New technologies to use.

Design, implementation and operation of secure transaction and information systems for national and international clients.
Know-how transfer in the context of individual seminars.

Get to know SRC ...

Feature Article

SRC conducts Security Evaluation of the Protectoria Secure Mobile Platform

Protectoria has developed the Protectoria Secure Mobile Platform (PSMP) that shall allow PSPs to provide security enhanced payment apps on a single smartphone without any other pre-requisites than an Internet connection.
SRC as an independent consultancy company was asked to carry out a third party verification of the PSMP solution. The security evaluation was based on the requirements stated in the ECB Assessment guide and the EBA Guidelines for the Security of Internet Payments. It was investigated to what extent the design of the PSMP solution is able to meet requirements related to component authentication and strong user authentication, message integrity, cryptographic operations and confidentiality of sensitive data where applicable. In a first step, the design of the PSMP solution has been evaluated on a conceptual level.
SRC states that “the evaluation result of the PSMP solution is compliant with the EBA requirements which are relevant for the PSMP solution and that all applicable criteria for strong customer authentication have been met. One specific finding was that the dynamic code blocks and the code obfuscation mechanism provide a reasonable amount of complexity to the system, which makes it extremely hard to analyse the code, even if the smartphone device is infected with malware. Since the code blocks are dynamically loaded, the time span for code modifications is very small. The assumptions on the implementation of the PSMP solution have to be upheld during the implementation to ensure the results of the evaluation are valid.”
Therefore, in a second step Protectoria will undergo an in depth security testing of the implementation of the PSMP solution. The compliance of the PSMP solution in a concrete integration scenario shall be checked in a pilot implementation through a banking supervisory audit.
Protectoria is an innovative Norwegian company that has patent pending mobile security technologies meeting the actual security requirements and compliance rules mostly defined by the EU. These new rules and directives are required for future-proof ecommerce, international money transfer and for the protection of critical infrastructures. The relevant directives related to enhanced information security are in the areas Payments (PSD2), Network and Information Security (NIS) and Confidentiality (ePrivacy directive), which defines the target market segments for the Protectoria innovations.

Here you find the full press release. 

NEW: Study "Paying 2025 - Scenarios for the future of the payment systens in Germany"

Last year, we initiated the study "Paying in 2025" with the helpful input of a large number of national and international experts. The results of our analysis are now available for download.
With this study, we aim to support the decision-makers in the payments sector in the analysis of the opportunities and challenges of the future payments landscape.
Naturally, it is not possible to predict the “one true” future of payments. We therefore focused our efforts on identifying those factors that are most likely to have a strong influence on the future of payments over the next decade.
On this basis we developed various consistent scenarios of the future which can help to improve our understanding of what payments may look like in ten years' time.

The results of the study are now available for download.

We'd be pleased to answer any questions you might have on the study - please contact us.

Critical Infrastructures: BSI publishes study.

The reliable availability of utility services provided by organisations categorised as critical infrastructures, e.g. power and water supply, forms a basic prerequisite for the proper functioning of the state, the economy and the society.
It is the responsibility of the utility companies to ensure the availability of critical services. However, due to the significance of these services for the society as a whole, the state must take over part of the responsibility by providing incentives, regulations and controls to work towards protecting critical infrastructures.
The protection of the ICT systems required to provide such services and of externally provided ICT services becomes increasingly important.
In Germany, critical infrastructures are divided into nine sectors: energy, food, finance and insurance industry, health, information technology and telecommunications, media and culture, government and public administration, transport and traffic, and water.
For each of these sectors, a KRITIS sector study was conducted on behalf of BSI.
SRC conducted the KRITIS study for the sector finance and insurance industry in cooperation with IABG and Gucio Consulting.
Apart from the confidential versions of the studies, there are also a publicly available versions. The public study on the finance and insurance industry can be downloaded from the BSI website.
The finance and insurance sector is characterised by the fact that financial resources – in contrast to other sectors of the economy- are not only a framework condition for economic activities but represent the business purpose itself. The level of automation in the finance and insurance industry is high. The necessary systems are usually not operated by the organisation of the sector themselves but by technical service providers. These service providers work on behalf of organisations which are active in one of the industries of this sector. The service providers therefore provide a crucial technical basis for the proper functioning of the sector.
The organisations of the finance and insurance sector are subject to state supervision and regulation. The utility services provided by the sector are largely defined by legislation. On this basis, the current study identifies and evaluates the utility services and rates their criticality with regard to defined damage categories in the areas “state” (capacity to act, safety and order), “economy” (monetary damage and image) and society (personal damage and psychological damage).
The study lists 19 incidents in the financial sector where force majeure, human or technical failure, or intentional attacks caused failures. From this list, seven incidents are taken as examples and described in detail. This also includes a reaction from supervisory authorities and regulators.
Do you have any questions of the topic of Critical Infrastructures or on the study? Please contact us.