Black Friday brings the picture of chaos to mind when people go berserk in stores, right? And true, not long ago, the standard protection gear was helmets and knee and elbow pads in the brawl for Black Friday door-cracked deals. But this is rapidly changing as more and more people (naturally) avoid the in-store ruckus and instead hunt for Black Friday deals online from their homes.

People’s desire to grab top Black Friday and Cyber Monday deals for their friends’ and families’ Christmas lists is a massive threat to both retailers and consumers. During the online shopping frenzy, people click-search for bargain after bargain and tend to ignore elementary security procedures.

If it walks like a duck or clucks like a duck – it’s probably a duck.

As online retailers’ email campaigns ramp up with irresistible offers, cybercriminals are getting ready to get in on the action too. The holiday season provides a golden opportunity for fraudsters to dispatch millions of phishing emails with too-good-to-be-true discounts that land in our inboxes mingled with legitimate offers.

The smartphone security dilemma

It’s not just online fraud that presents a threat. All digital or electronic means of payment, like card transactions and ATM withdrawals, are equally vulnerable to fraud; this we already know. But there is one significant device that has become the most exposed and undefended in recent years: the smartphone. This fact is particularly disheartening as the smartphone is also the preferred means of payment and shopping for an ever-increasing number of people. One security pitfall, for example, is that mobile browsers have short address fields, so it can be hard to see the full URL, which makes a deceptive link more challenging to spot.

The regulation that comes to the rescue – PSD2

The EU regulation PSD2 (Second Secure Payment Directive) is about opening up banks’ APIs to third parties. Still, the directive also requires that transactions from €30 and up go through heavy authentication before an approved purchase. Meeting this requirement can, in many cases, hurt the customer experience, as it means more clicks, a complex setup of various authentication applications on people’s own devices, and more advanced security procedures to go through than before.

How about Covr?

With this in mind, we developed the Covr app, which gets around the paradox between user-friendliness and security. As a result, Covr is both ultra-secure and convenient for people to use – and the shopping holidays can become a fun, safe, and happy experience again for your customers.

In recent years, proving who you are has become more critical. Companies and online services need verification and use different methods for you to do so. We started with increasingly complex passwords, but more and more are looking at 2-factor authentication or even multi-factor authentication. But which way is preferred, both from a security and a user-experience perspective?

Having complex passwords that you can’t even remember yourself has lately proven to be a relatively poor method of securing your online accounts. Bill Burr, the former manager at the National Institute of Standards and Technology (NIST), created the password guide used today to find a secure password. The problem is that the guide was produced in 2003, and Burr now says that he didn’t understand how passwords worked at the time. The principle that is being used today doesn’t ensure safe passwords. A better method of creating secure passwords is to put together three or four unrelated words, resulting in a longer password without being unreasonably challenging to remember.

But having just a password to verify your identity has proven insufficient; look at the Heartbleed bug a few years ago, where thousands of passwords were leaked. In addition, through the years, there have been several reports where hacks or simple errors have compromised passwords. So, to stay safe, there should be another method to prove you are you.

The answer has come in the form of 2-factor authentication, where you use your password to log in to an online account and then get prompted on a different device (often your mobile phone) to authenticate that you are attempting to log in to that account. This ensures that you are you, or at least in theory. In addition, many started using text messaging to send a passcode that you enter to verify the login. But lately, there have been numerous reports of such text messages being redirected to a different phone, and thus the authentication process is yet again insecure.

Many companies, such as Google, have created an app that ensures the verification code is only sent to that specific phone. In countries like Sweden, the banks have joined forces and created a Bank-ID linked to the citizen’s identification number. The problem with these is that they do not work globally or universally across platforms. In Google’s case, the service provider must then use Google’s authentication and, thus, their login system, which might be undesirable for many service providers. In the case of the Swedish Bank ID, you must have a Swedish personal number and a Swedish bank account.

In other cases, the verification process often requires several steps, which becomes a hassle for the user. This reduces the willingness to use the verification system. Since people tend to use the path of least resistance, the user experience must be at the system’s center. If logging in to your account isn’t easy, you will probably use a less secure method instead.

