
Security for the payer

On this page we present the most important security features of Khipu. It is not intended to be a summary, so we will not avoid technical topics or terms. We prefer to give you all the useful information so that you know that when you pay through Khipu, you are doing it through a secure system that you can trust.

Khipu’s payment terminals are web browsers, specially designed and developed for making electronic payments. These can be reached from a mobile application or a web page of the merchant.

What the payment terminal does is automate the fund transfer process, presenting the user with an interface that asks only for the identification and security data necessary to authorize the recipient and the amount of the transfer.

Then, the terminal reports the data of the transfer so that the payment can be reconciled (that is, so that the amount and recipient of the transfer can be matched to the collection) and the corresponding payment receipt issued.

As for the payer’s bank, the Khipu payment terminal is just another web browser, like Internet Explorer, Chrome, Firefox or any other. In any case, it is software that controls the interface and the communication channel between the user and the bank’s server.

General security elements

 

  • Use of the HTTPS protocol: The payment terminal, as a web browser, is built on WebKit, the same navigation framework used by Google Chrome and Apple’s Safari, among others. All of its security elements, in particular the implementation of the HTTPS protocol, are therefore provided by WebKit. HTTPS is a secure communications protocol, which means that the data being transferred can only be read by the parties participating in the communication. The level of encryption that Khipu uses to communicate with the banks is the standard one defined by the banks, and the level of encryption associated with each page is the same as that used by multipurpose browsers, such as Internet Explorer, Google Chrome, Firefox, Safari or any other browser that uses WebKit. When the communication is with the Khipu server, other security elements are added, such as HSTS and double encryption, to ensure end-to-end encryption.
  • Maintaining navigation routes: Khipu only browses through known web addresses, previously configured for each of the banks with which Khipu operates, to guarantee that the procedure is carried out correctly and to prevent malicious software from diverting the data. When the user activates the Khipu payment terminal to process a payment, the first step is to download from the Khipu server the navigation path that corresponds to the bank to be used, thus ensuring that the procedure runs correctly. This configuration is implemented by the Khipu engineering staff: the user does not have access to an interface that permits the Khipu payment terminal to navigate through addresses other than those configured. Additionally, the system is set up to handle the case in which the payment terminal finds a page that it cannot recognize or for which it has no action configured. In this situation, the system sends the page, along with other user browsing data (not including passwords), to the Khipu server. This starts a reconfiguration of the navigation route of the bank that the user was using to pay. Only for the purpose of configuring and maintaining navigation routes, Khipu could receive and store pages from a bank that have been reached by a user under conditions not configured in the system. This occurs in less than 1% of the cases. The data on these pages is not used to carry out campaigns or for any type of analysis other than keeping the banks’ navigation routes properly configured.
  • Password and private data management: Khipu does not save user credentials and protects them with the utmost care during the payment process. The privacy of users’ banking credentials (passwords and second passwords) is always kept in the private sphere of each user. Khipu does not save any password of any user to enter a bank account or to make any transfer. The credentials are sent directly from the payment terminal to the bank’s website when using Khipu Inside, and go through a Khipu microservice when using Khipu Web. When using Khipu Web, the credentials are sent to the Khipu microservice through an encrypted HTTPS session (TLS 1.3) with additional end-to-end encryption using x25519-xsalsa20-poly1305. The data is decrypted by the microservice, which runs on a segregated network segment, and is never stored on a persistent medium, such as a database, filesystem, message queue, or other. From the Khipu microservice, this data is sent to the financial institution’s server using the security mechanisms that the institution has defined, usually HTTPS (TLS 1.2 or higher). Likewise, Khipu keeps all the user’s personal information under absolute reserve, except the information related to collection operations, which is communicated to the recipient indicated by the collector, and which becomes public if the charge is generic or has a charge link for public use. Users are responsible for keeping all their passwords secret. It should be noted that Khipu has no responsibility for any interference from Trojans, spyware, or malicious software that users may have on their devices. Additionally, payment terminals allow users to save their credentials locally on their own device, where they are protected by the device’s security mechanisms and accessed through the normal unlock mechanism defined for the device (pattern, fingerprint, PIN, Face ID, etc.).
  • Verification of operations: Khipu verifies all transfers. It does so in the bank account where the transfer ends and issues an electronically signed proof of payment in PDF format every time a transfer is confirmed. Additionally, users who are registered with Khipu will be able to access and download their vouchers by logging into the Khipu website.
  • The identity of the collector is assured: Unlike traditional electronic transfers (where only account numbers and RUT are validated), Khipu always knows with certainty the identity of the recipient of the money, avoiding identity fraud. A collecting user will always be registered in Khipu and their identity cannot be edited or modified: all their data is provided by the bank when registering the checking account that receives the funds. The use of fantasy names for a company is accepted, upon written request of the collector, which is also reviewed on a case-by-case basis by the Khipu operations staff.
    There are Payment Service Providers (PSP) that include Khipu among their payment options. In these cases, Khipu knows the identity of the PSP, but not the final merchant of the transaction.
  • Legal protection: From a legal point of view, the paying user delivers a mandate to Khipu. This means that the legal representatives of Khipu have criminal responsibility before the payer, that is, users are protected by the highest level of responsibility possible in Chile.
  • External security audit (monthly): Every month an external security company performs an analysis of data traffic from Android and iOS payment terminals to validate the information transmitted and the connections made.
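
The "Maintaining navigation routes" item above describes an allowlist of per-bank addresses plus a reporting path for pages the terminal does not recognize. The following JavaScript is an added example, not Khipu's code: the route format, the host names, the allow/report/block split and the report shape are all assumptions made for illustration.

```javascript
// Constructed navigation route for a hypothetical bank (all names are assumptions).
const ROUTE = {
  bank: "example-bank",
  steps: [
    { host: "www.bank.example", pathPrefix: "/login", action: "fill-credentials" },
    { host: "www.bank.example", pathPrefix: "/transfer", action: "fill-transfer" },
    { host: "secure.bank.example", pathPrefix: "/confirm", action: "read-receipt" },
  ],
};

// Classify a URL against the route: "allow", "report" or "block".
function checkNavigation(route, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // lowercases the host and resolves "../" segments
  } catch {
    return { verdict: "block", reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { verdict: "block", reason: "not HTTPS" };
  // "https://www.bank.example@evil.test/" has host evil.test; reject userinfo outright.
  if (url.username || url.password) return { verdict: "block", reason: "userinfo in URL" };
  if (url.port !== "") return { verdict: "block", reason: "non-default port" };
  // Exact host match: suffix or substring matching would accept look-alike hosts.
  const hostSteps = route.steps.filter((s) => s.host === url.hostname);
  if (hostSteps.length === 0) return { verdict: "block", reason: "host not in route" };
  const step = hostSteps.find(
    (s) => url.pathname === s.pathPrefix || url.pathname.startsWith(s.pathPrefix + "/")
  );
  if (!step) return { verdict: "report", reason: "no action configured for page" };
  return { verdict: "allow", action: step.action };
}

// Build the report for an unrecognized page without credentials:
// no query string or fragment, field names only, password inputs omitted.
function buildReport(rawUrl, fields) {
  const url = new URL(rawUrl);
  return {
    page: url.origin + url.pathname,
    fields: fields.filter((f) => f.type !== "password").map((f) => f.name),
  };
}
```

The checks run on the parsed URL, never on the raw string, which is what keeps look-alike addresses such as `www.bank.example.evil.test` or `www.bank.example@evil.test` from matching a configured host.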

 

Comparative Security

If we compare the security features of Khipu with the different paying alternatives that exist in Chile, we can highlight the following aspects.

First, Khipu online payment is more secure than other options, because:

  • It is a special-purpose web browser, which means that it is designed and developed for a single and specific purpose: banking transactions.
  • Khipu knows the correct web addresses for each page of each enabled bank, greatly reducing the possibility of errors and minimizing the risk of scams and phishing.
  • Khipu issues electronically signed proofs of payment.
  • It operates under legal terms for both the payer and the collector.
  • It uses HSTS, double encryption and an extended validation certificate.

Second, face-to-face payments with Khipu are more secure than in other options, because:

  • It uses dynamic security elements (second passwords, digipass or coordinates of a matrix card), while face-to-face means of payment use only passwords and other fixed data, such as the bank card itself, which have a high risk of being cloned; once copied, they can be reused for other face-to-face payments at any POS terminal and even to withdraw funds from ATMs.

 

Security against Phishing

Khipu protects users against phishing, today’s biggest fraud threat on the Internet. These scams consist of misleading people while stealing their security data. By using the Khipu payment terminal, users are protected against this type of fraud because Khipu knows and uses the correct address of each configured bank.

This security feature is unique to Khipu. Browsing with a general-purpose browser (such as Internet Explorer, Google Chrome, Firefox or Safari) makes it impossible to restrict or limit browsing within the bank pages, because those browsers must allow navigation on any web page.

However, it is possible to trick a user into installing a fake Khipu app or using a web page that does not correspond to Khipu Web, so the payment terminal must always be installed from one of the official sources, and the payment must always be started from a reliable merchant.

Another security threat to watch out for is Trojans. These are malicious programs that deceive users in order to steal their confidential information.

 
