Build38 exhibiting at the Singapore Fintech Festival & SWITCH

We are very excited to share that we will be present at the Singapore FinTech Festival & SWITCH. As one of the startups selected by the Catalonia Trade and Investment agency, we will be at the Catalonia International Pavilion of the SFF x SWITCH. Come and visit us, enjoy some Southern European hospitality and learn interesting facts, such as that the largest part of Build38's workforce is based in Barcelona, a vibrant and innovative city that has become a key place for entrepreneurship in Europe and globally. Meet our Asia Pacific Managing Director, Pedro Hernandez, and talk to our Head of Product Architecture, Marc Obrador, for the latest insights on Mobile App Security and Fraud Management.

The Singapore FinTech Festival & SWITCH exhibition will be held between the 11th and 13th of November at the Singapore Expo (Hall 1 to 6), 1 Expo Drive, Singapore 486150. Opening times are 10am to 6pm.


Build38 selected for the Scale Programme of ICE71

Build38 is proud to announce that it has been selected to be part of the Scale Programme of ICE71, the leading Cyber Security Accelerator in Asia-Pacific. ICE71 founding partners are Innov8, the Singtel group corporate Venture Capital unit, and NUS Enterprise, the entrepreneurship arm of the National University of Singapore.

As part of the programme, the Singapore team of Build38 will take residency at the accelerator and will be able to benefit from and contribute to the thriving Cyber Security ecosystem of Singapore and the region. Referring to the unparalleled activities and initiatives of ICE71, Pedro Hernandez, Managing Director of Asia-Pacific and Co-Founder of Build38, stated: "We are extremely honoured and happy to be part of ICE71. Singapore, as the most competitive economy in the world and a reference in the Asia-Pacific region, is a strategic location and ICE71 is the place to be for Build38 as a Cyber Security Start-up with plans to extend our footprint in the region".

ICE71 is located at 71 Ayer Rajah Crescent, the core of the one-north Science, Research and Innovation district of Singapore, hence exposing the Cyber Security ecosystem to multiple disciplines and forging new connections. Now the Asia-Pacific team of Build38 will be benefiting from that exposure too.

 


Lessons from Japan: Preventing Account Takeover through App Security

It was recently reported in the news that one of the largest convenience store chains in Japan, whose mobile wallet makes payments linked to a credit card, suffered an attack that ended in a total loss of 55 million yen by almost 1,000 users. Based on public information, it is believed the attack was based on an account takeover scheme. The attacker started a password recovery process that ended with an email containing a password reset link being sent.

Apparently, the process was implemented so that the user had the option to send the reset link to an email address other than the one originally used to sign up for the account. This is a very strange practice: generally, when resetting a password, some original element serves as the root-of-trust (the original email address), but in this case it seems that very basic information such as the birth date was used as the root-of-trust.

Even though there is no evidence that the Mobile App was compromised, or of whether additional countermeasures would have prevented the attack, the question here is: Can we design a password reset mechanism that can overcome the flaws of current methods? Besides this particular case, we have heard of many account takeovers by attackers using SIM Card replacement mechanisms, where the Service Provider has to rely on the Mobile Network Operator / Carrier of the user to do the right verification before providing a SIM Card replacement.

Solving the issue: What if the Service Provider didn’t have to rely on third parties for that?

That brings us to an improved flow for the password recovery mechanism. Imagine you have a Mobile Wallet that you use to make purchases and you have a Mobile App on your phone, protected by some kind of user verification, e.g. Fingerprint or FaceID. One day, you want to access your account from a website. Or you are asked to log in again and you have forgotten your account password. In the current scenario, the user would request a password reset and a link would be sent to their email; once clicked, it would be used to set a new password. An alternative would be an SMS to their phone number with the link or a code for the password reset.

In the improved scenario, the Mobile App is strongly linked to the phone it runs on. This means that it can’t be copied to a different phone, the stored keys can’t be compromised and the communication can’t be sniffed. We also don’t need to rely on an SMS, whose phone number may have been compromised by poor carrier KYC mechanisms to get a SIM Replacement, or on emails, which may have been compromised in multiple ways. This would work as follows: the user wants to log in through the website but can’t remember the password, and clicks on recover password. The website asks the user to open the app on their phone and do user verification, e.g. Fingerprint, and once that is verified the option to define a new password is shown on the website. If someone is trying to take over the account, once they request the reset password link they will not get through, as the real user is not going to open the app and accept the reset of the account.
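The improved flow above, sketched server-side as an added example (not Build38's code or the T.A.K API). The class, function names and the 120-second lifetime are hypothetical, and an HMAC over a per-device key stands in for a signature from a hardware-backed, non-exportable key:

```python
import hashlib
import hmac
import secrets

TTL = 120  # seconds a reset request stays valid (assumed value)

def sign(device_key, reset_id, nonce):
    # Stand-in for a signature made with a hardware-backed, non-exportable key.
    return hmac.new(device_key, reset_id.encode() + nonce, hashlib.sha256).digest()

class ResetService:
    """Hypothetical server side of the app-approved password reset."""

    def __init__(self):
        self.device_keys = {}  # account -> key enrolled by the bound app
        self.pending = {}      # reset_id -> request state

    def enroll(self, account):
        self.device_keys[account] = secrets.token_bytes(32)
        return self.device_keys[account]

    def request_reset(self, account, now):
        # Website step: no email or SMS link, only a challenge for the app.
        reset_id, nonce = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.pending[reset_id] = {"account": account, "nonce": nonce,
                                  "expires": now + TTL, "approved": False}
        return reset_id, nonce

    def approve(self, reset_id, tag, now):
        # App step: the tag is only produced after local user verification.
        req = self.pending.get(reset_id)
        key = self.device_keys.get(req["account"]) if req else None
        if key is None or now > req["expires"]:
            return False
        if hmac.compare_digest(sign(key, reset_id, req["nonce"]), tag):
            req["approved"] = True
        return req["approved"]

    def set_password(self, reset_id, new_password, now):
        # Website step: refused until the bound device has approved.
        req = self.pending.get(reset_id)
        if not req or not req["approved"] or now > req["expires"]:
            return False
        del self.pending[reset_id]  # single use: approval cannot be replayed
        return True  # password hashing and storage omitted
```

A reset requested by someone who does not hold the enrolled device never reaches the approved state, so `set_password` keeps returning `False` until the request expires.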

Actually, such a flow would go in the direction of the Payments Japan Association guidelines that "requires the operators of mobile payment services to confirm the linkage between the devices of users and apps downloaded on them to prevent unauthorized access."

In the case that the user forgets the password and loses access to their phone at the same time, a specific “Red” path for the user verification shall be established. The good thing is that in this scenario, if an attacker is pretending to have lost their phone and forgotten the password of the user, the actual user could be alerted of this through a warning sent to the App on the legitimate mobile device. The user can then inform the Service Provider that they have not initiated such a process, alerting the Service Provider that an attack is happening.

Thus, using a strong device binding and a hardened app we can solve many of the risks associated with online account takeovers. Build38, through its family of technologies under the Trusted Application Kit (T.A.K) is able to make Service Providers independent of security processes of others, e.g. Mobile Network Operators / Carriers, Email and ISP providers. Contact us to learn more about Build38 and how we can help you transform your Mobile Security!

#buildonBuild38

 


Speakers at Cybersecurity Thailand, organised by ETDA, RSA Conference and CyberTech

Build38 was present at the Cybersecurity Thailand conference organised by ETDA, RSA Conference and CyberTech. We were invited to speak as part of the Start-up showcase in front of an audience of 300+ people. Great feedback was received about the innovative showcase that Build38 brings to the table of Service Providers, e.g. Banks, Automakers, Transit operators, that want to go with a Mobile First approach.

Pedro Hernandez was part of the delegation and responsible for delivering the speech during the second day of the event, which was extensively reported in Thai media. Many valuable leads and connections were established that will help bring our #buildonBuild38 motto to Thailand!

 


Pedro Hernández

Head of Product Management & Co-Founder

Quality Innovation

Pedro Hernández is drawn to thinking big. His take on business is not global, it is cosmic. Continents are the smallest unit for him; his personal journey took him from Europe to Asia. Pedro is educated in terms of larger connections. His exceptional management skills come from an astrophysics background.

Mobile security is a matter of quality. Innovation is finally adapting to the all-important human need of security and as it does it is improving.


Dr. Christian Schläger

CEO, Managing Director & Build38 Founder

Building Build38

Dr. Christian Schläger – you might know him as Dr. Christian Schlaeger – hits mobile security with handpicked business relations and a truly global perspective on mobile security with tons of experience. His PhD is not a medical title or just an academic honour; some say it is short for: disruptive thinking. Christian is usually thinking three steps ahead. His answers are as quick as his sense of humour. With his independent mind, his stoicism and his sense for corporate development he managed to gather a team and a vision. Anybody who is in for Build38 is in it because of Christian. The team around him is handpicked and it did not even take him too long to convince everybody to quit their established career and start anew to work even harder. Being the founder of Build38, Christian is CEO of Build38 Germany, Iberia and Singapore and Managing Director of Build38 Germany.

Christian is not your typical bold and adventurous startup guy. He is a family man. His safe haven is well hidden amongst his two daughters and his wife. Along with his secrets of success, this is where he feels safe. Not too long ago, he would not have thought that his career would take a turn towards founding a company at the age of 40. His education in business information systems in southern Germany and his impressive path within the most established consulting companies of the country had already taken him where he wanted to be: ahead of mobile security. Now that one familiar niche product has shown more power than any other before, his decision was only logical: found a company, commit a team, shape tomorrow before someone else does. Build mobile security to build on. In the best 3 countries to do so. With the best 8 people to start.

Mobile Security is part of Business Intelligence. That’s why it is invisible.