Digital financial transactions are at an all-time high and can be expected to attain new heights in the near future. Mobile POS payments’ transaction value already amounts to $747,618 million in 2019 and is projected to clock in an annual growth rate of 29.7% to reach $2,118,082 million by 2023, according to a recent report by Statista.
The number of users in the mPOS Payments segment is 1,131.8 million as of 2019, and it is expected to be somewhere near 1,655.8 million by 2023.
The statistics clearly show exponential growth in mobile transactions, and as transactions increase, so will the amount of personal and sensitive data sent into the digital domain to complete them. The downside to this growth is the potential surge in the volume of fraud and the possibility of sensitive information being compromised. This possibility has led to the introduction of robust security features in FinTech solutions.
Security Standards
Dealing with people’s money is a risky business. It is important to use the most reliable technologies to ensure that no data is leaked during any of the multiple steps that are taken while making digital payments. Over the years, mobile financial solutions have leveraged various security standards to make digital transactions secure. These include Hypertext Transfer Protocol Secure (HTTPS) and end-to-end encryption (E2EE) standards, both of which are the go-to security standards for mobile financial solutions.
HTTPS vs. E2EE
One of the most common protocols used by MFS platforms is HTTPS, which secures communication over computer networks. Along with authenticating the accessed website, this protocol protects the exchanged data while it is in transit. It safeguards the data from man-in-the-middle attacks, eavesdropping and data tampering. However, the protocol has certain limitations. HTTPS protects the integrity of the connection between two computer systems, but not the systems themselves. It cannot stop a web server from being hacked or a web service from divulging information during its operation.
On the other hand, E2EE takes a data-centric approach, transferring data in encrypted form without making it available to any of the third-party systems that may be used to transfer it. The cryptographic keys used to encrypt and decrypt information are saved exclusively at the endpoints to prevent data breaches. What sets it apart from HTTPS is that it encrypts and decrypts data only at the endpoints, regardless of how many intermediate points the data crosses.
Types of E2EE
Data can be encrypted using two different E2EE techniques: symmetric encryption (secret key encryption) and asymmetric encryption (public key encryption).
Symmetric Encryption
Symmetric encryption involves a secret key that is applied to the data; the destination system must then use the same key to decrypt it. DES and AES are examples of symmetric encryption standards. DES works by dividing a data block into 2 halves, while AES processes the entire block as a single matrix. The latter is more secure than the former and encrypts 128 bits of plain text at a time, as opposed to DES, which encrypts 64 bits of plain text.
Asymmetric Encryption
Asymmetric encryption involves a pair of keys that are related to each other. One key is used at each end, providing added security to your sensitive data. The major asymmetric encryption standards include RSA and ECC, both of which make use of a public key and a private key to safely transfer data. While both of these standards are highly powerful, ECC is comparatively more efficient. ECC, or Elliptic Curve Cryptography, is known for offering the same level of cryptographic strength as RSA at comparatively small key sizes. Its small key size suits devices with limited processing power and storage capacity.
ECC and Forward Secrecy for Complete Security
The ECC algorithm creates encryption keys using points on an elliptic curve. The key size in ECC certificates remains small, yet provides advanced-level security to prevent fraud and data breaches. Its ability to work efficiently in a low-computing and low-memory environment makes it the best option for mobile financial solutions. It also secures data exchanges during transactions between the server and client, ensuring all data communications happen within an encrypted tunnel.
Forward Secrecy, or Perfect Forward Secrecy, is complementary to ECC. It creates a unique session key for every user-initiated session, so the encryption is specific to that session. The data used for creating the session keys is never transmitted over the wire. If a private key does get compromised, only a single session can be decrypted and replayed, while the stored communication remains completely safe. In short, forward secrecy protects past sessions from any future data breach or compromise.
ECC in MobiFin Elite 5.0
Panamax has always been a front runner in providing best-in-class security to its clients. Our products have a long history of being the first in the industry to adopt and implement advanced security algorithms, whether it is implementing P2P security or the more advanced E2E algorithm. We were proponents of E2E security even when no mobile wallet platform was using it and everybody was relying on HTTPS.
Before opting for ECC in MobiFin Elite 5.0, we already had in-depth experience in using RSA-based PKI as a part of our security suite. Considering the benefits of elliptic curves, we decided to incorporate 256-bit ECC. To be more specific, we use the secp256k1 curve, the same curve that is used by Bitcoin. This helped us achieve efficiency by curbing the overhead caused by the heavy lifting of RSA key sizes. The lightweight ECC helped us to implement forward secrecy in a remarkably efficient way. Our forward secrecy definition is granularized to the session level, which means new shared secrets for every new session. This also means that the liability of managing secret keys has been reduced to the duration of a session. We use ECDH for generating shared secrets for managing forward secrecy and ECDSA for authentication purposes (digital signatures). Both mechanisms are extremely robust and efficient performance-wise.
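The per-session ECDH plus ECDSA pattern described above can be sketched with Node.js's built-in crypto module. This is an added example, not Panamax's or MobiFin's code; the function names, the HKDF step and the transcript binding are assumptions chosen for illustration.

```javascript
// Added example: session-level forward secrecy on secp256k1.
// Ephemeral ECDH gives the shared secret; ECDSA authenticates each side.
const crypto = require('node:crypto');

const CURVE = 'secp256k1';

// Long-term ECDSA identity key: signs handshakes, never derives session keys.
function newIdentity() {
  return crypto.generateKeyPairSync('ec', { namedCurve: CURVE });
}

// One side of a session: fresh ephemeral ECDH key pair, public half signed.
function startSession(identity) {
  const ecdh = crypto.createECDH(CURVE);
  const ephemeralPub = ecdh.generateKeys();
  const signature = crypto.sign('sha256', ephemeralPub, identity.privateKey);
  return { ecdh, hello: { ephemeralPub, signature } };
}

// Verify the peer's signed ephemeral key, then derive a 256-bit session key.
// An unauthenticated ephemeral key (man-in-the-middle) is rejected here.
function finishSession(session, peerHello, peerIdentityPub, transcript) {
  const ok = crypto.verify('sha256', peerHello.ephemeralPub,
                           peerIdentityPub, peerHello.signature);
  if (!ok) throw new Error('peer ephemeral key failed ECDSA verification');
  const shared = session.ecdh.computeSecret(peerHello.ephemeralPub);
  // HKDF (assumed KDF) binds the key to both ephemeral public keys.
  return Buffer.from(crypto.hkdfSync('sha256', shared, transcript, 'session-key', 32));
}

// Full handshake between a client and a server identity (both hypothetical).
function handshake(clientId, serverId) {
  const c = startSession(clientId);
  const s = startSession(serverId);
  const transcript = Buffer.concat([c.hello.ephemeralPub, s.hello.ephemeralPub]);
  return {
    clientKey: finishSession(c, s.hello, serverId.publicKey, transcript),
    serverKey: finishSession(s, c.hello, clientId.publicKey, transcript),
  };
}
```

Running `handshake` twice with the same identities yields two unrelated session keys, so the long-term ECDSA keys only authenticate the exchange and never protect traffic directly.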
Summing it up
The advanced features of MobiFin Elite 5.0 make it the best in the industry in terms of security and preventing unauthorized access to user data. The holistic platform also boasts a number of scalable and flexible features that make all types of digital mobile transactions a breeze. It can create a digital ecosystem by integrating the mobile wallet with various digital service systems, enabling banks, MNOs, mobile wallet operators, aggregators and more to seamlessly complete transactions with their customers.
Get in touch with us to know more about the latest FinTech solution by Panamax.