With Covr, you can offer your users a safe way of authenticating themselves and authorizing transactions via an app on their smartphones

Developing a universal and global multi-factor authentication system that is secure and easy to use is, therefore, desired and urgent. Luckily, we are now seeing several such systems being developed, and the one currently leading the charge toward secure and easy online verification is Covr Security. They are a Swedish company that has used the experiences from the Swedish Bank-ID to create a system that is not affiliated with a vendor that has its own agenda and that works around the globe. The system is easy to use and implement and ensures the highest level of security. Simply put, it offers all that you could ask for in a multi-factor authentication system.

You want to know that the person you’re dealing with really is who they say they are. You do, and this is why an up-to-date secure customer authentication method is the cleverest of business strategies.

Saying it like it is – companies and organizations that continue to depend on passwords alone as their first method of identity verification are seriously negligent. It is not just about the disaster that comes in the wake of a security breach; it’s also about owning up to your promise to keep your customers safe. We’d like to disentangle how you can remedy this slip without overloading yourself, your users, customers or workforce.

Three simple pieces of advice to convince your users of the benefits of MFA

Nobody wants to be the prey of identity thieves

You can no longer dispute that there are severe security vulnerabilities that come with the evolution of third-party payment services, connected IoT devices, or the already known problems with insecure public Wi-Fi networks as well as BYOD (Bring Your Own Device) policies in workplaces. This is a constant headache for IT professionals and management in most industries providing digital services today (and honestly, what company doesn’t?).

By basing your cyber protection strategy on watertight verification of the user, underpinned by smart, tested MFA tools that authenticate your customers and grant them access to systems and services, you are well on your way! This can be done in many ways, of which the worst is using many different tools for mobile identity management, as cost and complexity can quickly spiral out of control.

Is MFA really necessary, and if so, how do I get my customers onboard?

People nowadays have colossal numbers of online accounts for banking, social media, digital utility tools, health records – the list goes on and on. By illustrating and communicating the need for identification, authentication and verification on a basic level, you can help your users to better understand why MFA is so crucial. Here are some points on how to break it down in a way that makes sense to the average user.

  1. Explain multi-factor authentication to your customers/users very basically.
    It takes just one carelessly crafted password to invite an attack – it’s just like leaving the door open and unlocked when you go to work. In the worst case, depending on what is stored in the account, sensitive data like credit card numbers, passwords recklessly stored in a text file on Google Drive, PIN codes or just fraudulent emails can result in a person’s entire identity being hijacked. Inform your users that this can happen everywhere, anywhere, on any account.
  2. Be persistent and provide plenty of support, guides and information.
    Change is often tough, and convincing a user to trust a new app doesn’t come easy. By being open and giving the users all the support they need, including easy-to-read manuals, you could win your customers over. Even better, choosing a security app that you can white label makes the transition easier, as the customers see that the app comes from a familiar and trusted source (you).
  3. Make it easy.
    The best way to convince your users of the benefits of multi-factor authentication is to supply them with an all-in-one mobile app that authenticates, verifies, and grants the user access. Choose an app that provides MFA with as little hassle as possible.

As with everything, there are learning curves to implementing MFA. Not everyone may understand the necessity for it, but once implemented the benefits outweigh any and all potential drawbacks and protect everything, whether it be identity, data, or money. As for which app to use, Covr offers a lean user experience backed by a company with an exemplary security record!

We have been using passwords and codes for hundreds of years, but still, it seems like our security thinking hasn’t evolved at all.

You’d think that in today’s high-tech society, nobody uses text messages as part of their 2-factor authentication system. But despite hoping that this was a dead and buried practice, every now and then we see examples of when it’s being used and subsequently hacked. Recently, Metro Bank in the UK and its customers suffered the consequences of this, which goes to show it’s time we start using better and safer solutions.

Telecom operators use what’s called the SS7 protocol to reroute both text messages and calls, and it also offers the possibility of geo-positioning cellphones. The problem is that the owner of the cellphone doesn’t need to be informed of this, meaning anyone with access can reroute text messages and track the whereabouts of the phone as they choose. This could, for example, be the telecom operator itself, a government agency, or the not-so-friendly hacker.

