CASE STUDY

Sony Bank Builds on a Trusted Relationship with OneSpan to Secure their Mobile Experience

To protect its new mobile banking app, Sony Bank implemented OneSpan’s app shielding functionality, as well as support for biometric authentication and transaction signing. This provides strong mobile security, while also ensuring an optimal user experience and facilitating compliance.

Executive Summary

Business Objectives
  • Deliver a convenient and secure mobile banking experience
The Challenge
  • Implement robust mobile security that runs invisibly in the background
  • Facilitate regulatory compliance
The Solution
  • App shielding to secure the mobile banking app against malicious attacks
  • Multi-factor authentication with easy-to-use biometrics to secure login
  • Transaction signing to protect against Man-in-the-Middle attacks
The Results
  • App shielding was “impressively quick and easy to implement” for the dev team
  • The bank accelerated time-to-market for their software token deployment by leveraging their existing infrastructure
  • Customers now enjoy the convenience of face and fingerprint recognition

Established in April 2001, Sony Bank is a Japanese direct bank that “provides customer-oriented, high quality financial products and services to individual customers over the Internet.” Sony Bank offers local and foreign currency deposits, investments, and mortgages via online channels, as well as a mobile banking app for everyday banking transactions.

Sony Bank first started their security journey with OneSpan by introducing Digipass® hardware tokens since, at the time, there were still concerns about cybercriminals taking over a mobile device on which a software token was installed. In 2012, the bank deployed the Digipass GO7 authenticators to replace static passwords. At that time, there was already high awareness among Japanese banking customers of the need for two-factor authentication and other security measures to protect against online banking attacks that could lead to account takeover.

Sony Bank became the first Japanese digital bank to implement one-time password (OTP) technology from OneSpan (formerly VASCO Data Security). Today, many of their customers acknowledge the importance of using one-time passwords and rely on Digipass devices to protect their accounts.

Mobile Banking Requires New Security Measures

In 2019, Sony Bank released the Sony Bank App. According to Mr. Shuichiro Sumimoto, Senior Manager of the Systems Planning Department, the bank introduced this new mobile app to keep pace with the widespread adoption of mobile devices and the trend toward open banking and open APIs, but most importantly because of the emergence of robust mobile security solutions in the market. Having the ability to fully secure the Sony Bank App gave the bank the confidence to move forward with new mobile services.

Mobile Security Suite

Sony Bank integrated OneSpan’s Mobile Security Suite (formerly DIGIPASS for Apps). This is a set of mobile SDKs for integrating app shielding with runtime protection, biometric authentication, transaction signing, and more. It provides comprehensive security functions required for mobile transactions, including protection against unauthorized money transfers, multi-factor authentication, and protection against attacks on the app at runtime.

By implementing the Mobile Security Suite SDK for biometric authentication, customers can log in to the app using the biometric authentication method supported by their smartphone. Biometric authentication is verified in the client device, and once biometric authentication is completed on the device, OneSpan’s Mobile Security Suite is designed to link dynamic random numbers to the server automatically.

The OneSpan Mobile Security Suite offers many benefits, including the ability to:
  • Protect confidential information and prevent device cloning attacks by using application data encryption and the secure element function of the device itself
  • Secure server-to-client communication with an end-to-end encryption channel
  • Protect against platform vulnerabilities that threaten mobile app security, using device binding that enables device identification and a jailbreak/root detection function
  • Offer convenient authentication options by using not only the biometrics supported by the device, but also behavioral biometrics

Selecting OneSpan for their mobile authentication provided an additional benefit. Because the bank was already using the OneSpan Authentication Server Framework (formerly VACMAN Controller) for their hardware authenticators, they were able to save development costs by leveraging their existing server investment to support the new software authentication method.

With these security measures and multi-factor authentication in place, Sony Bank has defended their app against attacks, while also simplifying the user experience. This allows the bank to provide the most convenient authentication methods, such as face and fingerprint recognition, and offer a seamless user experience.

Mobile App Shielding

The bank integrated app shielding with runtime protection to protect the Sony Bank App.

“Mobile banking allows us to enjoy many benefits, but it also increases the risk of exposing confidential information. Cybercriminals are constantly trying to exploit users, OS, and device vulnerabilities,” says Mr. Shuichiro Sumimoto. “That’s why we chose OneSpan. After our evaluation, we judged that the Mobile Security Suite can provide the security we need, while ensuring our customers enjoy a convenient experience.”

Integrating app shielding also:

  • Protects the mobile app by preventing reverse-engineering techniques via code obfuscation and anti-repackaging technology
  • Actively detects threats such as malicious keylogging, screen-readers, debuggers, emulators, and overlay attacks
  • Allows the app to proactively defend itself if a malicious attack or infection is detected, or even shut itself down (based on an app owner’s security policy)

The bank was able to efficiently integrate mobile security with minimal development resources. In the System Development Department, Ms. Kahori Kusunoki, lead project manager, says the simplicity of implementation of app shielding is impressive.

“The app shielding function is very easy to implement and use. We can shield the target application by simply selecting the function I want to use from the management console. It’s as simple as selecting on/off.”

For the app shielding implementation, OneSpan brought in a trainer to run a specialized session on product features and implementation points. Ms. Kusunoki says, “OneSpan’s training and source code review by technical members helped us quickly and thoroughly implement the aspects I originally found difficult. Sequence processing with high security functions such as activation, etc., could also be developed much more efficiently than building in-house, by using the sample code provided.”

Transaction Signing Functionality

As Mr. Sumimoto explains, the transaction signing functionality was a must-have requirement for the new app. The Sony Bank App needed to have both usability and robust security in order to allow customers to transfer funds and do foreign currency transactions securely by protecting against Man-in-the-Middle (MitM) attacks. In a MitM scenario, a bad actor intercepts the communication between the customer and the banking server, and alters the details of the transaction without the genuine payer noticing.

“The hardware token is clearly protected from malware, but in case of software, it is an environment where it can co-exist with malware on the device. As with PCs, we needed to secure smartphones from malware and prevent unauthorized money transfers. The concept of OneSpan’s Mobile Security Suite, to comprehensively protect mobile transactions, as well as the device and the app itself, matched our needs,” says Mr. Sumimoto.

“We focused on improving the user interface and experience. We have discussed repeatedly about the design, reducing the taps times on transaction, and making the login process faster. As a result, we can offer this app with confidence.”

Ms. Kahori Kusunoki, Lead project manager, Mobile app development

Conclusion

Since its launch, the Sony Bank App has been very highly rated by customers. Part of this success is due to the security measures protecting mobile-first users and their devices and transactions. Sony Bank has had a trusted partnership with OneSpan for years. The Sony Bank team knew firsthand the quality and support that OneSpan provides, and that gave the team the confidence to move forward with this innovative and holistic approach to mobile security.

At OneSpan, we understand that banks have unique security needs and requirements relative to the mobile channel. To learn more about how you can benefit from similar best practices and technologies as Sony Bank, visit https://www.onespan.com/products/mobile-security-suite.
