Comarch Transaction Protection - tPro Mobile

tPro Mobile is a mobile platform supporting strong user authentication and transaction authorization in accordance with the PSD2 directive. It consists of an external application and development libraries to be integrated with the existing products.

Its security mechanisms, based on strong cryptography, along with internal mechanisms analyzing the platform’s behavior ensure a high level of both security and convenience. tPro Mobile comes with a number of tools that make it difficult for third parties to launch an attack and intercept relevant data. Full OATH compatibility allows the application to be used as a second vector of authentication for services such as email and social networks.

tPro Mobile Overview

Authentication

The platform provides a wide range of authentication mechanisms, from traditional PIN codes up to fingerprint and face recognition authentication. With full OATH compatibility, tPro Mobile can be used as an additional component of 2FA authentication for critical resources such as email, administration panels, and social media. Using programming libraries that come with the platform, it is also possible to integrate tPro Mobile with the existing products quickly.

Authorization

What you see is what you sign – this, in short, is the principle the tPro Mobile platform builds upon. Its real-time threat detection mechanisms allow you to easily spot potentially dangerous factors such as configuration gaps and suspicious activities in the platform itself. Interactive data entry protects you against switching key transaction data, e.g. such as IBAN or transfer amount. The information on activities within the protected resources is delivered to you by means of a PUSH notification (instead of text message). The solution architecture along with the pairing procedure protect you from the platform being cloned and accessed by unauthorized third parties. The offline mode lets you generate the authorization code for transactions even if your device is out of range. Additionally, the tPro Mobile solution implements a number of mechanisms that hide information about the results of security-sensitive operations (such as entering a PIN code).

Proactive mode

In order to minimize the fraud risk, tPro Mobile comes with various transaction authorization variants. From a standard variant – which takes pressing a button – up to an interactive one where the user is asked to re-enter portions of critical data before confirming a transaction. Such a scenario allows the user to be involved in the process of transfer authorization so that potential anomalies can be detected before the actual money is sent. tPro Mobile can also store transactions offline by means of dynamically generated authorization code. Apart from strong cryptography, the user security is also ensured by a number of monitoring mechanisms detecting threats in real time.

Security

  • authentication using biometrics
  • face authentication with faceID (iPhone X)
  • fingerprint authentication with touchID
  • mechanisms for monitoring the internal state of the application
  • root detection
  • jailbrake detection
  • debugging detection
  • simulator mode detection
  • two-component pairing process (QR + SMS)
  • encrypted communication with the authentication server
  • elliptical curve cryptography

OATH compliance

tPro Mobile offers strong customer authentication and transaction authorization using the HOTP, TOTP and OCRA algorithms adopted by the Initiative for Open Authentication (OATH).

Comarch tpro Mobile features

tpro mobile

 L.p.

Feature name

Feature description

SDK

Application

 1.

Voice assistant

Leads you through the application using voice instructions

X

V

2.

Anti tampering

Detects suspicious activity in real time

V

V

3.

Strong cryptography

Protects user keys with strong cryptography algorithms when TPM is unavailable

V

V

4.

Secure storage

Uses dedicated hardware storage for critical data

V

V

5.

Device identification

Prevents spoofing with persistent identification

V

V

6.

Device binding

Links users to authorized devices

V

V

7.

ECC based secure channel

Encrypts communication to the end server by ECC cryptography

V

V

8.

WYSIWYS

What you see is what you sign 

X

V

9.

Face authentication

Authenticates with facial recognition

V

V

10.

Fingerprint authentication

Authorizations with fingerprint

V

V

11.

QR Code Support

Supports secure pairing via QR codes

V

V

12.

PUSH Notification

Uses push notifications instead of legacy technologies like text messages

X

V

13.

Transaction signing

Protects transaction data using strong cryptography

V

V

14.

Online/Offline mode

Allows user authentication and transactions authorization when mobile phone is offline

V

V

15.

Interactive mode

Requires retype part of IBAN and amount to protect against fraud

V

V

16.

PIN hint

Informs user in a secure way about potential mistake during PIN code type

X

V

17.

PIN brute force prevention

Attacker cannot distinguish if entered PIN is correct or wrong

X

V

Interested in reselling our mobile application?

Contact us and discover all the benefits of our tPro Partner Program.

Comarch Transaction Protection solutions