While many banks claim to adopt a mobile-first strategy, they often tie their mobile apps to internet banking during activation and customer onboarding. Initially, this was a functional concept, as mobile banking existed as an auxiliary channel to internet banking. Webinar Recording: https://www.youtube.com/watch?v=pybyvAWFVOQ&ab_channel=SMEBankingClub However, as user adoption of mobile banking has grown, attackers have increasingly targeted activation and onboarding processes. Fraudsters use internet banking as their self-care system: Since internet banking is available online and to anyone with an internet connection, it’s a handy hacking console that attackers routinely use to cause damage. By efficiently hijacking mobile banking activation and onboarding via internet banking, attackers pair victims’ accounts to their devices. They then gain complete control over the customer’s bank account and can steal both their money and pre-approved loans, leaving an audit trail that’s difficult to investigate. The solution to this problem is for banks to genuinely become mobile-first through rethinking their mobile onboarding process. Financial organizations can ensure better customer verification and prevent financial fraud through mobile personal identification (such as a document scan) and genuine presence check (using server-side facial biometrics). At the same time, banks should aim to use customers’ official government identity as input to the process and propose legislative changes to enable such access.

1. ADDRESS
Belehradska 858/23
120 00 Prague
Czech Republic
CONTACT
hello@wultra.com
www.wultra.com
Webinar
Time to Rethink Mobile
Onboarding

2. CEO & Founder
• 15 years of IT experience with a focus on digital
banking and finance.
• Author of the Czech national standard for
QR Payments and two cybersecurity patents.
• Open banking pioneer - the first PSD2 application
in the Czech Republic, an early version of Bank ID.
• Graduate of the Charles University Faculty of
Mathematics and Physics.
Petr Dvořák

3. We help the leading banks and
fintech companies to secure
their digital systems and bring
trust to customer journeys.
2014
Founded
550+
References
5
Regions
Powered by

4. State of Mobile
Onboarding

5. Our organization strategy
is mobile first.
— Almost every bank
"

7. How do you activate
your mobile app?
Internet Banking Branch ATM Call Center

8. 2012

9. 2012: Internet Banking = Mobile Onboarding Tool
• Primary Channel
• Secure Channel
• Well-Managed Projects
• Accepted by People
• Full Feature Set

10. 2022: Internet Banking = Open Hacking Tool
• Phishing / Vishing / Smishing
• Account Takeover
• Available 24x7
Fraudsters use phishing
to gain full access to
mobile banking using the
activation process in
internet banking.
Image automatically generated by DALL-E-2 by OpenAI.com, https://openai.com/dall-e-2/:
"security developer at startup writing code at midnight on his macbook"

11. 2022: Internet Banking = Open Hacking Tool
50%
of fraudulent calls
are successful
10 000 EUR
avg. vishing damage
Data of the Czech Banking Association (CBA).
NUMBER OF ATTACKS
0
10000
20000
30000
40000
2020 2021 01-07/2022
+14 757
20 660
12 239
5 235
ATTACKS PROJECTION

12. People lose money because
of insufficient mobile onboarding
procedures.
1
Key Takeaway

13. Future of Mobile
Onboarding

14. • Mobile-only.
• Secure. Phishing resistant. Passwordless.
• Strong KYC/AML assurances.
• PSD2 compliant.
• Done under 5 minutes.
• No prerequisites!
2022: Mobile Onboarding Done Right

15. Challenges of Mobile
Onboarding

16. And what if we introduced
a new password for a situation when the
user forgets the password?

17. Automatically generated by DALL-E-2 by OpenAI.com, https://openai.com/dall-e-2/
A Naked Troll in a Phone Booth…
• Remote user.
• Does not remember anything.
• Does not have anything. *
• Says and types everything
to everyone, everywhere.
* … anything which is not absolutely common

18. How to Move
Forward…

19. The Critical Building Blocks …
John Appleseed
ID Document Scan Facial Biometrics
SMS
SMS OTP

20. The User Flow …

21. Opinion of the European
Banking Authority on
the elements of strong
customer authentication
under PSD2
— EBA-Op-2019-06, 21 June 2019
https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2622242/4bf4e536-69a5-44a5-a685-de42e292ef78/
EBA%20Opinion%20on%20SCA%20elements%20under%20PSD2%20.pdf?retry=1

22. https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2622242/4bf4e536-69a5-44a5-a685-de42e292ef78/
EBA%20Opinion%20on%20SCA%20elements%20under%20PSD2%20.pdf?retry=1

23. With steps so few, quality
matters greatly.
2
Key Takeaway

24. ID Document Scan
Requirements
• Fast and Reliable Recognition.
• High-Quality Image Extraction.
• Document Authenticity Checks.
• Support for MRZ Reading.
• Support for NFC-Ready Documents.

25. Facial Biometrics
Requirements
Face Recognition
Right Person?
Liveness Check
Real Person?
Real-Time
Present Now?
eIDAS
• Compliant (eIDAS, PSD2).
• Reliable Statistics (FAR, FRR).
• Liveness Check.
• Deepfake Detection.
• Secure Camera
Data Stream.

27. There are ready-made components for
building a compliant, user-friendly,
mobile-first onboarding process.
3
Key Takeaway

28. ADRESS
Wultra s.r.o.
Bělehradská 858/23
120 00 Prague
Czech Republic
EMAIL
hello@wultra.com
Thank You!
Petr Dvořák
CEO & Founder
EMAIL
petr@wultra.com
CONTACT