Why would I need a token?



Blocked company operations, intellectual property theft or leaks of crucial information – these are just some examples of the greatest cyber security threats. We sit down with Pawel Bulat, an industry expert at Comarch, who shares his views on how to keep online banking safe and sound.

How likely is any given bank to be targeted by hackers wanting to access, alter and steal sensitive business data?

            Very likely. And the methods of doing so get more and more sophisticated at that. Take the Spectre and Meltdown vulnerabilities discovered last year in the x86 processor architecture.

            They shocked the IT world. Mostly because they allowed the attacker to steal critical data by memory leakage from the kernel to user space. The case turned out to be all the more serious because an attack could be made from JavaScript – meaning: a web browser – and almost all electronic devices on the market today were exposed: from smartphones and laptops through to PCs and servers.

What can we learn from that?

            First, it is vital for every company to regularly check the security of its hardware and software to eliminate potential threats. And second, the devices of strategic importance in banking – and beyond – should be based on dedicated systems such as cryptographic tokens. They increase the security of transactions way more than devices designed for universal use, such as smartphones. Tokens also effectively protect us against remote attacks, which we may be unaware of for a longer period of time.

And what’s a token anyway?

            It’s basically a kind of USB drive generating digital signatures, used for secure authentication and authorization of transactions…

Is there any difference between these two?

            By all means, yes. They are two key elements of IT security. Authentication confirms user identity, while authorization grants the user access to a given resource at specific times and for specific reasons. So, back to the token itself – simply put, it verifies your bank transfers, so you can remain certain that the money you send goes to the right bank account, not the one controlled by a cyber thief.

Speaking of money – at Comarch, you manufacture your own transaction protection tools. How do they work?

            That’s right. They come in two classes: the first one is tPro ECC, a USB token I just told you about, used for signing transfers. This is our own, proprietary hardware, made 100% in Europe. The second is tPro Mobile, a mobile-adjusted version of the solution.

            At Comarch, as early as in 2012, we had our hands full working on a concept of a device whose main goal was to create a secure communication channel with the bank, and find an equally secure way to show transaction details.

            The idea of our device was very simple. The user sends a transfer order to the bank, the bank sends it back in an encrypted form via a secure channel to the client-assigned device, and the latter can then decipher and display the order details. After sifting through them, the user decides whether the data matches the one initially transferred to the bank. If so, the transfer is confirmed.

Just like sending a letter to the bank with a handwritten signature…

            …and having it sent back by the bank in a safe deposit box, to which only you know the code. Upon receiving the box, you open it using your unique code to make sure the account number and amount check out, and confirm or cancel the transaction. Any attempt to breach the deposit box along the way is troublesome and immediately detectable.

Sounds solid.

            It is. Better yet, our token has no operating system, so it can’t be affected by any virus. It also requires human-machine interaction: there’s a built-in button you have to push and release in order to generate a signature. This means that even if your credentials are stolen, they won’t be any good to a cyber thief since the thief will have no way to authorize the transaction. Finally, the token comes with a dedicated system supporting elliptic curve cryptography.

Do elaborate on that.

            Simply put, the elliptic curves, used these days for, say, Bitcoin transfers, give you a high level of security and fast operations like authorization, authentication or key generation.

I see. Does Comarch have any other differentiators?

            Comarch has prioritized information security solutions starting from its very first IT project in the mid-nineties. The goal of ensuring the data is as secure as it gets is pursued by us as early as in the software design phase.

            But for us, building hardware and software is one thing, the other one revolves around consultancy projects whose aim is to double-check whether your IT security is solid. We’re a one-stop shop for protecting your sensitive data.

            In other words, we take end-to-end responsibility – from solution design and implementation up to maintenance, thanks to which our clients may rest assured that whatever happens, we’re there for them.


Pawel Bulat, Product Manager at Comarch

            Pawel is a cyber security expert with more than a decade of experience in the online banking industry.

            Comarch prides itself on being one of the leading software houses in Europe with over 6000 employees worldwide and numerous successful projects carried out for the largest international brands. With 20 years’ experience in the industry, Comarch Financial Services, a business sector within the Comarch Capital Group, specializes in developing sophisticated software and IT systems for major financial institutions in banking, insurance and capital markets.
