The security of mobile banking and payment applications is deeply linked to their capacities in preventing attackers from tampering with them.

Key Blocks have been invented as a standard way for protecting the integrity of symmetric cryptographic keys and for identifying what the keys can be used for. Key Blocks are used to protect Triple-DES keys (Key Blocks can be used as 3DES key bundles), but also AES keys (often using AES key wrapping).

Today, financial institutions are driven by a strategic question: How can they embrace the benefits from the cloud’s flexible and scalable on-demand services, while perpetuating a trustworthy, banking-grade level of cryptographic security? This article looks at some of the trends, challenges and security concerns that financial institutions face when considering whether to migrate their business-critical applications and cryptography to the cloud.

In June 2019, the PCI Security Standards Council issued an information supplement titled PCI PIN Security Requirement 18-3 – Key Blocks, which requires that encrypted symmetric keys be managed in structures called “Key Blocks.”

Attacks against mobile banking & payment applications often start by using an emulator for the mobile operating system where the targeted application will be run and analyzed.

The first practical chosen-prefix collision attack on SHA-1 was announced in January 2020 by researchers Gaëtan Leurent and Thomas Peyrin: “SHA-1 is a Shambles”.  

This article discusses recent warnings that a chosen-prefix collision attack on SHA-1 is now practical and cost-effective for attackers.

The ANSI X9.24-1-2017 norm details how symmetric cryptographic keys should be managed and handled by the relevant actors of the retail financial services companies. Here we outline the general techniques and methodologies that are required or suggested by the standard.

Unlike other operating systems like Windows, Linux, or OSX, both Android and iOS operating systems are usually shipped with built-in user rights restrictions. The process of removing such restrictions, which is not supported by either Google or Apple, is named rooting and jailbreaking, respectively for Android and iOS.