InsideBusiness App Security
InsideBusiness App combines the security of two-factor authentication with the convenience of mobile devices.
Something you have
Each user generates multiple personal, strong sets of cryptographic keys during the App activation process. Separate keys are used for authenticated encryption and for signing. These keys let the App establish a second secure channel on top of TLS, so that the App remains secure even if the TLS layer is broken.
Strong and proven protocols are used for connection, encryption and keys:
- TLS 1.2+ for the outer secure channel, with strong certificate pinning to prevent a Man-in-the-Middle attack
- AES (256), HMAC (512), and RSA (2048) for the additional secure channel on top of TLS. For this additional channel the App also pins the RSA public key of the server, to further thwart a possible Man-in-the-Middle attack
Something you know
A personal mPIN, specific to this combination of App, user and device, is used to unlock the App and connect to ING.
- The mPIN is not known to ING and is not transmitted
- To authenticate the user based on their mPIN the Secure Remote Password (SRP) protocol is used
- The mPIN is blocked after 5 incorrect attempts, and unblocking is only possible by re-activation. The user and the Corporate Admin (if present) are informed when a new registration takes place
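The SRP step behind the mPIN points above, as an added example that is not ING's or the App's code: both sides of an SRP-6a login with SHA-256, where activation hands the server only a salt and a verifier, and login proves knowledge of the mPIN without ever sending it. The group N = 1019, g = 2 is a toy parameter chosen for readability, and the identity, mPIN values and function names are assumptions for the demo.

```python
import hashlib
import secrets

# Toy group so the numbers stay readable: N = 1019 is a safe prime (2 * 509 + 1) and g = 2
# generates it.  Real deployments use the large RFC 5054 groups; the steps are identical.
N, g = 1019, 2

def H(*parts) -> int:
    h = hashlib.sha256()
    for p in parts:  # byte strings as-is, integers as big-endian bytes
        h.update(p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier, fixed by the group parameters

def activate(identity: bytes, mpin: bytes):
    """Activation on the device: the server receives only (salt, verifier), never the mPIN."""
    salt = secrets.randbits(64)
    x = H(salt, H(identity, b":", mpin))
    return salt, pow(g, x, N)

def server_respond(verifier: int):
    while True:  # SRP-6a forbids B = 0 mod N; possible in a toy group, so re-draw
        b = secrets.randbelow(N - 2) + 1
        B = (k * verifier + pow(g, b, N)) % N
        if B:
            return b, B

def client_proof(identity, mpin, salt, a, A, B):
    """Client derives K from the mPIN and proves it with M1 = H(A, B, K); the mPIN is not sent."""
    if B % N == 0: raise ValueError("server sent B = 0 mod N")
    u = H(A, B)
    x = H(salt, H(identity, b":", mpin))
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    return K, H(A, B, K)

def server_check(verifier, b, A, B, M1):
    """Server derives K from the stored verifier alone and accepts only if M1 matches."""
    if A % N == 0: raise ValueError("client sent A = 0 mod N")
    u = H(A, B)
    K = H(pow(A * pow(verifier, u, N) % N, b, N))
    return K if H(A, B, K) == M1 else None

def login(identity: bytes, mpin: bytes, salt: int, verifier: int) -> bool:
    # One full exchange; True only if the server accepts and both sides hold the same K
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    b, B = server_respond(verifier)
    K_client, M1 = client_proof(identity, mpin, salt, a, A, B)
    K_server = server_check(verifier, b, A, B, M1)
    return K_server is not None and K_server == K_client
```

A wrong mPIN produces a different x on the device, so M1 does not match the server's recomputation and no session key is established; the stored (salt, verifier) record cannot be used to log in without the mPIN.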
Something you are
- Fingerprint or Face recognition
- The software is extensively tested in multiple phases and on different levels during the development process. Before a major release the implementation is also tested by an external third party (white box, grey box and black box testing)
- A user can de-register the App (wipe keys and block the App). The user, the Corporate Administrator and ING can block the App via InsideBusiness
- A profile ID and keys are securely stored on the mobile device (based on the iOS and Android keychain). Sensitive data downloaded by the App is stored encrypted and is only accessible in combination with a secure connection to ING and the mPIN or fingerprint
- InsideBusiness App complies with applicable local regulatory requirements, international security standards and market best practices
- Ability to detect common cases of tampering with your device
- ING continuously monitors for possible fraudulent activities