The new solution eliminates the need for banks to issue customers with a dedicated authentication device by using a combination of NFC phones, QR codes and contactless bank cards.
Financial IT specialist GFT Technologies, in collaboration with researchers and students at Germany’s University of Tübingen, has developed a new authentication process for online banking that uses NFC.
The process makes use of both an NFC phone and a contactless debit card to generate a unique transaction authentication number (TAN) to confirm a transfer of funds.
Users log in to their online banking on a PC where they fill in a bank transfer form as usual. The website then displays a QR code which is scanned using the bank’s app on an NFC-enabled smartphone to confirm the details of the transaction.
The phone then displays a message telling the user to touch their debit card to the device. The phone then reads the debit card’s details via NFC and produces a TAN which, once entered on the PC, completes the transaction.
Normally transaction authentication numbers are sent via SMS messages which can easily be intercepted through malware on a user’s smartphone, says the IT solutions provider, while dedicated devices are unnecessarily awkward for customers.
“NFC is ideal for transmitting data between a debit card and a smartphone,” explains Bernd-Josef Kohl, head of international business consulting at GFT. “To a certain extent, the mobile works like a chip. It doesn’t even need reception. Everything is contactless, which means added security.”
Unlike a recent test by Mastercard and ING which saw the secure element on an NFC smartphone used to authenticate transactions, no bank details are stored on the phone and no internet connection is needed on the phone for the NFC TAN service to work.