Voice of the Industry

Helping to close security gaps for banks and payment service providers

Wednesday 12 October 2016 08:38 CET | Author Melisande Mual | Voice of the industry

David W. Jones, Irdeto: As ecommerce ecosystems have become more complex and global, so have threat models

Keeping up with customer demand for anytime, anywhere ecommerce and/or payments is an ongoing challenge for many banks and payment service providers (PSPs) who need to be quick to market with new services that provide greater convenience and better experiences for their customers.

Unfortunately, as ecommerce ecosystems have become more complex and global, so have threat models. And the coming regulatory requirements for open APIs will further increase the difficulty of securing payments in an already challenging environment. Increased openness and complexity bring more frequent and sophisticated cyber-attacks, often targeting the most vulnerable points in the ecosystem – the web browser and apps on client devices.

Web browsers are frequent targets of cyber-attacks because they are inherently insecure, which makes web and mobile applications insecure. If the browser is compromised, web applications are sitting ducks for malicious code, which can be used to probe and view the application’s JavaScript. Attackers can then learn how to compromise the application and gain access to customer data via man-in-the-middle (MITM) attacks. Unfortunately, web APIs cannot be protected by network or perimeter security, best development practices, or other common approaches. APIs in the client are vulnerable simply because the JavaScript in the web browser is vulnerable.

Only Irdeto can neutralize JavaScript vulnerabilities in the browser. Irdeto Payments & Banking solutions protect web and mobile applications beyond the perimeter, all the way from the server to the user interface. By establishing trust in the browser, Irdeto solutions enable banks and PSPs to bring new and innovative services to market quickly while maintaining the highest levels of security.

Traditional security is not enough

Today, cryptography protects virtually all electronic communication: from sending texts to making payments. But the current standard for cryptographic models is that the communication endpoints, the user’s or merchant’s devices, are presumed to be trustworthy. In other words, they are assumed to be used in a safe, attacker-free environment. But this is an unrealistic scenario for ecommerce.

Ecommerce is most often conducted in a “whitebox” environment, which means the end-points (consumer devices that use web browsers) are presumed to be insecure. Cryptography used in this sort of environment is called whitebox cryptography, and in its most effective implementations, the end-point devices are assumed to have been compromised.

To prevent data breaches in such a hostile environment, cryptography needs to be supported by technologies that can ensure the authenticity and integrity of the JavaScript that’s requesting the communication. If the requesting code is trustworthy, the communication can be secure.

Protecting the most vulnerable part of the payment process

Until now, it has been presumed that JavaScript could not be hardened in a whitebox environment. But Irdeto Cloaked.JS does just that. It uses the industry’s most advanced whitebox cryptography to ensure the application’s JavaScript can be trusted at all times and applies an additional layer of encryption to the APIs. This protects the client-side online payment application and customer data from the insecurities inherent in web browsers. By creating a secure boundary around the application interface and/or payment form, Irdeto Cloaked.JS ensures secure, encrypted communications in even the most hostile e-commerce environments.

Cloaked.JS detects any attempts at tampering with the JavaScript or unauthorized access to API data in real time. In addition, all API data is dispatched via an HTTPS-wrapped, whitebox-encrypted connection that is continuously monitored. This prevents third parties from tracking and/or accessing API data, which blocks Man-in-the-Middle and Cross-site Request Forgery attacks. Once the data has been verified and passed securely to the server, it is exposed to only a minimal set of authorized systems, and tokens are used to fetch any data that needs to travel beyond the perimeter for payments or other purposes. In addition, Irdeto Payments & Banking solutions integrate directly into the software build process, so protection can be quickly replicated across any platform.

With nearly 50 years of experience, Irdeto is a pioneer in security with its technology protecting over USD 750 million in payments and more than 2 billion devices against cyberattacks for some of the world’s best known brands. Irdeto leverages this security expertise to enable banks and PSPs to deliver a convenient and safe digital shopping and banking experience for consumers.

About David W. Jones

David joined Irdeto in 2008; since that time, his responsibilities have included global partnership strategy and management, and technical partner support services. Dave has extensive international experience working with diverse global partnerships and their introduction to Irdeto’s global customers. In 2014 David moved to the Business Development team to drive entry into new markets/segments which can benefit from Irdeto’s core technologies. David now leads Irdeto’s Payments and Banking segment, delivering solutions to the Financial Services industry and driving relevant partnerships and channels.

About Irdeto

Irdeto is a pioneer in digital platform and application security, with its software security technology and cyber services protecting over 2 billion devices against cyberattacks for some of the world’s best known brands. For nearly 50 years, Irdeto has worked with software application providers, connected device manufacturers, pay-media operators and content creators to secure their products and business models. Combining proven technologies and services, Irdeto Payments & Banking solutions enable banks and PSPs to deliver a convenient and safe digital shopping or banking experience by safeguarding customer data even in the most hostile environments.


Keywords: security, banks, payment service providers, ecommerce, David W. Jones, Irdeto, cryptography, product briefing
Countries: World