Mobile Security

Mobile security challenges

In a nutshell, customer authentication and application protection come down to two main challenges:

  • Functional mobile customer authentication: make sure that a PIN code cannot be brute-forced, that a fingerprint cannot be spoofed and that face verification cannot be fooled by a static picture. Although most of these controls now depend on a reliable smartphone hardware implementation, hardware alone is not enough, and they still represent a security challenge.
  • Protection against software hacking: even with the best fingerprint scanner or face recognition, what if a hacker could modify the code to turn a {"authentication"="failure"} into a {"authentication"="success"}? This is the challenge that all security software faces: resisting attacks by highly skilled hackers with potentially unlimited resources. The issue is even bigger on a mobile device, as it is an open platform on which an attacker can have full access to all programs running on the device, including yours.
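Both challenges above are easier to see with a concrete verifier in hand. The following Python block is an added illustration written for this page, not Antelop code: a server-side PIN check that counts failed attempts and locks the account (the attempt limit and lockout duration are assumed values), hashes the PIN with a salted PBKDF2 so that a leaked store still resists offline guessing, and returns the result as an HMAC over the account and the relying party's challenge rather than as a boolean. A relying party that checks the assertion with the signing key cannot be fooled by a client that flips a local "failure" into "success", because the client never holds the key.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

MAX_ATTEMPTS = 5             # assumption: lock the account after 5 wrong PINs
LOCKOUT_SECONDS = 300        # assumption: keep it locked for 5 minutes
PBKDF2_ITERATIONS = 100_000  # slows offline guessing if the hash store leaks


class PinVerifier:
    """Constructed server-side PIN verifier (illustration, not Antelop's code)."""

    def __init__(self, signing_key: bytes) -> None:
        self._signing_key = signing_key          # never leaves the server
        self._accounts: Dict[str, dict] = {}     # in-memory store for the example

    def enroll(self, account_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[account_id] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS),
            "failures": 0,
            "locked_until": 0.0,
        }

    def _assertion(self, account_id: str, challenge: bytes) -> bytes:
        # The success token is bound to the account and to the caller's
        # fresh challenge, so a captured token cannot be replayed elsewhere.
        msg = b"auth-ok|" + account_id.encode() + b"|" + challenge
        return hmac.new(self._signing_key, msg, hashlib.sha256).digest()

    def verify(self, account_id: str, pin: str, challenge: bytes,
               now: Optional[float] = None) -> Optional[bytes]:
        """Return a signed assertion on success, None on failure or lockout."""
        now = time.time() if now is None else now
        acct = self._accounts.get(account_id)
        if acct is None or now < acct["locked_until"]:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct["salt"], PBKDF2_ITERATIONS)
        # Constant-time comparison: the check's timing must not leak how
        # close the guess was.
        if not hmac.compare_digest(candidate, acct["pin_hash"]):
            acct["failures"] += 1
            if acct["failures"] >= MAX_ATTEMPTS:
                acct["locked_until"] = now + LOCKOUT_SECONDS   # brute-force brake
            return None
        acct["failures"] = 0
        return self._assertion(account_id, challenge)

    def check_assertion(self, account_id: str, challenge: bytes, assertion: bytes) -> bool:
        """Relying-party side: only the key holder can validate a result."""
        return hmac.compare_digest(self._assertion(account_id, challenge), assertion)


if __name__ == "__main__":
    # Constructed sample run: one correct PIN, then five wrong ones lock the account.
    verifier = PinVerifier(b"constructed-signing-key")
    verifier.enroll("acct-1", "1234")
    challenge = secrets.token_bytes(16)
    token = verifier.verify("acct-1", "1234", challenge)
    print("genuine result accepted:", verifier.check_assertion("acct-1", challenge, token))
    for _ in range(MAX_ATTEMPTS):
        verifier.verify("acct-1", "0000", challenge)
    print("correct PIN while locked:", verifier.verify("acct-1", "1234", challenge))
```

The lockout counter and the PBKDF2 stretching answer the first bullet (brute force), while the keyed assertion answers the second: the value the application ships around is a MAC, and patching the client cannot produce a MAC that `check_assertion` will accept.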

Security is our strength

Because we come from the chip-card payment industry, software security has been our key concern from the very beginning. With the seismic shift from physical (chip-based card security) to digitized (software-based card security), the security risks associated with mobile payments have been at the forefront. Card networks stated from the beginning that software-based proximity payments could be deployed only if they ensured a “chip & PIN like security level”.

Antelop invested a lot to achieve this "smart card" security level through in-house engineering of proprietary solutions. Thus we were the first company in the world to reach the level of security required by Visa in 2015! Since then, the solution has been constantly evolving to reach one of the world’s highest levels of software security.

Today, Antelop is among the top 2 worldwide to be certified and connected to both Visa VTS (Visa Token Service) and Mastercard MDES (Mastercard Digital Enablement Service), and is also connected to CB STET tokenization.

All security is handled by our highly expert teams and doesn’t rely on any 3rd-party software. This unique approach ensures the highest flexibility to face future threats.

Consequently, this security asset is at the core of the authentication solution, with the same “chip-card” level of security whether it’s used for online payment, credit transfer, software token…


Security at the front end

Any software exposed to an open environment – such as the mobile device – can become the most critical part of the authentication chain.

Even when relying on the phone’s hardware protection, the software part of a mobile banking application could be attacked to leak or modify information, alter results or steal sensitive data. A skilled attacker can typically access a program’s memory, execution flow or source code, then read and alter all inputs and outputs exchanged with the system. This leads to several possible attacks, such as stealing critical assets (payment keys, PIN codes…), cloning the application on another device, modifying customer requests…

Although all software protections can theoretically be hacked, adding security layers can make the job practically infeasible, or at least complex enough to force attackers to turn to another target. Among these techniques, the Antelop mobile SDK relies on best-in-class obfuscation to prevent reverse engineering, anti-debug mechanisms, anti-cloning mechanisms, complex asset encryption, hardware-backed asset storage, embedded cryptography, device fingerprinting...
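To make "anti-cloning" and "device fingerprinting" concrete, the following Python block is an added illustration written for this page, not the Antelop SDK: sensitive assets are sealed under a key derived from a server-held secret and the device's fingerprint, so a byte-for-byte copy of the application's storage on another device fails to unseal. The fingerprint fields, the server secret and the asset are constructed sample values, and the HMAC-based encrypt-then-MAC construction stands in for the hardware-backed AEAD (Android Keystore / Secure Enclave) a real SDK would use; any tampering with the blob is detected before a single byte is decrypted.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample values (illustration only).
SERVER_SECRET = hashlib.sha256(b"constructed-server-secret").digest()
ORIGINAL_DEVICE: Dict[str, str] = {"model": "ExamplePhone-1", "serial": "CONSTRUCTED-0001", "os": "13"}
CLONE_DEVICE: Dict[str, str] = {"model": "ExamplePhone-1", "serial": "CONSTRUCTED-0002", "os": "13"}
SAMPLE_ASSET = b"payment-key-material"

NONCE_LEN = 16
TAG_LEN = 32


def derive_device_key(server_secret: bytes, fingerprint: Dict[str, str]) -> bytes:
    """Bind a key to a device: same secret, different fingerprint -> different key."""
    material = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint)).encode()
    return hmac.new(server_secret, b"device-binding|" + material, hashlib.sha256).digest()


def _subkeys(device_key: bytes):
    # Separate keys for confidentiality and integrity, derived from the bound key.
    enc_key = hmac.new(device_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(device_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(device_key: bytes, asset: bytes) -> bytes:
    """Encrypt-then-MAC the asset under the device-bound key: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(device_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(asset, _keystream(enc_key, nonce, len(asset))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(device_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the asset, or None if the blob was moved to another device or altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(device_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # wrong device key or tampered blob
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def clone_demo():
    """Seal on the original device, then try the same blob on a clone."""
    original_key = derive_device_key(SERVER_SECRET, ORIGINAL_DEVICE)
    blob = seal(original_key, SAMPLE_ASSET)
    on_original = unseal(original_key, blob)
    on_clone = unseal(derive_device_key(SERVER_SECRET, CLONE_DEVICE), blob)
    return on_original, on_clone


if __name__ == "__main__":
    genuine, cloned = clone_demo()
    print("original device:", genuine)   # the asset
    print("cloned storage :", cloned)    # None
```

The fingerprint here is a sorted, canonical string, so two devices that agree on every field derive the same key; which fields to include (and how stable they are across OS updates) is the real design decision behind device fingerprinting, and the server secret keeps an attacker who reads the fingerprint from recomputing the key offline.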

Our mobile SDK not only provides (strong) customer authentication features, but also helps banking applications protect themselves against these threats.


Security at the back end

While front-end security is the most critical part, the back end is also a key component of global security.


Although “easier” to protect because it is hosted in a closed environment, ensuring back-end security is still a complex task. The many hacking cases around the world remind us that it is a key concern.

In 2017, Antelop achieved PCI-DSS certification - one of the world’s most stringent security standards.

Initially designed to prevent card numbers from being stolen, PCI-DSS aims to prevent server-side attacks that could result in denial of service, data leakage or processing alterations. PCI-DSS is now recognized as one of the best security standards, beyond banking and card processing. With almost 270 requirements, PCI-DSS ensures that our solutions comply with the best security practices. This includes, amongst others, code design, development procedures, data encryption, security policy management, risk identification and remediation, network security, monitoring, and testing procedures…

As part of the certification, the solution and the company are periodically audited, and the servers are pen-tested by white-hat hackers to try to identify flaws.


Antelop goes beyond these requirements in the very design of its solutions: by keeping all PII (Personally Identifiable Information) processing and storage to a minimum, and by relying whenever possible on end-to-end encryption between mobile devices and third-party services, the solutions aim to make any sensitive information storage impossible by design.

In short, at Antelop we have made security our primary concern. And we are proud to say that Antelop Solutions has achieved the highest level of security defined by the major payment networks, which we apply to the whole solution from customer onboarding to authentication and payment.