The ViCA application is Cardinal Kft’s modern mobile authentication tool, which fulfils all requirements set out for two-factor strong customer authentication (SCA) in the Regulatory Technical Standard (EBA-RTS) included in the European Union’s PSD2 Directive. It is available on the Android, iOS and Windows platforms.
Act LXXXV of 2009 on the Provision of Payment Services provides that, as of September 14, 2019, payment service providers shall use strong customer authentication (SCA) also in Hungary when a payer accesses their payment account online, or initiates an electronic payment transaction on their account.
Mobile phone – a personal authentication device
Our company developed an application called Virtual Chipcard Application (ViCA), which turns a mobile phone into a personal authentication device. With the help of this application, the installed Electra Client Program and the Electra Internet Banking and Mobil Banking applications can generate signature key pairs and certificates and register them for use with the Electra system. Users can use these certificates to securely log in to their internet banking and mobile banking applications and to electronically sign and authenticate the orders they enter on the bank’s interface.
Our application ensures compliance with the ‘dynamic linking’ condition set out in the PSD2 Directive for the approval and authentication of transactions to be submitted to banks.
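The two paragraphs above state that ViCA signs orders with the user’s private key and satisfies PSD2 ‘dynamic linking’, i.e. the authentication code is bound to the specific amount and payee, so a later change to either invalidates it. The Go program below is an added illustration of that principle written for this page; it is not Cardinal’s code and does not reproduce the ViCA protocol. The field names, the line-separated canonical encoding, the use of RSA-PSS with SHA-256, and the bank-issued one-time challenge are all assumptions chosen for the example, and the IBAN is a constructed placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Order holds the data that dynamic linking binds the signature to: the payee
// and the amount. Challenge is a one-time nonce issued by the bank for this
// order, so a captured signature cannot be replayed for a second payment.
// (Field set and names are assumptions made for this example.)
type Order struct {
	PayeeAccount string
	Amount       string // string, not float, so the canonical form has no rounding ambiguity
	Currency     string
	Challenge    string
}

// canonical builds the exact byte string that is hashed and signed. Both the
// user's device and the bank must derive the same bytes from the same order,
// otherwise a legitimate signature would fail to verify.
func canonical(o Order) []byte {
	return []byte(strings.Join([]string{o.PayeeAccount, o.Amount, o.Currency, o.Challenge}, "\n"))
}

// signOrder is the user-device side: hash the canonical order and sign the
// digest with the user's private key (RSA-PSS, SHA-256).
func signOrder(priv *rsa.PrivateKey, o Order) ([]byte, error) {
	digest := sha256.Sum256(canonical(o))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyOrder is the bank side: recompute the digest from the order the bank
// is actually about to execute and check it against the registered public key.
// Any difference in payee, amount or challenge makes the check fail.
func verifyOrder(pub *rsa.PublicKey, o Order, sig []byte) bool {
	digest := sha256.Sum256(canonical(o))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Result reports the outcome of the three checks run by demo.
type Result struct {
	Legit    bool // the unmodified order verifies
	Tampered bool // the same signature accepted after the amount was changed (must be false)
	Replayed bool // the same signature accepted under a fresh challenge (must be false)
}

// demo runs the full flow: key generation (registration), signing on the
// device, verification at the bank, then two manipulation attempts.
func demo() (Result, error) {
	var res Result

	// Key pair generated once at registration; the public key is what the bank stores.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}

	// Bank issues a one-time challenge for this order.
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return res, err
	}

	order := Order{
		PayeeAccount: "HU00 0000 0000 0000 0000 0000 0000", // constructed placeholder IBAN
		Amount:       "125000.00",
		Currency:     "HUF",
		Challenge:    hex.EncodeToString(nonce),
	}

	sig, err := signOrder(priv, order)
	if err != nil {
		return res, err
	}
	res.Legit = verifyOrder(&priv.PublicKey, order, sig)

	// Manipulation 1: amount changed in transit, signature reused.
	tampered := order
	tampered.Amount = "1250000.00"
	res.Tampered = verifyOrder(&priv.PublicKey, tampered, sig)

	// Manipulation 2: identical order resubmitted under a new bank challenge.
	replay := order
	replay.Challenge = hex.EncodeToString(make([]byte, 16))
	res.Replayed = verifyOrder(&priv.PublicKey, replay, sig)

	return res, nil
}

func main() {
	res, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("legitimate order verifies: %v\n", res.Legit)
	fmt.Printf("tampered amount accepted:  %v\n", res.Tampered)
	fmt.Printf("replayed order accepted:   %v\n", res.Replayed)
}
```

The design point worth noting is that the bank never verifies what the device claims to have signed; it re-derives the digest from the order it is about to book. That is what makes the linking ‘dynamic’: a man-in-the-browser that alters the amount after the user approved it produces a different digest, and the stored signature no longer matches.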
To ensure compliance with PSD2 requirements on a broader scale, we created the ViCA microserver, a standalone, server-based version of the application. This allows banks to use the strict authentication procedure specified in the PSD2 Directive not only with the Electra systems, but to make the service available to all of their processing systems where effective laws or the bank’s internal regulations require a strong customer authentication procedure.
One application – several banks
The ViCA application registered by a user is linked not to a given bank but to the user, so it can be simultaneously registered in several banks’ Electra systems. While running, the application can maintain concurrent connections with all the banks it has been registered with, so users do not need to keep switching between banks when they use multiple bank connections at the same time. The ViCA application displays each message received from banks with the image elements of the respective bank.
In comparison with other authentication procedures, ViCA offers great flexibility. Unlike chipcards, it can be used in situations where the user wants to use bank services via their phone or tablet. SMS passwords only contain a one-time authentication code, whereas ViCA uses the user’s private key to sign orders.
The SCA-compliant application can also receive messages sent either by the bank’s Electra system or by other bank systems via a suitable API (e.g. notifications about changes in bank account balances, marketing messages targeted at specific customer segments). ViCA stores all incoming messages in an encrypted form.
Authentication via two channels
One of the strongest features of ViCA is that it opens a separate communication channel to the bank, independent of Internet or Mobil Banking. So even if an attacker compromises the Internet or Mobil Banking connection, the attack ultimately fails, because the connection between the ViCA application and the bank remains secure.
In addition to using PKI, this two-channel authentication further improves user security. When using ViCA, users do not need to worry about passwords or token codes, which could be stolen in a phishing attack. The application also provides a means to detect pharming attacks.
A cost-efficient solution
With ViCA, there are no SMS costs (regardless of whether we want to confirm a login, or sign an order). Since ViCA runs on the user’s phone, the bank does not need to procure tokens, chipcards or card readers.
In addition, ViCA is also a suitable tool if the bank wants to send users other bank information currently forwarded mostly in SMS (e.g. daily balance) via a secure channel and without additional costs. This way banks can save significant amounts by sending various notifications (Card Guard, Account Guard etc.) via ViCA instead of SMS.
Who can use this service?
This application is not suitable for internet banking on its own. To use it, a user needs access to the Internet or Mobil Banking service. The list of the financial institutions providing services with the ViCA application is available under the References menu.
The application, which implements standard and easy-to-audit tools and algorithms (RSA, SSL, PBKDF2), can be downloaded from Google Play and the iOS App Store.
The ViCA implementations described above, which run on mobile operating systems, were supplemented with a desktop Windows version of the application in April 2019. Desktop ViCA is available for download for the Windows 10 operating system from the Microsoft Store. The services offered by Desktop ViCA operate exactly the same way as those available in the ViCA applications for the Android and iOS platforms.