Horizon
2020 project

Quardlock ApS has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 757096

Introduction

CardLab’s and QuardLock’s joint vision is to bring a disruptive, highly secure smart card (QuardCard) to the market to improve the security of access control in general and for online and physical transactions which is currently facing major increases in fraud levels.

The consortium gathers two Danish SMEs with complementary expertise and positioning in the value chain. Both companies benefit from the project through a cross-license agreement between the parties.

The project has been supported by Horizon2020 with a grant of 1,620,243 EURO. The title of the project is:

Grant number 757096: QuardCard – Powered smartcard with a biometric one-time password system

Summary of the context and overall objectives of the project

Financial fraud is a global problem, with online banking fraud rising with double digit % figures with increasing financial activity on the internet. Online transaction safety is a major issue for individuals, card issuers, merchants, and banks, all risking significant losses. Physical payment issues have increased with the popularity of contactless payment where electronic pickpocketing and skimming of cards increases.

The massive increase in Cyber-crime activities happens partly because the internet can be used under false identities and cause anything from fraud, “Man in the middle” attacks or skim personal data of millions of citizens and organizations. Cyber-crime losses are expected to rise to more than $ 2,100 billion this year.

The digital world makes life convenient for Citizens but equally easy to live incognito in the cyber world performing criminal activities hard or impossible to track down. Citizen biometric databases get hacked and lead to whole nations loss of citizens unique identity, like in India with the Aadhaar data breach and must be stopped.

Block chain solutions and Crypto Currency trading platforms also poses a significant risk of money laundering due to anonymous users. Unique user identification is needed to provide a secure blockchain solution to exclude criminal activities with no ability to detect the culprits’ true identity.

The importance of this project increases for the society to ensure Cyber security and secure unique citizens ID and full privacy protection. An offline biometric card solution is today the only viable way to secure unique user ID as IOT devices can be hacked.

The Increasing number of terror attacks both physically and virtually calls for solutions to protect the society, citizens, and critical infrastructure. The biometric card with backend authentication system provides such protective tool with much lower risk for hacking and removes the risk of losing critical biometric data from databases.

The overall objective is to provide unique user identification with full privacy protection which this project provides.

This project period, our main focus has been to improve security in financial transactions with focus on PSD2 and Tokenization. PSD2 requires strong customer authentication and dynamic linking for card-not-present transaction (e-commerce) and we have solved this issue with a combination of a server update, QuardCard update and a mobile app and now actually perform secure user authentication SCA (2 factor authentication) in card-not present transactions (e-commerce) which means at least 2 of the following factors:

  1. Something you have
  2. Something you are
  3. Something you know

We have also made R&D on Tokenization where a virtual credit card number or token is created as a surrogate value that stands in for a real credit card number in a payment transaction and we now have a roadmap on how to implement this technology with QuardCard and backend server.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

In the total project period, the development has stabilized and improved the technology further and has brought along a new version of QuardCard with a much better fingerprint touch sensor and new exiting features being implemented, like

  1. PSD2 requiring strong customer authentication and dynamic linking in e-commerce
  2. Tokenization
  3. Energy harvesting
  4. Battery augmentation
  5. E-ink display
  6. Updates to Identity & Authentication server (manage key feature, TOTP, PSD2, SAML 2.0)
  7. New Vendor Tool interface between server, NFC reader and firmware
  8. Biometric template match in Secure Element
  9. BIO- Operating system for Secure Element.
  10. Biometric fingerprint matching as CVM in EMV applets
  11. Improved production technology and quality assessment

Ongoing market research has confirmed that the following solution with 4 different secure and hygienic card models will cover most requests made by customers:

  1. A contact and contactless energy-harvesting card for payment, access control and to some extent ID card
  2. A contact and contactless energy-harvesting card with battery augmentation and display for E-commerce, E-banking, card-present transactions, E-government and to some extent access and ID cards. Some of these solutions will have to contain a dynamic magstripe for token transmission to existing “brick and mortar” system
  3. An OTP card with display and primary battery for low frequency use for card-not-present and card-present transactions, E-banking, E-government, access, and ID cards
  4. A high frequency use card with rechargeable battery, large display, and contactless interface via NFC and BLE as Crypto Currency cold wallet and cryptographic authentication of Block chain users. Dynamic magstripe for token transmission to existing “brick and mortar” system can be added.

Unique user identification is coming closer with both the EU and MasterCard among others starting to mandate biometric authentication of users. Biometric authentication directly with the offline QuardCard, is by far the most secure way of protecting privacy, taking PSD2 and GDPR compliance into account. The offline authentication turning an individual into a token eliminates the value of any hacker attack and risk of biometric data loss, due to database hacking.

Progress beyond the state of the art, expected results until the end of the project and potential impacts

Stricter GDPR regulations are in force and it is clear that our solution provides a secure, hygienic and GDPR compatible solution in the most efficient and secure way ever seen. OTP, dynamic CVV, dynamic PIN and sending code via NFC gives a strong tokenization and PSD2 platform. Identity theft can dramatically be reduced by the solution, as the authentication is moved offline with identities visible as tokens only. The offline template storage enables sending a biometric encoded credit card by mail ensuring only the cardholder´s fingerprint can activate the card.

PSD2 requirement has added a compliance factor with payee number and amount being included in e-commerce data has now been implemented on QuardCard and backend server.

Biometric verification (template match) in Secure Element ensuring biometric verification directly on card is the solution of the future, but for full security it needs our tokenization solution.

QuardCard security is well above other card solutions of today. When implemented in all financial transactions physical and online fraud can be eliminated as transactions require the correct fingerprint.

Distributed storage of fingerprints in offline cards, is a huge step forward in citizen identity protection, and system wise a huge security improvement with each transactions uniquely identified with no critical personal data but exchange of biometric ID one-time codes.

This enables block chain and Crypto Currency exchange platforms legitimacy, with each created block given a tokenized biometric stamp. In case of suspected criminal activities, authorities can via a block chain data dump identify persons having performed any criminal activities.

The solution protects against Cyber-attack losses by only allowing authorized users, biometrically identified access to databases keeping critical data stored on card only, out of hacker reach, only accessible with correct fingerprint.

As a side effect of the distributed security with the fingerprint match on card, the solution is so far the only fully secure solution taking both true identification, Cyber security and hygiene into consideration keeping the Covid19 virus in mind. It is therefore well suited as Covid-19 pass.