Martin Rupp (guest)

Why a Banking Key Management System Must Support Atalla Key Blocks

Invented by Mohamed Atalla, the Atalla key block is the root of all key blocks. All over the globe, hundreds of millions of financial transactions are secured daily using hardware security modules (HSMs) and the Atalla key block format that follows TR-31 guidelines. Here we will explain a bit about AKB and why a banking-grade key management system (KMS) must support it.

Read more

Secure Hardening for Mobile Banking Apps: Native Code Obfuscation

In the mobile environment, source code is often distributed without enough security. Programs compiled as bytecode, such as the ones developed for Java or .NET, contain almost all the original information from the source code. Programs developed with native code, usually developed in C, Objective-C, or C++, are much more difficult to reverse. In what follows, we will look at the difference between interpreted code and native code in mobile operating systems and why we still need native code obfuscation.

Read more

Secure Hardening for Mobile Banking Apps: Data Obfuscation

When developing an application for mobile banking, application hardening using code obfuscation is one possible way of protecting sensitive data. However, this may not be an acceptable solution in many different scenarios: when the data to protect must be (partially) displayed, linked to other accounts or other data, or sent to a remote network, etc. The general solution to this problem is data obfuscation.

Read more

Secure Hardening for Mobile Banking and Payment Apps: Anti-Debug

In the mobile environment, while debuggers are legal and legitimate development tools, they can also be used to reverse mobile banking and payment applications. This article describes some of the possible anti-debug techniques.

Read more

Secure Connectivity for Mobile Banking and Payment Apps: HTTPS Vulnerabilities

Here we describe some of the HTTPS vulnerabilities in the context of mobile banking and their countermeasures.

Read more

ANSI X9.24-1-2017: Key Distribution 

Key distribution is perhaps the most important and crucial aspect of the ANSI X9.24-1-2017 part 1 standard. But first, let us explain what cryptographic key distribution is.

Read more

ANSI X9.24-1-2017: Key Loading

The ANSI X9.24-1-2017 standard defines the requirements for the loading of key components or shares, and the loading of cleartext keys. The loading of encrypted keys is described in other parts of the standard.

Read more

Secure Connectivity for Mobile Banking and Payment Apps: HTTPS Tunneling

In this article, we will describe what HTTPS tunneling is and how it has been used in mobile banking and payment applications. We also look at some of its vulnerabilities and remedies to the described attacks.

Read more

Secure Connectivity for Mobile Banking and Payment Apps: Access Token Protection

In this article, we introduce the role that access tokens play in mobile banking applications and provide recommendations on how to secure these access tokens. We will also explain why such security measures are important.

Read more