Looking at the FinTech behind Number26
Number26 is Europe’s most modern bank account, with all transactions appearing instantly on your smartphone. As a rising star on the FinTech stage, we were keen to hear more about the tech behind Europe’s latest banking solution.
The buzz around Number26’s launch is a testament to their mission to transform the face of banking, with JAXenter recently having the opportunity to chat with Valentin Stalf, CEO of Number26 and all-round startup veteran.
Here we get into the nitty gritty of what the company is using to allow for real-time transaction data and instant security feature access.
JAXenter: Number26 is an intuitive banking experience that offers security through integration with core banking systems and the MasterCard network. This integration allows for real-time transaction data to be made available – could you give us more information about this technology and how it works?
Valentin Stalf: We are deeply integrating with both processing (which is connected to the MasterCard network directly) and core banking systems at the same time. In most banking institutions, those systems are treated separately and synchronized once a month with the credit card billing. The logic behind processes in the MC network is very complex and hard to combine with classical banking. We mastered the challenge of combining and synchronising the two systems in real-time, which allows us to offer superior features.
JAXenter: Data protection is also something Number26 aims to provide. What systems are put in place to enable this? Are you required to follow the Payment Card Industry Data Security Standard (PCI DSS)?
Valentin Stalf: Legally, we are not required to be PCI DSS compliant, since we do not store so-called “sensitive authentication data”, e.g. including the full PAN (credit card number). Nevertheless, we follow requirements for PCI compliance.
JAXenter: What technology stacks do you currently employ? Is the customer-facing portal separate?
Valentin Stalf: Our main back-end cluster runs Java. We combine a number of banking and processing specific protocols and expose a clean REST API to our client devices and the WebApp.
JAXenter: Security features in the Number26 app are available instantly and can be amended by users at any time. How important was it to get this technology right? What do you do to adhere to SSL encryption or OAuth v2?
Valentin Stalf: Our customers’ security is a top priority for Number26. We are using strong SSL encryption on all of our communications, and much of the development effort went towards security-related topics in order to secure our customers’ data; hence we have made sure that we store as little of the user’s data as possible and apply strong hashing algorithms for those that we need to store.
Furthermore, we have complied with the OAuth2 security specification in order to allow our users a more flexible authentication scheme.
JAXenter: Number26 protects accounts via a three-step security system, specifically pairing the user’s smartphone to their PIN. What work is involved with the pairing (and unpairing) of smartphones in this way?
Valentin Stalf: The phone pairing process pairs the phone to the user’s account. Using an asymmetric encryption mechanism, combined with the phone’s hardware encryption, Number26 can make sure that only one physical phone can be paired with a user’s account at the same time and the pairing cannot be moved to a different phone. In that way, a bank transaction can only be initiated if the user knows both password and PIN and is in possession of the uniquely chosen phone (ideally their own).
If a user wants to pair a different phone, Number26 requires interaction with customer support, who will verify the user’s identity with a specially designed protocol and allow re-pairing remotely.
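As an illustration of the one-phone-per-account binding described above (added here; this is not Number26’s code, and the interview names no concrete algorithm, so Ed25519 is a stand-in): the phone keeps its private key in hardware, the server stores only the public key, refuses a second pairing until support has cleared the first, and accepts a transaction only when the payload is signed by the paired phone. `Account`, `Pair`, `Unpair` and `AuthorizeTransaction` are hypothetical names and the payload is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Account binds at most one phone public key to a customer account.
// Illustrative model only, not Number26's actual data structures.
type Account struct {
	ID        string
	DeviceKey ed25519.PublicKey // nil until a phone is paired
}

var ErrAlreadyPaired = errors.New("account already paired with another phone")
var ErrNoDevice = errors.New("no phone paired with this account")
var ErrBadSignature = errors.New("request not signed by the paired phone")

// Pair records the phone's public key; the private key is assumed to stay in the
// phone's hardware key store, so the pairing cannot be copied to another device.
func (a *Account) Pair(pub ed25519.PublicKey) error {
	if a.DeviceKey != nil {
		return ErrAlreadyPaired // second phone refused until support unpairs the first
	}
	a.DeviceKey = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// Unpair clears the binding; reachable only via the support-verified reset.
func (a *Account) Unpair() { a.DeviceKey = nil }

// AuthorizeTransaction checks the possession factor: the payload must carry a
// valid signature from the paired phone. Password and PIN are checked elsewhere.
func (a *Account) AuthorizeTransaction(payload, sig []byte) error {
	if a.DeviceKey == nil {
		return ErrNoDevice
	}
	if !ed25519.Verify(a.DeviceKey, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair generated on the phone
	acct := &Account{ID: "acct-demo"}
	tx := []byte(`{"to":"DE00 PLACEHOLDER","amount":"25.00","nonce":"c1"}`) // constructed
	fmt.Println(acct.Pair(pub), acct.AuthorizeTransaction(tx, ed25519.Sign(priv, tx)))
}
```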