Pain points

The rise of digital financial services, including non-face-to-face transactions and open banking, has increased user convenience. However, it has also led to the evolution of financial fraud, such as phishing (smishing and voice phishing), card misuse, bank account theft, and personal information theft. The instances of significant financial losses due to ID leaks and lost smartphones have surged both domestically and internationally. Despite the implementation of multi-factor authentication (MFA) services like mobile OTP, mobile phone identity authentication, and biometric authentication by many financial service firms, preventing sophisticated financial fraud crimes in advance remains challenging.

- Extensive financial damage from the escalating phishing scams

Numerous cases involve accounts being hijacked for illegal financial transactions, unauthorised payments, or mobile payments. Criminals install remote control apps to steal account numbers and passwords, exposing fixed passwords in mobile financial environments to hacking and phishing risks. According to the Financial Supervisory Service, voice phishing victims over the past five years (2018 to the first half of 2023) reached 148,760, with damages totaling 237,859, amounting to KRW 1.7499 trillion. These incidents incur substantial response costs for financial institutions. In the U.S., 75% of all fraud losses are attributed to consumer phishing, with associated expenses for response activities, investigations, and recovery reaching $4.23 for every $1 lost.

- Growing consumer dissatisfaction with the inconvenience MFA

Enhanced security measures, such as additional authentication procedures (separate OTP authentication, ARS, and terminal designation service) for substantial transactions or logins from multiple devices, necessitate direct entry of authentication codes. Delays or non-receipt of authentication codes require users to go through cumbersome processes like contacting customer service, particularly when authentication services like SMS and ARS are inaccessible in off-network environments.

- Challenges in responding to damage recovery post-financial fraud

Recovering from financial fraud involves varying responses across industries, including finance, telecommunications, and e-commerce. Each case requires investigation and legal interpretation of the cause, scale of damage, liability for compensation, etc. Responding solely to damage recovery limitations hinders receiving full compensation for the incurred losses. Despite national and industrial-level policy preparations, completely preventing increasingly sophisticated financial fraud remains elusive.

Solutions

SSenStone's TAP OTAC proactively prevents financial fraud, such as phishing, by isolating media from cyber attacks. The OTAC module, generating a financial payment authentication code, is embedded into the payment card's IC chip and financial app as an applet and software development kit (SDK). Authentication is effortlessly performed by lightly tapping the payment card on the back of a smartphone with a financial app installed. Utilising a dynamic code newly generated each time ensures a robust yet simple authentication process, significantly enhancing user convenience. Additionally, it is compatible with any mobile device's operating system (OS) and facilitates authentication without a separate cellular network.

Proactive financial fraud prevention with a zero-trust approach

As the landscape of non-face-to-face digital finance expands, there is a concurrent increase in various forms of financial fraud, including voice phishing and SIM swapping. Recent data from the National Police Agency reveals that domestic phishing damage has exceeded KRW 3 trillion over the past six years, with a mere 0.3% reimbursement rate. Similarly, in the United States, a study indicates that 75% of financial fraud losses reported by lenders stem from consumer phishing, notably Authorised Push Payment (APP) scams. In a more proactive approach, the UK's top 14 banking groups have refunded up to 91% of APP losses. SSenStone's TAP-OTAC is positioned as a preventive measure against financial phishing incidents. Its distinctive feature, requiring a card tapping process for additional financial services, proves advantageous even in situations where user information is compromised or the smartphone is lost.

Expansion of various additional functions such as access control

OTAC-embedded cards can serve as a means of diverse authentication beyond payment. Logging into critical sites, such as internet banking, can involve generating a one-time QR code with a simple tap on the back of a smartphone. The same card can grant access to the office or restricted areas via tapping on digital door locks. Businesses can leverage this innovative card by integrating corporate payment cards, access control devices, and employee IDs into one card. The associated manufacturing costs related to contactless payment functions can naturally alleviate through additional applications beyond payment.

Why OTAC

OTAC, developed by SSenStone, is the original technology that provides all of the following features at the same time.

OTAC is a dynamic code, which means the code keeps changing. As a result, you don’t need to worry about any leak of your personal information, such as your card details, because the codes must have already been changed when others try to use them.
The network connection is NOT necessary at all for generating OTAC.

Reducing an authentication stage that requires the network connection directly means there are fewer gateways for the hackers to access our personal information.

Moreover, this feature enables users to authenticate even when they are in networkless environments, such as on the plane, underground, rural or foreign areas.
swIDch can guarantee that the code never duplicates with anyone at any given moment.

There is NO chance of someone else having the same code.
The users or their devices can be identified with the code alone.

Once OTAC has been generated, providing OTAC alone is already fully sufficient to identify the user as the code is unique.

It means, you can forget about the bundles of static information including IDs and passwords.