Borchert IT-Sicherheit UG was founded in 2012 as a spin-off of the Computer Science Department of Tübingen University. The company invents, develops and sells methods that prevent trojans on insecure end devices from manipulating transactions and from eavesdropping. The focus of current development is summarized by the following "mission statement" and the explanation below it.
Problem. Many applications in banking, payment and authentication today use the user's smartphone as the security token on which the secret keys are stored. But the smartphone is an insecure device: it may be infiltrated by powerful trojans that simply steal or abuse the secret keys stored on it.
Solution. The simple idea for solving this problem is this: move the secret keys off the smartphone and onto a smartcard that is connected to the smartphone via NFC or Bluetooth!
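To make the difference between the two key-storage models concrete, here is an added example (not code from Borchert IT-Sicherheit or from the NFC-TAN/Display-TAN products, whose protocols the page does not describe). It assumes a constructed TAN scheme, HMAC-SHA256 over the transaction text truncated to 6 digits with a key shared between customer token and bank server, and models a trojan with root on the phone. With the key in phone storage the trojan dumps it once and can mint valid TANs for its own transactions at any later time; with the key on a smartcard the phone only ever sees the card's command interface, so once the user puts the card away the trojan has nothing to work with.

```python
"""Key-on-phone vs key-on-smartcard, as a runnable model.

Assumptions (added for this example, not taken from the page): TAN = HMAC-SHA256
over the transaction text, 6 decimal digits; the bank server shares the customer
key; the phone reaches the card only through an NFC command interface.
"""
import hashlib
import hmac
import secrets


def derive_tan(key: bytes, transaction: str) -> str:
    """Constructed TAN scheme: HMAC-SHA256 over the transaction, truncated to 6 digits."""
    mac = hmac.new(key, transaction.encode("utf-8"), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


class BankServer:
    """Holds the customer's TAN key and books a transaction only with a valid TAN."""

    def __init__(self, customer_key: bytes) -> None:
        self._key = customer_key
        self.booked: list[str] = []

    def submit(self, transaction: str, tan: str) -> bool:
        if not hmac.compare_digest(tan, derive_tan(self._key, transaction)):
            return False
        self.booked.append(transaction)
        return True


class PhoneWithKey:
    """Software token: the TAN key sits in the phone's own storage."""

    def __init__(self, key: bytes) -> None:
        self.storage = {"tan_key": key}  # readable by any process running as root

    def tan_for(self, transaction: str) -> str:
        return derive_tan(self.storage["tan_key"], transaction)


class SmartCard:
    """Hardware token: the only command it answers is 'compute a TAN'."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.in_range = False  # True only while the user holds the card to the phone

    def nfc_command_tan(self, transaction: str) -> str:
        if not self.in_range:
            raise ConnectionError("card not in NFC range")
        return derive_tan(self._key, transaction)


class NfcLink:
    """What phone software, trojan included, can reach: the card's command
    interface. There is no command that returns the key."""

    def __init__(self, card: SmartCard) -> None:
        self._card = card

    def command_tan(self, transaction: str) -> str:
        return self._card.nfc_command_tan(transaction)


FORGED = "transfer 9000 EUR to attacker IBAN"  # constructed attacker transaction


def attack_key_on_phone(server: BankServer, phone: PhoneWithKey) -> bool:
    """Trojan with root dumps the key once and mints a TAN whenever it likes."""
    stolen_key = phone.storage["tan_key"]
    return server.submit(FORGED, derive_tan(stolen_key, FORGED))


def attack_key_on_card(server: BankServer, link: NfcLink) -> bool:
    """Same trojan against the smartcard setup, after the user has put the card away."""
    try:
        tan = link.command_tan(FORGED)
    except ConnectionError:
        return False  # no card, no TAN: nothing to replay later
    return server.submit(FORGED, tan)


def run_scenarios() -> dict[str, bool]:
    key = secrets.token_bytes(32)
    server = BankServer(key)
    phone = PhoneWithKey(key)
    card = SmartCard(key)
    link = NfcLink(card)

    # Legitimate use: user taps the card, the phone relays the transaction.
    card.in_range = True
    legit = "transfer 20 EUR to landlord IBAN"  # constructed
    legit_ok = server.submit(legit, link.command_tan(legit))
    card.in_range = False  # card goes back into the wallet

    return {
        "legit_via_card": legit_ok,
        "forgery_key_on_phone": attack_key_on_phone(server, phone),
        "forgery_key_on_card": attack_key_on_card(server, link),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'booked' if outcome else 'rejected'}")
```

The model covers only where the key lives. While the card is in range, a trojan can still hand the card a manipulated transaction, so what the card signs also has to be bound to what the user intends; a display on the token (the page's Display-TAN variant) is the usual way to give the user that check, but the page does not describe how either product does it and the example does not model it.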
Usability side effect. This not only solves the security problem of secret keys stored on the smartphone but also has usability advantages over the smartphone solution: (1) no initialization (''provisioning'') of the smartphone with the secret key, and no pairing, (2) no trouble when changing smartphones, (3) works on several of the user's mobile end devices at the same time, (4) no de-initialization of the smartphone, (5) no security concerns for the user about stored secret keys if the smartphone is lost, stolen, or given away.
Smartcards. A smartcard is a perfect form factor for a security token anyway. Moreover, if the server institution already distributes smartcards to its users, as a bank does to its customers or a company to its employees, then the security token functionality should be integrated into these cards, so that users need nothing more than what they already have.
True mobility. Authentication on the smartphone via the smartcard is mobile in the sense that the user needs nothing more than what they carry anyway: smartphone and smartcard.
Solutions. The two solutions developed for the banking/payment scenario are NFC-TAN (no display, NFC) and Display-TAN (display, Bluetooth). The solution developed for the log-in scenario is eKaay NFC.
Step back in progress? There is a ''vision'' that the user's whole purse, cards included, should move into the smartphone. After something like 20 years this ''vision'' should be revised: a smartphone is simply too insecure for important authentications. Moreover, people nowadays have several mobile end devices and change them often, so it is not practical to store the secret keys on the various changing end devices; it is easier to keep them on a smartcard.
Peccadillos of youth. Smartphone solutions as described above (i.e., without smartcard) were developed within the research group. The one for banking/payment, eKaay-TAN, was abandoned as early as 2009, and the one for login, eKaay, around 2015.
Email: info at ekaay dot com
Official Address: Ludwig-Schriever-Str. 16, D-48480 Lünne, Germany