first security issue, the SMS verification code can be intercepted by a fake base station or by malware on the mobile phone, and the user loses money as a result. The SMS verification code has changed from an out-of-band authentication method in the PC Internet era to an in-band authentication method in the mobile Internet era, because the code is now delivered to the same device that performs the transaction. In this way, SMS verification completely loses the technical foundation that allowed it to serve as an authentication method. NIST SP 800-63B “Digital Identity Guidelines” states: “out-of-band authentication using the PSTN (SMS or voice) is deprecated, and is being considered for removal in the future editions of this guideline”.
For the second security issue, it is obvious that a financial bill or statement contains a great deal of sensitive and confidential information. Sent by plaintext email, it is very easy to steal illegally, and the bank user suffers property damage, which not only hurts the user but also causes irreparable loss to the reputation of the financial institution. Therefore, some banks use a plaintext email only to tell users to log in to the bank’s official website to view the bill safely, and some banks use social networks to send important bills. These are compromise methods.
A better solution is to send the verification code through encrypted email instead of SMS; to retrieve or reset account passwords by encrypted email; to send financial bills and statements to users in encrypted, digitally signed emails so that users can reliably distinguish genuine mail from fraudulent emails; and to provide online customer service by encrypted email.
How is an encrypted email sent? The financial system calls the MeSince® API to obtain the public key of the user’s encryption certificate; the system can then automatically encrypt the financial bill or statement, notifications and other service information and send them to the user as encrypted emails, ensuring the confidentiality of the user’s information.
The MeSince® API also provides an interface for checking whether a user’s email address is already using MeSince. If it is not, the API returns NO; the financial system then sends an unencrypted email informing the user how to download and install MeSince® in order to receive encrypted email, after which the system can send encrypted emails to that user.
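The lookup-then-encrypt flow described above, as an added example that is not MeSince’s code: it uses OpenSSL S/MIME with locally generated self-signed certificates as stand-ins for the bank’s signing identity and for the certificate the API would return, and a hypothetical `lookup_cert` directory in place of the real API call, which returns NO for unknown addresses.

```shell
#!/bin/sh
# Added example (not MeSince code): sign-then-encrypt a statement for a user
# whose certificate is on file, or fall back to an onboarding notice.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_cert NAME: self-signed RSA cert + key (stand-ins, constructed locally).
# -nodes leaves the private key unencrypted, acceptable for this demo only.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1" -days 1 >/dev/null 2>&1
}
make_cert bank   # the bank's signing identity
make_cert user   # the user's encryption certificate

# lookup_cert EMAIL: hypothetical stand-in for the API lookup; prints the
# certificate path, or NO when the address has no certificate (constructed).
lookup_cert() {
  case "$1" in
    user@example.com) echo user.crt ;;
    *) echo NO ;;
  esac
}

# send_statement EMAIL BODY: sign with the bank key so the user can verify
# the sender, then encrypt to the recipient's certificate. Prints "encrypted"
# or, when no certificate is on file, writes the onboarding notice and prints
# "plaintext". The resulting message is left in out.eml.
send_statement() {
  cert=$(lookup_cert "$1")
  if [ "$cert" = NO ]; then
    printf 'Subject: Install the client to receive encrypted statements\n' > out.eml
    echo plaintext
    return
  fi
  printf '%s\n' "$2" > body.txt
  openssl smime -sign -in body.txt -signer bank.crt -inkey bank.key -out signed.eml
  openssl smime -encrypt -aes256 -in signed.eml -out out.eml "$cert"
  echo encrypted
}

# verify_statement: the user's side. Decrypt with the user's private key,
# verify the bank's signature against the bank cert, print the body.
verify_statement() {
  openssl smime -decrypt -in out.eml -recip user.crt -inkey user.key -out signed.eml
  openssl smime -verify -in signed.eml -CAfile bank.crt -out body.txt >/dev/null 2>&1
  tr -d '\r' < body.txt   # S/MIME canonicalises line endings to CRLF
}
```

Because the signature is applied before encryption, a forged statement fails `verify_statement` even if the attacker obtained the user’s public certificate, which is exactly what the signed-and-encrypted bill is meant to guarantee.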
The MeSince APP is completely free and supports Windows, Android and iOS. By downloading and installing the MeSince APP, bank users can decrypt the encrypted emails delivered by the bank system within a few minutes, keeping bank information secure.
As shown in the following figure, MeSince maintains a global public key certificate database (CerDB). This enables the MeSince API to provide financial institutions with the encryption certificate public key for every email address, so the financial system can seamlessly send encrypted notification emails to all users.
For more detail of this solution, please contact us.