All the hackers need to do is figure out the user’s login and password to their bank, things that are relatively easy to get your hands on these days. They then simply use the SS7 protocol to reroute the authentication text message to their own phone and immediately get full access to the bank account. This exact thing happened to customers of the Metro Bank in the UK recently, as reported by “Motherboard”. The SS7 attacks drained the accounts of “an extremely small number” of customers according to representatives of the bank. But regardless of the number of victims, this should really not be a hack that is possible to perform any more. Especially not at a bank that millions of individuals and companies trust with their money.

The victims were of course compensated by Metro Bank, and hopefully, both the bank and customers have learnt their lesson and will immediately abandon these inadequate practices.

There are however still thousands of services, banks and others that rely on text messaging for their 2-factor authentication, apparently living in the belief that their system is secure. But implementing just any 2-factor authentication protocol does not mean your system is secure, much like having a seat belt made out of paper won’t do you much good in a car crash.

So, take a good look at the service providers you use. If they use text messaging as part of their two-factor authentication, inform them of their errors and find yourself another supplier. You simply aren’t safe where these practices are being used.


For the adrenalised digital world where connected devices are snowballing and digital transactions are flourishing, the ability to prove a unique digital identity is crucial. In essence, digital identities are becoming one of the most fundamental staple goods in the digital realm.

PRESS RELEASES Published 27 November 2020

Synch has acted as legal adviser to CovR Security AB in connection with the company’s recently completed financing of approximately SEK 20 million.
Patrik Malmberg, co-founder and CEO: “We have long engaged Synch for legal advice regarding capital raisings, commercial agreements, and regulatory and intellectual property matters. Synch’s expertise and experience, combined with their understanding of the challenges faced by growth companies in the midst of an international expansion, have been invaluable.”

Covr Security provides mobile multi-factor authentication as a service (like a global bank ID) to a broad range of industries that depend on strong customer authentication, for example banks, payment networks, credit card companies, eID providers, IoT companies and mobile operators. The company’s user-friendly solution is built on a modern architecture originating in Nordic banking security.

Synch’s team for the capital raising consisted of Andreas Börjesson and Emma Lundberg. Synch’s team for other areas consists of Erik Myrberg, Veronica Uddsten, Anders Hellström, Mathilda Nordmark and Johan Tydén.

Synch is an international law firm focused on digital business and technology. Synch offers a flexible delivery model in which Digital services complement the firm’s services within Advisory services, Projects & Transaction Services and Managed services, SynchWherever. Synch’s Projects & Transactions group specializes in private and public M&A, venture capital investments and financing, particularly in relation to technology companies.

A new license agreement with leading health organization Mitera

The supply of digital health care is rapidly being brought into the app economy while, at the same time, supporting a much higher degree of patient control.

In light of this, we are delighted to disclose that Covr Security has entered into a partnership agreement with the leading health organization Mitera. Mitera’s main product, mApp, is aimed at providing health care coverage by collaborating with hospitals. 

The partnership intends to keep personal health records secure, providing privacy and security to 72 hospitals and up to 1 million users throughout West and Central Africa.


New hire! Navigating online security in the Asia Pacific

Meet Rajiv Madane! Mr. Madane joined Covr Security as Senior Vice President, Asia Pacific, during the spring.

Rajiv Madane has worked internationally with innovative fintech solutions for more than 30 years. He has expert knowledge from digital banking and payments, retail, SME, corporate banking, and wealth management from several leading positions, such as Virtusa and APIX.
Get in touch with him at LinkedIn.

How to keep safe online in a time of uncertainty

In the wake of the COVID-19 devastation, cybercriminals are taking advantage of our digital weaknesses and fear of contracting the disease. Please read our article about different types of socially engineered attacks targeting your security and what to do about it.

At Covr Security, we are committed to helping businesses stay safe online. We are always available to share our knowledge on how to implement user-friendly, bulletproof security into your workflows. Schedule a chat with us!

Until next time,

The team at Covr Security